diff --git a/.gitignore b/.gitignore index 9ea9030..7f5c956 100644 --- a/.gitignore +++ b/.gitignore @@ -135,3 +135,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.1.tar.xz.sig /gnutls-3.7.2.tar.xz /gnutls-3.7.2.tar.xz.sig +/gnutls-3.7.3.tar.xz +/gnutls-3.7.3.tar.xz.sig diff --git a/gnutls-3.7.1-aggressive-realloc-fixes.patch b/gnutls-3.7.1-aggressive-realloc-fixes.patch deleted file mode 100644 index dfe035f..0000000 --- a/gnutls-3.7.1-aggressive-realloc-fixes.patch +++ /dev/null @@ -1,84 +0,0 @@ -From e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 10 Mar 2021 16:11:29 +0100 -Subject: [PATCH 1/2] _gnutls_buffer_resize: account for unused area if - AGGRESSIVE_REALLOC - -Signed-off-by: Daiki Ueno ---- - lib/str.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/str.c b/lib/str.c -index 506fe1721..bc20ebb04 100644 ---- a/lib/str.c -+++ b/lib/str.c -@@ -155,12 +155,12 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) - - unused = MEMSUB(dest->data, dest->allocd); - dest->allocd = -- gnutls_realloc_fast(dest->allocd, new_size); -+ gnutls_realloc_fast(dest->allocd, new_size + unused); - if (dest->allocd == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } -- dest->max_length = new_size; -+ dest->max_length = new_size + unused; - dest->data = dest->allocd + unused; - - return 0; --- -2.30.2 - - -From 78691bfe4555c4d610b405173987ed7515515d20 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 10 Mar 2021 16:12:23 +0100 -Subject: [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is - defined - -Signed-off-by: Daiki Ueno ---- - lib/str.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/lib/str.c b/lib/str.c -index bc20ebb04..8007340f1 100644 ---- a/lib/str.c -+++ b/lib/str.c -@@ -87,15 +87,6 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str) - - #define MIN_CHUNK 1024 - --static void align_allocd_with_data(gnutls_buffer_st * dest) --{ -- assert(dest->allocd != NULL); -- assert(dest->data != NULL); -- if (dest->length) -- memmove(dest->allocd, dest->data, dest->length); -- dest->data = dest->allocd; --} -- - /** - * gnutls_buffer_append_data: - * @dest: the buffer to append to -@@ -168,6 +159,15 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) - - #else - -+static void align_allocd_with_data(gnutls_buffer_st * dest) -+{ -+ assert(dest->allocd != NULL); -+ assert(dest->data != NULL); -+ if (dest->length) -+ memmove(dest->allocd, dest->data, dest->length); -+ dest->data = dest->allocd; -+} -+ - int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) - { - if (unlikely(dest->data != NULL && dest->allocd == NULL)) --- -2.30.2 - diff --git a/gnutls-3.7.2-config-allowlisting-race.patch b/gnutls-3.7.2-config-allowlisting-race.patch deleted file mode 100644 index 2036797..0000000 --- a/gnutls-3.7.2-config-allowlisting-race.patch +++ /dev/null @@ -1,254 +0,0 @@ -From dbdcc29ee9e31acaa8286f633a4f0c23abd09d03 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 26 Oct 2021 12:56:52 +0200 -Subject: [PATCH] priority: fix race condition when resolving SYSTEM in - allowlisting - -Signed-off-by: Daiki Ueno ---- - lib/priority.c | 65 +++++++++++++++++++++++++++++++------------------- - 1 file changed, 41 insertions(+), 24 deletions(-) - -diff --git a/lib/priority.c b/lib/priority.c -index 20230e46d1..606443f1f9 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -39,6 +39,7 @@ - #include "profiles.h" - #include "c-strcase.h" - #include "inih/ini.h" -+#include "locks.h" - #include "profiles.h" - #include "name_val_array.h" - -@@ -1001,6 +1002,7 @@ static void dummy_func(gnutls_priority_t c) - #include - - static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN; -+GNUTLS_STATIC_MUTEX(system_wide_priority_strings_mutex); - static name_val_array_t system_wide_priority_strings = NULL; - static char *system_wide_priority_string = NULL; - static unsigned system_wide_priority_strings_init = 0; -@@ -1727,6 +1729,9 @@ static int cfg_ini_handler(void *ctx, const char *section, const char *name, con - return 1; - } - -+static int -+resolve_priorities_from_system_wide_allowlisting(void); -+ - static void _gnutls_update_system_priorities(void) - { - int ret; -@@ -1734,17 +1739,19 @@ static void _gnutls_update_system_priorities(void) - FILE *fp; - struct cfg cfg; - -+ GNUTLS_STATIC_MUTEX_LOCK(system_wide_priority_strings_mutex); -+ - if (stat(system_priority_file, &sb) < 0) { - _gnutls_debug_log("cfg: unable to access: %s: %d\n", - system_priority_file, errno); -- return; -+ goto out; - } - - if (system_wide_priority_strings_init != 0 && - sb.st_mtime == system_priority_last_mod) { - _gnutls_debug_log("cfg: system priority %s has not changed\n", - system_priority_file); -- return; -+ goto out; - } - - if (system_wide_priority_strings_init != 0) -@@ -1757,7 +1764,7 @@ static void _gnutls_update_system_priorities(void) - if (fp == NULL) { - _gnutls_debug_log("cfg: unable to open: %s: %d\n", - system_priority_file, errno); -- return; -+ goto out; - } - /* Parsing the configuration file needs to be done in 2 phases: first - * parsing the [global] section and then the other sections, because the -@@ -1781,16 +1788,30 @@ static void _gnutls_update_system_priorities(void) - system_priority_file, ret); - if (fail_on_invalid_config) - exit(1); -- return; -+ goto out; - } - cfg_apply(&cfg); - cfg_deinit(&cfg); - -+ if (system_wide_allowlisting) { -+ ret = resolve_priorities_from_system_wide_allowlisting(); -+ if (ret < 0) { -+ _gnutls_debug_log("cfg: unable to resolve system priority string: %s\n", -+ gnutls_strerror(ret)); -+ if (fail_on_invalid_config) -+ exit(1); -+ goto out; -+ } -+ } -+ - _gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n", - system_priority_file, - (unsigned long long)sb.st_mtime); - - system_priority_last_mod = sb.st_mtime; -+ -+ out: -+ GNUTLS_STATIC_MUTEX_UNLOCK(system_wide_priority_strings_mutex); - } - - void _gnutls_load_system_priorities(void) -@@ -1835,17 +1856,13 @@ const char *gnutls_get_system_config_file(void) - return NULL; - } - --static const char * -+static int - resolve_priorities_from_system_wide_allowlisting(void) - { - gnutls_buffer_st buf; - int ret; - size_t i; - -- if (system_wide_priority_string) { -- return system_wide_priority_string; -- } -- - assert(system_wide_allowlisting); - - _gnutls_buffer_init(&buf); -@@ -1853,21 +1870,21 @@ resolve_priorities_from_system_wide_allowlisting(void) - ret = _gnutls_buffer_append_str(&buf, "NONE"); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - - for (i = 0; system_wide_tls_kxs[i] != 0; i++) { - ret = _gnutls_buffer_append_str(&buf, ":+"); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - - ret = _gnutls_buffer_append_str(&buf, - gnutls_kx_get_name(system_wide_tls_kxs[i])); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - } - -@@ -1875,14 +1892,14 @@ resolve_priorities_from_system_wide_allowlisting(void) - ret = _gnutls_buffer_append_str(&buf, ":+GROUP-"); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - - ret = _gnutls_buffer_append_str(&buf, - gnutls_group_get_name(system_wide_tls_groups[i])); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - } - -@@ -1890,14 +1907,14 @@ resolve_priorities_from_system_wide_allowlisting(void) - ret = _gnutls_buffer_append_str(&buf, ":+"); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - - ret = _gnutls_buffer_append_str(&buf, - gnutls_cipher_get_name(system_wide_tls_ciphers[i])); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - } - -@@ -1905,14 +1922,14 @@ resolve_priorities_from_system_wide_allowlisting(void) - ret = _gnutls_buffer_append_str(&buf, ":+"); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - - ret = _gnutls_buffer_append_str(&buf, - gnutls_mac_get_name(system_wide_tls_macs[i])); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - } - -@@ -1920,14 +1937,14 @@ resolve_priorities_from_system_wide_allowlisting(void) - ret = _gnutls_buffer_append_str(&buf, ":+SIGN-"); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - - ret = _gnutls_buffer_append_str(&buf, - gnutls_sign_get_name(system_wide_tls_sigs[i])); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - } - -@@ -1935,14 +1952,14 @@ resolve_priorities_from_system_wide_allowlisting(void) - ret = _gnutls_buffer_append_str(&buf, ":+VERS-"); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - - ret = _gnutls_buffer_append_str(&buf, - gnutls_protocol_get_name(system_wide_tls_vers[i])); - if (ret < 0) { - _gnutls_buffer_clear(&buf); -- return NULL; -+ return ret; - } - } - -@@ -1950,7 +1967,7 @@ resolve_priorities_from_system_wide_allowlisting(void) - system_wide_priority_string = gnutls_strdup((char *)buf.data); - _gnutls_buffer_clear(&buf); - -- return system_wide_priority_string; -+ return ret; - } - - #define S(str) ((str!=NULL)?str:"") -@@ -2010,7 +2027,7 @@ char *_gnutls_resolve_priorities(const char* priorities) - if (system_wide_allowlisting && - ss_len == sizeof(LEVEL_SYSTEM) - 1 && - strncmp(LEVEL_SYSTEM, ss, ss_len) == 0) { -- p = resolve_priorities_from_system_wide_allowlisting(); -+ p = system_wide_priority_string; - } else { - p = _name_val_array_value(system_wide_priority_strings, ss, ss_len); - } --- -2.31.1 - diff --git a/gnutls-3.7.2-config-allowlisting.patch b/gnutls-3.7.2-config-allowlisting.patch deleted file mode 100644 index 484f053..0000000 --- a/gnutls-3.7.2-config-allowlisting.patch +++ /dev/null @@ -1,8352 +0,0 @@ -diff -ruN gnutls-3.7.2/aminclude_static.am gnutls-3.7.2-bootstrapped/aminclude_static.am ---- gnutls-3.7.2/aminclude_static.am 2021-05-29 10:11:18.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/aminclude_static.am 2021-06-28 09:11:35.000000000 +0200 -@@ -1,6 +1,6 @@ - - # aminclude_static.am generated automatically by Autoconf --# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021 -+# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021 - - - # Code coverage -diff -ruN gnutls-3.7.2/AUTHORS gnutls-3.7.2-bootstrapped/AUTHORS ---- gnutls-3.7.2/AUTHORS 2021-05-29 10:22:59.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/AUTHORS 2021-06-28 09:56:13.000000000 +0200 -@@ -37,8 +37,8 @@ - Kevin Cernekee - Nikolay Sivov - Sahana Prasad --Michael Catanzaro - Alexander Sosedkin -+Michael Catanzaro - Daniel Lenski - JonasZhou - Stefan Sørensen -diff -ruN gnutls-3.7.2/ChangeLog gnutls-3.7.2-bootstrapped/ChangeLog ---- gnutls-3.7.2/ChangeLog 2021-05-29 10:23:25.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/ChangeLog 2021-06-28 09:56:40.000000000 +0200 -@@ -1,4 +1,63 @@ - Author: Daiki Ueno -+Date: Mon Jun 28 07:04:55 2021 +0200 -+ -+ tests: set SH_LOG_COMPILER so sh tests run under $(SHELL) -+ -+ This omits the need of setting executable bits on shell script tests. -+ -+ Signed-off-by: Daiki Ueno -+ -+Author: Daiki Ueno -+Date: Thu May 6 12:41:40 2021 +0200 -+ -+ priority: support allowlisting in configuration file -+ -+ This adds a new mode of interpreting the [overrides] section. If -+ "override-mode" is set to "allowlisting" in the [global] section, all -+ the algorithms (hashes, signature algorithms, curves, and versions) -+ are initially marked as insecure/disabled. Then the user can enable -+ them by specifying allowlisting keywords such as "secure-hash" in the -+ [overrides] section. -+ -+ Signed-off-by: Daiki Ueno -+ Co-authored-by: Alexander Sosedkin -+ -+Author: Daiki Ueno -+Date: Wed May 5 16:27:55 2021 +0200 -+ -+ priority: refactor config file parsing -+ -+ This adds the following refactoring: -+ -+ - avoid side-effects during parsing the config file, by separating -+ application phase; the parsed configuration can be applied globally -+ with cfg_apply, after validation -+ - make _gnutls_*_mark_{disabled,insecure} take an ID instead of the -+ name -+ -+ Signed-off-by: Daiki Ueno -+ -+Author: Daiki Ueno -+Date: Fri Jun 11 06:58:43 2021 +0200 -+ -+ priority: reflect system wide config when constructing sigalgs -+ -+ Otherwise the client would advertise signature algorithms which it -+ cannot use and cause handshake to fail. -+ -+ Reported by Philip Schaten in: -+ https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html -+ -+ Signed-off-by: Daiki Ueno -+ -+Author: Daiki Ueno -+Date: Wed Jun 9 14:29:11 2021 +0200 -+ -+ p11tool: mention how CKA_IDs of certs are calculated upon --write -+ -+ Signed-off-by: Daiki Ueno -+ -+Author: Daiki Ueno - Date: Sat May 29 07:18:17 2021 +0200 - - Release 3.7.2 -@@ -49224,3 +49283,13 @@ - Date: Fri Nov 7 10:22:11 2014 +0100 - - doc: corrected values for INSECURE level -+ -+Author: Nikos Mavrogiannopoulos -+Date: Fri Nov 7 08:55:40 2014 +0100 -+ -+ pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags -+ -+Author: Nikos Mavrogiannopoulos -+Date: Fri Nov 7 08:44:46 2014 +0100 -+ -+ pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH -diff -ruN gnutls-3.7.2/doc/cha-config.texi gnutls-3.7.2-bootstrapped/doc/cha-config.texi ---- gnutls-3.7.2/doc/cha-config.texi 2021-05-10 16:34:47.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/cha-config.texi 2021-06-28 09:09:14.000000000 +0200 -@@ -74,6 +74,7 @@ - @item @code{insecure-sig-for-cert}: to mark the signature algorithm as insecure when used in certificates. - @item @code{insecure-sig}: to mark the signature algorithm as insecure for any use. - @item @code{insecure-hash}: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms). -+@item @code{disabled-curve}: to disable the specified elliptic curve. - @item @code{disabled-version}: to disable the specified TLS versions. - @item @code{tls-disabled-cipher}: to disable the specified ciphers for use in the TLS or DTLS protocols. - @item @code{tls-disabled-mac}: to disable the specified MAC algorithms for use in the TLS or DTLS protocols. -@@ -82,11 +83,39 @@ - @end itemize - - Each of the options can be repeated multiple times when multiple values need --to be disabled. -+to be disabled or enabled. - - The valid values for the options above can be found in the 'Protocols', 'Digests' - 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of the output of @code{gnutls-cli --list}. - -+Sometimes the system administrator wants to enable only specific -+algorithms, despite the library defaults. GnuTLS provides an -+alternative mode of overriding: allowlisting. -+ -+In the allowlisting mode, all the algorithms are initially marked as -+insecure or disabled, and shall be explicitly turned on by the options -+in the @code{[overrides]} section. Those options are mutually -+exclusive to the above ones for the blocklisting mode (the default) -+@itemize -+@item @code{secure-sig-for-cert}: to mark the signature algorithm as secure when used in certificates. -+@item @code{secure-sig}: to mark the signature algorithm as secure for any use. -+@item @code{secure-hash}: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms). -+@item @code{enabled-curve}: to enable the specified elliptic curve. -+@item @code{enabled-version}: to enable the specified TLS versions. -+@item @code{tls-enabled-cipher}: to enable the specified ciphers for use in the TLS or DTLS protocols. -+@item @code{tls-enabled-mac}: to enable the specified MAC algorithms for use in the TLS or DTLS protocols. -+@item @code{tls-enabled-group}: to enable the specified group for use in the TLS or DTLS protocols. -+@item @code{tls-enabled-kx}: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier). -+@end itemize -+ -+The allowlisting mode can be enabled by adding @code{override-mode = -+allowlist} in the @code{[global]} section. -+ -+When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API. -+ -+@showfuncD{gnutls_ecc_curve_mark_enabled,gnutls_sign_mark_secure,gnutls_digest_mark_secure,gnutls_protocol_mark_enabled} -+@showfuncD{gnutls_ecc_curve_mark_disabled,gnutls_sign_mark_insecure,gnutls_digest_mark_insecure,gnutls_protocol_mark_disabled} -+ - @subsection Examples - - The following example marks as insecure all digital signature algorithms -@@ -120,6 +149,20 @@ - tls-disabled-group = group-ffdhe8192 - @end example - -+The following example demonstrates the use of the allowlisting -+mode. It disables all the signature algorithms but -+@code{RSA-SHA256}. Note that the hash algorithm @code{SHA256} also -+needs to be explicitly enabled. -+ -+@example -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = sha256 -+secure-sig = rsa-sha256 -+@end example -+ - @node Querying for disabled algorithms and protocols - @section Querying for disabled algorithms and protocols - -diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure ---- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1,12 @@ -+ -+ -+ -+ -+@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig}) -+@var{dig}: is a digest algorithm -+ -+Mark @code{dig} as insecure system wide. This only works if the allowlisting mode -+is used in the configuration file. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short ---- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1 @@ -+@item @var{int} @ref{gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig}) -diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure ---- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1,12 @@ -+ -+ -+ -+ -+@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig}) -+@var{dig}: is a digest algorithm -+ -+Invalidate previous system wide setting that marked @code{dig} as insecure. This -+only works if the allowlisting mode is used in the configuration file. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short ---- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1 @@ -+@item @var{int} @ref{gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig}) -diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled ---- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1,15 @@ -+ -+ -+ -+ -+@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve}) -+@var{curve}: is an ECC curve -+ -+Mark @code{curve} as disabled system wide. This setting can be reverted with -+@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file -+uses the allowlisting mode. -+ -+@strong{Returns:} 0 on success or negative error code otherwise. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short ---- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200 -@@ -0,0 +1 @@ -+@item @var{int} @ref{gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve}) -diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled ---- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1,15 @@ -+ -+ -+ -+ -+@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve}) -+@var{curve}: is an ECC curve -+ -+Invalidate previous system wide setting that marked @code{curve} as disabled. This -+only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or -+through the allowlisting mode in the configuration file. -+ -+@strong{Returns:} 0 on success or negative error code otherwise. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short ---- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200 -@@ -0,0 +1 @@ -+@item @var{int} @ref{gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve}) -diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled ---- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1,10 @@ -+ -+ -+ -+ -+@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version}) -+@var{version}: is a (gnutls) version number -+ -+Mark @code{version} as disabled system wide. This only works if the allowlisting -+mode is used in the configuration file. -+@end deftypefun -diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short ---- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200 -@@ -0,0 +1 @@ -+@item @var{int} @ref{gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version}) -diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled ---- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1,11 @@ -+ -+ -+ -+ -+@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version}) -+@var{version}: is a (gnutls) version number -+ -+Invalidate previous system wide setting that marked @code{version} as -+disabled. This only works if the allowlisting mode is used in the -+configuration file. -+@end deftypefun -diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short ---- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200 -@@ -0,0 +1 @@ -+@item @var{int} @ref{gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version}) -diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure ---- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1,18 @@ -+ -+ -+ -+ -+@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags}) -+@var{sign}: the sign algorithm -+ -+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0 -+ -+Mark @code{sign} as insecure system wide. This only works if the -+allowlisting mode is used in the configuration file. -+ -+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set, -+and the algorithm was previously considered secure for all purposes, -+it only marks the algorithm as insecure for the use with certificates. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short ---- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short 2021-06-28 09:39:51.000000000 +0200 -@@ -0,0 +1 @@ -+@item @var{int} @ref{gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags}) -diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure ---- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure 2021-06-28 09:39:50.000000000 +0200 -@@ -0,0 +1,22 @@ -+ -+ -+ -+ -+@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags}) -+@var{sign}: the sign algorithm -+ -+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0 -+ -+Invalidate previous system wide setting that marked @code{sign} as -+insecure. This only works if the algorithm is marked as insecure -+with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode -+in the configuration file. -+ -+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set, -+it marks it the algorithm as secure for all purposes. -+If the absence of this flag, it will mark it as -+"secure, but not for certificates" at most, -+but it won't restrict anything either. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short ---- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short 2021-06-28 09:39:51.000000000 +0200 -@@ -0,0 +1 @@ -+@item @var{int} @ref{gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags}) -diff -ruN gnutls-3.7.2/doc/gnutls-api.texi gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi ---- gnutls-3.7.2/doc/gnutls-api.texi 2021-05-29 10:19:28.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi 2021-06-28 09:39:50.000000000 +0200 -@@ -2706,6 +2706,28 @@ - integers indicating the available digests. - @end deftypefun - -+@subheading gnutls_digest_mark_insecure -+@anchor{gnutls_digest_mark_insecure} -+@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig}) -+@var{dig}: is a digest algorithm -+ -+Mark @code{dig} as insecure system wide. This only works if the allowlisting mode -+is used in the configuration file. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -+ -+@subheading gnutls_digest_mark_secure -+@anchor{gnutls_digest_mark_secure} -+@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig}) -+@var{dig}: is a digest algorithm -+ -+Invalidate previous system wide setting that marked @code{dig} as insecure. This -+only works if the allowlisting mode is used in the configuration file. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -+ - @subheading gnutls_early_cipher_get - @anchor{gnutls_early_cipher_get} - @deftypefun {gnutls_cipher_algorithm_t} {gnutls_early_cipher_get} (gnutls_session_t @var{session}) -@@ -2820,6 +2842,34 @@ - integers indicating the available curves. - @end deftypefun - -+@subheading gnutls_ecc_curve_mark_disabled -+@anchor{gnutls_ecc_curve_mark_disabled} -+@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve}) -+@var{curve}: is an ECC curve -+ -+Mark @code{curve} as disabled system wide. This setting can be reverted with -+@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file -+uses the allowlisting mode. -+ -+@strong{Returns:} 0 on success or negative error code otherwise. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -+ -+@subheading gnutls_ecc_curve_mark_enabled -+@anchor{gnutls_ecc_curve_mark_enabled} -+@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve}) -+@var{curve}: is an ECC curve -+ -+Invalidate previous system wide setting that marked @code{curve} as disabled. This -+only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or -+through the allowlisting mode in the configuration file. -+ -+@strong{Returns:} 0 on success or negative error code otherwise. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -+ - @subheading gnutls_error_is_fatal - @anchor{gnutls_error_is_fatal} - @deftypefun {int} {gnutls_error_is_fatal} (int @var{error}) -@@ -5026,6 +5076,25 @@ - indicating the available protocols. - @end deftypefun - -+@subheading gnutls_protocol_mark_disabled -+@anchor{gnutls_protocol_mark_disabled} -+@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version}) -+@var{version}: is a (gnutls) version number -+ -+Mark @code{version} as disabled system wide. This only works if the allowlisting -+mode is used in the configuration file. -+@end deftypefun -+ -+@subheading gnutls_protocol_mark_enabled -+@anchor{gnutls_protocol_mark_enabled} -+@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version}) -+@var{version}: is a (gnutls) version number -+ -+Invalidate previous system wide setting that marked @code{version} as -+disabled. This only works if the allowlisting mode is used in the -+configuration file. -+@end deftypefun -+ - @subheading gnutls_psk_allocate_client_credentials - @anchor{gnutls_psk_allocate_client_credentials} - @deftypefun {int} {gnutls_psk_allocate_client_credentials} (gnutls_psk_client_credentials_t * @var{sc}) -@@ -7027,6 +7096,44 @@ - integers indicating the available ciphers. - @end deftypefun - -+@subheading gnutls_sign_mark_insecure -+@anchor{gnutls_sign_mark_insecure} -+@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags}) -+@var{sign}: the sign algorithm -+ -+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0 -+ -+Mark @code{sign} as insecure system wide. This only works if the -+allowlisting mode is used in the configuration file. -+ -+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set, -+and the algorithm was previously considered secure for all purposes, -+it only marks the algorithm as insecure for the use with certificates. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -+ -+@subheading gnutls_sign_mark_secure -+@anchor{gnutls_sign_mark_secure} -+@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags}) -+@var{sign}: the sign algorithm -+ -+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0 -+ -+Invalidate previous system wide setting that marked @code{sign} as -+insecure. This only works if the algorithm is marked as insecure -+with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode -+in the configuration file. -+ -+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set, -+it marks it the algorithm as secure for all purposes. -+If the absence of this flag, it will mark it as -+"secure, but not for certificates" at most, -+but it won't restrict anything either. -+ -+@strong{Since:} 3.7.3 -+@end deftypefun -+ - @subheading gnutls_sign_supports_pk_algorithm - @anchor{gnutls_sign_supports_pk_algorithm} - @deftypefun {unsigned} {gnutls_sign_supports_pk_algorithm} (gnutls_sign_algorithm_t @var{sign}, gnutls_pk_algorithm_t @var{pk}) -diff -ruN gnutls-3.7.2/doc/gnutls.html gnutls-3.7.2-bootstrapped/doc/gnutls.html ---- gnutls-3.7.2/doc/gnutls.html 2021-05-29 10:23:25.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/gnutls.html 2021-06-28 09:56:40.000000000 +0200 -@@ -8018,8 +8018,9 @@ -

write option.

- -

This is the “writes the loaded objects to a pkcs #11 token” option. --It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with -- one of –load-privkey, –load-pubkey, –load-certificate option. -+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of –load-privkey, –load-pubkey, –load-certificate option. -+

-+

When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand. -

id option.

- -

This is the “sets an id for the write operation” option. -@@ -16992,6 +16993,7 @@ -

  • insecure-sig-for-cert: to mark the signature algorithm as insecure when used in certificates. -
  • insecure-sig: to mark the signature algorithm as insecure for any use. -
  • insecure-hash: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms). -+
  • disabled-curve: to disable the specified elliptic curve. -
  • disabled-version: to disable the specified TLS versions. -
  • tls-disabled-cipher: to disable the specified ciphers for use in the TLS or DTLS protocols. -
  • tls-disabled-mac: to disable the specified MAC algorithms for use in the TLS or DTLS protocols. -@@ -17000,11 +17002,49 @@ -
    • - -

    Each of the options can be repeated multiple times when multiple values need --to be disabled. -+to be disabled or enabled. -

    -

    The valid values for the options above can be found in the ’Protocols’, ’Digests’ - ’PK-signatures’, ’Protocols’, ’Ciphrers’, and ’MACs’ fields of the output of gnutls-cli --list. -

    -+

    Sometimes the system administrator wants to enable only specific -+algorithms, despite the library defaults. GnuTLS provides an -+alternative mode of overriding: allowlisting. -+

    -+

    In the allowlisting mode, all the algorithms are initially marked as -+insecure or disabled, and shall be explicitly turned on by the options -+in the [overrides] section. Those options are mutually -+exclusive to the above ones for the blocklisting mode (the default) -+

      -+
    • secure-sig-for-cert: to mark the signature algorithm as secure when used in certificates. -+
    • secure-sig: to mark the signature algorithm as secure for any use. -+
    • secure-hash: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms). -+
    • enabled-curve: to enable the specified elliptic curve. -+
    • enabled-version: to enable the specified TLS versions. -+
    • tls-enabled-cipher: to enable the specified ciphers for use in the TLS or DTLS protocols. -+
    • tls-enabled-mac: to enable the specified MAC algorithms for use in the TLS or DTLS protocols. -+
    • tls-enabled-group: to enable the specified group for use in the TLS or DTLS protocols. -+
    • tls-enabled-kx: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier). -+
    -+ -+

    The allowlisting mode can be enabled by adding override-mode = -+allowlist in the [global] section. -+

    -+

    When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API. -+

    -+
    -+
    int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t curve)
    -+
    int gnutls_sign_mark_secure (gnutls_sign_algorithm_t sign, unsigned flags)
    -+
    int gnutls_digest_mark_secure (gnutls_digest_algorithm_t dig)
    -+
    int gnutls_protocol_mark_enabled (gnutls_protocol_t version)
    -+
    -+
    -+
    int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t curve)
    -+
    int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t sign, unsigned flags)
    -+
    int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t dig)
    -+
    int gnutls_protocol_mark_disabled (gnutls_protocol_t version)
    -+
    -+ -

    8.2.1 Examples

    - -

    The following example marks as insecure all digital signature algorithms -@@ -17038,6 +17078,20 @@ - tls-disabled-group = group-ffdhe8192 - - -+

    The following example demonstrates the use of the allowlisting -+mode. It disables all the signature algorithms but -+RSA-SHA256. Note that the hash algorithm SHA256 also -+needs to be explicitly enabled. -+

    -+
    -+
    [global]
-+override-mode = allowlist
-+
-+[overrides]
-+secure-hash = sha256
-+secure-sig = rsa-sha256
-+
    -+ -
    -
    -

    -@@ -23658,6 +23712,28 @@ - integers indicating the available digests. -

    - -+

    gnutls_digest_mark_insecure

    -+
    -+
    Function: int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t dig)
    -+

    dig: is a digest algorithm -+

    -+

    Mark dig as insecure system wide. This only works if the allowlisting mode -+is used in the configuration file. -+

    -+

    Since: 3.7.3 -+

    -+ -+

    gnutls_digest_mark_secure

    -+
    -+
    Function: int gnutls_digest_mark_secure (gnutls_digest_algorithm_t dig)
    -+

    dig: is a digest algorithm -+

    -+

    Invalidate previous system wide setting that marked dig as insecure. This -+only works if the allowlisting mode is used in the configuration file. -+

    -+

    Since: 3.7.3 -+

    -+ -

    gnutls_early_cipher_get

    -
    -
    Function: gnutls_cipher_algorithm_t gnutls_early_cipher_get (gnutls_session_t session)
    -@@ -23772,6 +23848,34 @@ - integers indicating the available curves. -

    - -+

    gnutls_ecc_curve_mark_disabled

    -+
    -+
    Function: int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t curve)
    -+

    curve: is an ECC curve -+

    -+

    Mark curve as disabled system wide. This setting can be reverted with -+gnutls_ecc_curve_mark_enabled() . This only works if the configuration file -+uses the allowlisting mode. -+

    -+

    Returns: 0 on success or negative error code otherwise. -+

    -+

    Since: 3.7.3 -+

    -+ -+

    gnutls_ecc_curve_mark_enabled

    -+
    -+
    Function: int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t curve)
    -+

    curve: is an ECC curve -+

    -+

    Invalidate previous system wide setting that marked curve as disabled. This -+only works if the curve is disabled with gnutls_ecc_curve_mark_disabled() or -+through the allowlisting mode in the configuration file. -+

    -+

    Returns: 0 on success or negative error code otherwise. -+

    -+

    Since: 3.7.3 -+

    -+ -

    gnutls_error_is_fatal

    -
    -
    Function: int gnutls_error_is_fatal (int error)
    -@@ -25978,6 +26082,25 @@ - indicating the available protocols. -

    - -+

    gnutls_protocol_mark_disabled

    -+
    -+
    Function: int gnutls_protocol_mark_disabled (gnutls_protocol_t version)
    -+

    version: is a (gnutls) version number -+

    -+

    Mark version as disabled system wide. This only works if the allowlisting -+mode is used in the configuration file. -+

    -+ -+

    gnutls_protocol_mark_enabled

    -+
    -+
    Function: int gnutls_protocol_mark_enabled (gnutls_protocol_t version)
    -+

    version: is a (gnutls) version number -+

    -+

    Invalidate previous system wide setting that marked version as -+disabled. This only works if the allowlisting mode is used in the -+configuration file. -+

    -+ -

    gnutls_psk_allocate_client_credentials

    -
    -
    Function: int gnutls_psk_allocate_client_credentials (gnutls_psk_client_credentials_t * sc)
    -@@ -27979,6 +28102,44 @@ - integers indicating the available ciphers. -

    - -+

    gnutls_sign_mark_insecure

    -+
    -+
    Function: int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t sign, unsigned flags)
    -+

    sign: the sign algorithm -+

    -+

    flags: GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0 -+

    -+

    Mark sign as insecure system wide. This only works if the -+allowlisting mode is used in the configuration file. -+

    -+

    If flags has GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set, -+and the algorithm was previously considered secure for all purposes, -+it only marks the algorithm as insecure for the use with certificates. -+

    -+

    Since: 3.7.3 -+

    -+ -+

    gnutls_sign_mark_secure

    -+
    -+
    Function: int gnutls_sign_mark_secure (gnutls_sign_algorithm_t sign, unsigned flags)
    -+

    sign: the sign algorithm -+

    -+

    flags: GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0 -+

    -+

    Invalidate previous system wide setting that marked sign as -+insecure. This only works if the algorithm is marked as insecure -+with gnutls_sign_mark_insecure() or through the allowlisting mode -+in the configuration file. -+

    -+

    If flags has GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set, -+it marks it the algorithm as secure for all purposes. -+If the absence of this flag, it will mark it as -+"secure, but not for certificates" at most, -+but it won’t restrict anything either. -+

    -+

    Since: 3.7.3 -+

    -+ -

    gnutls_sign_supports_pk_algorithm

    -
    -
    Function: unsigned gnutls_sign_supports_pk_algorithm (gnutls_sign_algorithm_t sign, gnutls_pk_algorithm_t pk)
    -@@ -45743,6 +45904,8 @@ - gnutls_digest_get_nameCore TLS API - gnutls_digest_get_oidCore TLS API - gnutls_digest_listCore TLS API -+gnutls_digest_mark_insecureCore TLS API -+gnutls_digest_mark_secureCore TLS API - gnutls_dtls_cookie_sendDatagram TLS API - gnutls_dtls_cookie_verifyDatagram TLS API - gnutls_dtls_get_data_mtuDatagram TLS API -@@ -45762,6 +45925,8 @@ - gnutls_ecc_curve_get_pkCore TLS API - gnutls_ecc_curve_get_sizeCore TLS API - gnutls_ecc_curve_listCore TLS API -+gnutls_ecc_curve_mark_disabledCore TLS API -+gnutls_ecc_curve_mark_enabledCore TLS API - gnutls_encode_ber_digest_infoCryptographic API - gnutls_encode_gost_rs_valueCryptographic API - gnutls_encode_rs_valueCryptographic API -@@ -46151,6 +46316,8 @@ - gnutls_protocol_get_nameCore TLS API - gnutls_protocol_get_versionCore TLS API - gnutls_protocol_listCore TLS API -+gnutls_protocol_mark_disabledCore TLS API -+gnutls_protocol_mark_enabledCore TLS API - gnutls_psk_allocate_client_credentialsCore TLS API - gnutls_psk_allocate_server_credentialsCore TLS API - gnutls_psk_client_get_hintCore TLS API -@@ -46325,6 +46492,8 @@ - gnutls_sign_is_secureCore TLS API - gnutls_sign_is_secure2Core TLS API - gnutls_sign_listCore TLS API -+gnutls_sign_mark_insecureCore TLS API -+gnutls_sign_mark_secureCore TLS API - gnutls_sign_supports_pk_algorithmCore TLS API - gnutls_srp_allocate_client_credentialsCore TLS API - gnutls_srp_allocate_server_credentialsCore TLS API -diff -ruN gnutls-3.7.2/doc/gnutls.info gnutls-3.7.2-bootstrapped/doc/gnutls.info ---- gnutls-3.7.2/doc/gnutls.info 2021-05-29 10:23:25.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info 2021-06-28 09:56:40.000000000 +0200 -@@ -29,12 +29,12 @@ -  - Indirect: - gnutls.info-1: 1291 --gnutls.info-2: 322163 --gnutls.info-3: 605942 --gnutls.info-4: 1147244 --gnutls.info-5: 1463965 --gnutls.info-6: 1515571 --gnutls.info-7: 1896190 -+gnutls.info-2: 322461 -+gnutls.info-3: 606240 -+gnutls.info-4: 1153831 -+gnutls.info-5: 1470552 -+gnutls.info-6: 1522158 -+gnutls.info-7: 1903361 -  - Tag Table: - (Indirect) -@@ -324,1507 +324,1515 @@ - Ref: p11tool set-id312425 - Ref: p11tool set-label312850 - Ref: p11tool write313198 --Ref: p11tool id313462 --Ref: p11tool mark-wrap313719 --Ref: p11tool mark-trusted313966 --Ref: p11tool mark-distrusted314330 --Ref: p11tool mark-decrypt314784 --Ref: p11tool mark-sign315061 --Ref: p11tool mark-ca315338 --Ref: p11tool mark-private315611 --Ref: p11tool ca315909 --Ref: p11tool private316043 --Ref: p11tool secret-key316198 --Ref: p11tool other-options316361 --Ref: p11tool debug316463 --Ref: p11tool so-login316604 --Ref: p11tool admin-login316848 --Ref: p11tool test-sign316989 --Ref: p11tool sign-params317283 --Ref: p11tool hash317623 --Ref: p11tool generate-random317919 --Ref: p11tool inder318093 --Ref: p11tool inraw318318 --Ref: p11tool outder318444 --Ref: p11tool outraw318696 --Ref: p11tool provider318829 --Ref: p11tool provider-opts319038 --Ref: p11tool batch319311 --Ref: p11tool exit status319464 --Ref: p11tool See Also319694 --Ref: p11tool Examples319742 --Node: Trusted Platform Module322163 --Ref: Trusted Platform Module-Footnote-1323956 --Ref: Trusted Platform Module-Footnote-2324004 --Node: Keys in TPM324061 --Node: Key generation325545 --Node: Using keys327813 --Node: tpmtool Invocation331458 --Ref: tpmtool usage331884 --Ref: tpmtool debug335196 --Ref: tpmtool generate-rsa335337 --Ref: tpmtool user335608 --Ref: tpmtool system335967 --Ref: tpmtool test-sign336321 --Ref: tpmtool sec-param336604 --Ref: tpmtool inder336930 --Ref: tpmtool outder337231 --Ref: tpmtool srk-well-known337450 --Ref: tpmtool exit status337606 --Ref: tpmtool See Also337836 --Ref: tpmtool Examples337897 --Node: How to use GnuTLS in applications338514 --Node: Introduction to the library339083 --Node: General idea339682 --Ref: fig-gnutls-design340531 --Ref: General idea-Footnote-1341836 --Node: Error handling341881 --Node: Common types344108 --Node: Debugging and auditing345442 --Ref: tab:environment346313 --Node: Thread safety349180 --Ref: Thread safety-Footnote-1351326 --Node: Running in a sandbox351538 --Node: Sessions and fork352932 --Node: Callback functions353484 --Node: Preparation354452 --Node: Headers354871 --Node: Initialization355160 --Ref: Initialization-Footnote-1356154 --Node: Version check356447 --Node: Building the source357322 --Node: Session initialization359433 --Ref: gnutls_init_flags_t360910 --Node: Associating the credentials367923 --Ref: tab:key-exchange-cred368699 --Node: Certificate credentials369830 --Node: Raw public-key credentials385415 --Node: SRP credentials386715 --Node: PSK credentials391613 --Node: Anonymous credentials395548 --Node: Setting up the transport layer396394 --Node: Asynchronous operation405947 --Node: Reducing round-trips410248 --Node: Zero-roundtrip mode413688 --Node: Anti-replay protection415893 --Node: DTLS sessions419538 --Ref: DTLS sessions-Footnote-1421842 --Node: DTLS and SCTP421919 --Node: TLS handshake422939 --Node: Data transfer and termination426857 --Node: Buffered data transfer435999 --Node: Handling alerts437800 --Node: Priority Strings441182 --Ref: tab:prio-keywords443782 --Ref: tab:prio-algorithms450860 --Ref: tab:prio-special1456290 --Ref: tab:prio-special2460137 --Ref: Priority Strings-Footnote-1466758 --Node: Selecting cryptographic key sizes466980 --Ref: tab:key-sizes467629 --Node: Advanced topics472378 --Node: Virtual hosts and credentials472876 --Node: Session resumption476201 --Node: Certificate verification484108 --Ref: dane_verify_status_t493829 --Node: TLS 1.2 re-authentication494234 --Node: TLS 1.3 re-authentication and re-key499091 --Node: Parameter generation500750 --Node: Deriving keys for other applications/protocols503397 --Node: Channel Bindings506627 --Node: Interoperability508166 --Node: Compatibility with the OpenSSL library509484 --Node: GnuTLS application examples510211 --Ref: examples510430 --Node: Client examples510723 --Node: Client example with X.509 certificate support511250 --Ref: ex-verify511488 --Node: Datagram TLS client example516532 --Node: Client using a smart card with TLS520937 --Ref: ex-pkcs11-client521174 --Node: Client with Resume capability example526469 --Ref: ex-resume-client526753 --Node: Client example with SSH-style certificate verification531940 --Node: Server examples536147 --Node: Echo server with X.509 authentication536501 --Node: DTLS echo server with X.509 authentication544225 --Node: More advanced client and servers558636 --Node: Client example with anonymous authentication559493 --Node: Using a callback to select the certificate to use563417 --Node: Obtaining session information569800 --Node: Advanced certificate verification example574013 --Ref: ex-verify2574289 --Node: Client example with PSK authentication579719 --Node: Client example with SRP authentication584085 --Node: Legacy client example with X.509 certificate support588369 --Ref: ex-verify-legacy588686 --Node: Client example in C++594639 --Node: Echo server with PSK authentication597211 --Node: Echo server with SRP authentication605942 --Node: Echo server with anonymous authentication612860 --Node: Helper functions for TCP connections618188 --Node: Helper functions for UDP connections619780 --Node: OCSP example621685 --Ref: Generate OCSP request621868 --Node: Miscellaneous examples631475 --Node: Checking for an alert631801 --Node: X.509 certificate parsing example633250 --Ref: ex-x509-info633507 --Node: Listing the ciphersuites in a priority string637536 --Node: PKCS12 structure generation example639853 --Node: System-wide configuration of the library644058 --Node: Application-specific priority strings645885 --Node: Disabling algorithms and protocols647333 --Node: Querying for disabled algorithms and protocols650217 --Node: Overriding the parameter verification profile651339 --Node: Overriding the default priority string652341 --Node: Using GnuTLS as a cryptographic library652958 --Ref: Using GnuTLS as a cryptographic library-Footnote-1653814 --Node: Symmetric algorithms653871 --Ref: gnutls_cipher_algorithm_t654631 --Ref: Symmetric algorithms-Footnote-1663061 --Node: Public key algorithms663146 --Node: Cryptographic Message Syntax / PKCS7667868 --Ref: gnutls_pkcs7_sign_flags671307 --Node: Hash and MAC functions672775 --Ref: gnutls_mac_algorithm_t673387 --Ref: gnutls_digest_algorithm_t676759 --Node: Random number generation677810 --Ref: gnutls_rnd_level_t678172 --Node: Overriding algorithms679279 --Node: Other included programs685597 --Node: gnutls-cli Invocation686168 --Ref: gnutls-cli usage686730 --Ref: gnutls-cli debug694480 --Ref: gnutls-cli tofu694621 --Ref: gnutls-cli strict-tofu695084 --Ref: gnutls-cli dane695486 --Ref: gnutls-cli local-dns695829 --Ref: gnutls-cli ca-verification696144 --Ref: gnutls-cli ocsp696499 --Ref: gnutls-cli resume696741 --Ref: gnutls-cli rehandshake696887 --Ref: gnutls-cli sni-hostname697054 --Ref: gnutls-cli verify-hostname697580 --Ref: gnutls-cli starttls697813 --Ref: gnutls-cli app-proto697997 --Ref: gnutls-cli starttls-proto698159 --Ref: gnutls-cli save-ocsp-multi698670 --Ref: gnutls-cli dh-bits699127 --Ref: gnutls-cli priority699478 --Ref: gnutls-cli rawpkkeyfile699856 --Ref: gnutls-cli rawpkfile700313 --Ref: gnutls-cli ranges700854 --Ref: gnutls-cli benchmark-ciphers701104 --Ref: gnutls-cli benchmark-tls-ciphers701422 --Ref: gnutls-cli list701741 --Ref: gnutls-cli priority-list702108 --Ref: gnutls-cli noticket702354 --Ref: gnutls-cli alpn702515 --Ref: gnutls-cli disable-extensions702824 --Ref: gnutls-cli single-key-share703056 --Ref: gnutls-cli post-handshake-auth703272 --Ref: gnutls-cli inline-commands703469 --Ref: gnutls-cli inline-commands-prefix703789 --Ref: gnutls-cli provider704192 --Ref: gnutls-cli logfile704389 --Ref: gnutls-cli waitresumption704746 --Ref: gnutls-cli ca-auto-retrieve705003 --Ref: gnutls-cli exit status705407 --Ref: gnutls-cli See Also705643 --Ref: gnutls-cli Examples705720 --Node: gnutls-serv Invocation709927 --Ref: gnutls-serv usage710404 --Ref: gnutls-serv debug715924 --Ref: gnutls-serv sni-hostname716065 --Ref: gnutls-serv alpn716397 --Ref: gnutls-serv require-client-cert716684 --Ref: gnutls-serv verify-client-cert716928 --Ref: gnutls-serv heartbeat717157 --Ref: gnutls-serv priority717308 --Ref: gnutls-serv x509keyfile717677 --Ref: gnutls-serv x509certfile718194 --Ref: gnutls-serv x509dsakeyfile718711 --Ref: gnutls-serv x509dsacertfile718875 --Ref: gnutls-serv x509ecckeyfile719042 --Ref: gnutls-serv x509ecccertfile719204 --Ref: gnutls-serv rawpkkeyfile719371 --Ref: gnutls-serv rawpkfile720190 --Ref: gnutls-serv ocsp-response721045 --Ref: gnutls-serv ignore-ocsp-response-errors721362 --Ref: gnutls-serv list721609 --Ref: gnutls-serv provider721847 --Ref: gnutls-serv exit status722044 --Ref: gnutls-serv See Also722282 --Ref: gnutls-serv Examples722360 --Node: gnutls-cli-debug Invocation727668 --Ref: gnutls-cli-debug usage728490 --Ref: gnutls-cli-debug debug730745 --Ref: gnutls-cli-debug app-proto730886 --Ref: gnutls-cli-debug starttls-proto731054 --Ref: gnutls-cli-debug exit status731433 --Ref: gnutls-cli-debug See Also731681 --Ref: gnutls-cli-debug Examples731764 --Node: Internal architecture of GnuTLS735261 --Node: The TLS Protocol735867 --Ref: fig-client-server736343 --Node: TLS Handshake Protocol736433 --Ref: fig-gnutls-handshake736875 --Ref: fig-gnutls-handshake-sequence737384 --Node: TLS Authentication Methods737482 --Ref: TLS Authentication Methods-Footnote-1739786 --Node: TLS Hello Extension Handling739852 --Node: Cryptographic Backend752954 --Ref: fig-crypto-layers753637 --Ref: Cryptographic Backend-Footnote-1756919 --Ref: Cryptographic Backend-Footnote-2757004 --Node: Random Number Generators-internals757112 --Node: FIPS140-2 mode764476 --Ref: gnutls_fips_mode_t767112 --Node: Upgrading from previous versions769259 --Node: Support783253 --Node: Getting help783501 --Node: Commercial Support784089 --Node: Bug Reports784360 --Node: Contributing785724 --Node: Certification787750 --Node: Error codes788214 --Node: Supported ciphersuites812847 --Ref: ciphersuites813020 --Node: API reference828064 --Node: Core TLS API828474 --Ref: gnutls_alert_get828701 --Ref: gnutls_alert_get_name829320 --Ref: gnutls_alert_get_strname829705 --Ref: gnutls_alert_send830040 --Ref: gnutls_alert_send_appropriate830918 --Ref: gnutls_alert_set_read_function831885 --Ref: gnutls_alpn_get_selected_protocol832269 --Ref: gnutls_alpn_set_protocols832933 --Ref: gnutls_anon_allocate_client_credentials833770 --Ref: gnutls_anon_allocate_server_credentials834155 --Ref: gnutls_anon_free_client_credentials834532 --Ref: gnutls_anon_free_server_credentials834821 --Ref: gnutls_anon_set_params_function835102 --Ref: gnutls_anon_set_server_dh_params835778 --Ref: gnutls_anon_set_server_known_dh_params836438 --Ref: gnutls_anon_set_server_params_function837347 --Ref: gnutls_anti_replay_deinit838010 --Ref: gnutls_anti_replay_enable838324 --Ref: gnutls_anti_replay_init838672 --Ref: gnutls_anti_replay_set_add_function839200 --Ref: gnutls_anti_replay_set_ptr840218 --Ref: gnutls_anti_replay_set_window840553 --Ref: gnutls_auth_client_get_type841321 --Ref: gnutls_auth_get_type841948 --Ref: gnutls_auth_server_get_type842760 --Ref: gnutls_base64_decode2843389 --Ref: gnutls_base64_encode2843945 --Ref: gnutls_buffer_append_data844565 --Ref: gnutls_bye844963 --Ref: gnutls_certificate_activation_time_peers846564 --Ref: gnutls_certificate_allocate_credentials846982 --Ref: gnutls_certificate_client_get_request_status847379 --Ref: gnutls_certificate_expiration_time_peers847787 --Ref: gnutls_certificate_free_ca_names848191 --Ref: gnutls_certificate_free_cas848860 --Ref: gnutls_certificate_free_credentials849263 --Ref: gnutls_certificate_free_crls849697 --Ref: gnutls_certificate_free_keys849997 --Ref: gnutls_certificate_get_crt_raw850431 --Ref: gnutls_certificate_get_issuer851502 --Ref: gnutls_certificate_get_ocsp_expiration852585 --Ref: gnutls_certificate_get_ours853756 --Ref: gnutls_certificate_get_peers854586 --Ref: gnutls_certificate_get_peers_subkey_id855709 --Ref: gnutls_certificate_get_verify_flags856065 --Ref: gnutls_certificate_get_x509_crt856478 --Ref: gnutls_certificate_get_x509_key858122 --Ref: gnutls_certificate_send_x509_rdn_sequence859437 --Ref: gnutls_certificate_server_set_request860144 --Ref: gnutls_certificate_set_dh_params860934 --Ref: gnutls_certificate_set_flags861753 --Ref: gnutls_certificate_set_known_dh_params862278 --Ref: gnutls_certificate_set_ocsp_status_request_file863206 --Ref: gnutls_certificate_set_ocsp_status_request_file2865112 --Ref: gnutls_certificate_set_ocsp_status_request_function866630 --Ref: gnutls_certificate_set_ocsp_status_request_function2868118 --Ref: gnutls_certificate_set_ocsp_status_request_mem870084 --Ref: gnutls_certificate_set_params_function871859 --Ref: gnutls_certificate_set_pin_function872556 --Ref: gnutls_certificate_set_rawpk_key_file873209 --Ref: gnutls_certificate_set_rawpk_key_mem876513 --Ref: gnutls_certificate_set_retrieve_function879660 --Ref: gnutls_certificate_set_verify_flags881790 --Ref: gnutls_certificate_set_verify_function882283 --Ref: gnutls_certificate_set_verify_limits883347 --Ref: gnutls_certificate_set_x509_crl884028 --Ref: gnutls_certificate_set_x509_crl_file884856 --Ref: gnutls_certificate_set_x509_crl_mem885637 --Ref: gnutls_certificate_set_x509_key886414 --Ref: gnutls_certificate_set_x509_key_file888082 --Ref: gnutls_certificate_set_x509_key_file2890318 --Ref: gnutls_certificate_set_x509_key_mem892852 --Ref: gnutls_certificate_set_x509_key_mem2894500 --Ref: gnutls_certificate_set_x509_simple_pkcs12_file896313 --Ref: gnutls_certificate_set_x509_simple_pkcs12_mem898443 --Ref: gnutls_certificate_set_x509_system_trust900543 --Ref: gnutls_certificate_set_x509_trust901113 --Ref: gnutls_certificate_set_x509_trust_dir902093 --Ref: gnutls_certificate_set_x509_trust_file902831 --Ref: gnutls_certificate_set_x509_trust_mem904007 --Ref: gnutls_certificate_type_get904950 --Ref: gnutls_certificate_type_get2905797 --Ref: gnutls_certificate_type_get_id907182 --Ref: gnutls_certificate_type_get_name907579 --Ref: gnutls_certificate_type_list907962 --Ref: gnutls_certificate_verification_status_print908316 --Ref: gnutls_certificate_verify_peers909074 --Ref: gnutls_certificate_verify_peers2911870 --Ref: gnutls_certificate_verify_peers3913785 --Ref: gnutls_check_version916095 --Ref: gnutls_cipher_get916837 --Ref: gnutls_cipher_get_id917142 --Ref: gnutls_cipher_get_key_size917524 --Ref: gnutls_cipher_get_name917888 --Ref: gnutls_cipher_list918235 --Ref: gnutls_cipher_suite_get_name918795 --Ref: gnutls_cipher_suite_info919663 --Ref: gnutls_credentials_clear920846 --Ref: gnutls_credentials_get921074 --Ref: gnutls_credentials_set922029 --Ref: gnutls_db_check_entry923393 --Ref: gnutls_db_check_entry_expire_time923850 --Ref: gnutls_db_check_entry_time924256 --Ref: gnutls_db_get_default_cache_expiration924647 --Ref: gnutls_db_get_ptr924842 --Ref: gnutls_db_remove_session925154 --Ref: gnutls_db_set_cache_expiration925691 --Ref: gnutls_db_set_ptr926112 --Ref: gnutls_db_set_remove_function926447 --Ref: gnutls_db_set_retrieve_function926950 --Ref: gnutls_db_set_store_function927636 --Ref: gnutls_deinit928103 --Ref: gnutls_dh_get_group928442 --Ref: gnutls_dh_get_peers_public_bits929294 --Ref: gnutls_dh_get_prime_bits929738 --Ref: gnutls_dh_get_pubkey930378 --Ref: gnutls_dh_get_secret_bits931076 --Ref: gnutls_dh_params_cpy931508 --Ref: gnutls_dh_params_deinit932016 --Ref: gnutls_dh_params_export2_pkcs3932257 --Ref: gnutls_dh_params_export_pkcs3933078 --Ref: gnutls_dh_params_export_raw934097 --Ref: gnutls_dh_params_generate2934850 --Ref: gnutls_dh_params_import_dsa936104 --Ref: gnutls_dh_params_import_pkcs3936581 --Ref: gnutls_dh_params_import_raw937320 --Ref: gnutls_dh_params_import_raw2937950 --Ref: gnutls_dh_params_import_raw3938664 --Ref: gnutls_dh_params_init939364 --Ref: gnutls_dh_set_prime_bits939695 --Ref: gnutls_digest_get_id940798 --Ref: gnutls_digest_get_name941224 --Ref: gnutls_digest_get_oid941570 --Ref: gnutls_digest_list941961 --Ref: gnutls_early_cipher_get942332 --Ref: gnutls_early_prf_hash_get942705 --Ref: gnutls_ecc_curve_get943123 --Ref: gnutls_ecc_curve_get_id943524 --Ref: gnutls_ecc_curve_get_name943905 --Ref: gnutls_ecc_curve_get_oid944239 --Ref: gnutls_ecc_curve_get_pk944584 --Ref: gnutls_ecc_curve_get_size944888 --Ref: gnutls_ecc_curve_list945117 --Ref: gnutls_error_is_fatal945440 --Ref: gnutls_error_to_alert946242 --Ref: gnutls_est_record_overhead_size946974 --Ref: gnutls_ext_get_current_msg947882 --Ref: gnutls_ext_get_data948573 --Ref: gnutls_ext_get_name949088 --Ref: gnutls_ext_get_name2949406 --Ref: gnutls_ext_raw_parse949916 --Ref: gnutls_ext_register951066 --Ref: gnutls_ext_set_data952701 --Ref: gnutls_fingerprint953212 --Ref: gnutls_fips140_mode_enabled954218 --Ref: gnutls_fips140_set_mode954772 --Ref: gnutls_get_system_config_file955825 --Ref: gnutls_global_deinit956201 --Ref: gnutls_global_init956651 --Ref: gnutls_global_set_audit_log_function957926 --Ref: gnutls_global_set_log_function958633 --Ref: gnutls_global_set_log_level959141 --Ref: gnutls_global_set_mutex959629 --Ref: gnutls_global_set_time_function960731 --Ref: gnutls_gost_paramset_get_name961168 --Ref: gnutls_gost_paramset_get_oid961544 --Ref: gnutls_group_get961921 --Ref: gnutls_group_get_id962291 --Ref: gnutls_group_get_name962638 --Ref: gnutls_group_list962958 --Ref: gnutls_handshake963280 --Ref: gnutls_handshake_description_get_name965385 --Ref: gnutls_handshake_get_last_in965773 --Ref: gnutls_handshake_get_last_out966398 --Ref: gnutls_handshake_set_hook_function967030 --Ref: gnutls_handshake_set_max_packet_length968422 --Ref: gnutls_handshake_set_post_client_hello_function969207 --Ref: gnutls_handshake_set_private_extensions970533 --Ref: gnutls_handshake_set_random971212 --Ref: gnutls_handshake_set_read_function971932 --Ref: gnutls_handshake_set_secret_function972333 --Ref: gnutls_handshake_set_timeout972712 --Ref: gnutls_handshake_write973402 --Ref: gnutls_heartbeat_allowed974103 --Ref: gnutls_heartbeat_enable974577 --Ref: gnutls_heartbeat_get_timeout975415 --Ref: gnutls_heartbeat_ping975954 --Ref: gnutls_heartbeat_pong977086 --Ref: gnutls_heartbeat_set_timeouts977493 --Ref: gnutls_hex2bin978264 --Ref: gnutls_hex_decode978983 --Ref: gnutls_hex_decode2979709 --Ref: gnutls_hex_encode980138 --Ref: gnutls_hex_encode2980735 --Ref: gnutls_idna_map981250 --Ref: gnutls_idna_reverse_map982380 --Ref: gnutls_init983145 --Ref: gnutls_key_generate983973 --Ref: gnutls_kx_get984390 --Ref: gnutls_kx_get_id984976 --Ref: gnutls_kx_get_name985320 --Ref: gnutls_kx_list985665 --Ref: gnutls_load_file985993 --Ref: gnutls_mac_get986765 --Ref: gnutls_mac_get_id987070 --Ref: gnutls_mac_get_key_size987483 --Ref: gnutls_mac_get_name987820 --Ref: gnutls_mac_list988139 --Ref: gnutls_memcmp988527 --Ref: gnutls_memset989087 --Ref: gnutls_ocsp_status_request_enable_client989481 --Ref: gnutls_ocsp_status_request_get990492 --Ref: gnutls_ocsp_status_request_get2991154 --Ref: gnutls_ocsp_status_request_is_checked992149 --Ref: gnutls_oid_to_digest993537 --Ref: gnutls_oid_to_ecc_curve993946 --Ref: gnutls_oid_to_gost_paramset994272 --Ref: gnutls_oid_to_mac994683 --Ref: gnutls_oid_to_pk995096 --Ref: gnutls_oid_to_sign995468 --Ref: gnutls_openpgp_send_cert995872 --Ref: gnutls_packet_deinit996174 --Ref: gnutls_packet_get996448 --Ref: gnutls_pem_base64_decode996953 --Ref: gnutls_pem_base64_decode2997808 --Ref: gnutls_pem_base64_encode998803 --Ref: gnutls_pem_base64_encode2999632 --Ref: gnutls_perror1000568 --Ref: gnutls_pk_algorithm_get_name1000864 --Ref: gnutls_pk_bits_to_sec_param1001220 --Ref: gnutls_pk_get_id1001694 --Ref: gnutls_pk_get_name1002212 --Ref: gnutls_pk_get_oid1002580 --Ref: gnutls_pk_list1002979 --Ref: gnutls_pk_to_sign1003312 --Ref: gnutls_prf1003723 --Ref: gnutls_prf_early1005718 --Ref: gnutls_prf_hash_get1007373 --Ref: gnutls_prf_raw1007905 --Ref: gnutls_prf_rfc57051009789 --Ref: gnutls_priority_certificate_type_list1011466 --Ref: gnutls_priority_certificate_type_list21012162 --Ref: gnutls_priority_cipher_list1012778 --Ref: gnutls_priority_deinit1013165 --Ref: gnutls_priority_ecc_curve_list1013408 --Ref: gnutls_priority_get_cipher_suite_index1013940 --Ref: gnutls_priority_group_list1014856 --Ref: gnutls_priority_init1015237 --Ref: gnutls_priority_init21016317 --Ref: gnutls_priority_kx_list1020691 --Ref: gnutls_priority_mac_list1021096 --Ref: gnutls_priority_protocol_list1021501 --Ref: gnutls_priority_set1021903 --Ref: gnutls_priority_set_direct1022558 --Ref: gnutls_priority_sign_list1023491 --Ref: gnutls_priority_string_list1023907 --Ref: gnutls_protocol_get_id1024539 --Ref: gnutls_protocol_get_name1024855 --Ref: gnutls_protocol_get_version1025214 --Ref: gnutls_protocol_list1025512 --Ref: gnutls_psk_allocate_client_credentials1025882 --Ref: gnutls_psk_allocate_server_credentials1026302 --Ref: gnutls_psk_client_get_hint1026698 --Ref: gnutls_psk_free_client_credentials1027325 --Ref: gnutls_psk_free_server_credentials1027608 --Ref: gnutls_psk_server_get_username1027883 --Ref: gnutls_psk_server_get_username21028590 --Ref: gnutls_psk_set_client_credentials1029284 --Ref: gnutls_psk_set_client_credentials21030307 --Ref: gnutls_psk_set_client_credentials_function1031087 --Ref: gnutls_psk_set_client_credentials_function21032090 --Ref: gnutls_psk_set_params_function1033247 --Ref: gnutls_psk_set_server_credentials_file1033927 --Ref: gnutls_psk_set_server_credentials_function1034788 --Ref: gnutls_psk_set_server_credentials_function21035742 --Ref: gnutls_psk_set_server_credentials_hint1036865 --Ref: gnutls_psk_set_server_dh_params1037489 --Ref: gnutls_psk_set_server_known_dh_params1038174 --Ref: gnutls_psk_set_server_params_function1039071 --Ref: gnutls_random_art1039712 --Ref: gnutls_range_split1040574 --Ref: gnutls_reauth1041656 --Ref: gnutls_record_can_use_length_hiding1043758 --Ref: gnutls_record_check_corked1044509 --Ref: gnutls_record_check_pending1044892 --Ref: gnutls_record_cork1045303 --Ref: gnutls_record_disable_padding1045717 --Ref: gnutls_record_discard_queued1046325 --Ref: gnutls_record_get_direction1046942 --Ref: gnutls_record_get_max_early_data_size1047923 --Ref: gnutls_record_get_max_size1048475 --Ref: gnutls_record_get_state1048842 --Ref: gnutls_record_overhead_size1049864 --Ref: gnutls_record_recv1050251 --Ref: gnutls_record_recv_early_data1051701 --Ref: gnutls_record_recv_packet1052763 --Ref: gnutls_record_recv_seq1053642 --Ref: gnutls_record_send1054628 --Ref: gnutls_record_send21056686 --Ref: gnutls_record_send_early_data1057838 --Ref: gnutls_record_send_range1058894 --Ref: gnutls_record_set_max_early_data_size1060073 --Ref: gnutls_record_set_max_recv_size1060719 --Ref: gnutls_record_set_max_size1061423 --Ref: gnutls_record_set_state1062602 --Ref: gnutls_record_set_timeout1063260 --Ref: gnutls_record_uncork1063861 --Ref: gnutls_rehandshake1064801 --Ref: gnutls_safe_renegotiation_status1066583 --Ref: gnutls_sec_param_get_name1066998 --Ref: gnutls_sec_param_to_pk_bits1067372 --Ref: gnutls_sec_param_to_symmetric_bits1068042 --Ref: gnutls_server_name_get1068426 --Ref: gnutls_server_name_set1069898 --Ref: gnutls_session_channel_binding1071056 --Ref: gnutls_session_enable_compatibility_mode1071774 --Ref: gnutls_session_etm_status1072481 --Ref: gnutls_session_ext_master_secret_status1072884 --Ref: gnutls_session_ext_register1073375 --Ref: gnutls_session_force_valid1075637 --Ref: gnutls_session_get_data1076058 --Ref: gnutls_session_get_data21076718 --Ref: gnutls_session_get_desc1078991 --Ref: gnutls_session_get_flags1079513 --Ref: gnutls_session_get_id1080051 --Ref: gnutls_session_get_id21081574 --Ref: gnutls_session_get_keylog_function1083044 --Ref: gnutls_session_get_master_secret1083451 --Ref: gnutls_session_get_ptr1083935 --Ref: gnutls_session_get_random1084330 --Ref: gnutls_session_get_verify_cert_status1084951 --Ref: gnutls_session_is_resumed1085624 --Ref: gnutls_session_key_update1085994 --Ref: gnutls_session_resumption_requested1086942 --Ref: gnutls_session_set_data1087324 --Ref: gnutls_session_set_id1088165 --Ref: gnutls_session_set_keylog_function1088840 --Ref: gnutls_session_set_premaster1089239 --Ref: gnutls_session_set_ptr1090334 --Ref: gnutls_session_set_verify_cert1090734 --Ref: gnutls_session_set_verify_cert21092078 --Ref: gnutls_session_set_verify_function1093262 --Ref: gnutls_session_supplemental_register1094374 --Ref: gnutls_session_ticket_enable_client1095632 --Ref: gnutls_session_ticket_enable_server1096125 --Ref: gnutls_session_ticket_key_generate1096919 --Ref: gnutls_session_ticket_send1097347 --Ref: gnutls_set_default_priority1097931 --Ref: gnutls_set_default_priority_append1099016 --Ref: gnutls_sign_algorithm_get1100358 --Ref: gnutls_sign_algorithm_get_client1100801 --Ref: gnutls_sign_algorithm_get_requested1101268 --Ref: gnutls_sign_get_hash_algorithm1102295 --Ref: gnutls_sign_get_id1102707 --Ref: gnutls_sign_get_name1103070 --Ref: gnutls_sign_get_oid1103402 --Ref: gnutls_sign_get_pk_algorithm1103788 --Ref: gnutls_sign_is_secure1104395 --Ref: gnutls_sign_is_secure21104665 --Ref: gnutls_sign_list1105001 --Ref: gnutls_sign_supports_pk_algorithm1105361 --Ref: gnutls_srp_allocate_client_credentials1105945 --Ref: gnutls_srp_allocate_server_credentials1106346 --Ref: gnutls_srp_base64_decode1106719 --Ref: gnutls_srp_base64_decode21107424 --Ref: gnutls_srp_base64_encode1108092 --Ref: gnutls_srp_base64_encode21108893 --Ref: gnutls_srp_free_client_credentials1109624 --Ref: gnutls_srp_free_server_credentials1109907 --Ref: gnutls_srp_server_get_username1110182 --Ref: gnutls_srp_set_client_credentials1110636 --Ref: gnutls_srp_set_client_credentials_function1111526 --Ref: gnutls_srp_set_prime_bits1112773 --Ref: gnutls_srp_set_server_credentials_file1113458 --Ref: gnutls_srp_set_server_credentials_function1114184 --Ref: gnutls_srp_set_server_fake_salt_seed1115899 --Ref: gnutls_srp_verifier1117402 --Ref: gnutls_srtp_get_keys1118330 --Ref: gnutls_srtp_get_mki1119724 --Ref: gnutls_srtp_get_profile_id1120293 --Ref: gnutls_srtp_get_profile_name1120751 --Ref: gnutls_srtp_get_selected_profile1121172 --Ref: gnutls_srtp_set_mki1121616 --Ref: gnutls_srtp_set_profile1122065 --Ref: gnutls_srtp_set_profile_direct1122597 --Ref: gnutls_store_commitment1123320 --Ref: gnutls_store_pubkey1124619 --Ref: gnutls_strerror1126406 --Ref: gnutls_strerror_name1126891 --Ref: gnutls_supplemental_get_name1127360 --Ref: gnutls_supplemental_recv1127782 --Ref: gnutls_supplemental_register1128252 --Ref: gnutls_supplemental_send1129364 --Ref: gnutls_system_recv_timeout1129809 --Ref: gnutls_tdb_deinit1130551 --Ref: gnutls_tdb_init1130766 --Ref: gnutls_tdb_set_store_commitment_func1131125 --Ref: gnutls_tdb_set_store_func1131806 --Ref: gnutls_tdb_set_verify_func1132395 --Ref: gnutls_transport_get_int1133139 --Ref: gnutls_transport_get_int21133547 --Ref: gnutls_transport_get_ptr1134050 --Ref: gnutls_transport_get_ptr21134466 --Ref: gnutls_transport_set_errno1135000 --Ref: gnutls_transport_set_errno_function1135987 --Ref: gnutls_transport_set_int1136524 --Ref: gnutls_transport_set_int21137078 --Ref: gnutls_transport_set_ptr1137807 --Ref: gnutls_transport_set_ptr21138220 --Ref: gnutls_transport_set_pull_function1138864 --Ref: gnutls_transport_set_pull_timeout_function1139644 --Ref: gnutls_transport_set_push_function1141347 --Ref: gnutls_transport_set_vec_push_function1142192 --Ref: gnutls_url_is_supported1142888 --Ref: gnutls_utf8_password_normalize1143308 --Ref: gnutls_verify_stored_pubkey1144097 --Node: Datagram TLS API1147244 --Ref: gnutls_dtls_cookie_send1147520 --Ref: gnutls_dtls_cookie_verify1148775 --Ref: gnutls_dtls_get_data_mtu1149719 --Ref: gnutls_dtls_get_mtu1150162 --Ref: gnutls_dtls_get_timeout1150605 --Ref: gnutls_dtls_prestate_set1151148 --Ref: gnutls_dtls_set_data_mtu1151732 --Ref: gnutls_dtls_set_mtu1152706 --Ref: gnutls_dtls_set_timeouts1153313 --Ref: gnutls_record_get_discarded1154317 --Node: X509 certificate API1154591 --Ref: gnutls_certificate_get_trust_list1154940 --Ref: gnutls_certificate_set_trust_list1155588 --Ref: gnutls_certificate_verification_profile_get_id1156363 --Ref: gnutls_certificate_verification_profile_get_name1156910 --Ref: gnutls_pkcs8_info1157293 --Ref: gnutls_pkcs_schema_get_name1158811 --Ref: gnutls_pkcs_schema_get_oid1159216 --Ref: gnutls_session_set_verify_output_function1159643 --Ref: gnutls_subject_alt_names_deinit1160800 --Ref: gnutls_subject_alt_names_get1161079 --Ref: gnutls_subject_alt_names_init1162089 --Ref: gnutls_subject_alt_names_set1162469 --Ref: gnutls_x509_aia_deinit1163288 --Ref: gnutls_x509_aia_get1163522 --Ref: gnutls_x509_aia_init1164681 --Ref: gnutls_x509_aia_set1165016 --Ref: gnutls_x509_aki_deinit1165811 --Ref: gnutls_x509_aki_get_cert_issuer1166075 --Ref: gnutls_x509_aki_get_id1167141 --Ref: gnutls_x509_aki_init1167680 --Ref: gnutls_x509_aki_set_cert_issuer1168029 --Ref: gnutls_x509_aki_set_id1169144 --Ref: gnutls_x509_cidr_to_rfc52801169573 --Ref: gnutls_x509_crl_check_issuer1170471 --Ref: gnutls_x509_crl_deinit1170919 --Ref: gnutls_x509_crl_dist_points_deinit1171151 --Ref: gnutls_x509_crl_dist_points_get1171446 --Ref: gnutls_x509_crl_dist_points_init1172420 --Ref: gnutls_x509_crl_dist_points_set1172816 --Ref: gnutls_x509_crl_export1173519 --Ref: gnutls_x509_crl_export21174402 --Ref: gnutls_x509_crl_get_authority_key_gn_serial1175122 --Ref: gnutls_x509_crl_get_authority_key_id1176436 --Ref: gnutls_x509_crl_get_crt_count1177499 --Ref: gnutls_x509_crl_get_crt_serial1177857 --Ref: gnutls_x509_crl_get_dn_oid1178761 --Ref: gnutls_x509_crl_get_extension_data1179567 --Ref: gnutls_x509_crl_get_extension_data21180684 --Ref: gnutls_x509_crl_get_extension_info1181563 --Ref: gnutls_x509_crl_get_extension_oid1182827 --Ref: gnutls_x509_crl_get_issuer_dn1183679 --Ref: gnutls_x509_crl_get_issuer_dn21184680 --Ref: gnutls_x509_crl_get_issuer_dn31185514 --Ref: gnutls_x509_crl_get_issuer_dn_by_oid1186492 --Ref: gnutls_x509_crl_get_next_update1188003 --Ref: gnutls_x509_crl_get_number1188437 --Ref: gnutls_x509_crl_get_raw_issuer_dn1189162 --Ref: gnutls_x509_crl_get_signature1189616 --Ref: gnutls_x509_crl_get_signature_algorithm1190163 --Ref: gnutls_x509_crl_get_signature_oid1190725 --Ref: gnutls_x509_crl_get_this_update1191386 --Ref: gnutls_x509_crl_get_version1191711 --Ref: gnutls_x509_crl_import1192019 --Ref: gnutls_x509_crl_init1192643 --Ref: gnutls_x509_crl_iter_crt_serial1193232 --Ref: gnutls_x509_crl_iter_deinit1194378 --Ref: gnutls_x509_crl_list_import1194623 --Ref: gnutls_x509_crl_list_import21195625 --Ref: gnutls_x509_crl_print1196491 --Ref: gnutls_x509_crl_set_authority_key_id1197140 --Ref: gnutls_x509_crl_set_crt1197793 --Ref: gnutls_x509_crl_set_crt_serial1198366 --Ref: gnutls_x509_crl_set_next_update1198998 --Ref: gnutls_x509_crl_set_number1199615 --Ref: gnutls_x509_crl_set_this_update1200192 --Ref: gnutls_x509_crl_set_version1200596 --Ref: gnutls_x509_crl_sign1201139 --Ref: gnutls_x509_crl_sign21201832 --Ref: gnutls_x509_crl_verify1203068 --Ref: gnutls_x509_crq_deinit1204312 --Ref: gnutls_x509_crq_export1204550 --Ref: gnutls_x509_crq_export21205547 --Ref: gnutls_x509_crq_get_attribute_by_oid1206321 --Ref: gnutls_x509_crq_get_attribute_data1207346 --Ref: gnutls_x509_crq_get_attribute_info1208458 --Ref: gnutls_x509_crq_get_basic_constraints1209655 --Ref: gnutls_x509_crq_get_challenge_password1210908 --Ref: gnutls_x509_crq_get_dn1211520 --Ref: gnutls_x509_crq_get_dn21212469 --Ref: gnutls_x509_crq_get_dn31213326 --Ref: gnutls_x509_crq_get_dn_by_oid1214334 --Ref: gnutls_x509_crq_get_dn_oid1215795 --Ref: gnutls_x509_crq_get_extension_by_oid1216582 --Ref: gnutls_x509_crq_get_extension_by_oid21217739 --Ref: gnutls_x509_crq_get_extension_data1218821 --Ref: gnutls_x509_crq_get_extension_data21219951 --Ref: gnutls_x509_crq_get_extension_info1220830 --Ref: gnutls_x509_crq_get_key_id1222091 --Ref: gnutls_x509_crq_get_key_purpose_oid1223158 --Ref: gnutls_x509_crq_get_key_rsa_raw1224173 --Ref: gnutls_x509_crq_get_key_usage1224797 --Ref: gnutls_x509_crq_get_pk_algorithm1225883 --Ref: gnutls_x509_crq_get_pk_oid1226604 --Ref: gnutls_x509_crq_get_private_key_usage_period1227261 --Ref: gnutls_x509_crq_get_signature_algorithm1227976 --Ref: gnutls_x509_crq_get_signature_oid1228615 --Ref: gnutls_x509_crq_get_spki1229276 --Ref: gnutls_x509_crq_get_subject_alt_name1229836 --Ref: gnutls_x509_crq_get_subject_alt_othername_oid1231394 --Ref: gnutls_x509_crq_get_tlsfeatures1232874 --Ref: gnutls_x509_crq_get_version1234003 --Ref: gnutls_x509_crq_import1234349 --Ref: gnutls_x509_crq_init1235031 --Ref: gnutls_x509_crq_print1235379 --Ref: gnutls_x509_crq_set_attribute_by_oid1236035 --Ref: gnutls_x509_crq_set_basic_constraints1236900 --Ref: gnutls_x509_crq_set_challenge_password1237644 --Ref: gnutls_x509_crq_set_dn1238095 --Ref: gnutls_x509_crq_set_dn_by_oid1238713 --Ref: gnutls_x509_crq_set_extension_by_oid1239843 --Ref: gnutls_x509_crq_set_key1240622 --Ref: gnutls_x509_crq_set_key_purpose_oid1241085 --Ref: gnutls_x509_crq_set_key_rsa_raw1241865 --Ref: gnutls_x509_crq_set_key_usage1242441 --Ref: gnutls_x509_crq_set_private_key_usage_period1242945 --Ref: gnutls_x509_crq_set_spki1243450 --Ref: gnutls_x509_crq_set_subject_alt_name1244321 --Ref: gnutls_x509_crq_set_subject_alt_othername1245147 --Ref: gnutls_x509_crq_set_tlsfeatures1245985 --Ref: gnutls_x509_crq_set_version1246535 --Ref: gnutls_x509_crq_sign1247020 --Ref: gnutls_x509_crq_sign21247791 --Ref: gnutls_x509_crq_verify1249123 --Ref: gnutls_x509_crt_check_email1249716 --Ref: gnutls_x509_crt_check_hostname1250244 --Ref: gnutls_x509_crt_check_hostname21250956 --Ref: gnutls_x509_crt_check_ip1252707 --Ref: gnutls_x509_crt_check_issuer1253321 --Ref: gnutls_x509_crt_check_key_purpose1254059 --Ref: gnutls_x509_crt_check_revocation1254753 --Ref: gnutls_x509_crt_cpy_crl_dist_points1255402 --Ref: gnutls_x509_crt_deinit1255991 --Ref: gnutls_x509_crt_equals1256209 --Ref: gnutls_x509_crt_equals21256591 --Ref: gnutls_x509_crt_export1257015 --Ref: gnutls_x509_crt_export21257926 --Ref: gnutls_x509_crt_get_activation_time1258624 --Ref: gnutls_x509_crt_get_authority_info_access1259002 --Ref: gnutls_x509_crt_get_authority_key_gn_serial1262476 --Ref: gnutls_x509_crt_get_authority_key_id1263917 --Ref: gnutls_x509_crt_get_basic_constraints1265048 --Ref: gnutls_x509_crt_get_ca_status1266262 --Ref: gnutls_x509_crt_get_crl_dist_points1267261 --Ref: gnutls_x509_crt_get_dn1268586 --Ref: gnutls_x509_crt_get_dn21269781 --Ref: gnutls_x509_crt_get_dn31270590 --Ref: gnutls_x509_crt_get_dn_by_oid1271550 --Ref: gnutls_x509_crt_get_dn_oid1273319 --Ref: gnutls_x509_crt_get_expiration_time1274347 --Ref: gnutls_x509_crt_get_extension_by_oid1274713 --Ref: gnutls_x509_crt_get_extension_by_oid21275840 --Ref: gnutls_x509_crt_get_extension_data1276913 --Ref: gnutls_x509_crt_get_extension_data21278002 --Ref: gnutls_x509_crt_get_extension_info1278867 --Ref: gnutls_x509_crt_get_extension_oid1280279 --Ref: gnutls_x509_crt_get_fingerprint1281242 --Ref: gnutls_x509_crt_get_inhibit_anypolicy1282130 --Ref: gnutls_x509_crt_get_issuer1283099 --Ref: gnutls_x509_crt_get_issuer_alt_name1283737 --Ref: gnutls_x509_crt_get_issuer_alt_name21285537 --Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1287119 --Ref: gnutls_x509_crt_get_issuer_dn1288768 --Ref: gnutls_x509_crt_get_issuer_dn21289889 --Ref: gnutls_x509_crt_get_issuer_dn31290736 --Ref: gnutls_x509_crt_get_issuer_dn_by_oid1291727 --Ref: gnutls_x509_crt_get_issuer_dn_oid1293514 --Ref: gnutls_x509_crt_get_issuer_unique_id1294550 --Ref: gnutls_x509_crt_get_key_id1295645 --Ref: gnutls_x509_crt_get_key_purpose_oid1296668 --Ref: gnutls_x509_crt_get_key_usage1297829 --Ref: gnutls_x509_crt_get_name_constraints1298889 --Ref: gnutls_x509_crt_get_pk_algorithm1300297 --Ref: gnutls_x509_crt_get_pk_dsa_raw1301086 --Ref: gnutls_x509_crt_get_pk_ecc_raw1301754 --Ref: gnutls_x509_crt_get_pk_gost_raw1302567 --Ref: gnutls_x509_crt_get_pk_oid1303411 --Ref: gnutls_x509_crt_get_pk_rsa_raw1304037 --Ref: gnutls_x509_crt_get_policy1304615 --Ref: gnutls_x509_crt_get_private_key_usage_period1305561 --Ref: gnutls_x509_crt_get_proxy1306313 --Ref: gnutls_x509_crt_get_raw_dn1307334 --Ref: gnutls_x509_crt_get_raw_issuer_dn1307927 --Ref: gnutls_x509_crt_get_serial1308506 --Ref: gnutls_x509_crt_get_signature1309246 --Ref: gnutls_x509_crt_get_signature_algorithm1309801 --Ref: gnutls_x509_crt_get_signature_oid1310414 --Ref: gnutls_x509_crt_get_spki1311072 --Ref: gnutls_x509_crt_get_subject1311558 --Ref: gnutls_x509_crt_get_subject_alt_name1312201 --Ref: gnutls_x509_crt_get_subject_alt_name21313960 --Ref: gnutls_x509_crt_get_subject_alt_othername_oid1315525 --Ref: gnutls_x509_crt_get_subject_key_id1317165 --Ref: gnutls_x509_crt_get_subject_unique_id1317997 --Ref: gnutls_x509_crt_get_tlsfeatures1319082 --Ref: gnutls_x509_crt_get_version1320194 --Ref: gnutls_x509_crt_import1320521 --Ref: gnutls_x509_crt_import_url1321222 --Ref: gnutls_x509_crt_init1321943 --Ref: gnutls_x509_crt_list_import1322290 --Ref: gnutls_x509_crt_list_import21323657 --Ref: gnutls_x509_crt_list_import_url1324729 --Ref: gnutls_x509_crt_list_verify1325953 --Ref: gnutls_x509_crt_print1327533 --Ref: gnutls_x509_crt_set_activation_time1328425 --Ref: gnutls_x509_crt_set_authority_info_access1328892 --Ref: gnutls_x509_crt_set_authority_key_id1329787 --Ref: gnutls_x509_crt_set_basic_constraints1330369 --Ref: gnutls_x509_crt_set_ca_status1331068 --Ref: gnutls_x509_crt_set_crl_dist_points1331666 --Ref: gnutls_x509_crt_set_crl_dist_points21332318 --Ref: gnutls_x509_crt_set_crq1333017 --Ref: gnutls_x509_crt_set_crq_extension_by_oid1333734 --Ref: gnutls_x509_crt_set_crq_extensions1334370 --Ref: gnutls_x509_crt_set_dn1334836 --Ref: gnutls_x509_crt_set_dn_by_oid1335719 --Ref: gnutls_x509_crt_set_expiration_time1336836 --Ref: gnutls_x509_crt_set_extension_by_oid1337381 --Ref: gnutls_x509_crt_set_flags1338156 --Ref: gnutls_x509_crt_set_inhibit_anypolicy1338664 --Ref: gnutls_x509_crt_set_issuer_alt_name1339174 --Ref: gnutls_x509_crt_set_issuer_alt_othername1340196 --Ref: gnutls_x509_crt_set_issuer_dn1341172 --Ref: gnutls_x509_crt_set_issuer_dn_by_oid1341811 --Ref: gnutls_x509_crt_set_issuer_unique_id1343090 --Ref: gnutls_x509_crt_set_key1343595 --Ref: gnutls_x509_crt_set_key_purpose_oid1344175 --Ref: gnutls_x509_crt_set_key_usage1344943 --Ref: gnutls_x509_crt_set_name_constraints1345402 --Ref: gnutls_x509_crt_set_pin_function1346024 --Ref: gnutls_x509_crt_set_policy1346692 --Ref: gnutls_x509_crt_set_private_key_usage_period1347545 --Ref: gnutls_x509_crt_set_proxy1348052 --Ref: gnutls_x509_crt_set_proxy_dn1348866 --Ref: gnutls_x509_crt_set_serial1349885 --Ref: gnutls_x509_crt_set_spki1350945 --Ref: gnutls_x509_crt_set_subject_alt_name1351800 --Ref: gnutls_x509_crt_set_subject_alt_othername1353040 --Ref: gnutls_x509_crt_set_subject_alternative_name1354048 --Ref: gnutls_x509_crt_set_subject_key_id1354946 --Ref: gnutls_x509_crt_set_subject_unique_id1355466 --Ref: gnutls_x509_crt_set_tlsfeatures1355989 --Ref: gnutls_x509_crt_set_version1356513 --Ref: gnutls_x509_crt_sign1357336 --Ref: gnutls_x509_crt_sign21358031 --Ref: gnutls_x509_crt_verify1359264 --Ref: gnutls_x509_crt_verify_data21360313 --Ref: gnutls_x509_dn_deinit1361317 --Ref: gnutls_x509_dn_export1361579 --Ref: gnutls_x509_dn_export21362473 --Ref: gnutls_x509_dn_get_rdn_ava1363134 --Ref: gnutls_x509_dn_get_str1364166 --Ref: gnutls_x509_dn_get_str21364762 --Ref: gnutls_x509_dn_import1365624 --Ref: gnutls_x509_dn_init1366240 --Ref: gnutls_x509_dn_oid_known1366661 --Ref: gnutls_x509_dn_oid_name1367330 --Ref: gnutls_x509_dn_set_str1367859 --Ref: gnutls_x509_ext_deinit1368458 --Ref: gnutls_x509_ext_export_aia1368702 --Ref: gnutls_x509_ext_export_authority_key_id1369296 --Ref: gnutls_x509_ext_export_basic_constraints1369952 --Ref: gnutls_x509_ext_export_crl_dist_points1370649 --Ref: gnutls_x509_ext_export_inhibit_anypolicy1371317 --Ref: gnutls_x509_ext_export_key_purposes1371985 --Ref: gnutls_x509_ext_export_key_usage1372604 --Ref: gnutls_x509_ext_export_name_constraints1373220 --Ref: gnutls_x509_ext_export_policies1373861 --Ref: gnutls_x509_ext_export_private_key_usage_period1374524 --Ref: gnutls_x509_ext_export_proxy1375189 --Ref: gnutls_x509_ext_export_subject_alt_names1376175 --Ref: gnutls_x509_ext_export_subject_key_id1376824 --Ref: gnutls_x509_ext_export_tlsfeatures1377446 --Ref: gnutls_x509_ext_import_aia1378064 --Ref: gnutls_x509_ext_import_authority_key_id1378769 --Ref: gnutls_x509_ext_import_basic_constraints1379437 --Ref: gnutls_x509_ext_import_crl_dist_points1380063 --Ref: gnutls_x509_ext_import_inhibit_anypolicy1380691 --Ref: gnutls_x509_ext_import_key_purposes1381606 --Ref: gnutls_x509_ext_import_key_usage1382240 --Ref: gnutls_x509_ext_import_name_constraints1383256 --Ref: gnutls_x509_ext_import_policies1384594 --Ref: gnutls_x509_ext_import_private_key_usage_period1385201 --Ref: gnutls_x509_ext_import_proxy1385816 --Ref: gnutls_x509_ext_import_subject_alt_names1386902 --Ref: gnutls_x509_ext_import_subject_key_id1387660 --Ref: gnutls_x509_ext_import_tlsfeatures1388295 --Ref: gnutls_x509_ext_print1389187 --Ref: gnutls_x509_key_purpose_deinit1389898 --Ref: gnutls_x509_key_purpose_get1390152 --Ref: gnutls_x509_key_purpose_init1390880 --Ref: gnutls_x509_key_purpose_set1391241 --Ref: gnutls_x509_name_constraints_add_excluded1391696 --Ref: gnutls_x509_name_constraints_add_permitted1392637 --Ref: gnutls_x509_name_constraints_check1393512 --Ref: gnutls_x509_name_constraints_check_crt1394349 --Ref: gnutls_x509_name_constraints_deinit1395219 --Ref: gnutls_x509_name_constraints_get_excluded1395519 --Ref: gnutls_x509_name_constraints_get_permitted1396590 --Ref: gnutls_x509_name_constraints_init1397644 --Ref: gnutls_x509_othername_to_virtual1398027 --Ref: gnutls_x509_policies_deinit1398646 --Ref: gnutls_x509_policies_get1398926 --Ref: gnutls_x509_policies_init1399712 --Ref: gnutls_x509_policies_set1400077 --Ref: gnutls_x509_policy_release1400544 --Ref: gnutls_x509_privkey_cpy1400908 --Ref: gnutls_x509_privkey_deinit1401378 --Ref: gnutls_x509_privkey_export1401619 --Ref: gnutls_x509_privkey_export21402654 --Ref: gnutls_x509_privkey_export2_pkcs81403532 --Ref: gnutls_x509_privkey_export_dsa_raw1404808 --Ref: gnutls_x509_privkey_export_ecc_raw1405548 --Ref: gnutls_x509_privkey_export_gost_raw1406431 --Ref: gnutls_x509_privkey_export_pkcs81407516 --Ref: gnutls_x509_privkey_export_rsa_raw1409021 --Ref: gnutls_x509_privkey_export_rsa_raw21409882 --Ref: gnutls_x509_privkey_fix1410868 --Ref: gnutls_x509_privkey_generate1411253 --Ref: gnutls_x509_privkey_generate21412778 --Ref: gnutls_x509_privkey_get_key_id1414937 --Ref: gnutls_x509_privkey_get_pk_algorithm1415956 --Ref: gnutls_x509_privkey_get_pk_algorithm21416384 --Ref: gnutls_x509_privkey_get_seed1416875 --Ref: gnutls_x509_privkey_get_spki1417699 --Ref: gnutls_x509_privkey_import1418234 --Ref: gnutls_x509_privkey_import21419029 --Ref: gnutls_x509_privkey_import_dsa_raw1420102 --Ref: gnutls_x509_privkey_import_ecc_raw1420834 --Ref: gnutls_x509_privkey_import_gost_raw1421650 --Ref: gnutls_x509_privkey_import_openssl1422926 --Ref: gnutls_x509_privkey_import_pkcs81423800 --Ref: gnutls_x509_privkey_import_rsa_raw1425247 --Ref: gnutls_x509_privkey_import_rsa_raw21426101 --Ref: gnutls_x509_privkey_init1427097 --Ref: gnutls_x509_privkey_sec_param1427442 --Ref: gnutls_x509_privkey_set_flags1427861 --Ref: gnutls_x509_privkey_set_pin_function1428411 --Ref: gnutls_x509_privkey_set_spki1429029 --Ref: gnutls_x509_privkey_sign_data1429576 --Ref: gnutls_x509_privkey_verify_params1430797 --Ref: gnutls_x509_privkey_verify_seed1431133 --Ref: gnutls_x509_rdn_get1431962 --Ref: gnutls_x509_rdn_get21432780 --Ref: gnutls_x509_rdn_get_by_oid1433688 --Ref: gnutls_x509_rdn_get_oid1434670 --Ref: gnutls_x509_spki_deinit1435415 --Ref: gnutls_x509_spki_get_rsa_pss_params1435697 --Ref: gnutls_x509_spki_init1436258 --Ref: gnutls_x509_spki_set_rsa_pss_params1436774 --Ref: gnutls_x509_tlsfeatures_add1437287 --Ref: gnutls_x509_tlsfeatures_check_crt1437743 --Ref: gnutls_x509_tlsfeatures_deinit1438343 --Ref: gnutls_x509_tlsfeatures_get1438621 --Ref: gnutls_x509_tlsfeatures_init1439181 --Ref: gnutls_x509_trust_list_add_cas1439566 --Ref: gnutls_x509_trust_list_add_crls1440751 --Ref: gnutls_x509_trust_list_add_named_crt1442129 --Ref: gnutls_x509_trust_list_add_system_trust1443344 --Ref: gnutls_x509_trust_list_add_trust_dir1444106 --Ref: gnutls_x509_trust_list_add_trust_file1444969 --Ref: gnutls_x509_trust_list_add_trust_mem1446116 --Ref: gnutls_x509_trust_list_deinit1447035 --Ref: gnutls_x509_trust_list_get_issuer1447661 --Ref: gnutls_x509_trust_list_get_issuer_by_dn1448711 --Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1449440 --Ref: gnutls_x509_trust_list_get_ptr1450248 --Ref: gnutls_x509_trust_list_init1450761 --Ref: gnutls_x509_trust_list_iter_deinit1451266 --Ref: gnutls_x509_trust_list_iter_get_ca1451575 --Ref: gnutls_x509_trust_list_remove_cas1452755 --Ref: gnutls_x509_trust_list_remove_trust_file1453610 --Ref: gnutls_x509_trust_list_remove_trust_mem1454311 --Ref: gnutls_x509_trust_list_set_getissuer_function1454969 --Ref: gnutls_x509_trust_list_set_ptr1456602 --Ref: gnutls_x509_trust_list_verify_crt1457140 --Ref: gnutls_x509_trust_list_verify_crt21458303 --Ref: gnutls_x509_trust_list_verify_named_crt1461237 --Node: PKCS 7 API1463965 --Ref: gnutls_pkcs7_add_attr1464261 --Ref: gnutls_pkcs7_attrs_deinit1465067 --Ref: gnutls_pkcs7_deinit1465302 --Ref: gnutls_pkcs7_delete_crl1465507 --Ref: gnutls_pkcs7_delete_crt1465936 --Ref: gnutls_pkcs7_export1466382 --Ref: gnutls_pkcs7_export21467282 --Ref: gnutls_pkcs7_get_attr1467943 --Ref: gnutls_pkcs7_get_crl_count1468830 --Ref: gnutls_pkcs7_get_crl_raw1469178 --Ref: gnutls_pkcs7_get_crl_raw21469953 --Ref: gnutls_pkcs7_get_crt_count1470584 --Ref: gnutls_pkcs7_get_crt_raw1470959 --Ref: gnutls_pkcs7_get_crt_raw21471859 --Ref: gnutls_pkcs7_get_embedded_data1472713 --Ref: gnutls_pkcs7_get_embedded_data_oid1473713 --Ref: gnutls_pkcs7_get_signature_count1474273 --Ref: gnutls_pkcs7_get_signature_info1474680 --Ref: gnutls_pkcs7_import1475353 --Ref: gnutls_pkcs7_init1475974 --Ref: gnutls_pkcs7_print1476398 --Ref: gnutls_pkcs7_print_signature_info1477143 --Ref: gnutls_pkcs7_set_crl1477948 --Ref: gnutls_pkcs7_set_crl_raw1478349 --Ref: gnutls_pkcs7_set_crt1478739 --Ref: gnutls_pkcs7_set_crt_raw1479223 --Ref: gnutls_pkcs7_sign1479636 --Ref: gnutls_pkcs7_signature_info_deinit1481075 --Ref: gnutls_pkcs7_verify1481428 --Ref: gnutls_pkcs7_verify_direct1482593 --Node: OCSP API1484053 --Ref: gnutls_ocsp_req_add_cert1484337 --Ref: gnutls_ocsp_req_add_cert_id1485297 --Ref: gnutls_ocsp_req_deinit1486617 --Ref: gnutls_ocsp_req_export1486834 --Ref: gnutls_ocsp_req_get_cert_id1487259 --Ref: gnutls_ocsp_req_get_extension1488851 --Ref: gnutls_ocsp_req_get_nonce1490267 --Ref: gnutls_ocsp_req_get_version1490921 --Ref: gnutls_ocsp_req_import1491308 --Ref: gnutls_ocsp_req_init1491804 --Ref: gnutls_ocsp_req_print1492132 --Ref: gnutls_ocsp_req_randomize_nonce1492868 --Ref: gnutls_ocsp_req_set_extension1493301 --Ref: gnutls_ocsp_req_set_nonce1493985 --Ref: gnutls_ocsp_resp_check_crt1494572 --Ref: gnutls_ocsp_resp_deinit1495156 --Ref: gnutls_ocsp_resp_export1495380 --Ref: gnutls_ocsp_resp_export21495806 --Ref: gnutls_ocsp_resp_get_certs1496326 --Ref: gnutls_ocsp_resp_get_extension1497451 --Ref: gnutls_ocsp_resp_get_nonce1498875 --Ref: gnutls_ocsp_resp_get_produced1499541 --Ref: gnutls_ocsp_resp_get_responder1499888 --Ref: gnutls_ocsp_resp_get_responder21500993 --Ref: gnutls_ocsp_resp_get_responder_raw_id1502256 --Ref: gnutls_ocsp_resp_get_response1503087 --Ref: gnutls_ocsp_resp_get_signature1504313 --Ref: gnutls_ocsp_resp_get_signature_algorithm1504802 --Ref: gnutls_ocsp_resp_get_single1505280 --Ref: gnutls_ocsp_resp_get_status1507222 --Ref: gnutls_ocsp_resp_get_version1507651 --Ref: gnutls_ocsp_resp_import1508059 --Ref: gnutls_ocsp_resp_import21508627 --Ref: gnutls_ocsp_resp_init1509255 --Ref: gnutls_ocsp_resp_list_import21509604 --Ref: gnutls_ocsp_resp_print1510795 --Ref: gnutls_ocsp_resp_verify1511521 --Ref: gnutls_ocsp_resp_verify_direct1513138 --Node: PKCS 12 API1515571 --Ref: gnutls_pkcs12_bag_decrypt1515861 --Ref: gnutls_pkcs12_bag_deinit1516293 --Ref: gnutls_pkcs12_bag_enc_info1516531 --Ref: gnutls_pkcs12_bag_encrypt1517904 --Ref: gnutls_pkcs12_bag_get_count1518409 --Ref: gnutls_pkcs12_bag_get_data1518720 --Ref: gnutls_pkcs12_bag_get_friendly_name1519326 --Ref: gnutls_pkcs12_bag_get_key_id1519963 --Ref: gnutls_pkcs12_bag_get_type1520582 --Ref: gnutls_pkcs12_bag_init1520952 --Ref: gnutls_pkcs12_bag_set_crl1521410 --Ref: gnutls_pkcs12_bag_set_crt1521843 --Ref: gnutls_pkcs12_bag_set_data1522289 --Ref: gnutls_pkcs12_bag_set_friendly_name1522760 --Ref: gnutls_pkcs12_bag_set_key_id1523444 --Ref: gnutls_pkcs12_bag_set_privkey1524118 --Ref: gnutls_pkcs12_deinit1524774 --Ref: gnutls_pkcs12_export1524976 --Ref: gnutls_pkcs12_export21525883 --Ref: gnutls_pkcs12_generate_mac1526559 --Ref: gnutls_pkcs12_generate_mac21526950 --Ref: gnutls_pkcs12_get_bag1527394 --Ref: gnutls_pkcs12_import1527980 --Ref: gnutls_pkcs12_init1528701 --Ref: gnutls_pkcs12_mac_info1529134 --Ref: gnutls_pkcs12_set_bag1530443 --Ref: gnutls_pkcs12_simple_parse1530849 --Ref: gnutls_pkcs12_verify_mac1533530 --Node: PKCS 11 API1533886 --Ref: gnutls_pkcs11_add_provider1534215 --Ref: gnutls_pkcs11_copy_attached_extension1534960 --Ref: gnutls_pkcs11_copy_pubkey1535819 --Ref: gnutls_pkcs11_copy_secret_key1536852 --Ref: gnutls_pkcs11_copy_x509_crt1537577 --Ref: gnutls_pkcs11_copy_x509_crt21538225 --Ref: gnutls_pkcs11_copy_x509_privkey1539193 --Ref: gnutls_pkcs11_copy_x509_privkey21540010 --Ref: gnutls_pkcs11_crt_is_known1540955 --Ref: gnutls_pkcs11_deinit1542091 --Ref: gnutls_pkcs11_delete_url1542408 --Ref: gnutls_pkcs11_get_pin_function1542924 --Ref: gnutls_pkcs11_get_raw_issuer1543307 --Ref: gnutls_pkcs11_get_raw_issuer_by_dn1544217 --Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1545256 --Ref: gnutls_pkcs11_init1546367 --Ref: gnutls_pkcs11_obj_deinit1547409 --Ref: gnutls_pkcs11_obj_export1547655 --Ref: gnutls_pkcs11_obj_export21548500 --Ref: gnutls_pkcs11_obj_export31549097 --Ref: gnutls_pkcs11_obj_export_url1549770 --Ref: gnutls_pkcs11_obj_flags_get_str1550297 --Ref: gnutls_pkcs11_obj_get_exts1550776 --Ref: gnutls_pkcs11_obj_get_flags1551712 --Ref: gnutls_pkcs11_obj_get_info1552249 --Ref: gnutls_pkcs11_obj_get_ptr1553513 --Ref: gnutls_pkcs11_obj_get_type1554422 --Ref: gnutls_pkcs11_obj_import_url1554772 --Ref: gnutls_pkcs11_obj_init1555692 --Ref: gnutls_pkcs11_obj_list_import_url31556077 --Ref: gnutls_pkcs11_obj_list_import_url41558018 --Ref: gnutls_pkcs11_obj_set_info1559694 --Ref: gnutls_pkcs11_obj_set_pin_function1560473 --Ref: gnutls_pkcs11_privkey_cpy1560984 --Ref: gnutls_pkcs11_privkey_deinit1561485 --Ref: gnutls_pkcs11_privkey_export_pubkey1561748 --Ref: gnutls_pkcs11_privkey_export_url1562552 --Ref: gnutls_pkcs11_privkey_generate1563062 --Ref: gnutls_pkcs11_privkey_generate21563734 --Ref: gnutls_pkcs11_privkey_generate31564964 --Ref: gnutls_pkcs11_privkey_get_info1566474 --Ref: gnutls_pkcs11_privkey_get_pk_algorithm1567356 --Ref: gnutls_pkcs11_privkey_import_url1567887 --Ref: gnutls_pkcs11_privkey_init1568588 --Ref: gnutls_pkcs11_privkey_set_pin_function1569303 --Ref: gnutls_pkcs11_privkey_status1569823 --Ref: gnutls_pkcs11_reinit1570199 --Ref: gnutls_pkcs11_set_pin_function1570759 --Ref: gnutls_pkcs11_set_token_function1571249 --Ref: gnutls_pkcs11_token_check_mechanism1571667 --Ref: gnutls_pkcs11_token_get_flags1572424 --Ref: gnutls_pkcs11_token_get_info1572966 --Ref: gnutls_pkcs11_token_get_mechanism1573989 --Ref: gnutls_pkcs11_token_get_ptr1574602 --Ref: gnutls_pkcs11_token_get_random1575301 --Ref: gnutls_pkcs11_token_get_url1575932 --Ref: gnutls_pkcs11_token_init1576600 --Ref: gnutls_pkcs11_token_set_pin1577238 --Ref: gnutls_pkcs11_type_get_name1578078 --Ref: gnutls_x509_crt_import_pkcs111578567 --Ref: gnutls_x509_crt_list_import_pkcs111579089 --Node: TPM API1579698 --Ref: gnutls_tpm_get_registered1579977 --Ref: gnutls_tpm_key_list_deinit1580370 --Ref: gnutls_tpm_key_list_get_url1580638 --Ref: gnutls_tpm_privkey_delete1581291 --Ref: gnutls_tpm_privkey_generate1581729 --Node: Abstract key API1583079 --Ref: gnutls_certificate_set_key1583400 --Ref: gnutls_certificate_set_retrieve_function21585536 --Ref: gnutls_certificate_set_retrieve_function31587786 --Ref: gnutls_pcert_deinit1590646 --Ref: gnutls_pcert_export_openpgp1590891 --Ref: gnutls_pcert_export_x5091591240 --Ref: gnutls_pcert_import_openpgp1591890 --Ref: gnutls_pcert_import_openpgp_raw1592289 --Ref: gnutls_pcert_import_rawpk1592858 --Ref: gnutls_pcert_import_rawpk_raw1593711 --Ref: gnutls_pcert_import_x5091594960 --Ref: gnutls_pcert_import_x509_list1595557 --Ref: gnutls_pcert_import_x509_raw1596747 --Ref: gnutls_pcert_list_import_x509_file1597453 --Ref: gnutls_pcert_list_import_x509_raw1598885 --Ref: gnutls_privkey_decrypt_data1600219 --Ref: gnutls_privkey_decrypt_data21600867 --Ref: gnutls_privkey_deinit1601692 --Ref: gnutls_privkey_export_dsa_raw1601941 --Ref: gnutls_privkey_export_dsa_raw21602671 --Ref: gnutls_privkey_export_ecc_raw1603477 --Ref: gnutls_privkey_export_ecc_raw21604339 --Ref: gnutls_privkey_export_gost_raw21605281 --Ref: gnutls_privkey_export_openpgp1606415 --Ref: gnutls_privkey_export_pkcs111606767 --Ref: gnutls_privkey_export_rsa_raw1607379 --Ref: gnutls_privkey_export_rsa_raw21608410 --Ref: gnutls_privkey_export_x5091609456 --Ref: gnutls_privkey_generate1610104 --Ref: gnutls_privkey_generate21611595 --Ref: gnutls_privkey_get_pk_algorithm1613723 --Ref: gnutls_privkey_get_seed1614337 --Ref: gnutls_privkey_get_spki1615136 --Ref: gnutls_privkey_get_type1615716 --Ref: gnutls_privkey_import_dsa_raw1616205 --Ref: gnutls_privkey_import_ecc_raw1616917 --Ref: gnutls_privkey_import_ext1617730 --Ref: gnutls_privkey_import_ext21618880 --Ref: gnutls_privkey_import_ext31620237 --Ref: gnutls_privkey_import_ext41621851 --Ref: gnutls_privkey_import_gost_raw1624611 --Ref: gnutls_privkey_import_openpgp1625819 --Ref: gnutls_privkey_import_openpgp_raw1626228 --Ref: gnutls_privkey_import_pkcs111626817 --Ref: gnutls_privkey_import_pkcs11_url1627575 --Ref: gnutls_privkey_import_rsa_raw1628024 --Ref: gnutls_privkey_import_tpm_raw1629020 --Ref: gnutls_privkey_import_tpm_url1629887 --Ref: gnutls_privkey_import_url1630990 --Ref: gnutls_privkey_import_x5091631537 --Ref: gnutls_privkey_import_x509_raw1632285 --Ref: gnutls_privkey_init1633064 --Ref: gnutls_privkey_set_flags1633982 --Ref: gnutls_privkey_set_pin_function1634507 --Ref: gnutls_privkey_set_spki1635077 --Ref: gnutls_privkey_sign_data1635650 --Ref: gnutls_privkey_sign_data21636670 --Ref: gnutls_privkey_sign_hash1637568 --Ref: gnutls_privkey_sign_hash21639005 --Ref: gnutls_privkey_status1640271 --Ref: gnutls_privkey_verify_params1640815 --Ref: gnutls_privkey_verify_seed1641177 --Ref: gnutls_pubkey_deinit1641889 --Ref: gnutls_pubkey_encrypt_data1642129 --Ref: gnutls_pubkey_export1642771 --Ref: gnutls_pubkey_export21643785 --Ref: gnutls_pubkey_export_dsa_raw1644558 --Ref: gnutls_pubkey_export_dsa_raw21645370 --Ref: gnutls_pubkey_export_ecc_raw1646254 --Ref: gnutls_pubkey_export_ecc_raw21647153 --Ref: gnutls_pubkey_export_ecc_x9621648132 --Ref: gnutls_pubkey_export_gost_raw21648791 --Ref: gnutls_pubkey_export_rsa_raw1649935 --Ref: gnutls_pubkey_export_rsa_raw21650632 --Ref: gnutls_pubkey_get_key_id1651393 --Ref: gnutls_pubkey_get_key_usage1652418 --Ref: gnutls_pubkey_get_openpgp_key_id1652915 --Ref: gnutls_pubkey_get_pk_algorithm1653554 --Ref: gnutls_pubkey_get_preferred_hash_algorithm1654202 --Ref: gnutls_pubkey_get_spki1655143 --Ref: gnutls_pubkey_import1655711 --Ref: gnutls_pubkey_import_dsa_raw1656395 --Ref: gnutls_pubkey_import_ecc_raw1657056 --Ref: gnutls_pubkey_import_ecc_x9621657824 --Ref: gnutls_pubkey_import_gost_raw1658460 --Ref: gnutls_pubkey_import_openpgp1659607 --Ref: gnutls_pubkey_import_openpgp_raw1659999 --Ref: gnutls_pubkey_import_pkcs111660568 --Ref: gnutls_pubkey_import_privkey1661110 --Ref: gnutls_pubkey_import_rsa_raw1661812 --Ref: gnutls_pubkey_import_tpm_raw1662336 --Ref: gnutls_pubkey_import_tpm_url1663113 --Ref: gnutls_pubkey_import_url1664005 --Ref: gnutls_pubkey_import_x5091664478 --Ref: gnutls_pubkey_import_x509_crq1664978 --Ref: gnutls_pubkey_import_x509_raw1665481 --Ref: gnutls_pubkey_init1666058 --Ref: gnutls_pubkey_print1666387 --Ref: gnutls_pubkey_set_key_usage1667121 --Ref: gnutls_pubkey_set_pin_function1667690 --Ref: gnutls_pubkey_set_spki1668255 --Ref: gnutls_pubkey_verify_data21668826 --Ref: gnutls_pubkey_verify_hash21669734 --Ref: gnutls_pubkey_verify_params1670858 --Ref: gnutls_register_custom_url1671216 --Ref: gnutls_system_key_add_x5091672154 --Ref: gnutls_system_key_delete1672899 --Ref: gnutls_system_key_iter_deinit1673323 --Ref: gnutls_system_key_iter_get_info1673591 --Ref: gnutls_x509_crl_privkey_sign1674865 --Ref: gnutls_x509_crq_privkey_sign1676134 --Ref: gnutls_x509_crq_set_pubkey1677496 --Ref: gnutls_x509_crt_privkey_sign1678004 --Ref: gnutls_x509_crt_set_pubkey1679247 --Node: Socket specific API1679700 --Ref: gnutls_transport_set_fastopen1679993 --Node: DANE API1681539 --Ref: dane_cert_type_name1681913 --Ref: dane_cert_usage_name1682203 --Ref: dane_match_type_name1682515 --Ref: dane_query_data1682798 --Ref: dane_query_deinit1683477 --Ref: dane_query_entries1683682 --Ref: dane_query_status1683924 --Ref: dane_query_tlsa1684218 --Ref: dane_query_to_raw_tlsa1684809 --Ref: dane_raw_tlsa1686151 --Ref: dane_state_deinit1687228 --Ref: dane_state_init1687420 --Ref: dane_state_set_dlv_file1687934 --Ref: dane_strerror1688235 --Ref: dane_verification_status_print1688734 --Ref: dane_verify_crt1689328 --Ref: dane_verify_crt_raw1691515 --Ref: dane_verify_session_crt1692748 --Node: Cryptographic API1694150 --Ref: gnutls_aead_cipher_decrypt1694651 --Ref: gnutls_aead_cipher_decryptv21696030 --Ref: gnutls_aead_cipher_deinit1696955 --Ref: gnutls_aead_cipher_encrypt1697283 --Ref: gnutls_aead_cipher_encryptv1698392 --Ref: gnutls_aead_cipher_encryptv21699540 --Ref: gnutls_aead_cipher_init1700468 --Ref: gnutls_cipher_add_auth1701134 --Ref: gnutls_cipher_decrypt1701714 --Ref: gnutls_cipher_decrypt21702338 --Ref: gnutls_cipher_deinit1703264 --Ref: gnutls_cipher_encrypt1703543 --Ref: gnutls_cipher_encrypt21704003 --Ref: gnutls_cipher_get_block_size1704780 --Ref: gnutls_cipher_get_iv_size1705060 --Ref: gnutls_cipher_get_tag_size1705542 --Ref: gnutls_cipher_init1705948 --Ref: gnutls_cipher_set_iv1706678 --Ref: gnutls_cipher_tag1707023 --Ref: gnutls_crypto_register_aead_cipher1707525 --Ref: gnutls_crypto_register_cipher1709129 --Ref: gnutls_crypto_register_digest1710910 --Ref: gnutls_crypto_register_mac1712134 --Ref: gnutls_decode_ber_digest_info1713562 --Ref: gnutls_decode_gost_rs_value1714361 --Ref: gnutls_decode_rs_value1715161 --Ref: gnutls_encode_ber_digest_info1715946 --Ref: gnutls_encode_gost_rs_value1716590 --Ref: gnutls_encode_rs_value1717336 --Ref: gnutls_hash1717956 --Ref: gnutls_hash_copy1718387 --Ref: gnutls_hash_deinit1718904 --Ref: gnutls_hash_fast1719232 --Ref: gnutls_hash_get_len1719749 --Ref: gnutls_hash_init1720082 --Ref: gnutls_hash_output1720618 --Ref: gnutls_hkdf_expand1720950 --Ref: gnutls_hkdf_extract1721653 --Ref: gnutls_hmac1722196 --Ref: gnutls_hmac_copy1722627 --Ref: gnutls_hmac_deinit1723108 --Ref: gnutls_hmac_fast1723435 --Ref: gnutls_hmac_get_key_size1724159 --Ref: gnutls_hmac_get_len1724620 --Ref: gnutls_hmac_init1724950 --Ref: gnutls_hmac_output1725733 --Ref: gnutls_hmac_set_nonce1726068 --Ref: gnutls_mac_get_nonce_size1726435 --Ref: gnutls_pbkdf21726751 --Ref: gnutls_rnd1727384 --Ref: gnutls_rnd_refresh1728022 --Node: Compatibility API1728308 --Ref: gnutls_compression_get1728650 --Ref: gnutls_compression_get_id1729002 --Ref: gnutls_compression_get_name1729366 --Ref: gnutls_compression_list1729748 --Ref: gnutls_global_set_mem_functions1730080 --Ref: gnutls_openpgp_privkey_sign_hash1731455 --Ref: gnutls_priority_compression_list1731884 --Ref: gnutls_x509_crt_get_preferred_hash_algorithm1732336 --Ref: gnutls_x509_privkey_sign_hash1733217 --Node: Copying Information1734087 --Node: Bibliography1759264 --Ref: CBCATT1759403 --Ref: GPGH1759581 --Ref: GUTPKI1759704 --Ref: PRNGATTACKS1759879 --Ref: KEYPIN1760079 --Ref: NISTSP800571760254 --Ref: RFC74131760502 --Ref: RFC79181760669 --Ref: RFC61251760846 --Ref: RFC76851761187 --Ref: RFC76131761362 --Ref: RFC22461761610 --Ref: RFC60831761771 --Ref: RFC44181762008 --Ref: RFC46801762175 --Ref: RFC76331762333 --Ref: RFC79191762505 --Ref: RFC45141762709 --Ref: RFC43461762913 --Ref: RFC43471763063 --Ref: RFC52461763230 --Ref: RFC24401763381 --Ref: RFC48801763563 --Ref: RFC42111763757 --Ref: RFC28171763951 --Ref: RFC28181764104 --Ref: RFC29451764218 --Ref: RFC73011764368 --Ref: RFC29861764588 --Ref: PKIX1764777 --Ref: RFC37491765040 --Ref: RFC38201765206 --Ref: RFC65201765449 --Ref: RFC57461765688 --Ref: RFC52801765897 --Ref: TLSTKT1766164 --Ref: PKCS121766396 --Ref: PKCS111766537 --Ref: RESCORLA1766683 --Ref: SELKEY1766779 --Ref: SSL31766938 --Ref: STEVENS1767129 --Ref: TLSEXT1767237 --Ref: TLSPGP1767454 --Ref: TLSSRP1767619 --Ref: TLSPSK1767816 --Ref: TOMSRP1767985 --Ref: WEGER1768098 --Ref: ECRYPT1768290 --Ref: RFC50561768495 --Ref: RFC57641768648 --Ref: RFC59291768936 --Ref: PKCS11URI1769079 --Ref: TPMURI1769215 --Ref: ANDERSON1769409 --Ref: RFC48211769555 --Ref: RFC25601769708 --Ref: RIVESTCRL1769902 --Node: Function and Data Index1770263 --Node: Concept Index1896190 -+Ref: p11tool id313760 -+Ref: p11tool mark-wrap314017 -+Ref: p11tool mark-trusted314264 -+Ref: p11tool mark-distrusted314628 -+Ref: p11tool mark-decrypt315082 -+Ref: p11tool mark-sign315359 -+Ref: p11tool mark-ca315636 -+Ref: p11tool mark-private315909 -+Ref: p11tool ca316207 -+Ref: p11tool private316341 -+Ref: p11tool secret-key316496 -+Ref: p11tool other-options316659 -+Ref: p11tool debug316761 -+Ref: p11tool so-login316902 -+Ref: p11tool admin-login317146 -+Ref: p11tool test-sign317287 -+Ref: p11tool sign-params317581 -+Ref: p11tool hash317921 -+Ref: p11tool generate-random318217 -+Ref: p11tool inder318391 -+Ref: p11tool inraw318616 -+Ref: p11tool outder318742 -+Ref: p11tool outraw318994 -+Ref: p11tool provider319127 -+Ref: p11tool provider-opts319336 -+Ref: p11tool batch319609 -+Ref: p11tool exit status319762 -+Ref: p11tool See Also319992 -+Ref: p11tool Examples320040 -+Node: Trusted Platform Module322461 -+Ref: Trusted Platform Module-Footnote-1324254 -+Ref: Trusted Platform Module-Footnote-2324302 -+Node: Keys in TPM324359 -+Node: Key generation325843 -+Node: Using keys328111 -+Node: tpmtool Invocation331756 -+Ref: tpmtool usage332182 -+Ref: tpmtool debug335494 -+Ref: tpmtool generate-rsa335635 -+Ref: tpmtool user335906 -+Ref: tpmtool system336265 -+Ref: tpmtool test-sign336619 -+Ref: tpmtool sec-param336902 -+Ref: tpmtool inder337228 -+Ref: tpmtool outder337529 -+Ref: tpmtool srk-well-known337748 -+Ref: tpmtool exit status337904 -+Ref: tpmtool See Also338134 -+Ref: tpmtool Examples338195 -+Node: How to use GnuTLS in applications338812 -+Node: Introduction to the library339381 -+Node: General idea339980 -+Ref: fig-gnutls-design340829 -+Ref: General idea-Footnote-1342134 -+Node: Error handling342179 -+Node: Common types344406 -+Node: Debugging and auditing345740 -+Ref: tab:environment346611 -+Node: Thread safety349478 -+Ref: Thread safety-Footnote-1351624 -+Node: Running in a sandbox351836 -+Node: Sessions and fork353230 -+Node: Callback functions353782 -+Node: Preparation354750 -+Node: Headers355169 -+Node: Initialization355458 -+Ref: Initialization-Footnote-1356452 -+Node: Version check356745 -+Node: Building the source357620 -+Node: Session initialization359731 -+Ref: gnutls_init_flags_t361208 -+Node: Associating the credentials368221 -+Ref: tab:key-exchange-cred368997 -+Node: Certificate credentials370128 -+Node: Raw public-key credentials385713 -+Node: SRP credentials387013 -+Node: PSK credentials391911 -+Node: Anonymous credentials395846 -+Node: Setting up the transport layer396692 -+Node: Asynchronous operation406245 -+Node: Reducing round-trips410546 -+Node: Zero-roundtrip mode413986 -+Node: Anti-replay protection416191 -+Node: DTLS sessions419836 -+Ref: DTLS sessions-Footnote-1422140 -+Node: DTLS and SCTP422217 -+Node: TLS handshake423237 -+Node: Data transfer and termination427155 -+Node: Buffered data transfer436297 -+Node: Handling alerts438098 -+Node: Priority Strings441480 -+Ref: tab:prio-keywords444080 -+Ref: tab:prio-algorithms451158 -+Ref: tab:prio-special1456588 -+Ref: tab:prio-special2460435 -+Ref: Priority Strings-Footnote-1467056 -+Node: Selecting cryptographic key sizes467278 -+Ref: tab:key-sizes467927 -+Node: Advanced topics472676 -+Node: Virtual hosts and credentials473174 -+Node: Session resumption476499 -+Node: Certificate verification484406 -+Ref: dane_verify_status_t494127 -+Node: TLS 1.2 re-authentication494532 -+Node: TLS 1.3 re-authentication and re-key499389 -+Node: Parameter generation501048 -+Node: Deriving keys for other applications/protocols503695 -+Node: Channel Bindings506925 -+Node: Interoperability508464 -+Node: Compatibility with the OpenSSL library509782 -+Node: GnuTLS application examples510509 -+Ref: examples510728 -+Node: Client examples511021 -+Node: Client example with X.509 certificate support511548 -+Ref: ex-verify511786 -+Node: Datagram TLS client example516830 -+Node: Client using a smart card with TLS521235 -+Ref: ex-pkcs11-client521472 -+Node: Client with Resume capability example526767 -+Ref: ex-resume-client527051 -+Node: Client example with SSH-style certificate verification532238 -+Node: Server examples536445 -+Node: Echo server with X.509 authentication536799 -+Node: DTLS echo server with X.509 authentication544523 -+Node: More advanced client and servers558934 -+Node: Client example with anonymous authentication559791 -+Node: Using a callback to select the certificate to use563715 -+Node: Obtaining session information570098 -+Node: Advanced certificate verification example574311 -+Ref: ex-verify2574587 -+Node: Client example with PSK authentication580017 -+Node: Client example with SRP authentication584383 -+Node: Legacy client example with X.509 certificate support588667 -+Ref: ex-verify-legacy588984 -+Node: Client example in C++594937 -+Node: Echo server with PSK authentication597509 -+Node: Echo server with SRP authentication606240 -+Node: Echo server with anonymous authentication613158 -+Node: Helper functions for TCP connections618486 -+Node: Helper functions for UDP connections620078 -+Node: OCSP example621983 -+Ref: Generate OCSP request622166 -+Node: Miscellaneous examples631773 -+Node: Checking for an alert632099 -+Node: X.509 certificate parsing example633548 -+Ref: ex-x509-info633805 -+Node: Listing the ciphersuites in a priority string637834 -+Node: PKCS12 structure generation example640151 -+Node: System-wide configuration of the library644356 -+Node: Application-specific priority strings646183 -+Node: Disabling algorithms and protocols647631 -+Node: Querying for disabled algorithms and protocols653128 -+Node: Overriding the parameter verification profile654250 -+Node: Overriding the default priority string655252 -+Node: Using GnuTLS as a cryptographic library655869 -+Ref: Using GnuTLS as a cryptographic library-Footnote-1656725 -+Node: Symmetric algorithms656782 -+Ref: gnutls_cipher_algorithm_t657542 -+Ref: Symmetric algorithms-Footnote-1665972 -+Node: Public key algorithms666057 -+Node: Cryptographic Message Syntax / PKCS7670779 -+Ref: gnutls_pkcs7_sign_flags674218 -+Node: Hash and MAC functions675686 -+Ref: gnutls_mac_algorithm_t676298 -+Ref: gnutls_digest_algorithm_t679670 -+Node: Random number generation680721 -+Ref: gnutls_rnd_level_t681083 -+Node: Overriding algorithms682190 -+Node: Other included programs688508 -+Node: gnutls-cli Invocation689079 -+Ref: gnutls-cli usage689641 -+Ref: gnutls-cli debug697391 -+Ref: gnutls-cli tofu697532 -+Ref: gnutls-cli strict-tofu697995 -+Ref: gnutls-cli dane698397 -+Ref: gnutls-cli local-dns698740 -+Ref: gnutls-cli ca-verification699055 -+Ref: gnutls-cli ocsp699410 -+Ref: gnutls-cli resume699652 -+Ref: gnutls-cli rehandshake699798 -+Ref: gnutls-cli sni-hostname699965 -+Ref: gnutls-cli verify-hostname700491 -+Ref: gnutls-cli starttls700724 -+Ref: gnutls-cli app-proto700908 -+Ref: gnutls-cli starttls-proto701070 -+Ref: gnutls-cli save-ocsp-multi701581 -+Ref: gnutls-cli dh-bits702038 -+Ref: gnutls-cli priority702389 -+Ref: gnutls-cli rawpkkeyfile702767 -+Ref: gnutls-cli rawpkfile703224 -+Ref: gnutls-cli ranges703765 -+Ref: gnutls-cli benchmark-ciphers704015 -+Ref: gnutls-cli benchmark-tls-ciphers704333 -+Ref: gnutls-cli list704652 -+Ref: gnutls-cli priority-list705019 -+Ref: gnutls-cli noticket705265 -+Ref: gnutls-cli alpn705426 -+Ref: gnutls-cli disable-extensions705735 -+Ref: gnutls-cli single-key-share705967 -+Ref: gnutls-cli post-handshake-auth706183 -+Ref: gnutls-cli inline-commands706380 -+Ref: gnutls-cli inline-commands-prefix706700 -+Ref: gnutls-cli provider707103 -+Ref: gnutls-cli logfile707300 -+Ref: gnutls-cli waitresumption707657 -+Ref: gnutls-cli ca-auto-retrieve707914 -+Ref: gnutls-cli exit status708318 -+Ref: gnutls-cli See Also708554 -+Ref: gnutls-cli Examples708631 -+Node: gnutls-serv Invocation712838 -+Ref: gnutls-serv usage713315 -+Ref: gnutls-serv debug718835 -+Ref: gnutls-serv sni-hostname718976 -+Ref: gnutls-serv alpn719308 -+Ref: gnutls-serv require-client-cert719595 -+Ref: gnutls-serv verify-client-cert719839 -+Ref: gnutls-serv heartbeat720068 -+Ref: gnutls-serv priority720219 -+Ref: gnutls-serv x509keyfile720588 -+Ref: gnutls-serv x509certfile721105 -+Ref: gnutls-serv x509dsakeyfile721622 -+Ref: gnutls-serv x509dsacertfile721786 -+Ref: gnutls-serv x509ecckeyfile721953 -+Ref: gnutls-serv x509ecccertfile722115 -+Ref: gnutls-serv rawpkkeyfile722282 -+Ref: gnutls-serv rawpkfile723101 -+Ref: gnutls-serv ocsp-response723956 -+Ref: gnutls-serv ignore-ocsp-response-errors724273 -+Ref: gnutls-serv list724520 -+Ref: gnutls-serv provider724758 -+Ref: gnutls-serv exit status724955 -+Ref: gnutls-serv See Also725193 -+Ref: gnutls-serv Examples725271 -+Node: gnutls-cli-debug Invocation730579 -+Ref: gnutls-cli-debug usage731401 -+Ref: gnutls-cli-debug debug733656 -+Ref: gnutls-cli-debug app-proto733797 -+Ref: gnutls-cli-debug starttls-proto733965 -+Ref: gnutls-cli-debug exit status734344 -+Ref: gnutls-cli-debug See Also734592 -+Ref: gnutls-cli-debug Examples734675 -+Node: Internal architecture of GnuTLS738172 -+Node: The TLS Protocol738778 -+Ref: fig-client-server739254 -+Node: TLS Handshake Protocol739344 -+Ref: fig-gnutls-handshake739786 -+Ref: fig-gnutls-handshake-sequence740295 -+Node: TLS Authentication Methods740393 -+Ref: TLS Authentication Methods-Footnote-1742697 -+Node: TLS Hello Extension Handling742763 -+Node: Cryptographic Backend755865 -+Ref: fig-crypto-layers756548 -+Ref: Cryptographic Backend-Footnote-1759830 -+Ref: Cryptographic Backend-Footnote-2759915 -+Node: Random Number Generators-internals760023 -+Node: FIPS140-2 mode767387 -+Ref: gnutls_fips_mode_t770023 -+Node: Upgrading from previous versions772170 -+Node: Support786164 -+Node: Getting help786412 -+Node: Commercial Support787000 -+Node: Bug Reports787271 -+Node: Contributing788635 -+Node: Certification790661 -+Node: Error codes791125 -+Node: Supported ciphersuites815758 -+Ref: ciphersuites815931 -+Node: API reference830975 -+Node: Core TLS API831385 -+Ref: gnutls_alert_get831612 -+Ref: gnutls_alert_get_name832231 -+Ref: gnutls_alert_get_strname832616 -+Ref: gnutls_alert_send832951 -+Ref: gnutls_alert_send_appropriate833829 -+Ref: gnutls_alert_set_read_function834796 -+Ref: gnutls_alpn_get_selected_protocol835180 -+Ref: gnutls_alpn_set_protocols835844 -+Ref: gnutls_anon_allocate_client_credentials836681 -+Ref: gnutls_anon_allocate_server_credentials837066 -+Ref: gnutls_anon_free_client_credentials837443 -+Ref: gnutls_anon_free_server_credentials837732 -+Ref: gnutls_anon_set_params_function838013 -+Ref: gnutls_anon_set_server_dh_params838689 -+Ref: gnutls_anon_set_server_known_dh_params839349 -+Ref: gnutls_anon_set_server_params_function840258 -+Ref: gnutls_anti_replay_deinit840921 -+Ref: gnutls_anti_replay_enable841235 -+Ref: gnutls_anti_replay_init841583 -+Ref: gnutls_anti_replay_set_add_function842111 -+Ref: gnutls_anti_replay_set_ptr843129 -+Ref: gnutls_anti_replay_set_window843464 -+Ref: gnutls_auth_client_get_type844232 -+Ref: gnutls_auth_get_type844859 -+Ref: gnutls_auth_server_get_type845671 -+Ref: gnutls_base64_decode2846300 -+Ref: gnutls_base64_encode2846856 -+Ref: gnutls_buffer_append_data847476 -+Ref: gnutls_bye847874 -+Ref: gnutls_certificate_activation_time_peers849475 -+Ref: gnutls_certificate_allocate_credentials849893 -+Ref: gnutls_certificate_client_get_request_status850290 -+Ref: gnutls_certificate_expiration_time_peers850698 -+Ref: gnutls_certificate_free_ca_names851102 -+Ref: gnutls_certificate_free_cas851771 -+Ref: gnutls_certificate_free_credentials852174 -+Ref: gnutls_certificate_free_crls852608 -+Ref: gnutls_certificate_free_keys852908 -+Ref: gnutls_certificate_get_crt_raw853342 -+Ref: gnutls_certificate_get_issuer854413 -+Ref: gnutls_certificate_get_ocsp_expiration855496 -+Ref: gnutls_certificate_get_ours856667 -+Ref: gnutls_certificate_get_peers857497 -+Ref: gnutls_certificate_get_peers_subkey_id858620 -+Ref: gnutls_certificate_get_verify_flags858976 -+Ref: gnutls_certificate_get_x509_crt859389 -+Ref: gnutls_certificate_get_x509_key861033 -+Ref: gnutls_certificate_send_x509_rdn_sequence862348 -+Ref: gnutls_certificate_server_set_request863055 -+Ref: gnutls_certificate_set_dh_params863845 -+Ref: gnutls_certificate_set_flags864664 -+Ref: gnutls_certificate_set_known_dh_params865189 -+Ref: gnutls_certificate_set_ocsp_status_request_file866117 -+Ref: gnutls_certificate_set_ocsp_status_request_file2868023 -+Ref: gnutls_certificate_set_ocsp_status_request_function869541 -+Ref: gnutls_certificate_set_ocsp_status_request_function2871029 -+Ref: gnutls_certificate_set_ocsp_status_request_mem872995 -+Ref: gnutls_certificate_set_params_function874770 -+Ref: gnutls_certificate_set_pin_function875467 -+Ref: gnutls_certificate_set_rawpk_key_file876120 -+Ref: gnutls_certificate_set_rawpk_key_mem879424 -+Ref: gnutls_certificate_set_retrieve_function882571 -+Ref: gnutls_certificate_set_verify_flags884701 -+Ref: gnutls_certificate_set_verify_function885194 -+Ref: gnutls_certificate_set_verify_limits886258 -+Ref: gnutls_certificate_set_x509_crl886939 -+Ref: gnutls_certificate_set_x509_crl_file887767 -+Ref: gnutls_certificate_set_x509_crl_mem888548 -+Ref: gnutls_certificate_set_x509_key889325 -+Ref: gnutls_certificate_set_x509_key_file890993 -+Ref: gnutls_certificate_set_x509_key_file2893229 -+Ref: gnutls_certificate_set_x509_key_mem895763 -+Ref: gnutls_certificate_set_x509_key_mem2897411 -+Ref: gnutls_certificate_set_x509_simple_pkcs12_file899224 -+Ref: gnutls_certificate_set_x509_simple_pkcs12_mem901354 -+Ref: gnutls_certificate_set_x509_system_trust903454 -+Ref: gnutls_certificate_set_x509_trust904024 -+Ref: gnutls_certificate_set_x509_trust_dir905004 -+Ref: gnutls_certificate_set_x509_trust_file905742 -+Ref: gnutls_certificate_set_x509_trust_mem906918 -+Ref: gnutls_certificate_type_get907861 -+Ref: gnutls_certificate_type_get2908708 -+Ref: gnutls_certificate_type_get_id910093 -+Ref: gnutls_certificate_type_get_name910490 -+Ref: gnutls_certificate_type_list910873 -+Ref: gnutls_certificate_verification_status_print911227 -+Ref: gnutls_certificate_verify_peers911985 -+Ref: gnutls_certificate_verify_peers2914781 -+Ref: gnutls_certificate_verify_peers3916696 -+Ref: gnutls_check_version919006 -+Ref: gnutls_cipher_get919748 -+Ref: gnutls_cipher_get_id920053 -+Ref: gnutls_cipher_get_key_size920435 -+Ref: gnutls_cipher_get_name920799 -+Ref: gnutls_cipher_list921146 -+Ref: gnutls_cipher_suite_get_name921706 -+Ref: gnutls_cipher_suite_info922574 -+Ref: gnutls_credentials_clear923757 -+Ref: gnutls_credentials_get923985 -+Ref: gnutls_credentials_set924940 -+Ref: gnutls_db_check_entry926304 -+Ref: gnutls_db_check_entry_expire_time926761 -+Ref: gnutls_db_check_entry_time927167 -+Ref: gnutls_db_get_default_cache_expiration927558 -+Ref: gnutls_db_get_ptr927753 -+Ref: gnutls_db_remove_session928065 -+Ref: gnutls_db_set_cache_expiration928602 -+Ref: gnutls_db_set_ptr929023 -+Ref: gnutls_db_set_remove_function929358 -+Ref: gnutls_db_set_retrieve_function929861 -+Ref: gnutls_db_set_store_function930547 -+Ref: gnutls_deinit931014 -+Ref: gnutls_dh_get_group931353 -+Ref: gnutls_dh_get_peers_public_bits932205 -+Ref: gnutls_dh_get_prime_bits932649 -+Ref: gnutls_dh_get_pubkey933289 -+Ref: gnutls_dh_get_secret_bits933987 -+Ref: gnutls_dh_params_cpy934419 -+Ref: gnutls_dh_params_deinit934927 -+Ref: gnutls_dh_params_export2_pkcs3935168 -+Ref: gnutls_dh_params_export_pkcs3935989 -+Ref: gnutls_dh_params_export_raw937008 -+Ref: gnutls_dh_params_generate2937761 -+Ref: gnutls_dh_params_import_dsa939015 -+Ref: gnutls_dh_params_import_pkcs3939492 -+Ref: gnutls_dh_params_import_raw940231 -+Ref: gnutls_dh_params_import_raw2940861 -+Ref: gnutls_dh_params_import_raw3941575 -+Ref: gnutls_dh_params_init942275 -+Ref: gnutls_dh_set_prime_bits942606 -+Ref: gnutls_digest_get_id943709 -+Ref: gnutls_digest_get_name944135 -+Ref: gnutls_digest_get_oid944481 -+Ref: gnutls_digest_list944872 -+Ref: gnutls_digest_mark_insecure945251 -+Ref: gnutls_digest_mark_secure945570 -+Ref: gnutls_early_cipher_get945923 -+Ref: gnutls_early_prf_hash_get946296 -+Ref: gnutls_ecc_curve_get946714 -+Ref: gnutls_ecc_curve_get_id947115 -+Ref: gnutls_ecc_curve_get_name947496 -+Ref: gnutls_ecc_curve_get_oid947830 -+Ref: gnutls_ecc_curve_get_pk948175 -+Ref: gnutls_ecc_curve_get_size948479 -+Ref: gnutls_ecc_curve_list948708 -+Ref: gnutls_ecc_curve_mark_disabled949049 -+Ref: gnutls_ecc_curve_mark_enabled949506 -+Ref: gnutls_error_is_fatal949986 -+Ref: gnutls_error_to_alert950788 -+Ref: gnutls_est_record_overhead_size951520 -+Ref: gnutls_ext_get_current_msg952428 -+Ref: gnutls_ext_get_data953119 -+Ref: gnutls_ext_get_name953634 -+Ref: gnutls_ext_get_name2953952 -+Ref: gnutls_ext_raw_parse954462 -+Ref: gnutls_ext_register955612 -+Ref: gnutls_ext_set_data957247 -+Ref: gnutls_fingerprint957758 -+Ref: gnutls_fips140_mode_enabled958764 -+Ref: gnutls_fips140_set_mode959318 -+Ref: gnutls_get_system_config_file960371 -+Ref: gnutls_global_deinit960747 -+Ref: gnutls_global_init961197 -+Ref: gnutls_global_set_audit_log_function962472 -+Ref: gnutls_global_set_log_function963179 -+Ref: gnutls_global_set_log_level963687 -+Ref: gnutls_global_set_mutex964175 -+Ref: gnutls_global_set_time_function965277 -+Ref: gnutls_gost_paramset_get_name965714 -+Ref: gnutls_gost_paramset_get_oid966090 -+Ref: gnutls_group_get966467 -+Ref: gnutls_group_get_id966837 -+Ref: gnutls_group_get_name967184 -+Ref: gnutls_group_list967504 -+Ref: gnutls_handshake967826 -+Ref: gnutls_handshake_description_get_name969931 -+Ref: gnutls_handshake_get_last_in970319 -+Ref: gnutls_handshake_get_last_out970944 -+Ref: gnutls_handshake_set_hook_function971576 -+Ref: gnutls_handshake_set_max_packet_length972968 -+Ref: gnutls_handshake_set_post_client_hello_function973753 -+Ref: gnutls_handshake_set_private_extensions975079 -+Ref: gnutls_handshake_set_random975758 -+Ref: gnutls_handshake_set_read_function976478 -+Ref: gnutls_handshake_set_secret_function976879 -+Ref: gnutls_handshake_set_timeout977258 -+Ref: gnutls_handshake_write977948 -+Ref: gnutls_heartbeat_allowed978649 -+Ref: gnutls_heartbeat_enable979123 -+Ref: gnutls_heartbeat_get_timeout979961 -+Ref: gnutls_heartbeat_ping980500 -+Ref: gnutls_heartbeat_pong981632 -+Ref: gnutls_heartbeat_set_timeouts982039 -+Ref: gnutls_hex2bin982810 -+Ref: gnutls_hex_decode983529 -+Ref: gnutls_hex_decode2984255 -+Ref: gnutls_hex_encode984684 -+Ref: gnutls_hex_encode2985281 -+Ref: gnutls_idna_map985796 -+Ref: gnutls_idna_reverse_map986926 -+Ref: gnutls_init987691 -+Ref: gnutls_key_generate988519 -+Ref: gnutls_kx_get988936 -+Ref: gnutls_kx_get_id989522 -+Ref: gnutls_kx_get_name989866 -+Ref: gnutls_kx_list990211 -+Ref: gnutls_load_file990539 -+Ref: gnutls_mac_get991311 -+Ref: gnutls_mac_get_id991616 -+Ref: gnutls_mac_get_key_size992029 -+Ref: gnutls_mac_get_name992366 -+Ref: gnutls_mac_list992685 -+Ref: gnutls_memcmp993073 -+Ref: gnutls_memset993633 -+Ref: gnutls_ocsp_status_request_enable_client994027 -+Ref: gnutls_ocsp_status_request_get995038 -+Ref: gnutls_ocsp_status_request_get2995700 -+Ref: gnutls_ocsp_status_request_is_checked996695 -+Ref: gnutls_oid_to_digest998083 -+Ref: gnutls_oid_to_ecc_curve998492 -+Ref: gnutls_oid_to_gost_paramset998818 -+Ref: gnutls_oid_to_mac999229 -+Ref: gnutls_oid_to_pk999642 -+Ref: gnutls_oid_to_sign1000014 -+Ref: gnutls_openpgp_send_cert1000418 -+Ref: gnutls_packet_deinit1000720 -+Ref: gnutls_packet_get1000994 -+Ref: gnutls_pem_base64_decode1001499 -+Ref: gnutls_pem_base64_decode21002354 -+Ref: gnutls_pem_base64_encode1003349 -+Ref: gnutls_pem_base64_encode21004178 -+Ref: gnutls_perror1005114 -+Ref: gnutls_pk_algorithm_get_name1005410 -+Ref: gnutls_pk_bits_to_sec_param1005766 -+Ref: gnutls_pk_get_id1006240 -+Ref: gnutls_pk_get_name1006758 -+Ref: gnutls_pk_get_oid1007126 -+Ref: gnutls_pk_list1007525 -+Ref: gnutls_pk_to_sign1007858 -+Ref: gnutls_prf1008269 -+Ref: gnutls_prf_early1010264 -+Ref: gnutls_prf_hash_get1011919 -+Ref: gnutls_prf_raw1012451 -+Ref: gnutls_prf_rfc57051014335 -+Ref: gnutls_priority_certificate_type_list1016012 -+Ref: gnutls_priority_certificate_type_list21016708 -+Ref: gnutls_priority_cipher_list1017324 -+Ref: gnutls_priority_deinit1017711 -+Ref: gnutls_priority_ecc_curve_list1017954 -+Ref: gnutls_priority_get_cipher_suite_index1018486 -+Ref: gnutls_priority_group_list1019402 -+Ref: gnutls_priority_init1019783 -+Ref: gnutls_priority_init21020863 -+Ref: gnutls_priority_kx_list1025237 -+Ref: gnutls_priority_mac_list1025642 -+Ref: gnutls_priority_protocol_list1026047 -+Ref: gnutls_priority_set1026449 -+Ref: gnutls_priority_set_direct1027104 -+Ref: gnutls_priority_sign_list1028037 -+Ref: gnutls_priority_string_list1028453 -+Ref: gnutls_protocol_get_id1029085 -+Ref: gnutls_protocol_get_name1029401 -+Ref: gnutls_protocol_get_version1029760 -+Ref: gnutls_protocol_list1030058 -+Ref: gnutls_protocol_mark_disabled1030410 -+Ref: gnutls_protocol_mark_enabled1030727 -+Ref: gnutls_psk_allocate_client_credentials1031103 -+Ref: gnutls_psk_allocate_server_credentials1031523 -+Ref: gnutls_psk_client_get_hint1031919 -+Ref: gnutls_psk_free_client_credentials1032546 -+Ref: gnutls_psk_free_server_credentials1032829 -+Ref: gnutls_psk_server_get_username1033104 -+Ref: gnutls_psk_server_get_username21033811 -+Ref: gnutls_psk_set_client_credentials1034505 -+Ref: gnutls_psk_set_client_credentials21035528 -+Ref: gnutls_psk_set_client_credentials_function1036308 -+Ref: gnutls_psk_set_client_credentials_function21037311 -+Ref: gnutls_psk_set_params_function1038468 -+Ref: gnutls_psk_set_server_credentials_file1039148 -+Ref: gnutls_psk_set_server_credentials_function1040009 -+Ref: gnutls_psk_set_server_credentials_function21040963 -+Ref: gnutls_psk_set_server_credentials_hint1042086 -+Ref: gnutls_psk_set_server_dh_params1042710 -+Ref: gnutls_psk_set_server_known_dh_params1043395 -+Ref: gnutls_psk_set_server_params_function1044292 -+Ref: gnutls_random_art1044933 -+Ref: gnutls_range_split1045795 -+Ref: gnutls_reauth1046877 -+Ref: gnutls_record_can_use_length_hiding1048979 -+Ref: gnutls_record_check_corked1049730 -+Ref: gnutls_record_check_pending1050113 -+Ref: gnutls_record_cork1050524 -+Ref: gnutls_record_disable_padding1050938 -+Ref: gnutls_record_discard_queued1051546 -+Ref: gnutls_record_get_direction1052163 -+Ref: gnutls_record_get_max_early_data_size1053144 -+Ref: gnutls_record_get_max_size1053696 -+Ref: gnutls_record_get_state1054063 -+Ref: gnutls_record_overhead_size1055085 -+Ref: gnutls_record_recv1055472 -+Ref: gnutls_record_recv_early_data1056922 -+Ref: gnutls_record_recv_packet1057984 -+Ref: gnutls_record_recv_seq1058863 -+Ref: gnutls_record_send1059849 -+Ref: gnutls_record_send21061907 -+Ref: gnutls_record_send_early_data1063059 -+Ref: gnutls_record_send_range1064115 -+Ref: gnutls_record_set_max_early_data_size1065294 -+Ref: gnutls_record_set_max_recv_size1065940 -+Ref: gnutls_record_set_max_size1066644 -+Ref: gnutls_record_set_state1067823 -+Ref: gnutls_record_set_timeout1068481 -+Ref: gnutls_record_uncork1069082 -+Ref: gnutls_rehandshake1070022 -+Ref: gnutls_safe_renegotiation_status1071804 -+Ref: gnutls_sec_param_get_name1072219 -+Ref: gnutls_sec_param_to_pk_bits1072593 -+Ref: gnutls_sec_param_to_symmetric_bits1073263 -+Ref: gnutls_server_name_get1073647 -+Ref: gnutls_server_name_set1075119 -+Ref: gnutls_session_channel_binding1076277 -+Ref: gnutls_session_enable_compatibility_mode1076995 -+Ref: gnutls_session_etm_status1077702 -+Ref: gnutls_session_ext_master_secret_status1078105 -+Ref: gnutls_session_ext_register1078596 -+Ref: gnutls_session_force_valid1080858 -+Ref: gnutls_session_get_data1081279 -+Ref: gnutls_session_get_data21081939 -+Ref: gnutls_session_get_desc1084212 -+Ref: gnutls_session_get_flags1084734 -+Ref: gnutls_session_get_id1085272 -+Ref: gnutls_session_get_id21086795 -+Ref: gnutls_session_get_keylog_function1088265 -+Ref: gnutls_session_get_master_secret1088672 -+Ref: gnutls_session_get_ptr1089156 -+Ref: gnutls_session_get_random1089551 -+Ref: gnutls_session_get_verify_cert_status1090172 -+Ref: gnutls_session_is_resumed1090845 -+Ref: gnutls_session_key_update1091215 -+Ref: gnutls_session_resumption_requested1092163 -+Ref: gnutls_session_set_data1092545 -+Ref: gnutls_session_set_id1093386 -+Ref: gnutls_session_set_keylog_function1094061 -+Ref: gnutls_session_set_premaster1094460 -+Ref: gnutls_session_set_ptr1095555 -+Ref: gnutls_session_set_verify_cert1095955 -+Ref: gnutls_session_set_verify_cert21097299 -+Ref: gnutls_session_set_verify_function1098483 -+Ref: gnutls_session_supplemental_register1099595 -+Ref: gnutls_session_ticket_enable_client1100853 -+Ref: gnutls_session_ticket_enable_server1101346 -+Ref: gnutls_session_ticket_key_generate1102140 -+Ref: gnutls_session_ticket_send1102568 -+Ref: gnutls_set_default_priority1103152 -+Ref: gnutls_set_default_priority_append1104237 -+Ref: gnutls_sign_algorithm_get1105579 -+Ref: gnutls_sign_algorithm_get_client1106022 -+Ref: gnutls_sign_algorithm_get_requested1106489 -+Ref: gnutls_sign_get_hash_algorithm1107516 -+Ref: gnutls_sign_get_id1107928 -+Ref: gnutls_sign_get_name1108291 -+Ref: gnutls_sign_get_oid1108623 -+Ref: gnutls_sign_get_pk_algorithm1109009 -+Ref: gnutls_sign_is_secure1109616 -+Ref: gnutls_sign_is_secure21109886 -+Ref: gnutls_sign_list1110222 -+Ref: gnutls_sign_mark_insecure1110566 -+Ref: gnutls_sign_mark_secure1111163 -+Ref: gnutls_sign_supports_pk_algorithm1111948 -+Ref: gnutls_srp_allocate_client_credentials1112532 -+Ref: gnutls_srp_allocate_server_credentials1112933 -+Ref: gnutls_srp_base64_decode1113306 -+Ref: gnutls_srp_base64_decode21114011 -+Ref: gnutls_srp_base64_encode1114679 -+Ref: gnutls_srp_base64_encode21115480 -+Ref: gnutls_srp_free_client_credentials1116211 -+Ref: gnutls_srp_free_server_credentials1116494 -+Ref: gnutls_srp_server_get_username1116769 -+Ref: gnutls_srp_set_client_credentials1117223 -+Ref: gnutls_srp_set_client_credentials_function1118113 -+Ref: gnutls_srp_set_prime_bits1119360 -+Ref: gnutls_srp_set_server_credentials_file1120045 -+Ref: gnutls_srp_set_server_credentials_function1120771 -+Ref: gnutls_srp_set_server_fake_salt_seed1122486 -+Ref: gnutls_srp_verifier1123989 -+Ref: gnutls_srtp_get_keys1124917 -+Ref: gnutls_srtp_get_mki1126311 -+Ref: gnutls_srtp_get_profile_id1126880 -+Ref: gnutls_srtp_get_profile_name1127338 -+Ref: gnutls_srtp_get_selected_profile1127759 -+Ref: gnutls_srtp_set_mki1128203 -+Ref: gnutls_srtp_set_profile1128652 -+Ref: gnutls_srtp_set_profile_direct1129184 -+Ref: gnutls_store_commitment1129907 -+Ref: gnutls_store_pubkey1131206 -+Ref: gnutls_strerror1132993 -+Ref: gnutls_strerror_name1133478 -+Ref: gnutls_supplemental_get_name1133947 -+Ref: gnutls_supplemental_recv1134369 -+Ref: gnutls_supplemental_register1134839 -+Ref: gnutls_supplemental_send1135951 -+Ref: gnutls_system_recv_timeout1136396 -+Ref: gnutls_tdb_deinit1137138 -+Ref: gnutls_tdb_init1137353 -+Ref: gnutls_tdb_set_store_commitment_func1137712 -+Ref: gnutls_tdb_set_store_func1138393 -+Ref: gnutls_tdb_set_verify_func1138982 -+Ref: gnutls_transport_get_int1139726 -+Ref: gnutls_transport_get_int21140134 -+Ref: gnutls_transport_get_ptr1140637 -+Ref: gnutls_transport_get_ptr21141053 -+Ref: gnutls_transport_set_errno1141587 -+Ref: gnutls_transport_set_errno_function1142574 -+Ref: gnutls_transport_set_int1143111 -+Ref: gnutls_transport_set_int21143665 -+Ref: gnutls_transport_set_ptr1144394 -+Ref: gnutls_transport_set_ptr21144807 -+Ref: gnutls_transport_set_pull_function1145451 -+Ref: gnutls_transport_set_pull_timeout_function1146231 -+Ref: gnutls_transport_set_push_function1147934 -+Ref: gnutls_transport_set_vec_push_function1148779 -+Ref: gnutls_url_is_supported1149475 -+Ref: gnutls_utf8_password_normalize1149895 -+Ref: gnutls_verify_stored_pubkey1150684 -+Node: Datagram TLS API1153831 -+Ref: gnutls_dtls_cookie_send1154107 -+Ref: gnutls_dtls_cookie_verify1155362 -+Ref: gnutls_dtls_get_data_mtu1156306 -+Ref: gnutls_dtls_get_mtu1156749 -+Ref: gnutls_dtls_get_timeout1157192 -+Ref: gnutls_dtls_prestate_set1157735 -+Ref: gnutls_dtls_set_data_mtu1158319 -+Ref: gnutls_dtls_set_mtu1159293 -+Ref: gnutls_dtls_set_timeouts1159900 -+Ref: gnutls_record_get_discarded1160904 -+Node: X509 certificate API1161178 -+Ref: gnutls_certificate_get_trust_list1161527 -+Ref: gnutls_certificate_set_trust_list1162175 -+Ref: gnutls_certificate_verification_profile_get_id1162950 -+Ref: gnutls_certificate_verification_profile_get_name1163497 -+Ref: gnutls_pkcs8_info1163880 -+Ref: gnutls_pkcs_schema_get_name1165398 -+Ref: gnutls_pkcs_schema_get_oid1165803 -+Ref: gnutls_session_set_verify_output_function1166230 -+Ref: gnutls_subject_alt_names_deinit1167387 -+Ref: gnutls_subject_alt_names_get1167666 -+Ref: gnutls_subject_alt_names_init1168676 -+Ref: gnutls_subject_alt_names_set1169056 -+Ref: gnutls_x509_aia_deinit1169875 -+Ref: gnutls_x509_aia_get1170109 -+Ref: gnutls_x509_aia_init1171268 -+Ref: gnutls_x509_aia_set1171603 -+Ref: gnutls_x509_aki_deinit1172398 -+Ref: gnutls_x509_aki_get_cert_issuer1172662 -+Ref: gnutls_x509_aki_get_id1173728 -+Ref: gnutls_x509_aki_init1174267 -+Ref: gnutls_x509_aki_set_cert_issuer1174616 -+Ref: gnutls_x509_aki_set_id1175731 -+Ref: gnutls_x509_cidr_to_rfc52801176160 -+Ref: gnutls_x509_crl_check_issuer1177058 -+Ref: gnutls_x509_crl_deinit1177506 -+Ref: gnutls_x509_crl_dist_points_deinit1177738 -+Ref: gnutls_x509_crl_dist_points_get1178033 -+Ref: gnutls_x509_crl_dist_points_init1179007 -+Ref: gnutls_x509_crl_dist_points_set1179403 -+Ref: gnutls_x509_crl_export1180106 -+Ref: gnutls_x509_crl_export21180989 -+Ref: gnutls_x509_crl_get_authority_key_gn_serial1181709 -+Ref: gnutls_x509_crl_get_authority_key_id1183023 -+Ref: gnutls_x509_crl_get_crt_count1184086 -+Ref: gnutls_x509_crl_get_crt_serial1184444 -+Ref: gnutls_x509_crl_get_dn_oid1185348 -+Ref: gnutls_x509_crl_get_extension_data1186154 -+Ref: gnutls_x509_crl_get_extension_data21187271 -+Ref: gnutls_x509_crl_get_extension_info1188150 -+Ref: gnutls_x509_crl_get_extension_oid1189414 -+Ref: gnutls_x509_crl_get_issuer_dn1190266 -+Ref: gnutls_x509_crl_get_issuer_dn21191267 -+Ref: gnutls_x509_crl_get_issuer_dn31192101 -+Ref: gnutls_x509_crl_get_issuer_dn_by_oid1193079 -+Ref: gnutls_x509_crl_get_next_update1194590 -+Ref: gnutls_x509_crl_get_number1195024 -+Ref: gnutls_x509_crl_get_raw_issuer_dn1195749 -+Ref: gnutls_x509_crl_get_signature1196203 -+Ref: gnutls_x509_crl_get_signature_algorithm1196750 -+Ref: gnutls_x509_crl_get_signature_oid1197312 -+Ref: gnutls_x509_crl_get_this_update1197973 -+Ref: gnutls_x509_crl_get_version1198298 -+Ref: gnutls_x509_crl_import1198606 -+Ref: gnutls_x509_crl_init1199230 -+Ref: gnutls_x509_crl_iter_crt_serial1199819 -+Ref: gnutls_x509_crl_iter_deinit1200965 -+Ref: gnutls_x509_crl_list_import1201210 -+Ref: gnutls_x509_crl_list_import21202212 -+Ref: gnutls_x509_crl_print1203078 -+Ref: gnutls_x509_crl_set_authority_key_id1203727 -+Ref: gnutls_x509_crl_set_crt1204380 -+Ref: gnutls_x509_crl_set_crt_serial1204953 -+Ref: gnutls_x509_crl_set_next_update1205585 -+Ref: gnutls_x509_crl_set_number1206202 -+Ref: gnutls_x509_crl_set_this_update1206779 -+Ref: gnutls_x509_crl_set_version1207183 -+Ref: gnutls_x509_crl_sign1207726 -+Ref: gnutls_x509_crl_sign21208419 -+Ref: gnutls_x509_crl_verify1209655 -+Ref: gnutls_x509_crq_deinit1210899 -+Ref: gnutls_x509_crq_export1211137 -+Ref: gnutls_x509_crq_export21212134 -+Ref: gnutls_x509_crq_get_attribute_by_oid1212908 -+Ref: gnutls_x509_crq_get_attribute_data1213933 -+Ref: gnutls_x509_crq_get_attribute_info1215045 -+Ref: gnutls_x509_crq_get_basic_constraints1216242 -+Ref: gnutls_x509_crq_get_challenge_password1217495 -+Ref: gnutls_x509_crq_get_dn1218107 -+Ref: gnutls_x509_crq_get_dn21219056 -+Ref: gnutls_x509_crq_get_dn31219913 -+Ref: gnutls_x509_crq_get_dn_by_oid1220921 -+Ref: gnutls_x509_crq_get_dn_oid1222382 -+Ref: gnutls_x509_crq_get_extension_by_oid1223169 -+Ref: gnutls_x509_crq_get_extension_by_oid21224326 -+Ref: gnutls_x509_crq_get_extension_data1225408 -+Ref: gnutls_x509_crq_get_extension_data21226538 -+Ref: gnutls_x509_crq_get_extension_info1227417 -+Ref: gnutls_x509_crq_get_key_id1228678 -+Ref: gnutls_x509_crq_get_key_purpose_oid1229745 -+Ref: gnutls_x509_crq_get_key_rsa_raw1230760 -+Ref: gnutls_x509_crq_get_key_usage1231384 -+Ref: gnutls_x509_crq_get_pk_algorithm1232470 -+Ref: gnutls_x509_crq_get_pk_oid1233191 -+Ref: gnutls_x509_crq_get_private_key_usage_period1233848 -+Ref: gnutls_x509_crq_get_signature_algorithm1234563 -+Ref: gnutls_x509_crq_get_signature_oid1235202 -+Ref: gnutls_x509_crq_get_spki1235863 -+Ref: gnutls_x509_crq_get_subject_alt_name1236423 -+Ref: gnutls_x509_crq_get_subject_alt_othername_oid1237981 -+Ref: gnutls_x509_crq_get_tlsfeatures1239461 -+Ref: gnutls_x509_crq_get_version1240590 -+Ref: gnutls_x509_crq_import1240936 -+Ref: gnutls_x509_crq_init1241618 -+Ref: gnutls_x509_crq_print1241966 -+Ref: gnutls_x509_crq_set_attribute_by_oid1242622 -+Ref: gnutls_x509_crq_set_basic_constraints1243487 -+Ref: gnutls_x509_crq_set_challenge_password1244231 -+Ref: gnutls_x509_crq_set_dn1244682 -+Ref: gnutls_x509_crq_set_dn_by_oid1245300 -+Ref: gnutls_x509_crq_set_extension_by_oid1246430 -+Ref: gnutls_x509_crq_set_key1247209 -+Ref: gnutls_x509_crq_set_key_purpose_oid1247672 -+Ref: gnutls_x509_crq_set_key_rsa_raw1248452 -+Ref: gnutls_x509_crq_set_key_usage1249028 -+Ref: gnutls_x509_crq_set_private_key_usage_period1249532 -+Ref: gnutls_x509_crq_set_spki1250037 -+Ref: gnutls_x509_crq_set_subject_alt_name1250908 -+Ref: gnutls_x509_crq_set_subject_alt_othername1251734 -+Ref: gnutls_x509_crq_set_tlsfeatures1252572 -+Ref: gnutls_x509_crq_set_version1253122 -+Ref: gnutls_x509_crq_sign1253607 -+Ref: gnutls_x509_crq_sign21254378 -+Ref: gnutls_x509_crq_verify1255710 -+Ref: gnutls_x509_crt_check_email1256303 -+Ref: gnutls_x509_crt_check_hostname1256831 -+Ref: gnutls_x509_crt_check_hostname21257543 -+Ref: gnutls_x509_crt_check_ip1259294 -+Ref: gnutls_x509_crt_check_issuer1259908 -+Ref: gnutls_x509_crt_check_key_purpose1260646 -+Ref: gnutls_x509_crt_check_revocation1261340 -+Ref: gnutls_x509_crt_cpy_crl_dist_points1261989 -+Ref: gnutls_x509_crt_deinit1262578 -+Ref: gnutls_x509_crt_equals1262796 -+Ref: gnutls_x509_crt_equals21263178 -+Ref: gnutls_x509_crt_export1263602 -+Ref: gnutls_x509_crt_export21264513 -+Ref: gnutls_x509_crt_get_activation_time1265211 -+Ref: gnutls_x509_crt_get_authority_info_access1265589 -+Ref: gnutls_x509_crt_get_authority_key_gn_serial1269063 -+Ref: gnutls_x509_crt_get_authority_key_id1270504 -+Ref: gnutls_x509_crt_get_basic_constraints1271635 -+Ref: gnutls_x509_crt_get_ca_status1272849 -+Ref: gnutls_x509_crt_get_crl_dist_points1273848 -+Ref: gnutls_x509_crt_get_dn1275173 -+Ref: gnutls_x509_crt_get_dn21276368 -+Ref: gnutls_x509_crt_get_dn31277177 -+Ref: gnutls_x509_crt_get_dn_by_oid1278137 -+Ref: gnutls_x509_crt_get_dn_oid1279906 -+Ref: gnutls_x509_crt_get_expiration_time1280934 -+Ref: gnutls_x509_crt_get_extension_by_oid1281300 -+Ref: gnutls_x509_crt_get_extension_by_oid21282427 -+Ref: gnutls_x509_crt_get_extension_data1283500 -+Ref: gnutls_x509_crt_get_extension_data21284589 -+Ref: gnutls_x509_crt_get_extension_info1285454 -+Ref: gnutls_x509_crt_get_extension_oid1286866 -+Ref: gnutls_x509_crt_get_fingerprint1287829 -+Ref: gnutls_x509_crt_get_inhibit_anypolicy1288717 -+Ref: gnutls_x509_crt_get_issuer1289686 -+Ref: gnutls_x509_crt_get_issuer_alt_name1290324 -+Ref: gnutls_x509_crt_get_issuer_alt_name21292124 -+Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1293706 -+Ref: gnutls_x509_crt_get_issuer_dn1295355 -+Ref: gnutls_x509_crt_get_issuer_dn21296476 -+Ref: gnutls_x509_crt_get_issuer_dn31297323 -+Ref: gnutls_x509_crt_get_issuer_dn_by_oid1298314 -+Ref: gnutls_x509_crt_get_issuer_dn_oid1300101 -+Ref: gnutls_x509_crt_get_issuer_unique_id1301137 -+Ref: gnutls_x509_crt_get_key_id1302232 -+Ref: gnutls_x509_crt_get_key_purpose_oid1303255 -+Ref: gnutls_x509_crt_get_key_usage1304416 -+Ref: gnutls_x509_crt_get_name_constraints1305476 -+Ref: gnutls_x509_crt_get_pk_algorithm1306884 -+Ref: gnutls_x509_crt_get_pk_dsa_raw1307673 -+Ref: gnutls_x509_crt_get_pk_ecc_raw1308341 -+Ref: gnutls_x509_crt_get_pk_gost_raw1309154 -+Ref: gnutls_x509_crt_get_pk_oid1309998 -+Ref: gnutls_x509_crt_get_pk_rsa_raw1310624 -+Ref: gnutls_x509_crt_get_policy1311202 -+Ref: gnutls_x509_crt_get_private_key_usage_period1312148 -+Ref: gnutls_x509_crt_get_proxy1312900 -+Ref: gnutls_x509_crt_get_raw_dn1313921 -+Ref: gnutls_x509_crt_get_raw_issuer_dn1314514 -+Ref: gnutls_x509_crt_get_serial1315093 -+Ref: gnutls_x509_crt_get_signature1315833 -+Ref: gnutls_x509_crt_get_signature_algorithm1316388 -+Ref: gnutls_x509_crt_get_signature_oid1317001 -+Ref: gnutls_x509_crt_get_spki1317659 -+Ref: gnutls_x509_crt_get_subject1318145 -+Ref: gnutls_x509_crt_get_subject_alt_name1318788 -+Ref: gnutls_x509_crt_get_subject_alt_name21320547 -+Ref: gnutls_x509_crt_get_subject_alt_othername_oid1322112 -+Ref: gnutls_x509_crt_get_subject_key_id1323752 -+Ref: gnutls_x509_crt_get_subject_unique_id1324584 -+Ref: gnutls_x509_crt_get_tlsfeatures1325669 -+Ref: gnutls_x509_crt_get_version1326781 -+Ref: gnutls_x509_crt_import1327108 -+Ref: gnutls_x509_crt_import_url1327809 -+Ref: gnutls_x509_crt_init1328530 -+Ref: gnutls_x509_crt_list_import1328877 -+Ref: gnutls_x509_crt_list_import21330244 -+Ref: gnutls_x509_crt_list_import_url1331316 -+Ref: gnutls_x509_crt_list_verify1332540 -+Ref: gnutls_x509_crt_print1334120 -+Ref: gnutls_x509_crt_set_activation_time1335012 -+Ref: gnutls_x509_crt_set_authority_info_access1335479 -+Ref: gnutls_x509_crt_set_authority_key_id1336374 -+Ref: gnutls_x509_crt_set_basic_constraints1336956 -+Ref: gnutls_x509_crt_set_ca_status1337655 -+Ref: gnutls_x509_crt_set_crl_dist_points1338253 -+Ref: gnutls_x509_crt_set_crl_dist_points21338905 -+Ref: gnutls_x509_crt_set_crq1339604 -+Ref: gnutls_x509_crt_set_crq_extension_by_oid1340321 -+Ref: gnutls_x509_crt_set_crq_extensions1340957 -+Ref: gnutls_x509_crt_set_dn1341423 -+Ref: gnutls_x509_crt_set_dn_by_oid1342306 -+Ref: gnutls_x509_crt_set_expiration_time1343423 -+Ref: gnutls_x509_crt_set_extension_by_oid1343968 -+Ref: gnutls_x509_crt_set_flags1344743 -+Ref: gnutls_x509_crt_set_inhibit_anypolicy1345251 -+Ref: gnutls_x509_crt_set_issuer_alt_name1345761 -+Ref: gnutls_x509_crt_set_issuer_alt_othername1346783 -+Ref: gnutls_x509_crt_set_issuer_dn1347759 -+Ref: gnutls_x509_crt_set_issuer_dn_by_oid1348398 -+Ref: gnutls_x509_crt_set_issuer_unique_id1349677 -+Ref: gnutls_x509_crt_set_key1350182 -+Ref: gnutls_x509_crt_set_key_purpose_oid1350762 -+Ref: gnutls_x509_crt_set_key_usage1351530 -+Ref: gnutls_x509_crt_set_name_constraints1351989 -+Ref: gnutls_x509_crt_set_pin_function1352611 -+Ref: gnutls_x509_crt_set_policy1353279 -+Ref: gnutls_x509_crt_set_private_key_usage_period1354132 -+Ref: gnutls_x509_crt_set_proxy1354639 -+Ref: gnutls_x509_crt_set_proxy_dn1355453 -+Ref: gnutls_x509_crt_set_serial1356472 -+Ref: gnutls_x509_crt_set_spki1357532 -+Ref: gnutls_x509_crt_set_subject_alt_name1358387 -+Ref: gnutls_x509_crt_set_subject_alt_othername1359627 -+Ref: gnutls_x509_crt_set_subject_alternative_name1360635 -+Ref: gnutls_x509_crt_set_subject_key_id1361533 -+Ref: gnutls_x509_crt_set_subject_unique_id1362053 -+Ref: gnutls_x509_crt_set_tlsfeatures1362576 -+Ref: gnutls_x509_crt_set_version1363100 -+Ref: gnutls_x509_crt_sign1363923 -+Ref: gnutls_x509_crt_sign21364618 -+Ref: gnutls_x509_crt_verify1365851 -+Ref: gnutls_x509_crt_verify_data21366900 -+Ref: gnutls_x509_dn_deinit1367904 -+Ref: gnutls_x509_dn_export1368166 -+Ref: gnutls_x509_dn_export21369060 -+Ref: gnutls_x509_dn_get_rdn_ava1369721 -+Ref: gnutls_x509_dn_get_str1370753 -+Ref: gnutls_x509_dn_get_str21371349 -+Ref: gnutls_x509_dn_import1372211 -+Ref: gnutls_x509_dn_init1372827 -+Ref: gnutls_x509_dn_oid_known1373248 -+Ref: gnutls_x509_dn_oid_name1373917 -+Ref: gnutls_x509_dn_set_str1374446 -+Ref: gnutls_x509_ext_deinit1375045 -+Ref: gnutls_x509_ext_export_aia1375289 -+Ref: gnutls_x509_ext_export_authority_key_id1375883 -+Ref: gnutls_x509_ext_export_basic_constraints1376539 -+Ref: gnutls_x509_ext_export_crl_dist_points1377236 -+Ref: gnutls_x509_ext_export_inhibit_anypolicy1377904 -+Ref: gnutls_x509_ext_export_key_purposes1378572 -+Ref: gnutls_x509_ext_export_key_usage1379191 -+Ref: gnutls_x509_ext_export_name_constraints1379807 -+Ref: gnutls_x509_ext_export_policies1380448 -+Ref: gnutls_x509_ext_export_private_key_usage_period1381111 -+Ref: gnutls_x509_ext_export_proxy1381776 -+Ref: gnutls_x509_ext_export_subject_alt_names1382762 -+Ref: gnutls_x509_ext_export_subject_key_id1383411 -+Ref: gnutls_x509_ext_export_tlsfeatures1384033 -+Ref: gnutls_x509_ext_import_aia1384651 -+Ref: gnutls_x509_ext_import_authority_key_id1385356 -+Ref: gnutls_x509_ext_import_basic_constraints1386024 -+Ref: gnutls_x509_ext_import_crl_dist_points1386650 -+Ref: gnutls_x509_ext_import_inhibit_anypolicy1387278 -+Ref: gnutls_x509_ext_import_key_purposes1388193 -+Ref: gnutls_x509_ext_import_key_usage1388827 -+Ref: gnutls_x509_ext_import_name_constraints1389843 -+Ref: gnutls_x509_ext_import_policies1391181 -+Ref: gnutls_x509_ext_import_private_key_usage_period1391788 -+Ref: gnutls_x509_ext_import_proxy1392403 -+Ref: gnutls_x509_ext_import_subject_alt_names1393489 -+Ref: gnutls_x509_ext_import_subject_key_id1394247 -+Ref: gnutls_x509_ext_import_tlsfeatures1394882 -+Ref: gnutls_x509_ext_print1395774 -+Ref: gnutls_x509_key_purpose_deinit1396485 -+Ref: gnutls_x509_key_purpose_get1396739 -+Ref: gnutls_x509_key_purpose_init1397467 -+Ref: gnutls_x509_key_purpose_set1397828 -+Ref: gnutls_x509_name_constraints_add_excluded1398283 -+Ref: gnutls_x509_name_constraints_add_permitted1399224 -+Ref: gnutls_x509_name_constraints_check1400099 -+Ref: gnutls_x509_name_constraints_check_crt1400936 -+Ref: gnutls_x509_name_constraints_deinit1401806 -+Ref: gnutls_x509_name_constraints_get_excluded1402106 -+Ref: gnutls_x509_name_constraints_get_permitted1403177 -+Ref: gnutls_x509_name_constraints_init1404231 -+Ref: gnutls_x509_othername_to_virtual1404614 -+Ref: gnutls_x509_policies_deinit1405233 -+Ref: gnutls_x509_policies_get1405513 -+Ref: gnutls_x509_policies_init1406299 -+Ref: gnutls_x509_policies_set1406664 -+Ref: gnutls_x509_policy_release1407131 -+Ref: gnutls_x509_privkey_cpy1407495 -+Ref: gnutls_x509_privkey_deinit1407965 -+Ref: gnutls_x509_privkey_export1408206 -+Ref: gnutls_x509_privkey_export21409241 -+Ref: gnutls_x509_privkey_export2_pkcs81410119 -+Ref: gnutls_x509_privkey_export_dsa_raw1411395 -+Ref: gnutls_x509_privkey_export_ecc_raw1412135 -+Ref: gnutls_x509_privkey_export_gost_raw1413018 -+Ref: gnutls_x509_privkey_export_pkcs81414103 -+Ref: gnutls_x509_privkey_export_rsa_raw1415608 -+Ref: gnutls_x509_privkey_export_rsa_raw21416469 -+Ref: gnutls_x509_privkey_fix1417455 -+Ref: gnutls_x509_privkey_generate1417840 -+Ref: gnutls_x509_privkey_generate21419365 -+Ref: gnutls_x509_privkey_get_key_id1421524 -+Ref: gnutls_x509_privkey_get_pk_algorithm1422543 -+Ref: gnutls_x509_privkey_get_pk_algorithm21422971 -+Ref: gnutls_x509_privkey_get_seed1423462 -+Ref: gnutls_x509_privkey_get_spki1424286 -+Ref: gnutls_x509_privkey_import1424821 -+Ref: gnutls_x509_privkey_import21425616 -+Ref: gnutls_x509_privkey_import_dsa_raw1426689 -+Ref: gnutls_x509_privkey_import_ecc_raw1427421 -+Ref: gnutls_x509_privkey_import_gost_raw1428237 -+Ref: gnutls_x509_privkey_import_openssl1429513 -+Ref: gnutls_x509_privkey_import_pkcs81430387 -+Ref: gnutls_x509_privkey_import_rsa_raw1431834 -+Ref: gnutls_x509_privkey_import_rsa_raw21432688 -+Ref: gnutls_x509_privkey_init1433684 -+Ref: gnutls_x509_privkey_sec_param1434029 -+Ref: gnutls_x509_privkey_set_flags1434448 -+Ref: gnutls_x509_privkey_set_pin_function1434998 -+Ref: gnutls_x509_privkey_set_spki1435616 -+Ref: gnutls_x509_privkey_sign_data1436163 -+Ref: gnutls_x509_privkey_verify_params1437384 -+Ref: gnutls_x509_privkey_verify_seed1437720 -+Ref: gnutls_x509_rdn_get1438549 -+Ref: gnutls_x509_rdn_get21439367 -+Ref: gnutls_x509_rdn_get_by_oid1440275 -+Ref: gnutls_x509_rdn_get_oid1441257 -+Ref: gnutls_x509_spki_deinit1442002 -+Ref: gnutls_x509_spki_get_rsa_pss_params1442284 -+Ref: gnutls_x509_spki_init1442845 -+Ref: gnutls_x509_spki_set_rsa_pss_params1443361 -+Ref: gnutls_x509_tlsfeatures_add1443874 -+Ref: gnutls_x509_tlsfeatures_check_crt1444330 -+Ref: gnutls_x509_tlsfeatures_deinit1444930 -+Ref: gnutls_x509_tlsfeatures_get1445208 -+Ref: gnutls_x509_tlsfeatures_init1445768 -+Ref: gnutls_x509_trust_list_add_cas1446153 -+Ref: gnutls_x509_trust_list_add_crls1447338 -+Ref: gnutls_x509_trust_list_add_named_crt1448716 -+Ref: gnutls_x509_trust_list_add_system_trust1449931 -+Ref: gnutls_x509_trust_list_add_trust_dir1450693 -+Ref: gnutls_x509_trust_list_add_trust_file1451556 -+Ref: gnutls_x509_trust_list_add_trust_mem1452703 -+Ref: gnutls_x509_trust_list_deinit1453622 -+Ref: gnutls_x509_trust_list_get_issuer1454248 -+Ref: gnutls_x509_trust_list_get_issuer_by_dn1455298 -+Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1456027 -+Ref: gnutls_x509_trust_list_get_ptr1456835 -+Ref: gnutls_x509_trust_list_init1457348 -+Ref: gnutls_x509_trust_list_iter_deinit1457853 -+Ref: gnutls_x509_trust_list_iter_get_ca1458162 -+Ref: gnutls_x509_trust_list_remove_cas1459342 -+Ref: gnutls_x509_trust_list_remove_trust_file1460197 -+Ref: gnutls_x509_trust_list_remove_trust_mem1460898 -+Ref: gnutls_x509_trust_list_set_getissuer_function1461556 -+Ref: gnutls_x509_trust_list_set_ptr1463189 -+Ref: gnutls_x509_trust_list_verify_crt1463727 -+Ref: gnutls_x509_trust_list_verify_crt21464890 -+Ref: gnutls_x509_trust_list_verify_named_crt1467824 -+Node: PKCS 7 API1470552 -+Ref: gnutls_pkcs7_add_attr1470848 -+Ref: gnutls_pkcs7_attrs_deinit1471654 -+Ref: gnutls_pkcs7_deinit1471889 -+Ref: gnutls_pkcs7_delete_crl1472094 -+Ref: gnutls_pkcs7_delete_crt1472523 -+Ref: gnutls_pkcs7_export1472969 -+Ref: gnutls_pkcs7_export21473869 -+Ref: gnutls_pkcs7_get_attr1474530 -+Ref: gnutls_pkcs7_get_crl_count1475417 -+Ref: gnutls_pkcs7_get_crl_raw1475765 -+Ref: gnutls_pkcs7_get_crl_raw21476540 -+Ref: gnutls_pkcs7_get_crt_count1477171 -+Ref: gnutls_pkcs7_get_crt_raw1477546 -+Ref: gnutls_pkcs7_get_crt_raw21478446 -+Ref: gnutls_pkcs7_get_embedded_data1479300 -+Ref: gnutls_pkcs7_get_embedded_data_oid1480300 -+Ref: gnutls_pkcs7_get_signature_count1480860 -+Ref: gnutls_pkcs7_get_signature_info1481267 -+Ref: gnutls_pkcs7_import1481940 -+Ref: gnutls_pkcs7_init1482561 -+Ref: gnutls_pkcs7_print1482985 -+Ref: gnutls_pkcs7_print_signature_info1483730 -+Ref: gnutls_pkcs7_set_crl1484535 -+Ref: gnutls_pkcs7_set_crl_raw1484936 -+Ref: gnutls_pkcs7_set_crt1485326 -+Ref: gnutls_pkcs7_set_crt_raw1485810 -+Ref: gnutls_pkcs7_sign1486223 -+Ref: gnutls_pkcs7_signature_info_deinit1487662 -+Ref: gnutls_pkcs7_verify1488015 -+Ref: gnutls_pkcs7_verify_direct1489180 -+Node: OCSP API1490640 -+Ref: gnutls_ocsp_req_add_cert1490924 -+Ref: gnutls_ocsp_req_add_cert_id1491884 -+Ref: gnutls_ocsp_req_deinit1493204 -+Ref: gnutls_ocsp_req_export1493421 -+Ref: gnutls_ocsp_req_get_cert_id1493846 -+Ref: gnutls_ocsp_req_get_extension1495438 -+Ref: gnutls_ocsp_req_get_nonce1496854 -+Ref: gnutls_ocsp_req_get_version1497508 -+Ref: gnutls_ocsp_req_import1497895 -+Ref: gnutls_ocsp_req_init1498391 -+Ref: gnutls_ocsp_req_print1498719 -+Ref: gnutls_ocsp_req_randomize_nonce1499455 -+Ref: gnutls_ocsp_req_set_extension1499888 -+Ref: gnutls_ocsp_req_set_nonce1500572 -+Ref: gnutls_ocsp_resp_check_crt1501159 -+Ref: gnutls_ocsp_resp_deinit1501743 -+Ref: gnutls_ocsp_resp_export1501967 -+Ref: gnutls_ocsp_resp_export21502393 -+Ref: gnutls_ocsp_resp_get_certs1502913 -+Ref: gnutls_ocsp_resp_get_extension1504038 -+Ref: gnutls_ocsp_resp_get_nonce1505462 -+Ref: gnutls_ocsp_resp_get_produced1506128 -+Ref: gnutls_ocsp_resp_get_responder1506475 -+Ref: gnutls_ocsp_resp_get_responder21507580 -+Ref: gnutls_ocsp_resp_get_responder_raw_id1508843 -+Ref: gnutls_ocsp_resp_get_response1509674 -+Ref: gnutls_ocsp_resp_get_signature1510900 -+Ref: gnutls_ocsp_resp_get_signature_algorithm1511389 -+Ref: gnutls_ocsp_resp_get_single1511867 -+Ref: gnutls_ocsp_resp_get_status1513809 -+Ref: gnutls_ocsp_resp_get_version1514238 -+Ref: gnutls_ocsp_resp_import1514646 -+Ref: gnutls_ocsp_resp_import21515214 -+Ref: gnutls_ocsp_resp_init1515842 -+Ref: gnutls_ocsp_resp_list_import21516191 -+Ref: gnutls_ocsp_resp_print1517382 -+Ref: gnutls_ocsp_resp_verify1518108 -+Ref: gnutls_ocsp_resp_verify_direct1519725 -+Node: PKCS 12 API1522158 -+Ref: gnutls_pkcs12_bag_decrypt1522448 -+Ref: gnutls_pkcs12_bag_deinit1522880 -+Ref: gnutls_pkcs12_bag_enc_info1523118 -+Ref: gnutls_pkcs12_bag_encrypt1524491 -+Ref: gnutls_pkcs12_bag_get_count1524996 -+Ref: gnutls_pkcs12_bag_get_data1525307 -+Ref: gnutls_pkcs12_bag_get_friendly_name1525913 -+Ref: gnutls_pkcs12_bag_get_key_id1526550 -+Ref: gnutls_pkcs12_bag_get_type1527169 -+Ref: gnutls_pkcs12_bag_init1527539 -+Ref: gnutls_pkcs12_bag_set_crl1527997 -+Ref: gnutls_pkcs12_bag_set_crt1528430 -+Ref: gnutls_pkcs12_bag_set_data1528876 -+Ref: gnutls_pkcs12_bag_set_friendly_name1529347 -+Ref: gnutls_pkcs12_bag_set_key_id1530031 -+Ref: gnutls_pkcs12_bag_set_privkey1530705 -+Ref: gnutls_pkcs12_deinit1531361 -+Ref: gnutls_pkcs12_export1531563 -+Ref: gnutls_pkcs12_export21532470 -+Ref: gnutls_pkcs12_generate_mac1533146 -+Ref: gnutls_pkcs12_generate_mac21533537 -+Ref: gnutls_pkcs12_get_bag1533981 -+Ref: gnutls_pkcs12_import1534567 -+Ref: gnutls_pkcs12_init1535288 -+Ref: gnutls_pkcs12_mac_info1535721 -+Ref: gnutls_pkcs12_set_bag1537030 -+Ref: gnutls_pkcs12_simple_parse1537436 -+Ref: gnutls_pkcs12_verify_mac1540117 -+Node: PKCS 11 API1540473 -+Ref: gnutls_pkcs11_add_provider1540802 -+Ref: gnutls_pkcs11_copy_attached_extension1541547 -+Ref: gnutls_pkcs11_copy_pubkey1542406 -+Ref: gnutls_pkcs11_copy_secret_key1543439 -+Ref: gnutls_pkcs11_copy_x509_crt1544164 -+Ref: gnutls_pkcs11_copy_x509_crt21544812 -+Ref: gnutls_pkcs11_copy_x509_privkey1545780 -+Ref: gnutls_pkcs11_copy_x509_privkey21546597 -+Ref: gnutls_pkcs11_crt_is_known1547542 -+Ref: gnutls_pkcs11_deinit1548678 -+Ref: gnutls_pkcs11_delete_url1548995 -+Ref: gnutls_pkcs11_get_pin_function1549511 -+Ref: gnutls_pkcs11_get_raw_issuer1549894 -+Ref: gnutls_pkcs11_get_raw_issuer_by_dn1550804 -+Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1551843 -+Ref: gnutls_pkcs11_init1552954 -+Ref: gnutls_pkcs11_obj_deinit1553996 -+Ref: gnutls_pkcs11_obj_export1554242 -+Ref: gnutls_pkcs11_obj_export21555087 -+Ref: gnutls_pkcs11_obj_export31555684 -+Ref: gnutls_pkcs11_obj_export_url1556357 -+Ref: gnutls_pkcs11_obj_flags_get_str1556884 -+Ref: gnutls_pkcs11_obj_get_exts1557363 -+Ref: gnutls_pkcs11_obj_get_flags1558299 -+Ref: gnutls_pkcs11_obj_get_info1558836 -+Ref: gnutls_pkcs11_obj_get_ptr1560100 -+Ref: gnutls_pkcs11_obj_get_type1561009 -+Ref: gnutls_pkcs11_obj_import_url1561359 -+Ref: gnutls_pkcs11_obj_init1562279 -+Ref: gnutls_pkcs11_obj_list_import_url31562664 -+Ref: gnutls_pkcs11_obj_list_import_url41564605 -+Ref: gnutls_pkcs11_obj_set_info1566281 -+Ref: gnutls_pkcs11_obj_set_pin_function1567060 -+Ref: gnutls_pkcs11_privkey_cpy1567571 -+Ref: gnutls_pkcs11_privkey_deinit1568072 -+Ref: gnutls_pkcs11_privkey_export_pubkey1568335 -+Ref: gnutls_pkcs11_privkey_export_url1569139 -+Ref: gnutls_pkcs11_privkey_generate1569649 -+Ref: gnutls_pkcs11_privkey_generate21570321 -+Ref: gnutls_pkcs11_privkey_generate31571551 -+Ref: gnutls_pkcs11_privkey_get_info1573061 -+Ref: gnutls_pkcs11_privkey_get_pk_algorithm1573943 -+Ref: gnutls_pkcs11_privkey_import_url1574474 -+Ref: gnutls_pkcs11_privkey_init1575175 -+Ref: gnutls_pkcs11_privkey_set_pin_function1575890 -+Ref: gnutls_pkcs11_privkey_status1576410 -+Ref: gnutls_pkcs11_reinit1576786 -+Ref: gnutls_pkcs11_set_pin_function1577346 -+Ref: gnutls_pkcs11_set_token_function1577836 -+Ref: gnutls_pkcs11_token_check_mechanism1578254 -+Ref: gnutls_pkcs11_token_get_flags1579011 -+Ref: gnutls_pkcs11_token_get_info1579553 -+Ref: gnutls_pkcs11_token_get_mechanism1580576 -+Ref: gnutls_pkcs11_token_get_ptr1581189 -+Ref: gnutls_pkcs11_token_get_random1581888 -+Ref: gnutls_pkcs11_token_get_url1582519 -+Ref: gnutls_pkcs11_token_init1583187 -+Ref: gnutls_pkcs11_token_set_pin1583825 -+Ref: gnutls_pkcs11_type_get_name1584665 -+Ref: gnutls_x509_crt_import_pkcs111585154 -+Ref: gnutls_x509_crt_list_import_pkcs111585676 -+Node: TPM API1586285 -+Ref: gnutls_tpm_get_registered1586564 -+Ref: gnutls_tpm_key_list_deinit1586957 -+Ref: gnutls_tpm_key_list_get_url1587225 -+Ref: gnutls_tpm_privkey_delete1587878 -+Ref: gnutls_tpm_privkey_generate1588316 -+Node: Abstract key API1589666 -+Ref: gnutls_certificate_set_key1589987 -+Ref: gnutls_certificate_set_retrieve_function21592123 -+Ref: gnutls_certificate_set_retrieve_function31594373 -+Ref: gnutls_pcert_deinit1597233 -+Ref: gnutls_pcert_export_openpgp1597478 -+Ref: gnutls_pcert_export_x5091597827 -+Ref: gnutls_pcert_import_openpgp1598477 -+Ref: gnutls_pcert_import_openpgp_raw1598876 -+Ref: gnutls_pcert_import_rawpk1599445 -+Ref: gnutls_pcert_import_rawpk_raw1600298 -+Ref: gnutls_pcert_import_x5091601547 -+Ref: gnutls_pcert_import_x509_list1602144 -+Ref: gnutls_pcert_import_x509_raw1603334 -+Ref: gnutls_pcert_list_import_x509_file1604040 -+Ref: gnutls_pcert_list_import_x509_raw1605472 -+Ref: gnutls_privkey_decrypt_data1606806 -+Ref: gnutls_privkey_decrypt_data21607454 -+Ref: gnutls_privkey_deinit1608279 -+Ref: gnutls_privkey_export_dsa_raw1608528 -+Ref: gnutls_privkey_export_dsa_raw21609258 -+Ref: gnutls_privkey_export_ecc_raw1610064 -+Ref: gnutls_privkey_export_ecc_raw21610926 -+Ref: gnutls_privkey_export_gost_raw21611868 -+Ref: gnutls_privkey_export_openpgp1613002 -+Ref: gnutls_privkey_export_pkcs111613354 -+Ref: gnutls_privkey_export_rsa_raw1613966 -+Ref: gnutls_privkey_export_rsa_raw21614997 -+Ref: gnutls_privkey_export_x5091616043 -+Ref: gnutls_privkey_generate1616691 -+Ref: gnutls_privkey_generate21618182 -+Ref: gnutls_privkey_get_pk_algorithm1620310 -+Ref: gnutls_privkey_get_seed1620924 -+Ref: gnutls_privkey_get_spki1621723 -+Ref: gnutls_privkey_get_type1622303 -+Ref: gnutls_privkey_import_dsa_raw1622792 -+Ref: gnutls_privkey_import_ecc_raw1623504 -+Ref: gnutls_privkey_import_ext1624317 -+Ref: gnutls_privkey_import_ext21625467 -+Ref: gnutls_privkey_import_ext31626824 -+Ref: gnutls_privkey_import_ext41628438 -+Ref: gnutls_privkey_import_gost_raw1631198 -+Ref: gnutls_privkey_import_openpgp1632406 -+Ref: gnutls_privkey_import_openpgp_raw1632815 -+Ref: gnutls_privkey_import_pkcs111633404 -+Ref: gnutls_privkey_import_pkcs11_url1634162 -+Ref: gnutls_privkey_import_rsa_raw1634611 -+Ref: gnutls_privkey_import_tpm_raw1635607 -+Ref: gnutls_privkey_import_tpm_url1636474 -+Ref: gnutls_privkey_import_url1637577 -+Ref: gnutls_privkey_import_x5091638124 -+Ref: gnutls_privkey_import_x509_raw1638872 -+Ref: gnutls_privkey_init1639651 -+Ref: gnutls_privkey_set_flags1640569 -+Ref: gnutls_privkey_set_pin_function1641094 -+Ref: gnutls_privkey_set_spki1641664 -+Ref: gnutls_privkey_sign_data1642237 -+Ref: gnutls_privkey_sign_data21643257 -+Ref: gnutls_privkey_sign_hash1644155 -+Ref: gnutls_privkey_sign_hash21645592 -+Ref: gnutls_privkey_status1646858 -+Ref: gnutls_privkey_verify_params1647402 -+Ref: gnutls_privkey_verify_seed1647764 -+Ref: gnutls_pubkey_deinit1648476 -+Ref: gnutls_pubkey_encrypt_data1648716 -+Ref: gnutls_pubkey_export1649358 -+Ref: gnutls_pubkey_export21650372 -+Ref: gnutls_pubkey_export_dsa_raw1651145 -+Ref: gnutls_pubkey_export_dsa_raw21651957 -+Ref: gnutls_pubkey_export_ecc_raw1652841 -+Ref: gnutls_pubkey_export_ecc_raw21653740 -+Ref: gnutls_pubkey_export_ecc_x9621654719 -+Ref: gnutls_pubkey_export_gost_raw21655378 -+Ref: gnutls_pubkey_export_rsa_raw1656522 -+Ref: gnutls_pubkey_export_rsa_raw21657219 -+Ref: gnutls_pubkey_get_key_id1657980 -+Ref: gnutls_pubkey_get_key_usage1659005 -+Ref: gnutls_pubkey_get_openpgp_key_id1659502 -+Ref: gnutls_pubkey_get_pk_algorithm1660141 -+Ref: gnutls_pubkey_get_preferred_hash_algorithm1660789 -+Ref: gnutls_pubkey_get_spki1661730 -+Ref: gnutls_pubkey_import1662298 -+Ref: gnutls_pubkey_import_dsa_raw1662982 -+Ref: gnutls_pubkey_import_ecc_raw1663643 -+Ref: gnutls_pubkey_import_ecc_x9621664411 -+Ref: gnutls_pubkey_import_gost_raw1665047 -+Ref: gnutls_pubkey_import_openpgp1666194 -+Ref: gnutls_pubkey_import_openpgp_raw1666586 -+Ref: gnutls_pubkey_import_pkcs111667155 -+Ref: gnutls_pubkey_import_privkey1667697 -+Ref: gnutls_pubkey_import_rsa_raw1668399 -+Ref: gnutls_pubkey_import_tpm_raw1668923 -+Ref: gnutls_pubkey_import_tpm_url1669700 -+Ref: gnutls_pubkey_import_url1670592 -+Ref: gnutls_pubkey_import_x5091671065 -+Ref: gnutls_pubkey_import_x509_crq1671565 -+Ref: gnutls_pubkey_import_x509_raw1672068 -+Ref: gnutls_pubkey_init1672645 -+Ref: gnutls_pubkey_print1672974 -+Ref: gnutls_pubkey_set_key_usage1673708 -+Ref: gnutls_pubkey_set_pin_function1674277 -+Ref: gnutls_pubkey_set_spki1674842 -+Ref: gnutls_pubkey_verify_data21675413 -+Ref: gnutls_pubkey_verify_hash21676321 -+Ref: gnutls_pubkey_verify_params1677445 -+Ref: gnutls_register_custom_url1677803 -+Ref: gnutls_system_key_add_x5091678741 -+Ref: gnutls_system_key_delete1679486 -+Ref: gnutls_system_key_iter_deinit1679910 -+Ref: gnutls_system_key_iter_get_info1680178 -+Ref: gnutls_x509_crl_privkey_sign1681452 -+Ref: gnutls_x509_crq_privkey_sign1682721 -+Ref: gnutls_x509_crq_set_pubkey1684083 -+Ref: gnutls_x509_crt_privkey_sign1684591 -+Ref: gnutls_x509_crt_set_pubkey1685834 -+Node: Socket specific API1686287 -+Ref: gnutls_transport_set_fastopen1686580 -+Node: DANE API1688126 -+Ref: dane_cert_type_name1688500 -+Ref: dane_cert_usage_name1688790 -+Ref: dane_match_type_name1689102 -+Ref: dane_query_data1689385 -+Ref: dane_query_deinit1690064 -+Ref: dane_query_entries1690269 -+Ref: dane_query_status1690511 -+Ref: dane_query_tlsa1690805 -+Ref: dane_query_to_raw_tlsa1691396 -+Ref: dane_raw_tlsa1692738 -+Ref: dane_state_deinit1693815 -+Ref: dane_state_init1694007 -+Ref: dane_state_set_dlv_file1694521 -+Ref: dane_strerror1694822 -+Ref: dane_verification_status_print1695321 -+Ref: dane_verify_crt1695915 -+Ref: dane_verify_crt_raw1698102 -+Ref: dane_verify_session_crt1699335 -+Node: Cryptographic API1700737 -+Ref: gnutls_aead_cipher_decrypt1701238 -+Ref: gnutls_aead_cipher_decryptv21702617 -+Ref: gnutls_aead_cipher_deinit1703542 -+Ref: gnutls_aead_cipher_encrypt1703870 -+Ref: gnutls_aead_cipher_encryptv1704979 -+Ref: gnutls_aead_cipher_encryptv21706127 -+Ref: gnutls_aead_cipher_init1707055 -+Ref: gnutls_cipher_add_auth1707721 -+Ref: gnutls_cipher_decrypt1708301 -+Ref: gnutls_cipher_decrypt21708925 -+Ref: gnutls_cipher_deinit1709851 -+Ref: gnutls_cipher_encrypt1710130 -+Ref: gnutls_cipher_encrypt21710590 -+Ref: gnutls_cipher_get_block_size1711367 -+Ref: gnutls_cipher_get_iv_size1711647 -+Ref: gnutls_cipher_get_tag_size1712129 -+Ref: gnutls_cipher_init1712535 -+Ref: gnutls_cipher_set_iv1713265 -+Ref: gnutls_cipher_tag1713610 -+Ref: gnutls_crypto_register_aead_cipher1714112 -+Ref: gnutls_crypto_register_cipher1715716 -+Ref: gnutls_crypto_register_digest1717497 -+Ref: gnutls_crypto_register_mac1718721 -+Ref: gnutls_decode_ber_digest_info1720149 -+Ref: gnutls_decode_gost_rs_value1720948 -+Ref: gnutls_decode_rs_value1721748 -+Ref: gnutls_encode_ber_digest_info1722533 -+Ref: gnutls_encode_gost_rs_value1723177 -+Ref: gnutls_encode_rs_value1723923 -+Ref: gnutls_hash1724543 -+Ref: gnutls_hash_copy1724974 -+Ref: gnutls_hash_deinit1725491 -+Ref: gnutls_hash_fast1725819 -+Ref: gnutls_hash_get_len1726336 -+Ref: gnutls_hash_init1726669 -+Ref: gnutls_hash_output1727205 -+Ref: gnutls_hkdf_expand1727537 -+Ref: gnutls_hkdf_extract1728240 -+Ref: gnutls_hmac1728783 -+Ref: gnutls_hmac_copy1729214 -+Ref: gnutls_hmac_deinit1729695 -+Ref: gnutls_hmac_fast1730022 -+Ref: gnutls_hmac_get_key_size1730746 -+Ref: gnutls_hmac_get_len1731207 -+Ref: gnutls_hmac_init1731537 -+Ref: gnutls_hmac_output1732320 -+Ref: gnutls_hmac_set_nonce1732655 -+Ref: gnutls_mac_get_nonce_size1733022 -+Ref: gnutls_pbkdf21733338 -+Ref: gnutls_rnd1733971 -+Ref: gnutls_rnd_refresh1734609 -+Node: Compatibility API1734895 -+Ref: gnutls_compression_get1735237 -+Ref: gnutls_compression_get_id1735589 -+Ref: gnutls_compression_get_name1735953 -+Ref: gnutls_compression_list1736335 -+Ref: gnutls_global_set_mem_functions1736667 -+Ref: gnutls_openpgp_privkey_sign_hash1738042 -+Ref: gnutls_priority_compression_list1738471 -+Ref: gnutls_x509_crt_get_preferred_hash_algorithm1738923 -+Ref: gnutls_x509_privkey_sign_hash1739804 -+Node: Copying Information1740674 -+Node: Bibliography1765851 -+Ref: CBCATT1765990 -+Ref: GPGH1766168 -+Ref: GUTPKI1766291 -+Ref: PRNGATTACKS1766466 -+Ref: KEYPIN1766666 -+Ref: NISTSP800571766841 -+Ref: RFC74131767089 -+Ref: RFC79181767256 -+Ref: RFC61251767433 -+Ref: RFC76851767774 -+Ref: RFC76131767949 -+Ref: RFC22461768197 -+Ref: RFC60831768358 -+Ref: RFC44181768595 -+Ref: RFC46801768762 -+Ref: RFC76331768920 -+Ref: RFC79191769092 -+Ref: RFC45141769296 -+Ref: RFC43461769500 -+Ref: RFC43471769650 -+Ref: RFC52461769817 -+Ref: RFC24401769968 -+Ref: RFC48801770150 -+Ref: RFC42111770344 -+Ref: RFC28171770538 -+Ref: RFC28181770691 -+Ref: RFC29451770805 -+Ref: RFC73011770955 -+Ref: RFC29861771175 -+Ref: PKIX1771364 -+Ref: RFC37491771627 -+Ref: RFC38201771793 -+Ref: RFC65201772036 -+Ref: RFC57461772275 -+Ref: RFC52801772484 -+Ref: TLSTKT1772751 -+Ref: PKCS121772983 -+Ref: PKCS111773124 -+Ref: RESCORLA1773270 -+Ref: SELKEY1773366 -+Ref: SSL31773525 -+Ref: STEVENS1773716 -+Ref: TLSEXT1773824 -+Ref: TLSPGP1774041 -+Ref: TLSSRP1774206 -+Ref: TLSPSK1774403 -+Ref: TOMSRP1774572 -+Ref: WEGER1774685 -+Ref: ECRYPT1774877 -+Ref: RFC50561775082 -+Ref: RFC57641775235 -+Ref: RFC59291775523 -+Ref: PKCS11URI1775666 -+Ref: TPMURI1775802 -+Ref: ANDERSON1775996 -+Ref: RFC48211776142 -+Ref: RFC25601776295 -+Ref: RIVESTCRL1776489 -+Node: Function and Data Index1776850 -+Node: Concept Index1903361 -  - End Tag Table - -diff -ruN gnutls-3.7.2/doc/gnutls.info-1 gnutls-3.7.2-bootstrapped/doc/gnutls.info-1 ---- gnutls-3.7.2/doc/gnutls.info-1 2021-05-29 10:19:34.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-1 2021-06-28 09:39:56.000000000 +0200 -@@ -7426,6 +7426,12 @@ - to a token. Must be combined with one of -load-privkey, -load-pubkey, - -load-certificate option. - -+When writing a certificate object, its CKA_ID is set to the same CKA_ID -+of the corresponding public key, if it exists on the token; otherwise it -+will be derived from the X.509 Subject Key Identifier of the -+certificate. If this behavior is undesired, write the public key to the -+token beforehand. -+ - id option. - .......... - -diff -ruN gnutls-3.7.2/doc/gnutls.info-3 gnutls-3.7.2-bootstrapped/doc/gnutls.info-3 ---- gnutls-3.7.2/doc/gnutls.info-3 2021-05-29 10:19:36.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-3 2021-06-28 09:39:58.000000000 +0200 -@@ -1350,6 +1350,7 @@ - * 'insecure-hash': to mark the hash algorithm as insecure for digital - signature use (provides a more generic way to disable digital - signatures for broken hash algorithms). -+ * 'disabled-curve': to disable the specified elliptic curve. - * 'disabled-version': to disable the specified TLS versions. - * 'tls-disabled-cipher': to disable the specified ciphers for use in - the TLS or DTLS protocols. -@@ -1362,12 +1363,54 @@ - earlier). - - Each of the options can be repeated multiple times when multiple values --need to be disabled. -+need to be disabled or enabled. - - The valid values for the options above can be found in the 'Protocols', - 'Digests' 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of - the output of 'gnutls-cli --list'. - -+Sometimes the system administrator wants to enable only specific -+algorithms, despite the library defaults. GnuTLS provides an -+alternative mode of overriding: allowlisting. -+ -+In the allowlisting mode, all the algorithms are initially marked as -+insecure or disabled, and shall be explicitly turned on by the options -+in the '[overrides]' section. Those options are mutually exclusive to -+the above ones for the blocklisting mode (the default) -+ * 'secure-sig-for-cert': to mark the signature algorithm as secure -+ when used in certificates. -+ * 'secure-sig': to mark the signature algorithm as secure for any -+ use. -+ * 'secure-hash': to mark the hash algorithm as secure for digital -+ signature use (provides a more generic way to enable digital -+ signatures for broken hash algorithms). -+ * 'enabled-curve': to enable the specified elliptic curve. -+ * 'enabled-version': to enable the specified TLS versions. -+ * 'tls-enabled-cipher': to enable the specified ciphers for use in -+ the TLS or DTLS protocols. -+ * 'tls-enabled-mac': to enable the specified MAC algorithms for use -+ in the TLS or DTLS protocols. -+ * 'tls-enabled-group': to enable the specified group for use in the -+ TLS or DTLS protocols. -+ * 'tls-enabled-kx': to enable the specified key exchange algorithms -+ for use in the TLS or DTLS protocols (applies to TLS1.2 or -+ earlier). -+ -+The allowlisting mode can be enabled by adding 'override-mode = -+allowlist' in the '[global]' section. -+ -+When the allowlisting mode is in effect, it is also possible for the -+applications to modify the setting through the API. -+ -+'INT *note gnutls_ecc_curve_mark_enabled:: (gnutls_ecc_curve_t CURVE)' -+'INT *note gnutls_sign_mark_secure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)' -+'INT *note gnutls_digest_mark_secure:: (gnutls_digest_algorithm_t DIG)' -+'INT *note gnutls_protocol_mark_enabled:: (gnutls_protocol_t VERSION)' -+'INT *note gnutls_ecc_curve_mark_disabled:: (gnutls_ecc_curve_t CURVE)' -+'INT *note gnutls_sign_mark_insecure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)' -+'INT *note gnutls_digest_mark_insecure:: (gnutls_digest_algorithm_t DIG)' -+'INT *note gnutls_protocol_mark_disabled:: (gnutls_protocol_t VERSION)' -+ - 8.2.1 Examples - -------------- - -@@ -1396,6 +1439,17 @@ - tls-disabled-mac = sha1 - tls-disabled-group = group-ffdhe8192 - -+The following example demonstrates the use of the allowlisting mode. It -+disables all the signature algorithms but 'RSA-SHA256'. Note that the -+hash algorithm 'SHA256' also needs to be explicitly enabled. -+ -+ [global] -+ override-mode = allowlist -+ -+ [overrides] -+ secure-hash = sha256 -+ secure-sig = rsa-sha256 -+ -  - File: gnutls.info, Node: Querying for disabled algorithms and protocols, Next: Overriding the parameter verification profile, Prev: Disabling algorithms and protocols, Up: System-wide configuration of the library - -@@ -8538,6 +8592,31 @@ - 'gnutls_digest_algorithm_t' integers indicating the available - digests. - -+gnutls_digest_mark_insecure -+--------------------------- -+ -+ -- Function: int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t -+ DIG) -+ DIG: is a digest algorithm -+ -+ Mark 'dig' as insecure system wide. This only works if the -+ allowlisting mode is used in the configuration file. -+ -+ *Since:* 3.7.3 -+ -+gnutls_digest_mark_secure -+------------------------- -+ -+ -- Function: int gnutls_digest_mark_secure (gnutls_digest_algorithm_t -+ DIG) -+ DIG: is a digest algorithm -+ -+ Invalidate previous system wide setting that marked 'dig' as -+ insecure. This only works if the allowlisting mode is used in the -+ configuration file. -+ -+ *Since:* 3.7.3 -+ - gnutls_early_cipher_get - ----------------------- - -@@ -8657,6 +8736,37 @@ - *Returns:* Return a (0)-terminated list of 'gnutls_ecc_curve_t' - integers indicating the available curves. - -+gnutls_ecc_curve_mark_disabled -+------------------------------ -+ -+ -- Function: int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t -+ CURVE) -+ CURVE: is an ECC curve -+ -+ Mark 'curve' as disabled system wide. This setting can be reverted -+ with 'gnutls_ecc_curve_mark_enabled()' . This only works if the -+ configuration file uses the allowlisting mode. -+ -+ *Returns:* 0 on success or negative error code otherwise. -+ -+ *Since:* 3.7.3 -+ -+gnutls_ecc_curve_mark_enabled -+----------------------------- -+ -+ -- Function: int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t -+ CURVE) -+ CURVE: is an ECC curve -+ -+ Invalidate previous system wide setting that marked 'curve' as -+ disabled. This only works if the curve is disabled with -+ 'gnutls_ecc_curve_mark_disabled()' or through the allowlisting mode -+ in the configuration file. -+ -+ *Returns:* 0 on success or negative error code otherwise. -+ -+ *Since:* 3.7.3 -+ - gnutls_error_is_fatal - --------------------- - -@@ -11047,6 +11157,27 @@ - *Returns:* a (0)-terminated list of 'gnutls_protocol_t' integers - indicating the available protocols. - -+gnutls_protocol_mark_disabled -+----------------------------- -+ -+ -- Function: int gnutls_protocol_mark_disabled (gnutls_protocol_t -+ VERSION) -+ VERSION: is a (gnutls) version number -+ -+ Mark 'version' as disabled system wide. This only works if the -+ allowlisting mode is used in the configuration file. -+ -+gnutls_protocol_mark_enabled -+---------------------------- -+ -+ -- Function: int gnutls_protocol_mark_enabled (gnutls_protocol_t -+ VERSION) -+ VERSION: is a (gnutls) version number -+ -+ Invalidate previous system wide setting that marked 'version' as -+ disabled. This only works if the allowlisting mode is used in the -+ configuration file. -+ - gnutls_psk_allocate_client_credentials - -------------------------------------- - -@@ -13235,6 +13366,45 @@ - *Returns:* a (0)-terminated list of 'gnutls_sign_algorithm_t' - integers indicating the available ciphers. - -+gnutls_sign_mark_insecure -+------------------------- -+ -+ -- Function: int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t -+ SIGN, unsigned FLAGS) -+ SIGN: the sign algorithm -+ -+ FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0 -+ -+ Mark 'sign' as insecure system wide. This only works if the -+ allowlisting mode is used in the configuration file. -+ -+ If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, and the -+ algorithm was previously considered secure for all purposes, it -+ only marks the algorithm as insecure for the use with certificates. -+ -+ *Since:* 3.7.3 -+ -+gnutls_sign_mark_secure -+----------------------- -+ -+ -- Function: int gnutls_sign_mark_secure (gnutls_sign_algorithm_t SIGN, -+ unsigned FLAGS) -+ SIGN: the sign algorithm -+ -+ FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0 -+ -+ Invalidate previous system wide setting that marked 'sign' as -+ insecure. This only works if the algorithm is marked as insecure -+ with 'gnutls_sign_mark_insecure()' or through the allowlisting mode -+ in the configuration file. -+ -+ If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, it -+ marks it the algorithm as secure for all purposes. If the absence -+ of this flag, it will mark it as "secure, but not for certificates" -+ at most, but it won't restrict anything either. -+ -+ *Since:* 3.7.3 -+ - gnutls_sign_supports_pk_algorithm - --------------------------------- - -diff -ruN gnutls-3.7.2/doc/gnutls.info-6 gnutls-3.7.2-bootstrapped/doc/gnutls.info-6 ---- gnutls-3.7.2/doc/gnutls.info-6 2021-05-29 10:19:38.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-6 2021-06-28 09:40:00.000000000 +0200 -@@ -7847,6 +7847,8 @@ - * gnutls_digest_get_name: Core TLS API. (line 3005) - * gnutls_digest_get_oid: Core TLS API. (line 3017) - * gnutls_digest_list: Core TLS API. (line 3032) -+* gnutls_digest_mark_insecure: Core TLS API. (line 3046) -+* gnutls_digest_mark_secure: Core TLS API. (line 3058) - * gnutls_dtls_cookie_send: Datagram TLS API. (line 11) - * gnutls_dtls_cookie_verify: Datagram TLS API. (line 45) - * gnutls_dtls_get_data_mtu: Datagram TLS API. (line 74) -@@ -7858,71 +7860,73 @@ - * gnutls_dtls_set_data_mtu: Datagram TLS API. (line 139) - * gnutls_dtls_set_mtu: Datagram TLS API. (line 165) - * gnutls_dtls_set_timeouts: Datagram TLS API. (line 182) --* gnutls_early_cipher_get: Core TLS API. (line 3046) --* gnutls_early_prf_hash_get: Core TLS API. (line 3060) --* gnutls_ecc_curve_get: Core TLS API. (line 3075) --* gnutls_ecc_curve_get_id: Core TLS API. (line 3089) --* gnutls_ecc_curve_get_name: Core TLS API. (line 3103) --* gnutls_ecc_curve_get_oid: Core TLS API. (line 3117) --* gnutls_ecc_curve_get_pk: Core TLS API. (line 3131) --* gnutls_ecc_curve_get_size: Core TLS API. (line 3143) --* gnutls_ecc_curve_list: Core TLS API. (line 3153) -+* gnutls_early_cipher_get: Core TLS API. (line 3071) -+* gnutls_early_prf_hash_get: Core TLS API. (line 3085) -+* gnutls_ecc_curve_get: Core TLS API. (line 3100) -+* gnutls_ecc_curve_get_id: Core TLS API. (line 3114) -+* gnutls_ecc_curve_get_name: Core TLS API. (line 3128) -+* gnutls_ecc_curve_get_oid: Core TLS API. (line 3142) -+* gnutls_ecc_curve_get_pk: Core TLS API. (line 3156) -+* gnutls_ecc_curve_get_size: Core TLS API. (line 3168) -+* gnutls_ecc_curve_list: Core TLS API. (line 3178) -+* gnutls_ecc_curve_mark_disabled: Core TLS API. (line 3190) -+* gnutls_ecc_curve_mark_enabled: Core TLS API. (line 3205) - * gnutls_encode_ber_digest_info: Cryptographic API. (line 689) - * gnutls_encode_gost_rs_value: Cryptographic API. (line 709) - * gnutls_encode_rs_value: Cryptographic API. (line 732) - * gnutls_error_is_fatal: Data transfer and termination. - (line 82) --* gnutls_error_is_fatal <1>: Core TLS API. (line 3165) -+* gnutls_error_is_fatal <1>: Core TLS API. (line 3221) - * gnutls_error_to_alert: Handling alerts. (line 66) --* gnutls_error_to_alert <1>: Core TLS API. (line 3185) --* gnutls_est_record_overhead_size: Core TLS API. (line 3204) --* gnutls_ext_get_current_msg: Core TLS API. (line 3231) --* gnutls_ext_get_data: Core TLS API. (line 3249) --* gnutls_ext_get_name: Core TLS API. (line 3268) --* gnutls_ext_get_name2: Core TLS API. (line 3279) --* gnutls_ext_raw_parse: Core TLS API. (line 3296) --* gnutls_ext_register: Core TLS API. (line 3327) --* gnutls_ext_set_data: Core TLS API. (line 3374) --* gnutls_fingerprint: Core TLS API. (line 3391) --* gnutls_fips140_mode_enabled: Core TLS API. (line 3418) --* gnutls_fips140_set_mode: Core TLS API. (line 3436) -+* gnutls_error_to_alert <1>: Core TLS API. (line 3241) -+* gnutls_est_record_overhead_size: Core TLS API. (line 3260) -+* gnutls_ext_get_current_msg: Core TLS API. (line 3287) -+* gnutls_ext_get_data: Core TLS API. (line 3305) -+* gnutls_ext_get_name: Core TLS API. (line 3324) -+* gnutls_ext_get_name2: Core TLS API. (line 3335) -+* gnutls_ext_raw_parse: Core TLS API. (line 3352) -+* gnutls_ext_register: Core TLS API. (line 3383) -+* gnutls_ext_set_data: Core TLS API. (line 3430) -+* gnutls_fingerprint: Core TLS API. (line 3447) -+* gnutls_fips140_mode_enabled: Core TLS API. (line 3474) -+* gnutls_fips140_set_mode: Core TLS API. (line 3492) - * gnutls_get_system_config_file: System-wide configuration of the library. - (line 24) --* gnutls_get_system_config_file <1>: Core TLS API. (line 3462) --* gnutls_global_deinit: Core TLS API. (line 3476) --* gnutls_global_init: Core TLS API. (line 3489) -+* gnutls_get_system_config_file <1>: Core TLS API. (line 3518) -+* gnutls_global_deinit: Core TLS API. (line 3532) -+* gnutls_global_init: Core TLS API. (line 3545) - * gnutls_global_set_audit_log_function: Debugging and auditing. - (line 64) --* gnutls_global_set_audit_log_function <1>: Core TLS API. (line 3518) --* gnutls_global_set_log_function: Core TLS API. (line 3537) --* gnutls_global_set_log_level: Core TLS API. (line 3552) -+* gnutls_global_set_audit_log_function <1>: Core TLS API. (line 3574) -+* gnutls_global_set_log_function: Core TLS API. (line 3593) -+* gnutls_global_set_log_level: Core TLS API. (line 3608) - * gnutls_global_set_mem_functions: Compatibility API. (line 60) --* gnutls_global_set_mutex: Core TLS API. (line 3565) --* gnutls_global_set_time_function: Core TLS API. (line 3594) --* gnutls_gost_paramset_get_name: Core TLS API. (line 3608) --* gnutls_gost_paramset_get_oid: Core TLS API. (line 3622) --* gnutls_group_get: Core TLS API. (line 3636) --* gnutls_group_get_id: Core TLS API. (line 3649) --* gnutls_group_get_name: Core TLS API. (line 3662) --* gnutls_group_list: Core TLS API. (line 3675) -+* gnutls_global_set_mutex: Core TLS API. (line 3621) -+* gnutls_global_set_time_function: Core TLS API. (line 3650) -+* gnutls_gost_paramset_get_name: Core TLS API. (line 3664) -+* gnutls_gost_paramset_get_oid: Core TLS API. (line 3678) -+* gnutls_group_get: Core TLS API. (line 3692) -+* gnutls_group_get_id: Core TLS API. (line 3705) -+* gnutls_group_get_name: Core TLS API. (line 3718) -+* gnutls_group_list: Core TLS API. (line 3731) - * gnutls_handshake: TLS handshake. (line 10) --* gnutls_handshake <1>: Core TLS API. (line 3689) --* gnutls_handshake_description_get_name: Core TLS API. (line 3732) --* gnutls_handshake_get_last_in: Core TLS API. (line 3744) --* gnutls_handshake_get_last_out: Core TLS API. (line 3761) -+* gnutls_handshake <1>: Core TLS API. (line 3745) -+* gnutls_handshake_description_get_name: Core TLS API. (line 3788) -+* gnutls_handshake_get_last_in: Core TLS API. (line 3800) -+* gnutls_handshake_get_last_out: Core TLS API. (line 3817) - * gnutls_handshake_set_hook_function: Virtual hosts and credentials. - (line 56) --* gnutls_handshake_set_hook_function <1>: Core TLS API. (line 3778) --* gnutls_handshake_set_max_packet_length: Core TLS API. (line 3815) -+* gnutls_handshake_set_hook_function <1>: Core TLS API. (line 3834) -+* gnutls_handshake_set_max_packet_length: Core TLS API. (line 3871) - * gnutls_handshake_set_post_client_hello_function: Core TLS API. -- (line 3836) --* gnutls_handshake_set_private_extensions: Core TLS API. (line 3867) --* gnutls_handshake_set_random: Core TLS API. (line 3886) --* gnutls_handshake_set_read_function: Core TLS API. (line 3908) --* gnutls_handshake_set_secret_function: Core TLS API. (line 3922) -+ (line 3892) -+* gnutls_handshake_set_private_extensions: Core TLS API. (line 3923) -+* gnutls_handshake_set_random: Core TLS API. (line 3942) -+* gnutls_handshake_set_read_function: Core TLS API. (line 3964) -+* gnutls_handshake_set_secret_function: Core TLS API. (line 3978) - * gnutls_handshake_set_timeout: TLS handshake. (line 50) --* gnutls_handshake_set_timeout <1>: Core TLS API. (line 3936) --* gnutls_handshake_write: Core TLS API. (line 3956) -+* gnutls_handshake_set_timeout <1>: Core TLS API. (line 3992) -+* gnutls_handshake_write: Core TLS API. (line 4012) - * gnutls_hash: Cryptographic API. (line 753) - * gnutls_hash_copy: Cryptographic API. (line 771) - * gnutls_hash_deinit: Cryptographic API. (line 787) -@@ -7930,17 +7934,17 @@ - * gnutls_hash_get_len: Cryptographic API. (line 821) - * gnutls_hash_init: Cryptographic API. (line 835) - * gnutls_hash_output: Cryptographic API. (line 853) --* gnutls_heartbeat_allowed: Core TLS API. (line 3977) --* gnutls_heartbeat_enable: Core TLS API. (line 3994) --* gnutls_heartbeat_get_timeout: Core TLS API. (line 4018) --* gnutls_heartbeat_ping: Core TLS API. (line 4034) --* gnutls_heartbeat_pong: Core TLS API. (line 4066) --* gnutls_heartbeat_set_timeouts: Core TLS API. (line 4082) --* gnutls_hex2bin: Core TLS API. (line 4104) --* gnutls_hex_decode: Core TLS API. (line 4127) --* gnutls_hex_decode2: Core TLS API. (line 4149) --* gnutls_hex_encode: Core TLS API. (line 4164) --* gnutls_hex_encode2: Core TLS API. (line 4183) -+* gnutls_heartbeat_allowed: Core TLS API. (line 4033) -+* gnutls_heartbeat_enable: Core TLS API. (line 4050) -+* gnutls_heartbeat_get_timeout: Core TLS API. (line 4074) -+* gnutls_heartbeat_ping: Core TLS API. (line 4090) -+* gnutls_heartbeat_pong: Core TLS API. (line 4122) -+* gnutls_heartbeat_set_timeouts: Core TLS API. (line 4138) -+* gnutls_hex2bin: Core TLS API. (line 4160) -+* gnutls_hex_decode: Core TLS API. (line 4183) -+* gnutls_hex_decode2: Core TLS API. (line 4205) -+* gnutls_hex_encode: Core TLS API. (line 4220) -+* gnutls_hex_encode2: Core TLS API. (line 4239) - * gnutls_hkdf_expand: Cryptographic API. (line 867) - * gnutls_hkdf_extract: Cryptographic API. (line 891) - * gnutls_hmac: Cryptographic API. (line 912) -@@ -7952,25 +7956,25 @@ - * gnutls_hmac_init: Cryptographic API. (line 1015) - * gnutls_hmac_output: Cryptographic API. (line 1041) - * gnutls_hmac_set_nonce: Cryptographic API. (line 1055) --* gnutls_idna_map: Core TLS API. (line 4201) --* gnutls_idna_reverse_map: Core TLS API. (line 4232) -+* gnutls_idna_map: Core TLS API. (line 4257) -+* gnutls_idna_reverse_map: Core TLS API. (line 4288) - * gnutls_init: Session initialization. - (line 14) --* gnutls_init <1>: Core TLS API. (line 4258) --* gnutls_key_generate: Core TLS API. (line 4281) --* gnutls_kx_get: Core TLS API. (line 4298) --* gnutls_kx_get_id: Core TLS API. (line 4315) --* gnutls_kx_get_name: Core TLS API. (line 4327) --* gnutls_kx_list: Core TLS API. (line 4339) --* gnutls_load_file: Core TLS API. (line 4351) --* gnutls_mac_get: Core TLS API. (line 4374) --* gnutls_mac_get_id: Core TLS API. (line 4386) --* gnutls_mac_get_key_size: Core TLS API. (line 4399) --* gnutls_mac_get_name: Core TLS API. (line 4411) -+* gnutls_init <1>: Core TLS API. (line 4314) -+* gnutls_key_generate: Core TLS API. (line 4337) -+* gnutls_kx_get: Core TLS API. (line 4354) -+* gnutls_kx_get_id: Core TLS API. (line 4371) -+* gnutls_kx_get_name: Core TLS API. (line 4383) -+* gnutls_kx_list: Core TLS API. (line 4395) -+* gnutls_load_file: Core TLS API. (line 4407) -+* gnutls_mac_get: Core TLS API. (line 4430) -+* gnutls_mac_get_id: Core TLS API. (line 4442) -+* gnutls_mac_get_key_size: Core TLS API. (line 4455) -+* gnutls_mac_get_name: Core TLS API. (line 4467) - * gnutls_mac_get_nonce_size: Cryptographic API. (line 1070) --* gnutls_mac_list: Core TLS API. (line 4423) --* gnutls_memcmp: Core TLS API. (line 4435) --* gnutls_memset: Core TLS API. (line 4456) -+* gnutls_mac_list: Core TLS API. (line 4479) -+* gnutls_memcmp: Core TLS API. (line 4491) -+* gnutls_memset: Core TLS API. (line 4512) - * gnutls_ocsp_req_add_cert: OCSP API. (line 12) - * gnutls_ocsp_req_add_cert_id: OCSP API. (line 36) - * gnutls_ocsp_req_deinit: OCSP API. (line 69) -@@ -8011,20 +8015,20 @@ - * gnutls_ocsp_resp_print: OCSP API. (line 757) - * gnutls_ocsp_resp_verify: OCSP API. (line 780) - * gnutls_ocsp_resp_verify_direct: OCSP API. (line 818) --* gnutls_ocsp_status_request_enable_client: Core TLS API. (line 4471) --* gnutls_ocsp_status_request_get: Core TLS API. (line 4499) --* gnutls_ocsp_status_request_get2: Core TLS API. (line 4518) --* gnutls_ocsp_status_request_is_checked: Core TLS API. (line 4544) --* gnutls_oid_to_digest: Core TLS API. (line 4578) --* gnutls_oid_to_ecc_curve: Core TLS API. (line 4593) --* gnutls_oid_to_gost_paramset: Core TLS API. (line 4605) --* gnutls_oid_to_mac: Core TLS API. (line 4620) --* gnutls_oid_to_pk: Core TLS API. (line 4635) --* gnutls_oid_to_sign: Core TLS API. (line 4649) -+* gnutls_ocsp_status_request_enable_client: Core TLS API. (line 4527) -+* gnutls_ocsp_status_request_get: Core TLS API. (line 4555) -+* gnutls_ocsp_status_request_get2: Core TLS API. (line 4574) -+* gnutls_ocsp_status_request_is_checked: Core TLS API. (line 4600) -+* gnutls_oid_to_digest: Core TLS API. (line 4634) -+* gnutls_oid_to_ecc_curve: Core TLS API. (line 4649) -+* gnutls_oid_to_gost_paramset: Core TLS API. (line 4661) -+* gnutls_oid_to_mac: Core TLS API. (line 4676) -+* gnutls_oid_to_pk: Core TLS API. (line 4691) -+* gnutls_oid_to_sign: Core TLS API. (line 4705) - * gnutls_openpgp_privkey_sign_hash: Compatibility API. (line 95) --* gnutls_openpgp_send_cert: Core TLS API. (line 4664) --* gnutls_packet_deinit: Core TLS API. (line 4677) --* gnutls_packet_get: Core TLS API. (line 4688) -+* gnutls_openpgp_send_cert: Core TLS API. (line 4720) -+* gnutls_packet_deinit: Core TLS API. (line 4733) -+* gnutls_packet_get: Core TLS API. (line 4744) - * gnutls_pbkdf2: Cryptographic API. (line 1083) - * gnutls_pcert_deinit: Abstract key API. (line 176) - * gnutls_pcert_export_openpgp: Abstract key API. (line 186) -@@ -8038,11 +8042,11 @@ - * gnutls_pcert_import_x509_raw: Abstract key API. (line 370) - * gnutls_pcert_list_import_x509_file: Abstract key API. (line 393) - * gnutls_pcert_list_import_x509_raw: Abstract key API. (line 430) --* gnutls_pem_base64_decode: Core TLS API. (line 4706) --* gnutls_pem_base64_decode2: Core TLS API. (line 4730) --* gnutls_pem_base64_encode: Core TLS API. (line 4758) --* gnutls_pem_base64_encode2: Core TLS API. (line 4781) --* gnutls_perror: Core TLS API. (line 4809) -+* gnutls_pem_base64_decode: Core TLS API. (line 4762) -+* gnutls_pem_base64_decode2: Core TLS API. (line 4786) -+* gnutls_pem_base64_encode: Core TLS API. (line 4814) -+* gnutls_pem_base64_encode2: Core TLS API. (line 4837) -+* gnutls_perror: Core TLS API. (line 4865) - * gnutls_pkcs11_add_provider: PKCS11 Manual Initialization. - (line 13) - * gnutls_pkcs11_add_provider <1>: PKCS 11 API. (line 12) -@@ -8183,39 +8187,39 @@ - (line 122) - * gnutls_pkcs_schema_get_oid: X509 certificate API. - (line 137) --* gnutls_pk_algorithm_get_name: Core TLS API. (line 4818) -+* gnutls_pk_algorithm_get_name: Core TLS API. (line 4874) - * gnutls_pk_bits_to_sec_param: Selecting cryptographic key sizes. - (line 91) --* gnutls_pk_bits_to_sec_param <1>: Core TLS API. (line 4830) --* gnutls_pk_get_id: Core TLS API. (line 4847) --* gnutls_pk_get_name: Core TLS API. (line 4862) --* gnutls_pk_get_oid: Core TLS API. (line 4876) --* gnutls_pk_list: Core TLS API. (line 4891) --* gnutls_pk_to_sign: Core TLS API. (line 4905) --* gnutls_prf: Core TLS API. (line 4920) --* gnutls_prf_early: Core TLS API. (line 4970) --* gnutls_prf_hash_get: Core TLS API. (line 5015) --* gnutls_prf_raw: Core TLS API. (line 5032) -+* gnutls_pk_bits_to_sec_param <1>: Core TLS API. (line 4886) -+* gnutls_pk_get_id: Core TLS API. (line 4903) -+* gnutls_pk_get_name: Core TLS API. (line 4918) -+* gnutls_pk_get_oid: Core TLS API. (line 4932) -+* gnutls_pk_list: Core TLS API. (line 4947) -+* gnutls_pk_to_sign: Core TLS API. (line 4961) -+* gnutls_prf: Core TLS API. (line 4976) -+* gnutls_prf_early: Core TLS API. (line 5026) -+* gnutls_prf_hash_get: Core TLS API. (line 5071) -+* gnutls_prf_raw: Core TLS API. (line 5088) - * gnutls_prf_rfc5705: Deriving keys for other applications/protocols. - (line 16) --* gnutls_prf_rfc5705 <1>: Core TLS API. (line 5077) --* gnutls_priority_certificate_type_list: Core TLS API. (line 5124) --* gnutls_priority_certificate_type_list2: Core TLS API. (line 5145) --* gnutls_priority_cipher_list: Core TLS API. (line 5165) -+* gnutls_prf_rfc5705 <1>: Core TLS API. (line 5133) -+* gnutls_priority_certificate_type_list: Core TLS API. (line 5180) -+* gnutls_priority_certificate_type_list2: Core TLS API. (line 5201) -+* gnutls_priority_cipher_list: Core TLS API. (line 5221) - * gnutls_priority_compression_list: Compatibility API. (line 111) --* gnutls_priority_deinit: Core TLS API. (line 5180) --* gnutls_priority_ecc_curve_list: Core TLS API. (line 5189) --* gnutls_priority_get_cipher_suite_index: Core TLS API. (line 5207) --* gnutls_priority_group_list: Core TLS API. (line 5232) --* gnutls_priority_init: Core TLS API. (line 5247) --* gnutls_priority_init2: Core TLS API. (line 5275) --* gnutls_priority_kx_list: Core TLS API. (line 5383) --* gnutls_priority_mac_list: Core TLS API. (line 5399) --* gnutls_priority_protocol_list: Core TLS API. (line 5414) --* gnutls_priority_set: Core TLS API. (line 5430) --* gnutls_priority_set_direct: Core TLS API. (line 5448) --* gnutls_priority_sign_list: Core TLS API. (line 5472) --* gnutls_priority_string_list: Core TLS API. (line 5488) -+* gnutls_priority_deinit: Core TLS API. (line 5236) -+* gnutls_priority_ecc_curve_list: Core TLS API. (line 5245) -+* gnutls_priority_get_cipher_suite_index: Core TLS API. (line 5263) -+* gnutls_priority_group_list: Core TLS API. (line 5288) -+* gnutls_priority_init: Core TLS API. (line 5303) -+* gnutls_priority_init2: Core TLS API. (line 5331) -+* gnutls_priority_kx_list: Core TLS API. (line 5439) -+* gnutls_priority_mac_list: Core TLS API. (line 5455) -+* gnutls_priority_protocol_list: Core TLS API. (line 5470) -+* gnutls_priority_set: Core TLS API. (line 5486) -+* gnutls_priority_set_direct: Core TLS API. (line 5504) -+* gnutls_priority_sign_list: Core TLS API. (line 5528) -+* gnutls_priority_string_list: Core TLS API. (line 5544) - * gnutls_privkey_decrypt_data: Operations. (line 144) - * gnutls_privkey_decrypt_data <1>: Abstract key API. (line 465) - * gnutls_privkey_decrypt_data2: Abstract key API. (line 488) -@@ -8275,33 +8279,35 @@ - * gnutls_privkey_status: Abstract key API. (line 1705) - * gnutls_privkey_verify_params: Abstract key API. (line 1721) - * gnutls_privkey_verify_seed: Abstract key API. (line 1734) --* gnutls_protocol_get_id: Core TLS API. (line 5508) --* gnutls_protocol_get_name: Core TLS API. (line 5520) --* gnutls_protocol_get_version: Core TLS API. (line 5532) --* gnutls_protocol_list: Core TLS API. (line 5543) --* gnutls_psk_allocate_client_credentials: Core TLS API. (line 5555) --* gnutls_psk_allocate_server_credentials: Core TLS API. (line 5567) --* gnutls_psk_client_get_hint: Core TLS API. (line 5579) --* gnutls_psk_free_client_credentials: Core TLS API. (line 5598) --* gnutls_psk_free_server_credentials: Core TLS API. (line 5607) --* gnutls_psk_server_get_username: Core TLS API. (line 5616) --* gnutls_psk_server_get_username2: Core TLS API. (line 5636) --* gnutls_psk_set_client_credentials: Core TLS API. (line 5657) --* gnutls_psk_set_client_credentials2: Core TLS API. (line 5683) -+* gnutls_protocol_get_id: Core TLS API. (line 5564) -+* gnutls_protocol_get_name: Core TLS API. (line 5576) -+* gnutls_protocol_get_version: Core TLS API. (line 5588) -+* gnutls_protocol_list: Core TLS API. (line 5599) -+* gnutls_protocol_mark_disabled: Core TLS API. (line 5611) -+* gnutls_protocol_mark_enabled: Core TLS API. (line 5621) -+* gnutls_psk_allocate_client_credentials: Core TLS API. (line 5632) -+* gnutls_psk_allocate_server_credentials: Core TLS API. (line 5644) -+* gnutls_psk_client_get_hint: Core TLS API. (line 5656) -+* gnutls_psk_free_client_credentials: Core TLS API. (line 5675) -+* gnutls_psk_free_server_credentials: Core TLS API. (line 5684) -+* gnutls_psk_server_get_username: Core TLS API. (line 5693) -+* gnutls_psk_server_get_username2: Core TLS API. (line 5713) -+* gnutls_psk_set_client_credentials: Core TLS API. (line 5734) -+* gnutls_psk_set_client_credentials2: Core TLS API. (line 5760) - * gnutls_psk_set_client_credentials_function: PSK credentials. - (line 22) - * gnutls_psk_set_client_credentials_function <1>: Core TLS API. -- (line 5706) --* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5731) --* gnutls_psk_set_params_function: Core TLS API. (line 5760) -+ (line 5783) -+* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5808) -+* gnutls_psk_set_params_function: Core TLS API. (line 5837) - * gnutls_psk_set_server_credentials_file: PSK credentials. (line 59) --* gnutls_psk_set_server_credentials_file <1>: Core TLS API. (line 5778) --* gnutls_psk_set_server_credentials_function: Core TLS API. (line 5800) --* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5825) --* gnutls_psk_set_server_credentials_hint: Core TLS API. (line 5854) --* gnutls_psk_set_server_dh_params: Core TLS API. (line 5873) --* gnutls_psk_set_server_known_dh_params: Core TLS API. (line 5891) --* gnutls_psk_set_server_params_function: Core TLS API. (line 5915) -+* gnutls_psk_set_server_credentials_file <1>: Core TLS API. (line 5855) -+* gnutls_psk_set_server_credentials_function: Core TLS API. (line 5877) -+* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5902) -+* gnutls_psk_set_server_credentials_hint: Core TLS API. (line 5931) -+* gnutls_psk_set_server_dh_params: Core TLS API. (line 5950) -+* gnutls_psk_set_server_known_dh_params: Core TLS API. (line 5968) -+* gnutls_psk_set_server_params_function: Core TLS API. (line 5992) - * gnutls_pubkey_deinit: Abstract key API. (line 1758) - * gnutls_pubkey_encrypt_data: Operations. (line 60) - * gnutls_pubkey_encrypt_data <1>: Abstract key API. (line 1768) -@@ -8351,169 +8357,171 @@ - * gnutls_pubkey_verify_hash2: Operations. (line 33) - * gnutls_pubkey_verify_hash2 <1>: Abstract key API. (line 2681) - * gnutls_pubkey_verify_params: Abstract key API. (line 2711) --* gnutls_random_art: Core TLS API. (line 5933) --* gnutls_range_split: Core TLS API. (line 5960) --* gnutls_reauth: Core TLS API. (line 5986) --* gnutls_record_can_use_length_hiding: Core TLS API. (line 6032) --* gnutls_record_check_corked: Core TLS API. (line 6050) -+* gnutls_random_art: Core TLS API. (line 6010) -+* gnutls_range_split: Core TLS API. (line 6037) -+* gnutls_reauth: Core TLS API. (line 6063) -+* gnutls_record_can_use_length_hiding: Core TLS API. (line 6109) -+* gnutls_record_check_corked: Core TLS API. (line 6127) - * gnutls_record_check_pending: Data transfer and termination. - (line 138) --* gnutls_record_check_pending <1>: Core TLS API. (line 6064) -+* gnutls_record_check_pending <1>: Core TLS API. (line 6141) - * gnutls_record_cork: Buffered data transfer. - (line 12) --* gnutls_record_cork <1>: Core TLS API. (line 6077) --* gnutls_record_disable_padding: Core TLS API. (line 6091) --* gnutls_record_discard_queued: Core TLS API. (line 6106) -+* gnutls_record_cork <1>: Core TLS API. (line 6154) -+* gnutls_record_disable_padding: Core TLS API. (line 6168) -+* gnutls_record_discard_queued: Core TLS API. (line 6183) - * gnutls_record_get_direction: Asynchronous operation. - (line 65) --* gnutls_record_get_direction <1>: Core TLS API. (line 6125) -+* gnutls_record_get_direction <1>: Core TLS API. (line 6202) - * gnutls_record_get_discarded: Datagram TLS API. (line 209) --* gnutls_record_get_max_early_data_size: Core TLS API. (line 6148) --* gnutls_record_get_max_size: Core TLS API. (line 6164) --* gnutls_record_get_state: Core TLS API. (line 6176) --* gnutls_record_overhead_size: Core TLS API. (line 6207) -+* gnutls_record_get_max_early_data_size: Core TLS API. (line 6225) -+* gnutls_record_get_max_size: Core TLS API. (line 6241) -+* gnutls_record_get_state: Core TLS API. (line 6253) -+* gnutls_record_overhead_size: Core TLS API. (line 6284) - * gnutls_record_recv: Data transfer and termination. - (line 53) --* gnutls_record_recv <1>: Core TLS API. (line 6220) --* gnutls_record_recv_early_data: Core TLS API. (line 6252) --* gnutls_record_recv_packet: Core TLS API. (line 6280) -+* gnutls_record_recv <1>: Core TLS API. (line 6297) -+* gnutls_record_recv_early_data: Core TLS API. (line 6329) -+* gnutls_record_recv_packet: Core TLS API. (line 6357) - * gnutls_record_recv_seq: Data transfer and termination. - (line 108) --* gnutls_record_recv_seq <1>: Core TLS API. (line 6304) -+* gnutls_record_recv_seq <1>: Core TLS API. (line 6381) - * gnutls_record_send: Data transfer and termination. - (line 12) --* gnutls_record_send <1>: Core TLS API. (line 6331) -+* gnutls_record_send <1>: Core TLS API. (line 6408) - * gnutls_record_send2: On Record Padding. (line 23) --* gnutls_record_send2 <1>: Core TLS API. (line 6375) --* gnutls_record_send_early_data: Core TLS API. (line 6408) --* gnutls_record_send_range: Core TLS API. (line 6436) --* gnutls_record_set_max_early_data_size: Core TLS API. (line 6465) --* gnutls_record_set_max_recv_size: Core TLS API. (line 6484) --* gnutls_record_set_max_size: Core TLS API. (line 6506) --* gnutls_record_set_state: Core TLS API. (line 6535) --* gnutls_record_set_timeout: Core TLS API. (line 6556) -+* gnutls_record_send2 <1>: Core TLS API. (line 6452) -+* gnutls_record_send_early_data: Core TLS API. (line 6485) -+* gnutls_record_send_range: Core TLS API. (line 6513) -+* gnutls_record_set_max_early_data_size: Core TLS API. (line 6542) -+* gnutls_record_set_max_recv_size: Core TLS API. (line 6561) -+* gnutls_record_set_max_size: Core TLS API. (line 6583) -+* gnutls_record_set_state: Core TLS API. (line 6612) -+* gnutls_record_set_timeout: Core TLS API. (line 6633) - * gnutls_record_uncork: Buffered data transfer. - (line 23) --* gnutls_record_uncork <1>: Core TLS API. (line 6575) -+* gnutls_record_uncork <1>: Core TLS API. (line 6652) - * gnutls_register_custom_url: Application-specific keys. - (line 69) - * gnutls_register_custom_url <1>: Abstract key API. (line 2724) - * gnutls_rehandshake: TLS 1.2 re-authentication. - (line 70) --* gnutls_rehandshake <1>: Core TLS API. (line 6600) -+* gnutls_rehandshake <1>: Core TLS API. (line 6677) - * gnutls_rnd: Random number generation. - (line 21) - * gnutls_rnd <1>: Cryptographic API. (line 1108) - * gnutls_rnd_refresh: Cryptographic API. (line 1130) - * gnutls_safe_renegotiation_status: TLS 1.2 re-authentication. - (line 44) --* gnutls_safe_renegotiation_status <1>: Core TLS API. (line 6640) --* gnutls_sec_param_get_name: Core TLS API. (line 6655) -+* gnutls_safe_renegotiation_status <1>: Core TLS API. (line 6717) -+* gnutls_sec_param_get_name: Core TLS API. (line 6732) - * gnutls_sec_param_to_pk_bits: Selecting cryptographic key sizes. - (line 75) --* gnutls_sec_param_to_pk_bits <1>: Core TLS API. (line 6669) --* gnutls_sec_param_to_symmetric_bits: Core TLS API. (line 6688) --* gnutls_server_name_get: Core TLS API. (line 6702) --* gnutls_server_name_set: Core TLS API. (line 6741) --* gnutls_session_channel_binding: Core TLS API. (line 6772) --* gnutls_session_enable_compatibility_mode: Core TLS API. (line 6793) --* gnutls_session_etm_status: Core TLS API. (line 6813) --* gnutls_session_ext_master_secret_status: Core TLS API. (line 6826) --* gnutls_session_ext_register: Core TLS API. (line 6840) --* gnutls_session_force_valid: Core TLS API. (line 6896) --* gnutls_session_get_data: Core TLS API. (line 6907) --* gnutls_session_get_data2: Core TLS API. (line 6927) --* gnutls_session_get_desc: Core TLS API. (line 6975) --* gnutls_session_get_flags: Core TLS API. (line 6992) --* gnutls_session_get_id: Core TLS API. (line 7011) -+* gnutls_sec_param_to_pk_bits <1>: Core TLS API. (line 6746) -+* gnutls_sec_param_to_symmetric_bits: Core TLS API. (line 6765) -+* gnutls_server_name_get: Core TLS API. (line 6779) -+* gnutls_server_name_set: Core TLS API. (line 6818) -+* gnutls_session_channel_binding: Core TLS API. (line 6849) -+* gnutls_session_enable_compatibility_mode: Core TLS API. (line 6870) -+* gnutls_session_etm_status: Core TLS API. (line 6890) -+* gnutls_session_ext_master_secret_status: Core TLS API. (line 6903) -+* gnutls_session_ext_register: Core TLS API. (line 6917) -+* gnutls_session_force_valid: Core TLS API. (line 6973) -+* gnutls_session_get_data: Core TLS API. (line 6984) -+* gnutls_session_get_data2: Core TLS API. (line 7004) -+* gnutls_session_get_desc: Core TLS API. (line 7052) -+* gnutls_session_get_flags: Core TLS API. (line 7069) -+* gnutls_session_get_id: Core TLS API. (line 7088) - * gnutls_session_get_id2: Session resumption. (line 49) --* gnutls_session_get_id2 <1>: Core TLS API. (line 7045) --* gnutls_session_get_keylog_function: Core TLS API. (line 7078) --* gnutls_session_get_master_secret: Core TLS API. (line 7092) --* gnutls_session_get_ptr: Core TLS API. (line 7108) --* gnutls_session_get_random: Core TLS API. (line 7120) --* gnutls_session_get_verify_cert_status: Core TLS API. (line 7140) -+* gnutls_session_get_id2 <1>: Core TLS API. (line 7122) -+* gnutls_session_get_keylog_function: Core TLS API. (line 7155) -+* gnutls_session_get_master_secret: Core TLS API. (line 7169) -+* gnutls_session_get_ptr: Core TLS API. (line 7185) -+* gnutls_session_get_random: Core TLS API. (line 7197) -+* gnutls_session_get_verify_cert_status: Core TLS API. (line 7217) - * gnutls_session_is_resumed: Session resumption. (line 40) --* gnutls_session_is_resumed <1>: Core TLS API. (line 7160) --* gnutls_session_key_update: Core TLS API. (line 7172) -+* gnutls_session_is_resumed <1>: Core TLS API. (line 7237) -+* gnutls_session_key_update: Core TLS API. (line 7249) - * gnutls_session_resumption_requested: Session resumption. (line 150) --* gnutls_session_resumption_requested <1>: Core TLS API. (line 7199) --* gnutls_session_set_data: Core TLS API. (line 7212) --* gnutls_session_set_id: Core TLS API. (line 7235) --* gnutls_session_set_keylog_function: Core TLS API. (line 7256) --* gnutls_session_set_premaster: Core TLS API. (line 7270) --* gnutls_session_set_ptr: Core TLS API. (line 7305) -+* gnutls_session_resumption_requested <1>: Core TLS API. (line 7276) -+* gnutls_session_set_data: Core TLS API. (line 7289) -+* gnutls_session_set_id: Core TLS API. (line 7312) -+* gnutls_session_set_keylog_function: Core TLS API. (line 7333) -+* gnutls_session_set_premaster: Core TLS API. (line 7347) -+* gnutls_session_set_ptr: Core TLS API. (line 7382) - * gnutls_session_set_verify_cert: Certificate credentials. - (line 267) --* gnutls_session_set_verify_cert <1>: Core TLS API. (line 7318) --* gnutls_session_set_verify_cert2: Core TLS API. (line 7351) --* gnutls_session_set_verify_function: Core TLS API. (line 7383) -+* gnutls_session_set_verify_cert <1>: Core TLS API. (line 7395) -+* gnutls_session_set_verify_cert2: Core TLS API. (line 7428) -+* gnutls_session_set_verify_function: Core TLS API. (line 7460) - * gnutls_session_set_verify_output_function: X509 certificate API. - (line 152) --* gnutls_session_supplemental_register: Core TLS API. (line 7412) --* gnutls_session_ticket_enable_client: Core TLS API. (line 7448) -+* gnutls_session_supplemental_register: Core TLS API. (line 7489) -+* gnutls_session_ticket_enable_client: Core TLS API. (line 7525) - * gnutls_session_ticket_enable_server: Session resumption. (line 117) --* gnutls_session_ticket_enable_server <1>: Core TLS API. (line 7464) -+* gnutls_session_ticket_enable_server <1>: Core TLS API. (line 7541) - * gnutls_session_ticket_key_generate: Session resumption. (line 137) --* gnutls_session_ticket_key_generate <1>: Core TLS API. (line 7487) -+* gnutls_session_ticket_key_generate <1>: Core TLS API. (line 7564) - * gnutls_session_ticket_send: Session resumption. (line 170) --* gnutls_session_ticket_send <1>: Core TLS API. (line 7503) --* gnutls_set_default_priority: Core TLS API. (line 7521) --* gnutls_set_default_priority_append: Core TLS API. (line 7547) --* gnutls_sign_algorithm_get: Core TLS API. (line 7583) --* gnutls_sign_algorithm_get_client: Core TLS API. (line 7597) --* gnutls_sign_algorithm_get_requested: Core TLS API. (line 7612) --* gnutls_sign_get_hash_algorithm: Core TLS API. (line 7639) --* gnutls_sign_get_id: Core TLS API. (line 7654) --* gnutls_sign_get_name: Core TLS API. (line 7666) --* gnutls_sign_get_oid: Core TLS API. (line 7678) --* gnutls_sign_get_pk_algorithm: Core TLS API. (line 7692) --* gnutls_sign_is_secure: Core TLS API. (line 7710) --* gnutls_sign_is_secure2: Core TLS API. (line 7720) --* gnutls_sign_list: Core TLS API. (line 7732) --* gnutls_sign_supports_pk_algorithm: Core TLS API. (line 7743) --* gnutls_srp_allocate_client_credentials: Core TLS API. (line 7761) --* gnutls_srp_allocate_server_credentials: Core TLS API. (line 7773) --* gnutls_srp_base64_decode: Core TLS API. (line 7785) --* gnutls_srp_base64_decode2: Core TLS API. (line 7807) --* gnutls_srp_base64_encode: Core TLS API. (line 7827) --* gnutls_srp_base64_encode2: Core TLS API. (line 7849) --* gnutls_srp_free_client_credentials: Core TLS API. (line 7870) --* gnutls_srp_free_server_credentials: Core TLS API. (line 7879) --* gnutls_srp_server_get_username: Core TLS API. (line 7888) --* gnutls_srp_set_client_credentials: Core TLS API. (line 7901) -+* gnutls_session_ticket_send <1>: Core TLS API. (line 7580) -+* gnutls_set_default_priority: Core TLS API. (line 7598) -+* gnutls_set_default_priority_append: Core TLS API. (line 7624) -+* gnutls_sign_algorithm_get: Core TLS API. (line 7660) -+* gnutls_sign_algorithm_get_client: Core TLS API. (line 7674) -+* gnutls_sign_algorithm_get_requested: Core TLS API. (line 7689) -+* gnutls_sign_get_hash_algorithm: Core TLS API. (line 7716) -+* gnutls_sign_get_id: Core TLS API. (line 7731) -+* gnutls_sign_get_name: Core TLS API. (line 7743) -+* gnutls_sign_get_oid: Core TLS API. (line 7755) -+* gnutls_sign_get_pk_algorithm: Core TLS API. (line 7769) -+* gnutls_sign_is_secure: Core TLS API. (line 7787) -+* gnutls_sign_is_secure2: Core TLS API. (line 7797) -+* gnutls_sign_list: Core TLS API. (line 7809) -+* gnutls_sign_mark_insecure: Core TLS API. (line 7820) -+* gnutls_sign_mark_secure: Core TLS API. (line 7838) -+* gnutls_sign_supports_pk_algorithm: Core TLS API. (line 7859) -+* gnutls_srp_allocate_client_credentials: Core TLS API. (line 7877) -+* gnutls_srp_allocate_server_credentials: Core TLS API. (line 7889) -+* gnutls_srp_base64_decode: Core TLS API. (line 7901) -+* gnutls_srp_base64_decode2: Core TLS API. (line 7923) -+* gnutls_srp_base64_encode: Core TLS API. (line 7943) -+* gnutls_srp_base64_encode2: Core TLS API. (line 7965) -+* gnutls_srp_free_client_credentials: Core TLS API. (line 7986) -+* gnutls_srp_free_server_credentials: Core TLS API. (line 7995) -+* gnutls_srp_server_get_username: Core TLS API. (line 8004) -+* gnutls_srp_set_client_credentials: Core TLS API. (line 8017) - * gnutls_srp_set_client_credentials_function: SRP credentials. - (line 19) - * gnutls_srp_set_client_credentials_function <1>: Core TLS API. -- (line 7924) --* gnutls_srp_set_prime_bits: Core TLS API. (line 7957) -+ (line 8040) -+* gnutls_srp_set_prime_bits: Core TLS API. (line 8073) - * gnutls_srp_set_server_credentials_file: SRP credentials. (line 56) --* gnutls_srp_set_server_credentials_file <1>: Core TLS API. (line 7978) -+* gnutls_srp_set_server_credentials_file <1>: Core TLS API. (line 8094) - * gnutls_srp_set_server_credentials_function: SRP credentials. - (line 72) - * gnutls_srp_set_server_credentials_function <1>: Core TLS API. -- (line 7997) --* gnutls_srp_set_server_fake_salt_seed: Core TLS API. (line 8035) -+ (line 8113) -+* gnutls_srp_set_server_fake_salt_seed: Core TLS API. (line 8151) - * gnutls_srp_verifier: Authentication using SRP. - (line 45) --* gnutls_srp_verifier <1>: Core TLS API. (line 8072) -+* gnutls_srp_verifier <1>: Core TLS API. (line 8188) - * gnutls_srtp_get_keys: SRTP. (line 31) --* gnutls_srtp_get_keys <1>: Core TLS API. (line 8101) --* gnutls_srtp_get_mki: Core TLS API. (line 8139) --* gnutls_srtp_get_profile_id: Core TLS API. (line 8157) --* gnutls_srtp_get_profile_name: Core TLS API. (line 8173) --* gnutls_srtp_get_selected_profile: Core TLS API. (line 8188) --* gnutls_srtp_set_mki: Core TLS API. (line 8204) --* gnutls_srtp_set_profile: Core TLS API. (line 8221) --* gnutls_srtp_set_profile_direct: Core TLS API. (line 8238) -+* gnutls_srtp_get_keys <1>: Core TLS API. (line 8217) -+* gnutls_srtp_get_mki: Core TLS API. (line 8255) -+* gnutls_srtp_get_profile_id: Core TLS API. (line 8273) -+* gnutls_srtp_get_profile_name: Core TLS API. (line 8289) -+* gnutls_srtp_get_selected_profile: Core TLS API. (line 8304) -+* gnutls_srtp_set_mki: Core TLS API. (line 8320) -+* gnutls_srtp_set_profile: Core TLS API. (line 8337) -+* gnutls_srtp_set_profile_direct: Core TLS API. (line 8354) - * gnutls_store_commitment: Certificate verification. - (line 115) --* gnutls_store_commitment <1>: Core TLS API. (line 8259) -+* gnutls_store_commitment <1>: Core TLS API. (line 8375) - * gnutls_store_pubkey: Certificate verification. - (line 64) --* gnutls_store_pubkey <1>: Core TLS API. (line 8299) --* gnutls_strerror: Core TLS API. (line 8348) --* gnutls_strerror_name: Core TLS API. (line 8362) -+* gnutls_store_pubkey <1>: Core TLS API. (line 8415) -+* gnutls_strerror: Core TLS API. (line 8464) -+* gnutls_strerror_name: Core TLS API. (line 8478) - * gnutls_subject_alt_names_deinit: X509 certificate API. - (line 181) - * gnutls_subject_alt_names_get: X509 certificate API. -@@ -8522,22 +8530,22 @@ - (line 221) - * gnutls_subject_alt_names_set: X509 certificate API. - (line 235) --* gnutls_supplemental_get_name: Core TLS API. (line 8377) --* gnutls_supplemental_recv: Core TLS API. (line 8390) --* gnutls_supplemental_register: Core TLS API. (line 8405) --* gnutls_supplemental_send: Core TLS API. (line 8436) -+* gnutls_supplemental_get_name: Core TLS API. (line 8493) -+* gnutls_supplemental_recv: Core TLS API. (line 8506) -+* gnutls_supplemental_register: Core TLS API. (line 8521) -+* gnutls_supplemental_send: Core TLS API. (line 8552) - * gnutls_system_key_add_x509: Abstract key API. (line 2750) - * gnutls_system_key_delete: Abstract key API. (line 2776) - * gnutls_system_key_iter_deinit: Abstract key API. (line 2792) - * gnutls_system_key_iter_get_info: Application-specific keys. - (line 20) - * gnutls_system_key_iter_get_info <1>: Abstract key API. (line 2803) --* gnutls_system_recv_timeout: Core TLS API. (line 8450) --* gnutls_tdb_deinit: Core TLS API. (line 8473) --* gnutls_tdb_init: Core TLS API. (line 8482) --* gnutls_tdb_set_store_commitment_func: Core TLS API. (line 8493) --* gnutls_tdb_set_store_func: Core TLS API. (line 8513) --* gnutls_tdb_set_verify_func: Core TLS API. (line 8532) -+* gnutls_system_recv_timeout: Core TLS API. (line 8566) -+* gnutls_tdb_deinit: Core TLS API. (line 8589) -+* gnutls_tdb_init: Core TLS API. (line 8598) -+* gnutls_tdb_set_store_commitment_func: Core TLS API. (line 8609) -+* gnutls_tdb_set_store_func: Core TLS API. (line 8629) -+* gnutls_tdb_set_verify_func: Core TLS API. (line 8648) - * gnutls_tpm_get_registered: TPM API. (line 12) - * gnutls_tpm_key_list_deinit: TPM API. (line 27) - * gnutls_tpm_key_list_get_url: TPM API. (line 38) -@@ -8546,44 +8554,44 @@ - * gnutls_tpm_privkey_delete <2>: TPM API. (line 60) - * gnutls_tpm_privkey_generate: Key generation. (line 9) - * gnutls_tpm_privkey_generate <1>: TPM API. (line 76) --* gnutls_transport_get_int: Core TLS API. (line 8554) --* gnutls_transport_get_int2: Core TLS API. (line 8568) --* gnutls_transport_get_ptr: Core TLS API. (line 8585) --* gnutls_transport_get_ptr2: Core TLS API. (line 8598) -+* gnutls_transport_get_int: Core TLS API. (line 8670) -+* gnutls_transport_get_int2: Core TLS API. (line 8684) -+* gnutls_transport_get_ptr: Core TLS API. (line 8701) -+* gnutls_transport_get_ptr2: Core TLS API. (line 8714) - * gnutls_transport_set_errno: Setting up the transport layer. - (line 116) --* gnutls_transport_set_errno <1>: Core TLS API. (line 8614) --* gnutls_transport_set_errno_function: Core TLS API. (line 8637) -+* gnutls_transport_set_errno <1>: Core TLS API. (line 8730) -+* gnutls_transport_set_errno_function: Core TLS API. (line 8753) - * gnutls_transport_set_fastopen: Reducing round-trips. - (line 22) - * gnutls_transport_set_fastopen <1>: Socket specific API. - (line 11) --* gnutls_transport_set_int: Core TLS API. (line 8655) --* gnutls_transport_set_int2: Core TLS API. (line 8673) --* gnutls_transport_set_ptr: Core TLS API. (line 8695) --* gnutls_transport_set_ptr2: Core TLS API. (line 8708) -+* gnutls_transport_set_int: Core TLS API. (line 8771) -+* gnutls_transport_set_int2: Core TLS API. (line 8789) -+* gnutls_transport_set_ptr: Core TLS API. (line 8811) -+* gnutls_transport_set_ptr2: Core TLS API. (line 8824) - * gnutls_transport_set_pull_function: Setting up the transport layer. - (line 56) --* gnutls_transport_set_pull_function <1>: Core TLS API. (line 8725) -+* gnutls_transport_set_pull_function <1>: Core TLS API. (line 8841) - * gnutls_transport_set_pull_timeout_function: Setting up the transport layer. - (line 71) - * gnutls_transport_set_pull_timeout_function <1>: Setting up the transport layer. - (line 156) - * gnutls_transport_set_pull_timeout_function <2>: Core TLS API. -- (line 8743) -+ (line 8859) - * gnutls_transport_set_push_function: Setting up the transport layer. - (line 23) --* gnutls_transport_set_push_function <1>: Core TLS API. (line 8783) -+* gnutls_transport_set_push_function <1>: Core TLS API. (line 8899) - * gnutls_transport_set_vec_push_function: Setting up the transport layer. - (line 40) --* gnutls_transport_set_vec_push_function <1>: Core TLS API. (line 8803) -+* gnutls_transport_set_vec_push_function <1>: Core TLS API. (line 8919) - * gnutls_url_is_supported: Abstract public keys. - (line 57) --* gnutls_url_is_supported <1>: Core TLS API. (line 8822) --* gnutls_utf8_password_normalize: Core TLS API. (line 8836) -+* gnutls_url_is_supported <1>: Core TLS API. (line 8938) -+* gnutls_utf8_password_normalize: Core TLS API. (line 8952) - * gnutls_verify_stored_pubkey: Certificate verification. - (line 18) --* gnutls_verify_stored_pubkey <1>: Core TLS API. (line 8861) -+* gnutls_verify_stored_pubkey <1>: Core TLS API. (line 8977) - * gnutls_x509_aia_deinit: X509 certificate API. - (line 262) - * gnutls_x509_aia_get: X509 certificate API. -diff -ruN gnutls-3.7.2/doc/invoke-p11tool.texi gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi ---- gnutls-3.7.2/doc/invoke-p11tool.texi 2021-05-29 10:19:05.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi 2021-06-28 09:39:25.000000000 +0200 -@@ -403,8 +403,9 @@ - @anchor{p11tool write} - - This is the ``writes the loaded objects to a pkcs #11 token'' option. --It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with -- one of --load-privkey, --load-pubkey, --load-certificate option. -+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option. -+ -+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand. - @subsubheading id option. - @anchor{p11tool id} - -diff -ruN gnutls-3.7.2/doc/Makefile.am gnutls-3.7.2-bootstrapped/doc/Makefile.am ---- gnutls-3.7.2/doc/Makefile.am 2021-05-27 08:08:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/Makefile.am 2021-06-28 09:09:14.000000000 +0200 -@@ -974,6 +974,10 @@ - FUNCS += functions/gnutls_digest_get_oid.short - FUNCS += functions/gnutls_digest_list - FUNCS += functions/gnutls_digest_list.short -+FUNCS += functions/gnutls_digest_mark_insecure -+FUNCS += functions/gnutls_digest_mark_insecure.short -+FUNCS += functions/gnutls_digest_mark_secure -+FUNCS += functions/gnutls_digest_mark_secure.short - FUNCS += functions/gnutls_dtls_cookie_send - FUNCS += functions/gnutls_dtls_cookie_send.short - FUNCS += functions/gnutls_dtls_cookie_verify -@@ -1010,6 +1014,10 @@ - FUNCS += functions/gnutls_ecc_curve_get_size.short - FUNCS += functions/gnutls_ecc_curve_list - FUNCS += functions/gnutls_ecc_curve_list.short -+FUNCS += functions/gnutls_ecc_curve_mark_disabled -+FUNCS += functions/gnutls_ecc_curve_mark_disabled.short -+FUNCS += functions/gnutls_ecc_curve_mark_enabled -+FUNCS += functions/gnutls_ecc_curve_mark_enabled.short - FUNCS += functions/gnutls_encode_ber_digest_info - FUNCS += functions/gnutls_encode_ber_digest_info.short - FUNCS += functions/gnutls_encode_gost_rs_value -@@ -1730,6 +1738,10 @@ - FUNCS += functions/gnutls_protocol_get_version.short - FUNCS += functions/gnutls_protocol_list - FUNCS += functions/gnutls_protocol_list.short -+FUNCS += functions/gnutls_protocol_mark_disabled -+FUNCS += functions/gnutls_protocol_mark_disabled.short -+FUNCS += functions/gnutls_protocol_mark_enabled -+FUNCS += functions/gnutls_protocol_mark_enabled.short - FUNCS += functions/gnutls_psk_allocate_client_credentials - FUNCS += functions/gnutls_psk_allocate_client_credentials.short - FUNCS += functions/gnutls_psk_allocate_server_credentials -@@ -2024,6 +2036,10 @@ - FUNCS += functions/gnutls_sign_is_secure2.short - FUNCS += functions/gnutls_sign_list - FUNCS += functions/gnutls_sign_list.short -+FUNCS += functions/gnutls_sign_mark_insecure -+FUNCS += functions/gnutls_sign_mark_insecure.short -+FUNCS += functions/gnutls_sign_mark_secure -+FUNCS += functions/gnutls_sign_mark_secure.short - FUNCS += functions/gnutls_sign_supports_pk_algorithm - FUNCS += functions/gnutls_sign_supports_pk_algorithm.short - FUNCS += functions/gnutls_srp_allocate_client_credentials -diff -ruN gnutls-3.7.2/doc/Makefile.in gnutls-3.7.2-bootstrapped/doc/Makefile.in ---- gnutls-3.7.2/doc/Makefile.in 2021-05-29 10:11:20.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/Makefile.in 2021-06-28 09:11:37.000000000 +0200 -@@ -2697,6 +2697,10 @@ - functions/gnutls_digest_get_oid.short \ - functions/gnutls_digest_list \ - functions/gnutls_digest_list.short \ -+ functions/gnutls_digest_mark_insecure \ -+ functions/gnutls_digest_mark_insecure.short \ -+ functions/gnutls_digest_mark_secure \ -+ functions/gnutls_digest_mark_secure.short \ - functions/gnutls_dtls_cookie_send \ - functions/gnutls_dtls_cookie_send.short \ - functions/gnutls_dtls_cookie_verify \ -@@ -2733,6 +2737,10 @@ - functions/gnutls_ecc_curve_get_size.short \ - functions/gnutls_ecc_curve_list \ - functions/gnutls_ecc_curve_list.short \ -+ functions/gnutls_ecc_curve_mark_disabled \ -+ functions/gnutls_ecc_curve_mark_disabled.short \ -+ functions/gnutls_ecc_curve_mark_enabled \ -+ functions/gnutls_ecc_curve_mark_enabled.short \ - functions/gnutls_encode_ber_digest_info \ - functions/gnutls_encode_ber_digest_info.short \ - functions/gnutls_encode_gost_rs_value \ -@@ -3403,6 +3411,10 @@ - functions/gnutls_protocol_get_version.short \ - functions/gnutls_protocol_list \ - functions/gnutls_protocol_list.short \ -+ functions/gnutls_protocol_mark_disabled \ -+ functions/gnutls_protocol_mark_disabled.short \ -+ functions/gnutls_protocol_mark_enabled \ -+ functions/gnutls_protocol_mark_enabled.short \ - functions/gnutls_psk_allocate_client_credentials \ - functions/gnutls_psk_allocate_client_credentials.short \ - functions/gnutls_psk_allocate_server_credentials \ -@@ -3692,6 +3704,10 @@ - functions/gnutls_sign_is_secure2 \ - functions/gnutls_sign_is_secure2.short \ - functions/gnutls_sign_list functions/gnutls_sign_list.short \ -+ functions/gnutls_sign_mark_insecure \ -+ functions/gnutls_sign_mark_insecure.short \ -+ functions/gnutls_sign_mark_secure \ -+ functions/gnutls_sign_mark_secure.short \ - functions/gnutls_sign_supports_pk_algorithm \ - functions/gnutls_sign_supports_pk_algorithm.short \ - functions/gnutls_srp_allocate_client_credentials \ -diff -ruN gnutls-3.7.2/doc/manpages/certtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1 ---- gnutls-3.7.2/doc/manpages/certtool.1 2021-05-29 10:15:21.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1 2021-06-28 09:35:22.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH certtool 1 "29 May 2021" "3.7.2" "User Commands" -+.TH certtool 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -diff -ruN gnutls-3.7.2/doc/manpages/danetool.1 gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1 ---- gnutls-3.7.2/doc/manpages/danetool.1 2021-05-29 10:15:24.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1 2021-06-28 09:35:24.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH danetool 1 "29 May 2021" "3.7.2" "User Commands" -+.TH danetool 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1 ---- gnutls-3.7.2/doc/manpages/gnutls-cli.1 2021-05-29 10:15:21.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1 2021-06-28 09:35:22.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH gnutls-cli 1 "29 May 2021" "3.7.2" "User Commands" -+.TH gnutls-cli 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1 ---- gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 2021-05-29 10:15:21.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1 2021-06-28 09:35:22.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH gnutls-cli-debug 1 "29 May 2021" "3.7.2" "User Commands" -+.TH gnutls-cli-debug 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3 ---- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3 2021-06-28 09:35:39.000000000 +0200 -@@ -0,0 +1,36 @@ -+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. -+.TH "gnutls_digest_mark_insecure" 3 "3.7.2" "gnutls" "gnutls" -+.SH NAME -+gnutls_digest_mark_insecure \- API function -+.SH SYNOPSIS -+.B #include -+.sp -+.BI "int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t " dig ");" -+.SH ARGUMENTS -+.IP "gnutls_digest_algorithm_t dig" 12 -+is a digest algorithm -+.SH "DESCRIPTION" -+Mark \fIdig\fP as insecure system wide. This only works if the allowlisting mode -+is used in the configuration file. -+.SH "SINCE" -+3.7.3 -+.SH "REPORTING BUGS" -+Report bugs to . -+.br -+Home page: https://www.gnutls.org -+ -+.SH COPYRIGHT -+Copyright \(co 2001- Free Software Foundation, Inc., and others. -+.br -+Copying and distribution of this file, with or without modification, -+are permitted in any medium without royalty provided the copyright -+notice and this notice are preserved. -+.SH "SEE ALSO" -+The full documentation for -+.B gnutls -+is maintained as a Texinfo manual. -+If the /usr/share/doc/gnutls/ -+directory does not contain the HTML form visit -+.B -+.IP https://www.gnutls.org/manual/ -+.PP -diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3 ---- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3 2021-06-28 09:35:39.000000000 +0200 -@@ -0,0 +1,36 @@ -+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. -+.TH "gnutls_digest_mark_secure" 3 "3.7.2" "gnutls" "gnutls" -+.SH NAME -+gnutls_digest_mark_secure \- API function -+.SH SYNOPSIS -+.B #include -+.sp -+.BI "int gnutls_digest_mark_secure(gnutls_digest_algorithm_t " dig ");" -+.SH ARGUMENTS -+.IP "gnutls_digest_algorithm_t dig" 12 -+is a digest algorithm -+.SH "DESCRIPTION" -+Invalidate previous system wide setting that marked \fIdig\fP as insecure. This -+only works if the allowlisting mode is used in the configuration file. -+.SH "SINCE" -+3.7.3 -+.SH "REPORTING BUGS" -+Report bugs to . -+.br -+Home page: https://www.gnutls.org -+ -+.SH COPYRIGHT -+Copyright \(co 2001- Free Software Foundation, Inc., and others. -+.br -+Copying and distribution of this file, with or without modification, -+are permitted in any medium without royalty provided the copyright -+notice and this notice are preserved. -+.SH "SEE ALSO" -+The full documentation for -+.B gnutls -+is maintained as a Texinfo manual. -+If the /usr/share/doc/gnutls/ -+directory does not contain the HTML form visit -+.B -+.IP https://www.gnutls.org/manual/ -+.PP -diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3 ---- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3 2021-06-28 09:35:38.000000000 +0200 -@@ -0,0 +1,39 @@ -+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. -+.TH "gnutls_ecc_curve_mark_disabled" 3 "3.7.2" "gnutls" "gnutls" -+.SH NAME -+gnutls_ecc_curve_mark_disabled \- API function -+.SH SYNOPSIS -+.B #include -+.sp -+.BI "int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t " curve ");" -+.SH ARGUMENTS -+.IP "gnutls_ecc_curve_t curve" 12 -+is an ECC curve -+.SH "DESCRIPTION" -+Mark \fIcurve\fP as disabled system wide. This setting can be reverted with -+\fBgnutls_ecc_curve_mark_enabled()\fP. This only works if the configuration file -+uses the allowlisting mode. -+.SH "RETURNS" -+0 on success or negative error code otherwise. -+.SH "SINCE" -+3.7.3 -+.SH "REPORTING BUGS" -+Report bugs to . -+.br -+Home page: https://www.gnutls.org -+ -+.SH COPYRIGHT -+Copyright \(co 2001- Free Software Foundation, Inc., and others. -+.br -+Copying and distribution of this file, with or without modification, -+are permitted in any medium without royalty provided the copyright -+notice and this notice are preserved. -+.SH "SEE ALSO" -+The full documentation for -+.B gnutls -+is maintained as a Texinfo manual. -+If the /usr/share/doc/gnutls/ -+directory does not contain the HTML form visit -+.B -+.IP https://www.gnutls.org/manual/ -+.PP -diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3 ---- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3 2021-06-28 09:35:39.000000000 +0200 -@@ -0,0 +1,39 @@ -+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. -+.TH "gnutls_ecc_curve_mark_enabled" 3 "3.7.2" "gnutls" "gnutls" -+.SH NAME -+gnutls_ecc_curve_mark_enabled \- API function -+.SH SYNOPSIS -+.B #include -+.sp -+.BI "int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t " curve ");" -+.SH ARGUMENTS -+.IP "gnutls_ecc_curve_t curve" 12 -+is an ECC curve -+.SH "DESCRIPTION" -+Invalidate previous system wide setting that marked \fIcurve\fP as disabled. This -+only works if the curve is disabled with \fBgnutls_ecc_curve_mark_disabled()\fP or -+through the allowlisting mode in the configuration file. -+.SH "RETURNS" -+0 on success or negative error code otherwise. -+.SH "SINCE" -+3.7.3 -+.SH "REPORTING BUGS" -+Report bugs to . -+.br -+Home page: https://www.gnutls.org -+ -+.SH COPYRIGHT -+Copyright \(co 2001- Free Software Foundation, Inc., and others. -+.br -+Copying and distribution of this file, with or without modification, -+are permitted in any medium without royalty provided the copyright -+notice and this notice are preserved. -+.SH "SEE ALSO" -+The full documentation for -+.B gnutls -+is maintained as a Texinfo manual. -+If the /usr/share/doc/gnutls/ -+directory does not contain the HTML form visit -+.B -+.IP https://www.gnutls.org/manual/ -+.PP -diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3 ---- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3 2021-06-28 09:35:39.000000000 +0200 -@@ -0,0 +1,34 @@ -+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. -+.TH "gnutls_protocol_mark_disabled" 3 "3.7.2" "gnutls" "gnutls" -+.SH NAME -+gnutls_protocol_mark_disabled \- API function -+.SH SYNOPSIS -+.B #include -+.sp -+.BI "int gnutls_protocol_mark_disabled(gnutls_protocol_t " version ");" -+.SH ARGUMENTS -+.IP "gnutls_protocol_t version" 12 -+is a (gnutls) version number -+.SH "DESCRIPTION" -+Mark \fIversion\fP as disabled system wide. This only works if the allowlisting -+mode is used in the configuration file. -+.SH "REPORTING BUGS" -+Report bugs to . -+.br -+Home page: https://www.gnutls.org -+ -+.SH COPYRIGHT -+Copyright \(co 2001- Free Software Foundation, Inc., and others. -+.br -+Copying and distribution of this file, with or without modification, -+are permitted in any medium without royalty provided the copyright -+notice and this notice are preserved. -+.SH "SEE ALSO" -+The full documentation for -+.B gnutls -+is maintained as a Texinfo manual. -+If the /usr/share/doc/gnutls/ -+directory does not contain the HTML form visit -+.B -+.IP https://www.gnutls.org/manual/ -+.PP -diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3 ---- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3 2021-06-28 09:35:40.000000000 +0200 -@@ -0,0 +1,35 @@ -+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. -+.TH "gnutls_protocol_mark_enabled" 3 "3.7.2" "gnutls" "gnutls" -+.SH NAME -+gnutls_protocol_mark_enabled \- API function -+.SH SYNOPSIS -+.B #include -+.sp -+.BI "int gnutls_protocol_mark_enabled(gnutls_protocol_t " version ");" -+.SH ARGUMENTS -+.IP "gnutls_protocol_t version" 12 -+is a (gnutls) version number -+.SH "DESCRIPTION" -+Invalidate previous system wide setting that marked \fIversion\fP as -+disabled. This only works if the allowlisting mode is used in the -+configuration file. -+.SH "REPORTING BUGS" -+Report bugs to . -+.br -+Home page: https://www.gnutls.org -+ -+.SH COPYRIGHT -+Copyright \(co 2001- Free Software Foundation, Inc., and others. -+.br -+Copying and distribution of this file, with or without modification, -+are permitted in any medium without royalty provided the copyright -+notice and this notice are preserved. -+.SH "SEE ALSO" -+The full documentation for -+.B gnutls -+is maintained as a Texinfo manual. -+If the /usr/share/doc/gnutls/ -+directory does not contain the HTML form visit -+.B -+.IP https://www.gnutls.org/manual/ -+.PP -diff -ruN gnutls-3.7.2/doc/manpages/gnutls-serv.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1 ---- gnutls-3.7.2/doc/manpages/gnutls-serv.1 2021-05-29 10:15:21.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1 2021-06-28 09:35:22.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH gnutls-serv 1 "29 May 2021" "3.7.2" "User Commands" -+.TH gnutls-serv 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3 ---- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3 2021-06-28 09:35:39.000000000 +0200 -@@ -0,0 +1,42 @@ -+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. -+.TH "gnutls_sign_mark_insecure" 3 "3.7.2" "gnutls" "gnutls" -+.SH NAME -+gnutls_sign_mark_insecure \- API function -+.SH SYNOPSIS -+.B #include -+.sp -+.BI "int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");" -+.SH ARGUMENTS -+.IP "gnutls_sign_algorithm_t sign" 12 -+the sign algorithm -+.IP "unsigned flags" 12 -+\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0 -+.SH "DESCRIPTION" -+Mark \fIsign\fP as insecure system wide. This only works if the -+allowlisting mode is used in the configuration file. -+ -+If \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set, -+and the algorithm was previously considered secure for all purposes, -+it only marks the algorithm as insecure for the use with certificates. -+.SH "SINCE" -+3.7.3 -+.SH "REPORTING BUGS" -+Report bugs to . -+.br -+Home page: https://www.gnutls.org -+ -+.SH COPYRIGHT -+Copyright \(co 2001- Free Software Foundation, Inc., and others. -+.br -+Copying and distribution of this file, with or without modification, -+are permitted in any medium without royalty provided the copyright -+notice and this notice are preserved. -+.SH "SEE ALSO" -+The full documentation for -+.B gnutls -+is maintained as a Texinfo manual. -+If the /usr/share/doc/gnutls/ -+directory does not contain the HTML form visit -+.B -+.IP https://www.gnutls.org/manual/ -+.PP -diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3 ---- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3 2021-06-28 09:35:39.000000000 +0200 -@@ -0,0 +1,46 @@ -+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. -+.TH "gnutls_sign_mark_secure" 3 "3.7.2" "gnutls" "gnutls" -+.SH NAME -+gnutls_sign_mark_secure \- API function -+.SH SYNOPSIS -+.B #include -+.sp -+.BI "int gnutls_sign_mark_secure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");" -+.SH ARGUMENTS -+.IP "gnutls_sign_algorithm_t sign" 12 -+the sign algorithm -+.IP "unsigned flags" 12 -+\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0 -+.SH "DESCRIPTION" -+Invalidate previous system wide setting that marked \fIsign\fP as -+insecure. This only works if the algorithm is marked as insecure -+with \fBgnutls_sign_mark_insecure()\fP or through the allowlisting mode -+in the configuration file. -+ -+If \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set, -+it marks it the algorithm as secure for all purposes. -+If the absence of this flag, it will mark it as -+"secure, but not for certificates" at most, -+but it won't restrict anything either. -+.SH "SINCE" -+3.7.3 -+.SH "REPORTING BUGS" -+Report bugs to . -+.br -+Home page: https://www.gnutls.org -+ -+.SH COPYRIGHT -+Copyright \(co 2001- Free Software Foundation, Inc., and others. -+.br -+Copying and distribution of this file, with or without modification, -+are permitted in any medium without royalty provided the copyright -+notice and this notice are preserved. -+.SH "SEE ALSO" -+The full documentation for -+.B gnutls -+is maintained as a Texinfo manual. -+If the /usr/share/doc/gnutls/ -+directory does not contain the HTML form visit -+.B -+.IP https://www.gnutls.org/manual/ -+.PP -diff -ruN gnutls-3.7.2/doc/manpages/Makefile.am gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am ---- gnutls-3.7.2/doc/manpages/Makefile.am 2021-05-27 08:08:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am 2021-06-28 09:09:14.000000000 +0200 -@@ -289,6 +289,8 @@ - APIMANS += gnutls_digest_get_name.3 - APIMANS += gnutls_digest_get_oid.3 - APIMANS += gnutls_digest_list.3 -+APIMANS += gnutls_digest_mark_insecure.3 -+APIMANS += gnutls_digest_mark_secure.3 - APIMANS += gnutls_dtls_cookie_send.3 - APIMANS += gnutls_dtls_cookie_verify.3 - APIMANS += gnutls_dtls_get_data_mtu.3 -@@ -307,6 +309,8 @@ - APIMANS += gnutls_ecc_curve_get_pk.3 - APIMANS += gnutls_ecc_curve_get_size.3 - APIMANS += gnutls_ecc_curve_list.3 -+APIMANS += gnutls_ecc_curve_mark_disabled.3 -+APIMANS += gnutls_ecc_curve_mark_enabled.3 - APIMANS += gnutls_encode_ber_digest_info.3 - APIMANS += gnutls_encode_gost_rs_value.3 - APIMANS += gnutls_encode_rs_value.3 -@@ -667,6 +671,8 @@ - APIMANS += gnutls_protocol_get_name.3 - APIMANS += gnutls_protocol_get_version.3 - APIMANS += gnutls_protocol_list.3 -+APIMANS += gnutls_protocol_mark_disabled.3 -+APIMANS += gnutls_protocol_mark_enabled.3 - APIMANS += gnutls_psk_allocate_client_credentials.3 - APIMANS += gnutls_psk_allocate_server_credentials.3 - APIMANS += gnutls_psk_client_get_hint.3 -@@ -814,6 +820,8 @@ - APIMANS += gnutls_sign_is_secure.3 - APIMANS += gnutls_sign_is_secure2.3 - APIMANS += gnutls_sign_list.3 -+APIMANS += gnutls_sign_mark_insecure.3 -+APIMANS += gnutls_sign_mark_secure.3 - APIMANS += gnutls_sign_supports_pk_algorithm.3 - APIMANS += gnutls_srp_allocate_client_credentials.3 - APIMANS += gnutls_srp_allocate_server_credentials.3 -diff -ruN gnutls-3.7.2/doc/manpages/Makefile.in gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in ---- gnutls-3.7.2/doc/manpages/Makefile.in 2021-05-29 10:11:21.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in 2021-06-28 09:11:38.000000000 +0200 -@@ -2185,6 +2185,7 @@ - gnutls_dh_params_init.3 gnutls_dh_set_prime_bits.3 \ - gnutls_digest_get_id.3 gnutls_digest_get_name.3 \ - gnutls_digest_get_oid.3 gnutls_digest_list.3 \ -+ gnutls_digest_mark_insecure.3 gnutls_digest_mark_secure.3 \ - gnutls_dtls_cookie_send.3 gnutls_dtls_cookie_verify.3 \ - gnutls_dtls_get_data_mtu.3 gnutls_dtls_get_mtu.3 \ - gnutls_dtls_get_timeout.3 gnutls_dtls_prestate_set.3 \ -@@ -2194,6 +2195,8 @@ - gnutls_ecc_curve_get_id.3 gnutls_ecc_curve_get_name.3 \ - gnutls_ecc_curve_get_oid.3 gnutls_ecc_curve_get_pk.3 \ - gnutls_ecc_curve_get_size.3 gnutls_ecc_curve_list.3 \ -+ gnutls_ecc_curve_mark_disabled.3 \ -+ gnutls_ecc_curve_mark_enabled.3 \ - gnutls_encode_ber_digest_info.3 gnutls_encode_gost_rs_value.3 \ - gnutls_encode_rs_value.3 gnutls_error_is_fatal.3 \ - gnutls_error_to_alert.3 gnutls_est_record_overhead_size.3 \ -@@ -2399,7 +2402,8 @@ - gnutls_privkey_status.3 gnutls_privkey_verify_params.3 \ - gnutls_privkey_verify_seed.3 gnutls_protocol_get_id.3 \ - gnutls_protocol_get_name.3 gnutls_protocol_get_version.3 \ -- gnutls_protocol_list.3 \ -+ gnutls_protocol_list.3 gnutls_protocol_mark_disabled.3 \ -+ gnutls_protocol_mark_enabled.3 \ - gnutls_psk_allocate_client_credentials.3 \ - gnutls_psk_allocate_server_credentials.3 \ - gnutls_psk_client_get_hint.3 \ -@@ -2498,6 +2502,7 @@ - gnutls_sign_get_name.3 gnutls_sign_get_oid.3 \ - gnutls_sign_get_pk_algorithm.3 gnutls_sign_is_secure.3 \ - gnutls_sign_is_secure2.3 gnutls_sign_list.3 \ -+ gnutls_sign_mark_insecure.3 gnutls_sign_mark_secure.3 \ - gnutls_sign_supports_pk_algorithm.3 \ - gnutls_srp_allocate_client_credentials.3 \ - gnutls_srp_allocate_server_credentials.3 \ -diff -ruN gnutls-3.7.2/doc/manpages/ocsptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1 ---- gnutls-3.7.2/doc/manpages/ocsptool.1 2021-05-29 10:15:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1 2021-06-28 09:35:23.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH ocsptool 1 "29 May 2021" "3.7.2" "User Commands" -+.TH ocsptool 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -diff -ruN gnutls-3.7.2/doc/manpages/p11tool.1 gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1 ---- gnutls-3.7.2/doc/manpages/p11tool.1 2021-05-29 10:15:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1 2021-06-28 09:35:23.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH p11tool 1 "29 May 2021" "3.7.2" "User Commands" -+.TH p11tool 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -@@ -230,8 +230,9 @@ - .NOP \f\*[B-Font]\-\-write\f[] - Writes the loaded objects to a PKCS #11 token. - .sp --It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with -- one of \--load-privkey, \--load-pubkey, \--load-certificate option. -+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of \--load-privkey, \--load-pubkey, \--load-certificate option. -+.sp -+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand. - .TP - .NOP \f\*[B-Font]\-\-delete\f[] - Deletes the objects matching the given PKCS #11 URL. -diff -ruN gnutls-3.7.2/doc/manpages/psktool.1 gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1 ---- gnutls-3.7.2/doc/manpages/psktool.1 2021-05-29 10:15:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1 2021-06-28 09:35:23.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH psktool 1 "29 May 2021" "3.7.2" "User Commands" -+.TH psktool 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -diff -ruN gnutls-3.7.2/doc/manpages/srptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1 ---- gnutls-3.7.2/doc/manpages/srptool.1 2021-05-29 10:15:24.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1 2021-06-28 09:35:24.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH srptool 1 "29 May 2021" "3.7.2" "User Commands" -+.TH srptool 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -diff -ruN gnutls-3.7.2/doc/manpages/tpmtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1 ---- gnutls-3.7.2/doc/manpages/tpmtool.1 2021-05-29 10:15:23.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1 2021-06-28 09:35:23.000000000 +0200 -@@ -10,7 +10,7 @@ - .ds B-Font B - .ds I-Font I - .ds R-Font R --.TH tpmtool 1 "29 May 2021" "3.7.2" "User Commands" -+.TH tpmtool 1 "28 Jun 2021" "3.7.2" "User Commands" - .\" - .\" DO NOT EDIT THIS FILE (in-mem file) - .\" -diff -ruN gnutls-3.7.2/doc/reference/gnutls-sections.txt gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt ---- gnutls-3.7.2/doc/reference/gnutls-sections.txt 2021-05-29 10:23:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt 2021-06-28 09:56:37.000000000 +0200 -@@ -267,6 +267,8 @@ - encipher_type - GNUTLS_SIGN_FLAG_TLS13_OK - GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE -+GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE -+GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE - gnutls_sign_entry_st - gnutls_ecc_curve_entry_st - MAX_ECC_CURVE_SIZE -@@ -1486,6 +1488,14 @@ - gnutls_sign_algorithm_get_requested - gnutls_cipher_get_name - gnutls_oid_to_digest -+gnutls_ecc_curve_mark_disabled -+gnutls_ecc_curve_mark_enabled -+gnutls_sign_mark_insecure -+gnutls_sign_mark_secure -+gnutls_digest_mark_insecure -+gnutls_digest_mark_secure -+gnutls_protocol_mark_disabled -+gnutls_protocol_mark_enabled - gnutls_error_is_fatal - gnutls_perror - gnutls_strerror -@@ -2268,6 +2278,8 @@ - gnutls_group_entry_st - GNUTLS_MAC_FLAG_PREIMAGE_INSECURE - GNUTLS_MAC_FLAG_CONTINUOUS_MAC -+GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE -+GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE - mac_entry_st - version_entry_st - sign_algorithm_st -diff -ruN gnutls-3.7.2/lib/algorithms/ecc.c gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c ---- gnutls-3.7.2/lib/algorithms/ecc.c 2021-05-10 16:34:47.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c 2021-06-28 09:09:14.000000000 +0200 -@@ -351,13 +351,83 @@ - return ret; - } - --int _gnutls_ecc_curve_mark_disabled(const char *name) -+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */ -+int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve) - { - gnutls_ecc_curve_entry_st *p; - - for(p = ecc_curves; p->name != NULL; p++) { -- if (c_strcasecmp(p->name, name) == 0) { -- p->supported = 0; -+ if (p->id == curve) { -+ p->supported = false; -+ return 0; -+ } -+ } -+ -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+} -+ -+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */ -+void _gnutls_ecc_curve_mark_disabled_all(void) -+{ -+ gnutls_ecc_curve_entry_st *p; -+ -+ for(p = ecc_curves; p->name != NULL; p++) { -+ p->supported = false; -+ p->supported_revertible = true; -+ } -+} -+ -+/** -+ * gnutls_ecc_curve_mark_enabled: -+ * @curve: is an ECC curve -+ * -+ * Mark @curve as disabled system wide. This setting can be reverted with -+ * gnutls_ecc_curve_mark_enabled(). This only works if the configuration file -+ * uses the allowlisting mode. -+ * -+ * Returns: 0 on success or negative error code otherwise. -+ * -+ * Since: 3.7.3 -+ */ -+int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve) -+{ -+ gnutls_ecc_curve_entry_st *p; -+ -+ for(p = ecc_curves; p->name != NULL; p++) { -+ if (p->id == curve) { -+ if (!p->supported_revertible) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ p->supported = false; -+ return 0; -+ } -+ } -+ -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+} -+ -+/** -+ * gnutls_ecc_curve_mark_enabled: -+ * @curve: is an ECC curve -+ * -+ * Invalidate previous system wide setting that marked @curve as disabled. This -+ * only works if the curve is disabled with gnutls_ecc_curve_mark_disabled() or -+ * through the allowlisting mode in the configuration file. -+ * -+ * Returns: 0 on success or negative error code otherwise. -+ * -+ * Since: 3.7.3 -+ */ -+int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve) -+{ -+ gnutls_ecc_curve_entry_st *p; -+ -+ for(p = ecc_curves; p->name != NULL; p++) { -+ if (p->id == curve) { -+ if (!p->supported_revertible) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ p->supported = true; - return 0; - } - } -diff -ruN gnutls-3.7.2/lib/algorithms/groups.c gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c ---- gnutls-3.7.2/lib/algorithms/groups.c 2021-04-19 09:28:28.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c 2021-06-28 09:09:14.000000000 +0200 -@@ -276,6 +276,24 @@ - return ret; - } - -+ -+/* Similar to gnutls_group_get_id, except that it does not check if -+ * the curve is supported. -+ */ -+gnutls_group_t _gnutls_group_get_id(const char *name) -+{ -+ gnutls_group_t ret = GNUTLS_GROUP_INVALID; -+ -+ GNUTLS_GROUP_LOOP( -+ if (c_strcasecmp(p->name, name) == 0) { -+ ret = p->id; -+ break; -+ } -+ ); -+ -+ return ret; -+} -+ - /** - * gnutls_group_get_name: - * @group: is an element from %gnutls_group_t -diff -ruN gnutls-3.7.2/lib/algorithms/mac.c gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c ---- gnutls-3.7.2/lib/algorithms/mac.c 2021-05-27 08:08:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c 2021-06-28 09:09:14.000000000 +0200 -@@ -291,13 +291,56 @@ - return ret; - } - --int _gnutls_digest_mark_insecure(const char *name) -+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */ -+int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig) - { - #ifndef DISABLE_SYSTEM_CONFIG - mac_entry_st *p; - - for(p = hash_algorithms; p->name != NULL; p++) { -- if (p->oid != NULL && c_strcasecmp(p->name, name) == 0) { -+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) { -+ p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE; -+ return 0; -+ } -+ } -+ -+#endif -+ return GNUTLS_E_INVALID_REQUEST; -+} -+ -+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */ -+void _gnutls_digest_mark_insecure_all(void) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ mac_entry_st *p; -+ -+ for(p = hash_algorithms; p->name != NULL; p++) { -+ p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE | -+ GNUTLS_MAC_FLAG_PREIMAGE_INSECURE; -+ } -+ -+#endif -+} -+ -+/** -+ * gnutls_digest_mark_insecure: -+ * @dig: is a digest algorithm -+ * -+ * Mark @dig as insecure system wide. This only works if the allowlisting mode -+ * is used in the configuration file. -+ * -+ * Since: 3.7.3 -+ */ -+int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ mac_entry_st *p; -+ -+ for(p = hash_algorithms; p->name != NULL; p++) { -+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) { -+ if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } - p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE; - return 0; - } -@@ -307,6 +350,34 @@ - return GNUTLS_E_INVALID_REQUEST; - } - -+/** -+ * gnutls_digest_mark_secure: -+ * @dig: is a digest algorithm -+ * -+ * Invalidate previous system wide setting that marked @dig as insecure. This -+ * only works if the allowlisting mode is used in the configuration file. -+ * -+ * Since: 3.7.3 -+ */ -+int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ mac_entry_st *p; -+ -+ for(p = hash_algorithms; p->name != NULL; p++) { -+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) { -+ if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ p->flags &= ~GNUTLS_MAC_FLAG_PREIMAGE_INSECURE; -+ return 0; -+ } -+ } -+ -+#endif -+ return GNUTLS_E_INVALID_REQUEST; -+} -+ - unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig) - { - const mac_entry_st *p; -@@ -320,6 +391,21 @@ - return 1; - } - -+bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig, unsigned flags) -+{ -+ const mac_entry_st *p; -+ -+ for(p = hash_algorithms; p->name != NULL; p++) { -+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) { -+ return (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE && -+ !(flags & GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE && -+ p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)); -+ } -+ } -+ -+ return true; -+} -+ - /** - * gnutls_mac_get_id: - * @name: is a MAC algorithm name -diff -ruN gnutls-3.7.2/lib/algorithms/protocols.c gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c ---- gnutls-3.7.2/lib/algorithms/protocols.c 2021-05-10 16:34:47.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c 2021-06-28 09:09:14.000000000 +0200 -@@ -198,14 +198,82 @@ - return 0; - } - --int _gnutls_version_mark_disabled(const char *name) -+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */ -+int _gnutls_version_mark_disabled(gnutls_protocol_t version) - { - #ifndef DISABLE_SYSTEM_CONFIG - version_entry_st *p; - - for (p = sup_versions; p->name != NULL; p++) -- if (c_strcasecmp(p->name, name) == 0) { -- p->supported = 0; -+ if (p->id == version) { -+ p->supported = false; -+ return 0; -+ } -+ -+#endif -+ return GNUTLS_E_INVALID_REQUEST; -+} -+ -+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */ -+void _gnutls_version_mark_disabled_all(void) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ version_entry_st *p; -+ -+ for (p = sup_versions; p->name != NULL; p++) { -+ p->supported = false; -+ p->supported_revertible = true; -+ } -+ -+#endif -+} -+ -+/** -+ * gnutls_protocol_mark_disabled: -+ * @version: is a (gnutls) version number -+ * -+ * Mark @version as disabled system wide. This only works if the allowlisting -+ * mode is used in the configuration file. -+ * -+ */ -+int gnutls_protocol_mark_disabled(gnutls_protocol_t version) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ version_entry_st *p; -+ -+ for (p = sup_versions; p->name != NULL; p++) -+ if (p->id == version) { -+ if (!p->supported_revertible) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ p->supported = false; -+ return 0; -+ } -+ -+#endif -+ return GNUTLS_E_INVALID_REQUEST; -+} -+ -+/** -+ * gnutls_protocol_mark_enabled: -+ * @version: is a (gnutls) version number -+ * -+ * Invalidate previous system wide setting that marked @version as -+ * disabled. This only works if the allowlisting mode is used in the -+ * configuration file. -+ * -+ */ -+int gnutls_protocol_mark_enabled(gnutls_protocol_t version) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ version_entry_st *p; -+ -+ for (p = sup_versions; p->name != NULL; p++) -+ if (p->id == version) { -+ if (!p->supported_revertible) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ p->supported = true; - return 0; - } - -@@ -469,6 +537,25 @@ - return supported_protocols; - } - -+/* Return all versions, including non-supported ones. -+ */ -+const gnutls_protocol_t *_gnutls_protocol_list(void) -+{ -+ const version_entry_st *p; -+ static gnutls_protocol_t protocols[MAX_ALGOS] = { 0 }; -+ -+ if (protocols[0] == 0) { -+ int i = 0; -+ -+ for (p = sup_versions; p->name != NULL; p++) { -+ protocols[i++] = p->id; -+ } -+ protocols[i++] = 0; -+ } -+ -+ return protocols; -+} -+ - /* Returns a version number given the major and minor numbers. - */ - gnutls_protocol_t _gnutls_version_get(uint8_t major, uint8_t minor) -diff -ruN gnutls-3.7.2/lib/algorithms/sign.c gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c ---- gnutls-3.7.2/lib/algorithms/sign.c 2021-05-10 16:34:47.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c 2021-06-28 09:09:14.000000000 +0200 -@@ -453,16 +453,23 @@ - - bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags) - { -- if (se->hash != GNUTLS_DIG_UNKNOWN && _gnutls_digest_is_insecure(se->hash)) -- return gnutls_assert_val(0); -+ if (se->hash != GNUTLS_DIG_UNKNOWN && -+ _gnutls_digest_is_insecure2(se->hash, -+ flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE ? -+ GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE : -+ 0)) { -+ return gnutls_assert_val(false); -+ } - -- if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) -- return (se->slevel==_SECURE)?1:0; -- else -- return (se->slevel==_SECURE || se->slevel == _INSECURE_FOR_CERTS)?1:0; -+ return (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS ? -+ se->slevel == _SECURE : -+ (se->slevel == _SECURE || se->slevel == _INSECURE_FOR_CERTS)) || -+ (flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE && -+ se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE); - } - --int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t level) -+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */ -+int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, hash_security_level_t level) - { - #ifndef DISABLE_SYSTEM_CONFIG - gnutls_sign_entry_st *p; -@@ -471,11 +478,106 @@ - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - for(p = sign_algorithms; p->name != NULL; p++) { -- if (c_strcasecmp(p->name, name) == 0) { -+ if (p->id && p->id == sign) { -+ if (p->slevel < level) - p->slevel = level; - return 0; - } - } -+#endif -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+} -+ -+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */ -+void _gnutls_sign_mark_insecure_all(hash_security_level_t level) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ gnutls_sign_entry_st *p; -+ -+ for(p = sign_algorithms; p->name != NULL; p++) { -+ if (p->slevel < level) -+ p->slevel = level; -+ p->flags |= GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE; -+ } -+#endif -+} -+ -+/** -+ * gnutls_sign_mark_insecure: -+ * @sign: the sign algorithm -+ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0 -+ * -+ * Mark @sign as insecure system wide. This only works if the -+ * allowlisting mode is used in the configuration file. -+ * -+ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set, -+ * and the algorithm was previously considered secure for all purposes, -+ * it only marks the algorithm as insecure for the use with certificates. -+ * -+ * Since: 3.7.3 -+ */ -+int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ gnutls_sign_entry_st *p; -+ -+ for(p = sign_algorithms; p->name != NULL; p++) { -+ if (p->id && p->id == sign) { -+ if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) { -+ if (p->slevel < _INSECURE_FOR_CERTS) -+ p->slevel = _INSECURE_FOR_CERTS; -+ } else { -+ p->slevel = _INSECURE; -+ } -+ return 0; -+ } -+ } -+#endif -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+} -+// TODO: really not sure about the intuitiveness of the interface of this one, -+// the flag naming isn't ideal here -+ -+/** -+ * gnutls_sign_mark_secure: -+ * @sign: the sign algorithm -+ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0 -+ * -+ * Invalidate previous system wide setting that marked @sign as -+ * insecure. This only works if the algorithm is marked as insecure -+ * with gnutls_sign_mark_insecure() or through the allowlisting mode -+ * in the configuration file. -+ * -+ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set, -+ * it marks it the algorithm as secure for all purposes. -+ * If the absence of this flag, it will mark it as -+ * "secure, but not for certificates" at most, -+ * but it won't restrict anything either. -+ * -+ * Since: 3.7.3 -+ */ -+int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags) -+{ -+#ifndef DISABLE_SYSTEM_CONFIG -+ gnutls_sign_entry_st *p; -+ -+ for(p = sign_algorithms; p->name != NULL; p++) { -+ if (p->id && p->id == sign) { -+ if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) { -+ p->slevel = _SECURE; -+ } else { -+ if (p->slevel > _INSECURE_FOR_CERTS) -+ p->slevel = _INSECURE_FOR_CERTS; -+ } -+ return 0; -+ } -+ } - #endif - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - } -diff -ruN gnutls-3.7.2/lib/algorithms.h gnutls-3.7.2-bootstrapped/lib/algorithms.h ---- gnutls-3.7.2/lib/algorithms.h 2021-05-10 16:34:47.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/algorithms.h 2021-06-28 09:09:14.000000000 +0200 -@@ -345,15 +345,27 @@ - _INSECURE - } hash_security_level_t; - --int _gnutls_ecc_curve_mark_disabled(const char *name); --int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t); --int _gnutls_digest_mark_insecure(const char *name); -+int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve); -+int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t, hash_security_level_t); -+int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig); - unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig); --int _gnutls_version_mark_disabled(const char *name); -+bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig, unsigned flags); -+const gnutls_protocol_t *_gnutls_protocol_list(void); -+int _gnutls_version_mark_disabled(gnutls_protocol_t version); - gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name); - -+/* these functions are for revertible settings, meaning that algorithms marked -+ * as disabled/insecure with mark_*_all functions can be re-enabled with -+ * mark_{enabled,secure} functions */ -+void _gnutls_ecc_curve_mark_disabled_all(void); -+void _gnutls_sign_mark_insecure_all(hash_security_level_t level); -+void _gnutls_digest_mark_insecure_all(void); -+void _gnutls_version_mark_disabled_all(void); -+ - #define GNUTLS_SIGN_FLAG_TLS13_OK 1 /* if it is ok to use under TLS1.3 */ - #define GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE (1 << 1) /* reverse order of bytes in CrtVrfy signature */ -+#define GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE (1 << 2) -+#define GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3) - struct gnutls_sign_entry_st { - const char *name; - const char *oid; -@@ -448,6 +460,7 @@ - unsigned sig_size; /* the size of curve signatures in bytes (EdDSA) */ - unsigned gost_curve; - bool supported; -+ bool supported_revertible; - gnutls_group_t group; - } gnutls_ecc_curve_entry_st; - -@@ -459,6 +472,7 @@ - gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t); - const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num); - const gnutls_group_entry_st * _gnutls_id_to_group(unsigned id); -+gnutls_group_t _gnutls_group_get_id(const char *name); - - gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk, int bits); - #define MAX_ECC_CURVE_SIZE 66 -diff -ruN gnutls-3.7.2/lib/gnutls_int.h gnutls-3.7.2-bootstrapped/lib/gnutls_int.h ---- gnutls-3.7.2/lib/gnutls_int.h 2021-05-27 08:08:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/gnutls_int.h 2021-06-28 09:09:14.000000000 +0200 -@@ -662,6 +662,8 @@ - - #define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE 1 /* if this algorithm should not be trusted for pre-image attacks */ - #define GNUTLS_MAC_FLAG_CONTINUOUS_MAC (1 << 1) /* if this MAC should be used in a 'continuous' way in TLS */ -+#define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE (1 << 2) /* if this algorithm should not be trusted for pre-image attacks, but can be enabled through API */ -+#define GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3) /* when checking with _gnutls_digest_is_insecure2, don't treat revertible setting as fatal */ - /* This structure is used both for MACs and digests - */ - typedef struct mac_entry_st { -@@ -685,6 +687,7 @@ - uint8_t minor; /* defined by the protocol */ - transport_t transport; /* Type of transport, stream or datagram */ - bool supported; /* 0 not supported, > 0 is supported */ -+ bool supported_revertible; - bool explicit_iv; - bool extensions; /* whether it supports extensions */ - bool selectable_sighash; /* whether signatures can be selected */ -diff -ruN gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in ---- gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in 2021-05-27 08:08:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in 2021-06-28 09:09:14.000000000 +0200 -@@ -1438,6 +1438,16 @@ - gnutls_mac_algorithm_t * mac, - gnutls_protocol_t * min_version); - -+ /* functions for run-time enablement of algorithms */ -+int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve); -+int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve); -+int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags); -+int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags); -+int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig); -+int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig); -+int gnutls_protocol_mark_disabled(gnutls_protocol_t version); -+int gnutls_protocol_mark_enabled(gnutls_protocol_t version); -+ - /* error functions */ - int gnutls_error_is_fatal(int error) __GNUTLS_CONST__; - int gnutls_error_to_alert(int err, int *level); -diff -ruN gnutls-3.7.2/lib/libgnutls.map gnutls-3.7.2-bootstrapped/lib/libgnutls.map ---- gnutls-3.7.2/lib/libgnutls.map 2021-05-29 07:16:27.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/libgnutls.map 2021-06-28 09:09:14.000000000 +0200 -@@ -1355,6 +1355,21 @@ - *; - } GNUTLS_3_7_0; - -+GNUTLS_3_7_3 -+{ -+ global: -+ gnutls_ecc_curve_mark_disabled; -+ gnutls_ecc_curve_mark_enabled; -+ gnutls_sign_mark_insecure; -+ gnutls_sign_mark_secure; -+ gnutls_digest_mark_insecure; -+ gnutls_digest_mark_secure; -+ gnutls_protocol_mark_disabled; -+ gnutls_protocol_mark_enabled; -+ local: -+ *; -+} GNUTLS_3_7_2; -+ - GNUTLS_FIPS140_3_4 { - global: - gnutls_cipher_self_test; -diff -ruN gnutls-3.7.2/lib/priority.c gnutls-3.7.2-bootstrapped/lib/priority.c ---- gnutls-3.7.2/lib/priority.c 2021-05-27 08:08:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/lib/priority.c 2021-06-28 09:09:14.000000000 +0200 -@@ -700,6 +700,7 @@ - #define LEVEL_SUITEB128 "SUITEB128" - #define LEVEL_SUITEB192 "SUITEB192" - #define LEVEL_LEGACY "LEGACY" -+#define LEVEL_SYSTEM "SYSTEM" - - struct priority_groups_st { - const char *name; -@@ -1001,17 +1002,22 @@ - - static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN; - static name_val_array_t system_wide_priority_strings = NULL; -+static char *system_wide_priority_string = NULL; - static unsigned system_wide_priority_strings_init = 0; - static unsigned system_wide_default_priority_string = 0; - static unsigned fail_on_invalid_config = 0; --static unsigned system_wide_disabled_ciphers[MAX_ALGOS+1] = {0}; --static unsigned system_wide_disabled_macs[MAX_ALGOS+1] = {0}; --static unsigned system_wide_disabled_groups[MAX_ALGOS+1] = {0}; --static unsigned system_wide_disabled_kxs[MAX_ALGOS+1] = {0}; -+static bool system_wide_allowlisting; -+static unsigned system_wide_tls_ciphers[MAX_ALGOS+1] = {0}; -+static unsigned system_wide_tls_macs[MAX_ALGOS+1] = {0}; -+static unsigned system_wide_tls_groups[MAX_ALGOS+1] = {0}; -+static unsigned system_wide_tls_kxs[MAX_ALGOS+1] = {0}; -+static unsigned system_wide_tls_sigs[MAX_ALGOS+1] = {0}; -+static unsigned system_wide_tls_vers[MAX_ALGOS+1] = {0}; - - static const char *system_priority_file = SYSTEM_PRIORITY_FILE; - static time_t system_priority_last_mod = 0; - -+#define GLOBAL_SECTION "global" - #define CUSTOM_PRIORITY_SECTION "priorities" - #define OVERRIDES_SECTION "overrides" - #define MAX_ALGO_NAME 2048 -@@ -1051,108 +1057,479 @@ - return out; - } - --/* This function parses a gnutls configuration file and updates internal -- * settings accordingly. -+struct cfg { -+ bool allowlisting; -+ -+ name_val_array_t priority_strings; -+ bool priority_strings_init; -+ char *default_priority_string; -+ gnutls_certificate_verification_profiles_t verification_profile; -+ -+ gnutls_cipher_algorithm_t ciphers[MAX_ALGOS+1]; -+ gnutls_mac_algorithm_t macs[MAX_ALGOS+1]; -+ gnutls_group_t groups[MAX_ALGOS+1]; -+ gnutls_kx_algorithm_t kxs[MAX_ALGOS+1]; -+ -+ gnutls_digest_algorithm_t *hashes; -+ size_t hashes_size; -+ gnutls_sign_algorithm_t *sigs; -+ size_t sigs_size; -+ gnutls_sign_algorithm_t *sigs_for_cert; -+ size_t sigs_for_cert_size; -+ gnutls_protocol_t *versions; -+ size_t versions_size; -+ gnutls_ecc_curve_t *curves; -+ size_t curves_size; -+}; -+ -+static inline void -+cfg_deinit(struct cfg *cfg) -+{ -+ if (cfg->priority_strings) { -+ _name_val_array_clear(&cfg->priority_strings); -+ } -+ cfg->priority_strings_init = false; -+ gnutls_free(cfg->default_priority_string); -+ gnutls_free(cfg->hashes); -+ gnutls_free(cfg->sigs); -+ gnutls_free(cfg->sigs_for_cert); -+ gnutls_free(cfg->versions); -+ gnutls_free(cfg->curves); -+} -+ -+static inline int -+cfg_apply(struct cfg *cfg) -+{ -+ size_t i; -+ -+ system_wide_verification_profile = cfg->verification_profile; -+ -+ if (cfg->priority_strings_init) { -+ system_wide_priority_strings = cfg->priority_strings; -+ cfg->priority_strings = NULL; -+ cfg->priority_strings_init = false; -+ system_wide_priority_strings_init = 1; -+ } -+ -+ if (cfg->default_priority_string) { -+ _clear_default_system_priority(); -+ _gnutls_default_priority_string = cfg->default_priority_string; -+ cfg->default_priority_string = NULL; -+ system_wide_default_priority_string = 1; -+ } -+ -+ system_wide_allowlisting = cfg->allowlisting; -+ memcpy(system_wide_tls_ciphers, cfg->ciphers, sizeof(cfg->ciphers)); -+ memcpy(system_wide_tls_macs, cfg->macs, sizeof(cfg->macs)); -+ memcpy(system_wide_tls_groups, cfg->groups, sizeof(cfg->groups)); -+ memcpy(system_wide_tls_kxs, cfg->kxs, sizeof(cfg->kxs)); -+ -+ if (cfg->allowlisting) { -+ unsigned tls_sig_sem = 0; -+ size_t j; -+ -+ _gnutls_digest_mark_insecure_all(); -+ for (i = 0; i < cfg->hashes_size; i++) { -+ int ret = gnutls_digest_mark_secure(cfg->hashes[i]); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ } -+ _gnutls_sign_mark_insecure_all(_INSECURE); -+ for (i = 0; i < cfg->sigs_size; i++) { -+ int ret = gnutls_sign_mark_secure(cfg->sigs[i], 0); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ } -+ for (i = 0; i < cfg->sigs_for_cert_size; i++) { -+ int ret = gnutls_sign_mark_secure(cfg->sigs_for_cert[i], -+ GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ } -+ _gnutls_version_mark_disabled_all(); -+ for (i = 0, j = 0; i < cfg->versions_size; i++) { -+ const version_entry_st *vers; -+ int ret = gnutls_protocol_mark_enabled(cfg->versions[i]); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ vers = version_to_entry(cfg->versions[i]); -+ if (vers && vers->supported) { -+ tls_sig_sem |= vers->tls_sig_sem; -+ system_wide_tls_vers[j++] = vers->id; -+ } -+ } -+ _gnutls_ecc_curve_mark_disabled_all(); -+ for (i = 0; i < cfg->curves_size; i++) { -+ int ret = gnutls_ecc_curve_mark_enabled(cfg->curves[i]); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ } -+ for (i = 0, j = 0; i < cfg->sigs_size; i++) { -+ const gnutls_sign_entry_st *se; -+ -+ se = _gnutls_sign_to_entry(cfg->sigs[i]); -+ if (se != NULL && se->aid.tls_sem & tls_sig_sem && -+ _gnutls_sign_is_secure2(se, 0)) { -+ system_wide_tls_sigs[j++] = se->id; -+ } -+ } -+ } else { -+ for (i = 0; i < cfg->hashes_size; i++) { -+ int ret = _gnutls_digest_mark_insecure(cfg->hashes[i]); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ } -+ for (i = 0; i < cfg->sigs_size; i++) { -+ int ret = _gnutls_sign_mark_insecure(cfg->sigs[i], _INSECURE); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ } -+ for (i = 0; i < cfg->sigs_for_cert_size; i++) { -+ int ret = _gnutls_sign_mark_insecure(cfg->sigs_for_cert[i], _INSECURE_FOR_CERTS); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ } -+ for (i = 0; i < cfg->versions_size; i++) { -+ int ret = _gnutls_version_mark_disabled(cfg->versions[i]); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ } -+ for (i = 0; i < cfg->curves_size; i++) { -+ int ret = _gnutls_ecc_curve_mark_disabled(cfg->curves[i]); -+ if (unlikely(ret < 0)) { -+ return ret; -+ } -+ } -+ } -+ -+ return 0; -+} -+ -+/* This function parse the global section of the configuration file. -+ */ -+static int global_ini_handler(void *ctx, const char *section, const char *name, const char *value) -+{ -+ char *p; -+ char str[MAX_ALGO_NAME]; -+ struct cfg *cfg = ctx; -+ -+ if (section != NULL && c_strcasecmp(section, GLOBAL_SECTION) == 0) { -+ if (c_strcasecmp(name, "override-mode") == 0) { -+ p = clear_spaces(value, str); -+ if (c_strcasecmp(value, "allowlist") == 0) { -+ cfg->allowlisting = true; -+ } else if (c_strcasecmp(value, "blocklist") == 0) { -+ cfg->allowlisting = false; -+ } else { -+ _gnutls_debug_log("cfg: unknown override mode %s\n", -+ p); -+ if (fail_on_invalid_config) -+ return 0; -+ } -+ } else { -+ _gnutls_debug_log("unknown parameter %s\n", name); -+ if (fail_on_invalid_config) -+ return 0; -+ } -+ } -+ -+ return 1; -+} -+ -+static bool -+override_allowed(struct cfg *cfg, const char *name) -+{ -+ static const struct { -+ const char *allowlist_name; -+ const char *blocklist_name; -+ } names[] = { -+ { "secure-hash", "insecure-hash" }, -+ { "secure-sig", "insecure-sig" }, -+ { "secure-sig-for-cert", "insecure-sig-for-cert" }, -+ { "enabled-version", "disabled-version" }, -+ { "enabled-curve", "disabled-curve" }, -+ { "tls-enabled-cipher", "tls-disabled-cipher" }, -+ { "tls-enabled-group", "tls-disabled-group" }, -+ { "tls-enabled-kx", "tls-disabled-kx" }, -+ { "tls-enabled-mac", "tls-disabled-mac" } -+ }; -+ size_t i; -+ -+ for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) { -+ if (c_strcasecmp(name, -+ cfg->allowlisting ? -+ names[i].blocklist_name : -+ names[i].allowlist_name) == 0) -+ return false; -+ } -+ -+ return true; -+} -+ -+/* This function parses a gnutls configuration file. Updating internal settings -+ * according to the parsed configuration is done by cfg_apply. - */ --static int cfg_ini_handler(void *_ctx, const char *section, const char *name, const char *value) -+static int cfg_ini_handler(void *ctx, const char *section, const char *name, const char *value) - { - char *p; -- int ret, type; -+ int ret; - unsigned i; - char str[MAX_ALGO_NAME]; -+ struct cfg *cfg = ctx; - - /* Note that we intentionally overwrite the value above; inih does - * not use that value after we handle it. */ - - /* Parse sections */ - if (section == NULL || section[0] == 0 || c_strcasecmp(section, CUSTOM_PRIORITY_SECTION)==0) { -- if (system_wide_priority_strings_init == 0) { -- _name_val_array_init(&system_wide_priority_strings); -- system_wide_priority_strings_init = 1; -+ if (!cfg->priority_strings_init) { -+ _name_val_array_init(&cfg->priority_strings); -+ cfg->priority_strings_init = true; - } - - _gnutls_debug_log("cfg: adding priority: %s -> %s\n", name, value); - -- ret = _name_val_array_append(&system_wide_priority_strings, name, value); -+ ret = _name_val_array_append(&cfg->priority_strings, name, value); - if (ret < 0) - return 0; - } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { -- if (c_strcasecmp(name, "default-priority-string")==0) { -- _clear_default_system_priority(); -+ if (!override_allowed(cfg, name)) { -+ _gnutls_debug_log("cfg: %s is not allowed in this mode\n", -+ name); -+ if (fail_on_invalid_config) -+ return 0; -+ } else if (c_strcasecmp(name, "default-priority-string")==0) { -+ if (cfg->default_priority_string) { -+ gnutls_free(cfg->default_priority_string); -+ cfg->default_priority_string = NULL; -+ } - p = clear_spaces(value, str); - _gnutls_debug_log("cfg: setting default-priority-string to %s\n", p); - if (strlen(p) > 0) { -- _gnutls_default_priority_string = gnutls_strdup(p); -- if (!_gnutls_default_priority_string) { -- _gnutls_default_priority_string = DEFAULT_PRIORITY_STRING; -+ cfg->default_priority_string = gnutls_strdup(p); -+ if (!cfg->default_priority_string) { - _gnutls_debug_log("cfg: failed setting default-priority-string\n"); - return 0; - } -- system_wide_default_priority_string = 1; - } else { - _gnutls_debug_log("cfg: empty default-priority-string, using default\n"); - if (fail_on_invalid_config) - return 0; - } -- } else if (c_strcasecmp(name, "insecure-hash")==0) { -+ } else if (c_strcasecmp(name, "insecure-hash") == 0 || -+ c_strcasecmp(name, "secure-hash") == 0) { -+ gnutls_digest_algorithm_t dig, *tmp; -+ - p = clear_spaces(value, str); - -- _gnutls_debug_log("cfg: marking hash %s as insecure\n", -- p); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: marking hash %s as secure\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: marking hash %s as insecure\n", -+ p); -+ } - -- ret = _gnutls_digest_mark_insecure(p); -- if (ret < 0) { -+ dig = gnutls_digest_get_id(p); -+ if (dig == GNUTLS_DIG_UNKNOWN) { - _gnutls_debug_log("cfg: found unknown hash %s in %s\n", - p, name); - if (fail_on_invalid_config) - return 0; -+ goto exit; -+ } -+ tmp = _gnutls_reallocarray(cfg->hashes, -+ cfg->hashes_size + 1, -+ sizeof(gnutls_digest_algorithm_t)); -+ if (!tmp) { -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: failed marking hash %s as secure\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: failed marking hash %s as insecure\n", -+ p); -+ } -+ if (fail_on_invalid_config) -+ return 0; -+ goto exit; - } -- } else if (c_strcasecmp(name, "insecure-sig")==0 || c_strcasecmp(name, "insecure-sig-for-cert")==0) { -+ -+ cfg->hashes = tmp; -+ cfg->hashes[cfg->hashes_size] = dig; -+ cfg->hashes_size++; -+ } else if (c_strcasecmp(name, "insecure-sig") == 0 || -+ c_strcasecmp(name, "secure-sig") == 0) { -+ gnutls_sign_algorithm_t sig, *tmp; -+ - p = clear_spaces(value, str); - -- if (c_strcasecmp(name, "insecure-sig")==0) { -- type = _INSECURE; -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: marking signature %s as secure\n", -+ p); -+ } else { - _gnutls_debug_log("cfg: marking signature %s as insecure\n", - p); -+ } -+ -+ sig = gnutls_sign_get_id(p); -+ if (sig == GNUTLS_SIGN_UNKNOWN) { -+ _gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n", -+ p, name); -+ if (fail_on_invalid_config) -+ return 0; -+ goto exit; -+ } -+ tmp = _gnutls_reallocarray(cfg->sigs, -+ cfg->sigs_size + 1, -+ sizeof(gnutls_sign_algorithm_t)); -+ if (!tmp) { -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: failed marking signature %s as secure\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: failed marking signature %s as insecure\n", -+ p); -+ } -+ if (fail_on_invalid_config) -+ return 0; -+ goto exit; -+ } -+ -+ cfg->sigs = tmp; -+ cfg->sigs[cfg->sigs_size] = sig; -+ cfg->sigs_size++; -+ } else if (c_strcasecmp(name, "insecure-sig-for-cert") == 0 || -+ c_strcasecmp(name, "secure-sig-for-cert") == 0) { -+ gnutls_sign_algorithm_t sig, *tmp; -+ -+ p = clear_spaces(value, str); -+ -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: marking signature %s as secure for certs\n", -+ p); - } else { - _gnutls_debug_log("cfg: marking signature %s as insecure for certs\n", - p); -- type = _INSECURE_FOR_CERTS; - } - -- ret = _gnutls_sign_mark_insecure(p, type); -- if (ret < 0) { -+ sig = gnutls_sign_get_id(p); -+ if (sig == GNUTLS_SIGN_UNKNOWN) { - _gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n", - p, name); - if (fail_on_invalid_config) - return 0; -+ goto exit; -+ } -+ tmp = _gnutls_reallocarray(cfg->sigs_for_cert, -+ cfg->sigs_for_cert_size + 1, -+ sizeof(gnutls_sign_algorithm_t)); -+ if (!tmp) { -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: failed marking signature %s as secure for certs\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: failed marking signature %s as insecure for certs\n", -+ p); -+ } -+ if (fail_on_invalid_config) -+ return 0; -+ goto exit; - } -- } else if (c_strcasecmp(name, "disabled-version")==0) { -+ -+ cfg->sigs_for_cert = tmp; -+ cfg->sigs_for_cert[cfg->sigs_for_cert_size] = sig; -+ cfg->sigs_for_cert_size++; -+ } else if (c_strcasecmp(name, "disabled-version") == 0 || -+ c_strcasecmp(name, "enabled-version") == 0) { -+ gnutls_protocol_t prot, *tmp; -+ - p = clear_spaces(value, str); - -- _gnutls_debug_log("cfg: disabling version %s\n", -- p); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: enabling version %s\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: disabling version %s\n", -+ p); -+ } - -- ret = _gnutls_version_mark_disabled(p); -- if (ret < 0) { -+ prot = gnutls_protocol_get_id(p); -+ if (prot == GNUTLS_VERSION_UNKNOWN) { - _gnutls_debug_log("cfg: found unknown version %s in %s\n", - p, name); - if (fail_on_invalid_config) - return 0; -+ goto exit; - } -- } else if (c_strcasecmp(name, "disabled-curve")==0) { -+ tmp = _gnutls_reallocarray(cfg->versions, -+ cfg->versions_size + 1, -+ sizeof(gnutls_protocol_t)); -+ if (!tmp) { -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: failed enabling version %s\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: failed disabling version %s\n", -+ p); -+ } -+ if (fail_on_invalid_config) -+ return 0; -+ goto exit; -+ } -+ -+ cfg->versions = tmp; -+ cfg->versions[cfg->versions_size] = prot; -+ cfg->versions_size++; -+ } else if (c_strcasecmp(name, "disabled-curve") == 0 || -+ c_strcasecmp(name, "enabled-curve") == 0) { -+ gnutls_ecc_curve_t curve, *tmp; -+ - p = clear_spaces(value, str); - -- _gnutls_debug_log("cfg: disabling curve %s\n", -- p); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: enabling curve %s\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: disabling curve %s\n", -+ p); -+ } - -- ret = _gnutls_ecc_curve_mark_disabled(p); -- if (ret < 0) { -+ curve = gnutls_ecc_curve_get_id(p); -+ if (curve == GNUTLS_ECC_CURVE_INVALID) { - _gnutls_debug_log("cfg: found unknown curve %s in %s\n", - p, name); - if (fail_on_invalid_config) - return 0; -+ goto exit; -+ } -+ tmp = _gnutls_reallocarray(cfg->curves, -+ cfg->curves_size + 1, -+ sizeof(gnutls_ecc_curve_t)); -+ if (!tmp) { -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: failed enabling curve %s\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: failed disabling curve %s\n", -+ p); -+ } -+ if (fail_on_invalid_config) -+ return 0; -+ goto exit; - } -+ -+ cfg->curves = tmp; -+ cfg->curves[cfg->curves_size] = curve; -+ cfg->curves_size++; - } else if (c_strcasecmp(name, "min-verification-profile")==0) { - gnutls_certificate_verification_profiles_t profile; - profile = gnutls_certificate_verification_profile_get_id(value); -@@ -1162,47 +1539,65 @@ - value, name); - if (fail_on_invalid_config) - return 0; -+ goto exit; - } - -- system_wide_verification_profile = profile; -- } else if (c_strcasecmp(name, "tls-disabled-cipher")==0) { -- unsigned algo; -+ cfg->verification_profile = profile; -+ } else if (c_strcasecmp(name, "tls-disabled-cipher") == 0 || -+ c_strcasecmp(name, "tls-enabled-cipher") == 0) { -+ gnutls_cipher_algorithm_t algo; - - p = clear_spaces(value, str); - -- _gnutls_debug_log("cfg: disabling cipher %s for TLS\n", -- p); -- -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: enabling cipher %s for TLS\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: disabling cipher %s for TLS\n", -+ p); -+ } - - algo = gnutls_cipher_get_id(p); -- if (algo == 0) { -+ if (algo == GNUTLS_CIPHER_UNKNOWN) { - _gnutls_debug_log("cfg: unknown algorithm %s listed at %s\n", - p, name); - if (fail_on_invalid_config) - return 0; -+ goto exit; - } - - i = 0; -- while (system_wide_disabled_ciphers[i] != 0) -+ while (cfg->ciphers[i] != 0) - i++; - - if (i > MAX_ALGOS-1) { -- _gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n", -- i, name); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: too many (%d) enabled ciphers from %s\n", -+ i, name); -+ } else { -+ _gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n", -+ i, name); -+ } - if (fail_on_invalid_config) - return 0; - goto exit; - } -- system_wide_disabled_ciphers[i] = algo; -- system_wide_disabled_ciphers[i+1] = 0; -+ cfg->ciphers[i] = algo; -+ cfg->ciphers[i+1] = 0; - -- } else if (c_strcasecmp(name, "tls-disabled-mac")==0) { -- unsigned algo; -+ } else if (c_strcasecmp(name, "tls-disabled-mac") == 0 || -+ c_strcasecmp(name, "tls-enabled-mac") == 0) { -+ gnutls_mac_algorithm_t algo; - - p = clear_spaces(value, str); - -- _gnutls_debug_log("cfg: disabling MAC %s for TLS\n", -- p); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: enabling MAC %s for TLS\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: disabling MAC %s for TLS\n", -+ p); -+ } - - algo = gnutls_mac_get_id(p); - if (algo == 0) { -@@ -1214,30 +1609,41 @@ - } - - i = 0; -- while (system_wide_disabled_macs[i] != 0) -+ while (cfg->macs[i] != 0) - i++; - - if (i > MAX_ALGOS-1) { -- _gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n", -- i, name); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: too many (%d) enabled MACs from %s\n", -+ i, name); -+ } else { -+ _gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n", -+ i, name); -+ } - if (fail_on_invalid_config) - return 0; - goto exit; - } -- system_wide_disabled_macs[i] = algo; -- system_wide_disabled_macs[i+1] = 0; -- } else if (c_strcasecmp(name, "tls-disabled-group")==0) { -- unsigned algo; -+ cfg->macs[i] = algo; -+ cfg->macs[i+1] = 0; -+ } else if (c_strcasecmp(name, "tls-disabled-group") == 0 || -+ c_strcasecmp(name, "tls-enabled-group") == 0) { -+ gnutls_group_t algo; - - p = clear_spaces(value, str); - -- if (strlen(p) > 6) -- p += 6; // skip GROUP- -+ if (c_strncasecmp(p, "GROUP-", 6) == 0) -+ p += 6; - -- _gnutls_debug_log("cfg: disabling group %s for TLS\n", -- p); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: enabling group %s for TLS\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: disabling group %s for TLS\n", -+ p); -+ } - -- algo = gnutls_group_get_id(p); -+ algo = _gnutls_group_get_id(p); - if (algo == 0) { - _gnutls_debug_log("cfg: unknown group %s listed at %s\n", - p, name); -@@ -1247,25 +1653,36 @@ - } - - i = 0; -- while (system_wide_disabled_groups[i] != 0) -+ while (cfg->groups[i] != 0) - i++; - - if (i > MAX_ALGOS-1) { -- _gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n", -- i, name); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: too many (%d) enabled groups from %s\n", -+ i, name); -+ } else { -+ _gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n", -+ i, name); -+ } - if (fail_on_invalid_config) - return 0; - goto exit; - } -- system_wide_disabled_groups[i] = algo; -- system_wide_disabled_groups[i+1] = 0; -- } else if (c_strcasecmp(name, "tls-disabled-kx")==0) { -+ cfg->groups[i] = algo; -+ cfg->groups[i+1] = 0; -+ } else if (c_strcasecmp(name, "tls-disabled-kx") == 0 || -+ c_strcasecmp(name, "tls-enabled-kx") == 0) { - unsigned algo; - - p = clear_spaces(value, str); - -- _gnutls_debug_log("cfg: disabling key exchange %s for TLS\n", -- p); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: enabling key exchange %s for TLS\n", -+ p); -+ } else { -+ _gnutls_debug_log("cfg: disabling key exchange %s for TLS\n", -+ p); -+ } - - algo = gnutls_kx_get_id(p); - if (algo == 0) { -@@ -1277,24 +1694,29 @@ - } - - i = 0; -- while (system_wide_disabled_kxs[i] != 0) -+ while (cfg->kxs[i] != 0) - i++; - - if (i > MAX_ALGOS-1) { -- _gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n", -- i, name); -+ if (cfg->allowlisting) { -+ _gnutls_debug_log("cfg: too many (%d) enabled key exchanges from %s\n", -+ i, name); -+ } else { -+ _gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n", -+ i, name); -+ } - if (fail_on_invalid_config) - return 0; - goto exit; - } -- system_wide_disabled_kxs[i] = algo; -- system_wide_disabled_kxs[i+1] = 0; -+ cfg->kxs[i] = algo; -+ cfg->kxs[i+1] = 0; - } else { - _gnutls_debug_log("unknown parameter %s\n", name); - if (fail_on_invalid_config) - return 0; - } -- } else { -+ } else if (c_strcasecmp(section, GLOBAL_SECTION) != 0) { - _gnutls_debug_log("cfg: unknown section %s\n", - section); - if (fail_on_invalid_config) -@@ -1310,6 +1732,7 @@ - int ret; - struct stat sb; - FILE *fp; -+ struct cfg cfg; - - if (stat(system_priority_file, &sb) < 0) { - _gnutls_debug_log("cfg: unable to access: %s: %d\n", -@@ -1327,21 +1750,41 @@ - if (system_wide_priority_strings_init != 0) - _name_val_array_clear(&system_wide_priority_strings); - -+ gnutls_free(system_wide_priority_string); -+ system_wide_priority_string = NULL; -+ - fp = fopen(system_priority_file, "re"); - if (fp == NULL) { - _gnutls_debug_log("cfg: unable to open: %s: %d\n", - system_priority_file, errno); - return; - } -- ret = ini_parse_file(fp, cfg_ini_handler, NULL); -+ /* Parsing the configuration file needs to be done in 2 phases: first -+ * parsing the [global] section and then the other sections, because the -+ * [global] section modifies the parsing behavior. -+ */ -+ memset(&cfg, 0, sizeof(cfg)); -+ ret = ini_parse_file(fp, global_ini_handler, &cfg); -+ if (ret == 0) { -+ if (fseek(fp, 0L, SEEK_SET) < 0) { -+ _gnutls_debug_log("cfg: unable to rewind: %s: %d\n", -+ system_priority_file, ret); -+ if (fail_on_invalid_config) -+ exit(1); -+ } -+ ret = ini_parse_file(fp, cfg_ini_handler, &cfg); -+ } - fclose(fp); - if (ret != 0) { -+ cfg_deinit(&cfg); - _gnutls_debug_log("cfg: unable to parse: %s: %d\n", - system_priority_file, ret); - if (fail_on_invalid_config) - exit(1); - return; - } -+ cfg_apply(&cfg); -+ cfg_deinit(&cfg); - - _gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n", - system_priority_file, -@@ -1368,6 +1811,7 @@ - void _gnutls_unload_system_priorities(void) - { - _name_val_array_clear(&system_wide_priority_strings); -+ gnutls_free(system_wide_priority_string); - _clear_default_system_priority(); - system_priority_last_mod = 0; - } -@@ -1391,6 +1835,124 @@ - return NULL; - } - -+static const char * -+resolve_priorities_from_system_wide_allowlisting(void) -+{ -+ gnutls_buffer_st buf; -+ int ret; -+ size_t i; -+ -+ if (system_wide_priority_string) { -+ return system_wide_priority_string; -+ } -+ -+ assert(system_wide_allowlisting); -+ -+ _gnutls_buffer_init(&buf); -+ -+ ret = _gnutls_buffer_append_str(&buf, "NONE"); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ -+ for (i = 0; system_wide_tls_kxs[i] != 0; i++) { -+ ret = _gnutls_buffer_append_str(&buf, ":+"); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ -+ ret = _gnutls_buffer_append_str(&buf, -+ gnutls_kx_get_name(system_wide_tls_kxs[i])); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ } -+ -+ for (i = 0; system_wide_tls_groups[i] != 0; i++) { -+ ret = _gnutls_buffer_append_str(&buf, ":+GROUP-"); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ -+ ret = _gnutls_buffer_append_str(&buf, -+ gnutls_group_get_name(system_wide_tls_groups[i])); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ } -+ -+ for (i = 0; system_wide_tls_ciphers[i] != 0; i++) { -+ ret = _gnutls_buffer_append_str(&buf, ":+"); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ -+ ret = _gnutls_buffer_append_str(&buf, -+ gnutls_cipher_get_name(system_wide_tls_ciphers[i])); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ } -+ -+ for (i = 0; system_wide_tls_macs[i] != 0; i++) { -+ ret = _gnutls_buffer_append_str(&buf, ":+"); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ -+ ret = _gnutls_buffer_append_str(&buf, -+ gnutls_mac_get_name(system_wide_tls_macs[i])); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ } -+ -+ for (i = 0; system_wide_tls_sigs[i] != 0; i++) { -+ ret = _gnutls_buffer_append_str(&buf, ":+SIGN-"); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ -+ ret = _gnutls_buffer_append_str(&buf, -+ gnutls_sign_get_name(system_wide_tls_sigs[i])); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ } -+ -+ for (i = 0; system_wide_tls_vers[i] != 0; i++) { -+ ret = _gnutls_buffer_append_str(&buf, ":+VERS-"); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ -+ ret = _gnutls_buffer_append_str(&buf, -+ gnutls_protocol_get_name(system_wide_tls_vers[i])); -+ if (ret < 0) { -+ _gnutls_buffer_clear(&buf); -+ return NULL; -+ } -+ } -+ -+ gnutls_free(system_wide_priority_string); -+ system_wide_priority_string = gnutls_strdup((char *)buf.data); -+ _gnutls_buffer_clear(&buf); -+ -+ return system_wide_priority_string; -+} -+ - #define S(str) ((str!=NULL)?str:"") - - /* Returns the new priorities if a priority string prefixed -@@ -1445,7 +2007,13 @@ - */ - _gnutls_update_system_priorities(); - -- p = _name_val_array_value(system_wide_priority_strings, ss, ss_len); -+ if (system_wide_allowlisting && -+ ss_len == sizeof(LEVEL_SYSTEM) - 1 && -+ strncmp(LEVEL_SYSTEM, ss, ss_len) == 0) { -+ p = resolve_priorities_from_system_wide_allowlisting(); -+ } else { -+ p = _name_val_array_value(system_wide_priority_strings, ss, ss_len); -+ } - - _gnutls_debug_log("resolved '%.*s' to '%s', next '%.*s'\n", - ss_len, ss, S(p), ss_next_len, S(ss_next)); -@@ -1548,48 +2116,52 @@ - priority_cache->groups.size = 0; - priority_cache->groups.have_ffdhe = 0; - -- /* disable key exchanges which are globally disabled */ -- z = 0; -- while (system_wide_disabled_kxs[z] != 0) { -- for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) { -- if (priority_cache->_kx.priorities[i] != system_wide_disabled_kxs[z]) -- priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i]; -- } -- priority_cache->_kx.num_priorities = j; -- z++; -- } -- -- /* disable groups which are globally disabled */ -- z = 0; -- while (system_wide_disabled_groups[z] != 0) { -- for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) { -- if (priority_cache->_supported_ecc.priorities[i] != system_wide_disabled_groups[z]) -- priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i]; -- } -- priority_cache->_supported_ecc.num_priorities = j; -- z++; -- } -- -- /* disable ciphers which are globally disabled */ -- z = 0; -- while (system_wide_disabled_ciphers[z] != 0) { -- for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) { -- if (priority_cache->_cipher.priorities[i] != system_wide_disabled_ciphers[z]) -- priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i]; -- } -- priority_cache->_cipher.num_priorities = j; -- z++; -- } -- -- /* disable MACs which are globally disabled */ -- z = 0; -- while (system_wide_disabled_macs[z] != 0) { -- for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) { -- if (priority_cache->_mac.priorities[i] != system_wide_disabled_macs[z]) -- priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i]; -+ /* in blocklisting mode, apply system wide disablement of key exchanges, -+ * groups, MACs, and ciphers. */ -+ if (!system_wide_allowlisting) { -+ /* disable key exchanges which are globally disabled */ -+ z = 0; -+ while (system_wide_tls_kxs[z] != 0) { -+ for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) { -+ if (priority_cache->_kx.priorities[i] != system_wide_tls_kxs[z]) -+ priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i]; -+ } -+ priority_cache->_kx.num_priorities = j; -+ z++; -+ } -+ -+ /* disable groups which are globally disabled */ -+ z = 0; -+ while (system_wide_tls_groups[z] != 0) { -+ for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) { -+ if (priority_cache->_supported_ecc.priorities[i] != system_wide_tls_groups[z]) -+ priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i]; -+ } -+ priority_cache->_supported_ecc.num_priorities = j; -+ z++; -+ } -+ -+ /* disable ciphers which are globally disabled */ -+ z = 0; -+ while (system_wide_tls_ciphers[z] != 0) { -+ for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) { -+ if (priority_cache->_cipher.priorities[i] != system_wide_tls_ciphers[z]) -+ priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i]; -+ } -+ priority_cache->_cipher.num_priorities = j; -+ z++; -+ } -+ -+ /* disable MACs which are globally disabled */ -+ z = 0; -+ while (system_wide_tls_macs[z] != 0) { -+ for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) { -+ if (priority_cache->_mac.priorities[i] != system_wide_tls_macs[z]) -+ priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i]; -+ } -+ priority_cache->_mac.num_priorities = j; -+ z++; - } -- priority_cache->_mac.num_priorities = j; -- z++; - } - - for (j=0;j_cipher.num_priorities;j++) { -@@ -1737,10 +2309,15 @@ - for (i = 0; i < priority_cache->_sign_algo.num_priorities; i++) { - se = _gnutls_sign_to_entry(priority_cache->_sign_algo.priorities[i]); - if (se != NULL && priority_cache->sigalg.size < sizeof(priority_cache->sigalg.entry)/sizeof(priority_cache->sigalg.entry[0])) { -- /* if the signature algorithm semantics are not compatible with -- * the protocol's, then skip. */ -- if ((se->aid.tls_sem & tls_sig_sem) == 0) -+ /* if the signature algorithm semantics is not -+ * compatible with the protocol's, or the algorithm is -+ * marked as insecure, then skip. */ -+ if ((se->aid.tls_sem & tls_sig_sem) == 0 || -+ !_gnutls_sign_is_secure2(se, system_wide_allowlisting ? -+ GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE : -+ 0)) { - continue; -+ } - priority_cache->sigalg.entry[priority_cache->sigalg.size++] = se; - } - } -@@ -2017,6 +2594,9 @@ - (*priority_cache)->min_record_version = 1; - gnutls_atomic_init(&(*priority_cache)->usage_cnt); - -+ if (system_wide_allowlisting && !priorities) { -+ priorities = "@" LEVEL_SYSTEM; -+ } - if (priorities == NULL) { - priorities = _gnutls_default_priority_string; - resolved_match = 0; -@@ -2150,7 +2730,7 @@ - _supported_groups_gost); - } else { - if ((algo = -- gnutls_group_get_id -+ _gnutls_group_get_id - (&broken_list[i][7])) != - GNUTLS_GROUP_INVALID) - fn(&(*priority_cache)-> -diff -ruN gnutls-3.7.2/Makefile.in gnutls-3.7.2-bootstrapped/Makefile.in ---- gnutls-3.7.2/Makefile.in 2021-05-29 10:11:20.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/Makefile.in 2021-06-28 09:11:37.000000000 +0200 -@@ -35,7 +35,7 @@ - # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - - # aminclude_static.am generated automatically by Autoconf --# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021 -+# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021 - VPATH = @srcdir@ - am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ -diff -ruN gnutls-3.7.2/NEWS gnutls-3.7.2-bootstrapped/NEWS ---- gnutls-3.7.2/NEWS 2021-05-29 10:08:56.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/NEWS 2021-06-28 09:09:14.000000000 +0200 -@@ -5,6 +5,23 @@ - Copyright (C) 2013-2019 Nikos Mavrogiannopoulos - See the end for copying conditions. - -+* Version 3.7.3 (unreleased) -+ -+** libgnutls: The allowlisting configuration mode has been added to the system-wide -+ settings. In this mode, all the algorithms are initially marked as insecure -+ or disabled, while the applications can re-enable them either through the -+ [overrides] section of the configuration file or the new API (#1172). -+ -+** API and ABI modifications: -+gnutls_ecc_curve_mark_disabled: Added. -+gnutls_ecc_curve_mark_enabled: Added. -+gnutls_sign_mark_insecure: Added. -+gnutls_sign_mark_secure: Added. -+gnutls_digest_mark_insecure: Added. -+gnutls_digest_mark_secure: Added. -+gnutls_protocol_mark_disabled: Added. -+gnutls_protocol_mark_enabled: Added. -+ - * Version 3.7.2 (released 2021-05-29) - - ** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added -diff -ruN gnutls-3.7.2/po/cs.po gnutls-3.7.2-bootstrapped/po/cs.po ---- gnutls-3.7.2/po/cs.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/cs.po 2021-06-28 09:35:00.000000000 +0200 -@@ -9,7 +9,7 @@ - msgstr "" - "Project-Id-Version: gnutls 3.6.8\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2019-06-18 07:01+02:00\n" - "Last-Translator: Petr Pisar \n" - "Language-Team: Czech \n" -diff -ruN gnutls-3.7.2/po/de.po gnutls-3.7.2-bootstrapped/po/de.po ---- gnutls-3.7.2/po/de.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/de.po 2021-06-28 09:35:00.000000000 +0200 -@@ -10,7 +10,7 @@ - msgstr "" - "Project-Id-Version: gnutls 3.2.3\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2019-05-16 20:42+0200\n" - "Last-Translator: Roland Illig \n" - "Language-Team: German \n" -diff -ruN gnutls-3.7.2/po/eo.po gnutls-3.7.2-bootstrapped/po/eo.po ---- gnutls-3.7.2/po/eo.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/eo.po 2021-06-28 09:35:00.000000000 +0200 -@@ -7,7 +7,7 @@ - msgstr "" - "Project-Id-Version: gnutls 3.6.8\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2019-07-15 13:25-0300\n" - "Last-Translator: Felipe Castro \n" - "Language-Team: Esperanto \n" -diff -ruN gnutls-3.7.2/po/es.po gnutls-3.7.2-bootstrapped/po/es.po ---- gnutls-3.7.2/po/es.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/es.po 2021-06-28 09:35:00.000000000 +0200 -@@ -7,7 +7,7 @@ - msgstr "" - "Project-Id-Version: libgnutls 3.2.3\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2018-05-02 19:11+0200\n" - "Last-Translator: Francisco Javier Serrador \n" - "Language-Team: Spanish \n" -diff -ruN gnutls-3.7.2/po/fi.po gnutls-3.7.2-bootstrapped/po/fi.po ---- gnutls-3.7.2/po/fi.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/fi.po 2021-06-28 09:35:00.000000000 +0200 -@@ -7,7 +7,7 @@ - msgstr "" - "Project-Id-Version: libgnutls 3.2.1\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2013-06-19 17:09+0300\n" - "Last-Translator: Jorma Karvonen \n" - "Language-Team: Finnish \n" -diff -ruN gnutls-3.7.2/po/fr.po gnutls-3.7.2-bootstrapped/po/fr.po ---- gnutls-3.7.2/po/fr.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/fr.po 2021-06-28 09:35:00.000000000 +0200 -@@ -12,7 +12,7 @@ - msgstr "" - "Project-Id-Version: gnutls 3.6.8\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2019-08-12 01:03+0200\n" - "Last-Translator: Stéphane Aulery \n" - "Language-Team: French \n" -diff -ruN gnutls-3.7.2/po/gnutls.pot gnutls-3.7.2-bootstrapped/po/gnutls.pot ---- gnutls-3.7.2/po/gnutls.pot 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/gnutls.pot 2021-06-28 09:35:00.000000000 +0200 -@@ -8,7 +8,7 @@ - msgstr "" - "Project-Id-Version: gnutls 3.7.2\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" - "Last-Translator: FULL NAME \n" - "Language-Team: LANGUAGE \n" -diff -ruN gnutls-3.7.2/po/it.po gnutls-3.7.2-bootstrapped/po/it.po ---- gnutls-3.7.2/po/it.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/it.po 2021-06-28 09:35:00.000000000 +0200 -@@ -8,7 +8,7 @@ - msgstr "" - "Project-Id-Version: gnutls-3.6.8\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2019-08-02 11:43+0200\n" - "Last-Translator: Milo Casagrande \n" - "Language-Team: Italian \n" -Binary files gnutls-3.7.2/po/ms.gmo and gnutls-3.7.2-bootstrapped/po/ms.gmo differ -diff -ruN gnutls-3.7.2/po/ms.po gnutls-3.7.2-bootstrapped/po/ms.po ---- gnutls-3.7.2/po/ms.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/ms.po 2021-06-28 09:35:00.000000000 +0200 -@@ -7,8 +7,8 @@ - msgstr "" - "Project-Id-Version: gnutls 3.6.8\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" --"PO-Revision-Date: 2021-04-20 16:03+0800\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" -+"PO-Revision-Date: 2021-06-14 00:17+0800\n" - "Last-Translator: Sharuzzaman Ahmat Raslan \n" - "Language-Team: Malay \n" - "Language: ms\n" -@@ -16,7 +16,7 @@ - "Content-Type: text/plain; charset=utf-8\n" - "Content-Transfer-Encoding: 8bit\n" - "X-Bugs: Report translation errors to the Language-Team address.\n" --"X-Generator: Poedit 2.4.2\n" -+"X-Generator: Poedit 3.0\n" - - #: lib/alert.c:39 - msgid "Close notify" -@@ -139,7 +139,7 @@ - #: lib/alert.c:83 - #, fuzzy - msgid "An extension was expected but was not seen" --msgstr "')' dijangka\n" -+msgstr "Sambungan tidak disokong telah dihantar" - - #: lib/alert.c:86 - msgid "No supported application protocol could be negotiated" -@@ -1224,20 +1224,19 @@ - msgstr "%s\t\t\tnamaLain OID: %.*s\n" - - #: lib/x509/output.c:152 --#, fuzzy, c-format --#| msgid "\t\t\tXMPP Address: %.*s\n" -+#, c-format - msgid "%sXMPP Address: %.*s\n" --msgstr "\t\t\tAlamat XMPP: %.*s\n" -+msgstr "%sAlamat XMPP: %.*s\n" - - #: lib/x509/output.c:156 --#, fuzzy, c-format -+#, c-format - msgid "%sKRB5Principal: %.*s\n" --msgstr "%s: %s.\n" -+msgstr "%sKRB5Principal: %.*s\n" - - #: lib/x509/output.c:160 --#, fuzzy, c-format -+#, c-format - msgid "%sUnknown name: " --msgstr "Nama" -+msgstr "%sNama tidak diketahui: " - - #: lib/x509/output.c:302 - #, c-format -@@ -1266,14 +1265,14 @@ - "\t\t\tLambakan Hex: " - - #: lib/x509/output.c:347 --#, fuzzy, c-format -+#, c-format - msgid "%s\t\t\tPermitted:\n" --msgstr "TDB: Tulis tidak dibenarkan" -+msgstr "%s\t\t\tDibenarkan:\n" - - #: lib/x509/output.c:359 --#, fuzzy, c-format -+#, c-format - msgid "%s\t\t\tExcluded:\n" --msgstr "%s%s: %.*s (%s)\n" -+msgstr "%s\t\t\tDikecualikan:\n" - - #: lib/x509/output.c:399 lib/x509/output.c:401 lib/x509/output.c:403 - #, c-format -diff -ruN gnutls-3.7.2/po/nl.po gnutls-3.7.2-bootstrapped/po/nl.po ---- gnutls-3.7.2/po/nl.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/nl.po 2021-06-28 09:35:00.000000000 +0200 -@@ -10,7 +10,7 @@ - msgstr "" - "Project-Id-Version: libgnutls-3.2.1\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2013-06-13 19:56+0200\n" - "Last-Translator: Benno Schulenberg \n" - "Language-Team: Dutch \n" -diff -ruN gnutls-3.7.2/po/pl.po gnutls-3.7.2-bootstrapped/po/pl.po ---- gnutls-3.7.2/po/pl.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/pl.po 2021-06-28 09:35:00.000000000 +0200 -@@ -7,7 +7,7 @@ - msgstr "" - "Project-Id-Version: gnutls-3.6.8\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2019-06-01 08:22+0200\n" - "Last-Translator: Jakub Bogusz \n" - "Language-Team: Polish \n" -diff -ruN gnutls-3.7.2/po/pt_BR.po gnutls-3.7.2-bootstrapped/po/pt_BR.po ---- gnutls-3.7.2/po/pt_BR.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/pt_BR.po 2021-06-28 09:35:00.000000000 +0200 -@@ -7,7 +7,7 @@ - msgstr "" - "Project-Id-Version: gnutls 3.6.8\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2019-06-11 03:55-0200\n" - "Last-Translator: Rafael Fontenelle \n" - "Language-Team: Brazilian Portuguese \n" - "Language-Team: Serbian <(nothing)>\n" -diff -ruN gnutls-3.7.2/po/sv.po gnutls-3.7.2-bootstrapped/po/sv.po ---- gnutls-3.7.2/po/sv.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/sv.po 2021-06-28 09:35:00.000000000 +0200 -@@ -8,7 +8,7 @@ - msgstr "" - "Project-Id-Version: libgnutls 3.2.3\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2017-06-22 13:44+0200\n" - "Last-Translator: Anders Jonsson \n" - "Language-Team: Swedish \n" -diff -ruN gnutls-3.7.2/po/uk.po gnutls-3.7.2-bootstrapped/po/uk.po ---- gnutls-3.7.2/po/uk.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/uk.po 2021-06-28 09:35:00.000000000 +0200 -@@ -8,7 +8,7 @@ - msgstr "" - "Project-Id-Version: gnutls 3.6.8\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2019-06-06 21:38+0300\n" - "Last-Translator: Yuri Chornoivan \n" - "Language-Team: Ukrainian \n" -diff -ruN gnutls-3.7.2/po/vi.po gnutls-3.7.2-bootstrapped/po/vi.po ---- gnutls-3.7.2/po/vi.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/vi.po 2021-06-28 09:35:00.000000000 +0200 -@@ -8,7 +8,7 @@ - msgstr "" - "Project-Id-Version: libgnutls-3.2.3\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2013-08-06 07:13+0700\n" - "Last-Translator: Trần Ngọc Quân \n" - "Language-Team: Vietnamese \n" -diff -ruN gnutls-3.7.2/po/zh_CN.po gnutls-3.7.2-bootstrapped/po/zh_CN.po ---- gnutls-3.7.2/po/zh_CN.po 2021-05-29 10:15:00.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/po/zh_CN.po 2021-06-28 09:35:00.000000000 +0200 -@@ -10,7 +10,7 @@ - msgstr "" - "Project-Id-Version: libgnutls 3.2.3\n" - "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" --"POT-Creation-Date: 2021-05-29 10:15+0200\n" -+"POT-Creation-Date: 2021-06-28 09:35+0200\n" - "PO-Revision-Date: 2015-11-10 09:47-0500\n" - "Last-Translator: Mingye Wang (Arthur2e5) \n" - "Language-Team: Chinese (simplified) \n" -diff -ruN gnutls-3.7.2/src/p11tool-args.def gnutls-3.7.2-bootstrapped/src/p11tool-args.def ---- gnutls-3.7.2/src/p11tool-args.def 2021-04-19 09:28:28.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/src/p11tool-args.def 2021-06-25 17:46:01.000000000 +0200 -@@ -268,8 +268,9 @@ - flag = { - name = write; - descrip = "Writes the loaded objects to a PKCS #11 token"; -- doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with -- one of --load-privkey, --load-pubkey, --load-certificate option."; -+ doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option. -+ -+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand."; - }; - - flag = { -diff -ruN gnutls-3.7.2/tests/Makefile.am gnutls-3.7.2-bootstrapped/tests/Makefile.am ---- gnutls-3.7.2/tests/Makefile.am 2021-05-27 08:10:21.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/tests/Makefile.am 2021-06-28 09:09:42.000000000 +0200 -@@ -108,7 +108,7 @@ - libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c - libutils_la_LIBADD = ../lib/libgnutls.la - --indirect_tests = system-override-hash system-override-sig -+indirect_tests = system-override-hash system-override-sig system-override-sig-tls - - ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \ - tls13/post-handshake-with-cert tls13/post-handshake-without-cert \ -@@ -509,7 +509,13 @@ - dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \ - system-override-versions.sh system-override-invalid.sh \ - system-override-curves.sh system-override-profiles.sh system-override-tls.sh \ -- system-override-kx.sh system-override-default-priority-string.sh -+ system-override-kx.sh system-override-default-priority-string.sh \ -+ system-override-sig-tls.sh -+ -+dist_check_SCRIPTS += system-override-sig-allowlist.sh \ -+ system-override-hash-allowlist.sh \ -+ system-override-versions-allowlist.sh \ -+ system-override-curves-allowlist.sh - endif - - dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh -@@ -605,6 +611,7 @@ - endif - - TEST_EXTENSIONS = .sh -+SH_LOG_COMPILER = $(SHELL) - LOG_COMPILER = $(VALGRIND) - - distclean-local: -diff -ruN gnutls-3.7.2/tests/Makefile.in gnutls-3.7.2-bootstrapped/tests/Makefile.in ---- gnutls-3.7.2/tests/Makefile.in 2021-05-29 10:11:25.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/tests/Makefile.in 2021-06-28 09:11:42.000000000 +0200 -@@ -191,11 +191,20 @@ - @WINDOWS_FALSE@ gnutls-cli-resume.sh profile-tests.sh \ - @WINDOWS_FALSE@ server-weak-keys.sh - @WINDOWS_FALSE@am__append_17 = dtls-stress --@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh system-override-hash.sh \ --@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions.sh system-override-invalid.sh \ --@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves.sh system-override-profiles.sh system-override-tls.sh \ --@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-kx.sh system-override-default-priority-string.sh -- -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-hash.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-invalid.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-profiles.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-tls.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-kx.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-default-priority-string.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-sig-tls.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-sig-allowlist.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-hash-allowlist.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions-allowlist.sh \ -+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves-allowlist.sh - @WINDOWS_FALSE@am__append_19 = gnutls-cli-self-signed.sh \ - @WINDOWS_FALSE@ gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \ - @WINDOWS_FALSE@ dh-fips-approved.sh -@@ -662,8 +671,8 @@ - @ENABLE_PKCS11_TRUE@@HAVE_PKCS11_TRUST_STORE_TRUE@@P11KIT_0_23_11_API_TRUE@@WINDOWS_FALSE@ pkcs11/list-objects$(EXEEXT) - @WINDOWS_FALSE@am__EXEEXT_18 = datefudge-check$(EXEEXT) - am__EXEEXT_19 = system-override-hash$(EXEEXT) \ -- system-override-sig$(EXEEXT) $(am__EXEEXT_16) $(am__EXEEXT_17) \ -- $(am__EXEEXT_18) -+ system-override-sig$(EXEEXT) system-override-sig-tls$(EXEEXT) \ -+ $(am__EXEEXT_16) $(am__EXEEXT_17) $(am__EXEEXT_18) - PROGRAMS = $(noinst_PROGRAMS) - LTLIBRARIES = $(noinst_LTLIBRARIES) - @ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock1_la_DEPENDENCIES = \ -@@ -2366,6 +2375,11 @@ - system_override_sig_LDADD = $(LDADD) - system_override_sig_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \ - $(am__DEPENDENCIES_2) -+system_override_sig_tls_SOURCES = system-override-sig-tls.c -+system_override_sig_tls_OBJECTS = system-override-sig-tls.$(OBJEXT) -+system_override_sig_tls_LDADD = $(LDADD) -+system_override_sig_tls_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \ -+ libutils.la $(am__DEPENDENCIES_2) - system_prio_file_SOURCES = system-prio-file.c - system_prio_file_OBJECTS = system-prio-file.$(OBJEXT) - system_prio_file_LDADD = $(LDADD) -@@ -2997,10 +3011,13 @@ - system-override-profiles.sh system-override-tls.sh \ - system-override-kx.sh \ - system-override-default-priority-string.sh \ -- gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \ -- gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \ -- testpkcs11.sh certtool-pkcs11.sh p11-kit-load.sh danetool.sh \ -- tpmtool_test.sh -+ system-override-sig-tls.sh system-override-sig-allowlist.sh \ -+ system-override-hash-allowlist.sh \ -+ system-override-versions-allowlist.sh \ -+ system-override-curves-allowlist.sh gnutls-cli-self-signed.sh \ -+ gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \ -+ dh-fips-approved.sh p11-kit-trust.sh testpkcs11.sh \ -+ certtool-pkcs11.sh p11-kit-load.sh danetool.sh tpmtool_test.sh - AM_V_P = $(am__v_P_@AM_V@) - am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) - am__v_P_0 = false -@@ -3216,6 +3233,7 @@ - ./$(DEPDIR)/status-request.Po ./$(DEPDIR)/str-idna.Po \ - ./$(DEPDIR)/str-unicode.Po ./$(DEPDIR)/strict-der.Po \ - ./$(DEPDIR)/system-override-hash.Po \ -+ ./$(DEPDIR)/system-override-sig-tls.Po \ - ./$(DEPDIR)/system-override-sig.Po \ - ./$(DEPDIR)/system-prio-file.Po ./$(DEPDIR)/time.Po \ - ./$(DEPDIR)/tls-channel-binding.Po \ -@@ -3522,16 +3540,16 @@ - ssl30-server-kx-neg.c status-request.c status-request-ext.c \ - status-request-ok.c status-request-revoked.c str-idna.c \ - str-unicode.c strict-der.c system-override-hash.c \ -- system-override-sig.c system-prio-file.c time.c \ -- tls-channel-binding.c tls-client-with-seccomp.c \ -- tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \ -- tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \ -- tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \ -- tls-record-size-limit-asym.c tls-session-ext-override.c \ -- tls-session-ext-register.c tls-session-supplemental.c \ -- tls-supplemental.c tls-with-seccomp.c \ -- $(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \ -- tls10-prf.c tls10-server-kx-neg.c \ -+ system-override-sig.c system-override-sig-tls.c \ -+ system-prio-file.c time.c tls-channel-binding.c \ -+ tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \ -+ tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \ -+ tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \ -+ tls-record-size-limit.c tls-record-size-limit-asym.c \ -+ tls-session-ext-override.c tls-session-ext-register.c \ -+ tls-session-supplemental.c tls-supplemental.c \ -+ tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \ -+ tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \ - $(tls11_cert_key_exchange_SOURCES) \ - $(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \ - $(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \ -@@ -3707,16 +3725,16 @@ - ssl30-server-kx-neg.c status-request.c status-request-ext.c \ - status-request-ok.c status-request-revoked.c str-idna.c \ - str-unicode.c strict-der.c system-override-hash.c \ -- system-override-sig.c system-prio-file.c time.c \ -- tls-channel-binding.c tls-client-with-seccomp.c \ -- tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \ -- tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \ -- tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \ -- tls-record-size-limit-asym.c tls-session-ext-override.c \ -- tls-session-ext-register.c tls-session-supplemental.c \ -- tls-supplemental.c tls-with-seccomp.c \ -- $(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \ -- tls10-prf.c tls10-server-kx-neg.c \ -+ system-override-sig.c system-override-sig-tls.c \ -+ system-prio-file.c time.c tls-channel-binding.c \ -+ tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \ -+ tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \ -+ tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \ -+ tls-record-size-limit.c tls-record-size-limit-asym.c \ -+ tls-session-ext-override.c tls-session-ext-register.c \ -+ tls-session-supplemental.c tls-supplemental.c \ -+ tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \ -+ tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \ - $(tls11_cert_key_exchange_SOURCES) \ - $(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \ - $(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \ -@@ -5822,7 +5840,8 @@ - libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c - libutils_la_LIBADD = ../lib/libgnutls.la - indirect_tests = system-override-hash system-override-sig \ -- $(am__append_17) $(am__append_22) $(am__append_28) -+ system-override-sig-tls $(am__append_17) $(am__append_22) \ -+ $(am__append_28) - ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \ - tls13/post-handshake-with-cert \ - tls13/post-handshake-without-cert tls13/cookie tls13/key_share \ -@@ -6115,6 +6134,7 @@ - @ENABLE_CXX_TRUE@@HAVE_CMOCKA_TRUE@ -I$(top_builddir)/gl - - TEST_EXTENSIONS = .sh -+SH_LOG_COMPILER = $(SHELL) - LOG_COMPILER = $(VALGRIND) - all: all-recursive - -@@ -7590,6 +7610,10 @@ - @rm -f system-override-sig$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(system_override_sig_OBJECTS) $(system_override_sig_LDADD) $(LIBS) - -+system-override-sig-tls$(EXEEXT): $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_DEPENDENCIES) $(EXTRA_system_override_sig_tls_DEPENDENCIES) -+ @rm -f system-override-sig-tls$(EXEEXT) -+ $(AM_V_CCLD)$(LINK) $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_LDADD) $(LIBS) -+ - system-prio-file$(EXEEXT): $(system_prio_file_OBJECTS) $(system_prio_file_DEPENDENCIES) $(EXTRA_system_prio_file_DEPENDENCIES) - @rm -f system-prio-file$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(system_prio_file_OBJECTS) $(system_prio_file_LDADD) $(LIBS) -@@ -8396,6 +8420,7 @@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str-unicode.Po@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strict-der.Po@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-hash.Po@am__quote@ # am--include-marker -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig-tls.Po@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig.Po@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-prio-file.Po@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/time.Po@am__quote@ # am--include-marker -@@ -12588,6 +12613,7 @@ - -rm -f ./$(DEPDIR)/str-unicode.Po - -rm -f ./$(DEPDIR)/strict-der.Po - -rm -f ./$(DEPDIR)/system-override-hash.Po -+ -rm -f ./$(DEPDIR)/system-override-sig-tls.Po - -rm -f ./$(DEPDIR)/system-override-sig.Po - -rm -f ./$(DEPDIR)/system-prio-file.Po - -rm -f ./$(DEPDIR)/time.Po -@@ -13075,6 +13101,7 @@ - -rm -f ./$(DEPDIR)/str-unicode.Po - -rm -f ./$(DEPDIR)/strict-der.Po - -rm -f ./$(DEPDIR)/system-override-hash.Po -+ -rm -f ./$(DEPDIR)/system-override-sig-tls.Po - -rm -f ./$(DEPDIR)/system-override-sig.Po - -rm -f ./$(DEPDIR)/system-prio-file.Po - -rm -f ./$(DEPDIR)/time.Po -diff -ruN gnutls-3.7.2/tests/suite/Makefile.am gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am ---- gnutls-3.7.2/tests/suite/Makefile.am 2021-05-27 08:08:22.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am 2021-06-28 09:09:42.000000000 +0200 -@@ -115,4 +115,5 @@ - prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) - - TEST_EXTENSIONS = .sh -+SH_LOG_COMPILER = $(SHELL) - LOG_COMPILER = $(VALGRIND) -diff -ruN gnutls-3.7.2/tests/suite/Makefile.in gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in ---- gnutls-3.7.2/tests/suite/Makefile.in 2021-05-29 10:11:26.000000000 +0200 -+++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in 2021-06-28 09:11:43.000000000 +0200 -@@ -2351,6 +2351,7 @@ - nodist_check_SCRIPTS = $(scripts_to_test) - prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) - TEST_EXTENSIONS = .sh -+SH_LOG_COMPILER = $(SHELL) - LOG_COMPILER = $(VALGRIND) - all: all-am - -diff -ruN gnutls-3.7.2/tests/system-override-curves-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh ---- gnutls-3.7.2/tests/system-override-curves-allowlist.sh 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh 2021-06-28 09:09:14.000000000 +0200 -@@ -0,0 +1,113 @@ -+#!/bin/sh -+ -+# Copyright (C) 2019 Red Hat, Inc. -+# -+# Author: Nikos Mavrogiannopoulos -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU Lesser General Public License -+# along with this program. If not, see -+ -+: ${srcdir=.} -+: ${SERV=../src/gnutls-serv${EXEEXT}} -+: ${CLI=../src/gnutls-cli${EXEEXT}} -+TMPFILE=config.$$.tmp -+TMPFILE2=log.$$.tmp -+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 -+ -+if ! test -x "${SERV}"; then -+ exit 77 -+fi -+ -+if ! test -x "${CLI}"; then -+ exit 77 -+fi -+ -+if test "${WINDIR}" != ""; then -+ exit 77 -+fi -+ -+. "${srcdir}/scripts/common.sh" -+ -+# This test doesn't work in FIPS mode -+if test -n "${GNUTLS_FORCE_FIPS_MODE}" && test "${GNUTLS_FORCE_FIPS_MODE}" != 0; then -+ exit 77 -+fi -+ -+# We intentionally add stray spaces and tabs to check our parser -+cat <<_EOF_ > ${TMPFILE} -+[global] -+override-mode = allowlist -+ -+[overrides] -+enabled-curve = secp384r1 -+_EOF_ -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" -+export GNUTLS_DEBUG_LEVEL=3 -+ -+"${CLI}" --list|grep ^Groups >${TMPFILE2} -+cat ${TMPFILE2} -+if grep -i "SECP256R1" ${TMPFILE2} || grep -i "SECP521R1" ${TMPFILE2};then -+ echo "Found disabled curve with --list" -+ exit 1 -+fi -+ -+if ! grep -i "SECP384R1" ${TMPFILE2};then -+ echo "Could not found secp384r1" -+ exit 1 -+fi -+ -+# Try whether a client connection with a disabled curve will succeed. -+ -+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem -+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem -+ -+unset GNUTLS_SYSTEM_PRIORITY_FILE -+ -+eval "${GETPORT}" -+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1} -+PID=$! -+wait_server ${PID} -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} /dev/null || -+ fail "expected connection to succeed (1)" -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} /dev/null && -+ fail "expected connection to fail (2)" -+ -+kill ${PID} -+wait -+ -+# Try whether a server connection with a disabled curve will succeed. -+ -+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem -+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem -+ -+eval "${GETPORT}" -+launch_server --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1} -+PID=$! -+wait_server ${PID} -+ -+unset GNUTLS_SYSTEM_PRIORITY_FILE -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1" --insecure --logfile ${TMPFILE2} /dev/null && -+ fail "expected connection to fail (2)" -+ -+kill ${PID} -+wait -+ -+exit 0 -diff -ruN gnutls-3.7.2/tests/system-override-hash-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh ---- gnutls-3.7.2/tests/system-override-hash-allowlist.sh 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh 2021-06-28 09:09:14.000000000 +0200 -@@ -0,0 +1,41 @@ -+#!/bin/sh -+ -+# Copyright (C) 2019 Nikos Mavrogiannopoulos -+# -+# Author: Nikos Mavrogiannopoulos -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+: ${builddir=.} -+TMPFILE=c.$$.tmp -+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 -+ -+cat <<_EOF_ > ${TMPFILE} -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = sha384 -+secure-sig = rsa-pss-sha384 -+_EOF_ -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" -+ -+"${builddir}/system-override-hash" -+rc=$? -+rm ${TMPFILE} -+exit $rc -diff -ruN gnutls-3.7.2/tests/system-override-sig-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh ---- gnutls-3.7.2/tests/system-override-sig-allowlist.sh 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh 2021-06-28 09:09:14.000000000 +0200 -@@ -0,0 +1,43 @@ -+#!/bin/sh -+ -+# Copyright (C) 2019 Nikos Mavrogiannopoulos -+# -+# Author: Nikos Mavrogiannopoulos -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+: ${builddir=.} -+TMPFILE=c.$$.tmp -+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 -+ -+cat <<_EOF_ > ${TMPFILE} -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = sha256 -+secure-sig = rsa-sha256 -+secure-hash = sha384 -+secure-sig = rsa-pss-sha384 -+_EOF_ -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" -+ -+"${builddir}/system-override-sig" -+rc=$? -+rm ${TMPFILE} -+exit $rc -diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.c gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c ---- gnutls-3.7.2/tests/system-override-sig-tls.c 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c 2021-06-25 17:46:13.000000000 +0200 -@@ -0,0 +1,200 @@ -+/* -+ * Copyright (C) 2015-2021 Red Hat, Inc. -+ * -+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "utils.h" -+ -+#define SKIP16(pos, total) { \ -+ uint16_t _s; \ -+ if (pos+2 > total) fail("error\n"); \ -+ _s = (msg->data[pos] << 8) | msg->data[pos+1]; \ -+ if ((size_t)(pos+2+_s) > total) fail("error\n"); \ -+ pos += 2+_s; \ -+ } -+ -+#define SKIP8(pos, total) { \ -+ uint8_t _s; \ -+ if (pos+1 > total) fail("error\n"); \ -+ _s = msg->data[pos]; \ -+ if ((size_t)(pos+1+_s) > total) fail("error\n"); \ -+ pos += 1+_s; \ -+ } -+ -+#define HANDSHAKE_SESSION_ID_POS 34 -+ -+#include "eagain-common.h" -+#include "cert-common.h" -+ -+/* This tests whether the client omits signature algorithms marked as insecure, -+ * from the signature_algorithms extension. -+ */ -+ -+const char *side; -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "%s|<%d>| %s", side, level, str); -+} -+ -+#define PRIO "NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:" \ -+ "+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384" -+/* rsa_pss_rsae_sha384 */ -+#define SIGALGS_EXP "\x00\x02\x08\x05" -+ -+static int -+ext_callback(void *ctx, unsigned tls_id, -+ const unsigned char *data, unsigned size) -+{ -+ if (tls_id == 13) { /* signature algorithms */ -+ if (size != sizeof(SIGALGS_EXP) - 1) { -+ fail("invalid signature_algorithms length: %u != 4\n", -+ size); -+ } -+ if (memcmp(data, SIGALGS_EXP, sizeof(SIGALGS_EXP) - 1) != 0) { -+ fail("invalid signature_algorithms\n"); -+ } -+ } -+ return 0; -+} -+ -+static int -+handshake_callback(gnutls_session_t session, unsigned int htype, -+ unsigned post, unsigned int incoming, -+ const gnutls_datum_t *msg) -+{ -+ assert(post); -+ -+ if (!incoming && htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) { -+ int ret; -+ unsigned pos; -+ gnutls_datum_t mmsg; -+ -+ assert(msg->size >= HANDSHAKE_SESSION_ID_POS); -+ pos = HANDSHAKE_SESSION_ID_POS; -+ SKIP8(pos, msg->size); -+ SKIP16(pos, msg->size); -+ SKIP8(pos, msg->size); -+ -+ mmsg.data = &msg->data[pos]; -+ mmsg.size = msg->size - pos; -+ ret = gnutls_ext_raw_parse(NULL, ext_callback, &mmsg, 0); -+ assert(ret >= 0); -+ } -+ return 0; -+} -+ -+void doit(void) -+{ -+ int ret; -+ /* Server stuff. */ -+ gnutls_certificate_credentials_t serverx509cred; -+ gnutls_session_t server; -+ int sret = GNUTLS_E_AGAIN; -+ /* Client stuff. */ -+ gnutls_certificate_credentials_t clientx509cred; -+ gnutls_session_t client; -+ int cret = GNUTLS_E_AGAIN; -+ -+ global_init(); -+ -+ /* General init. */ -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(6); -+ -+ /* Init server */ -+ gnutls_certificate_allocate_credentials(&serverx509cred); -+ gnutls_certificate_set_x509_key_mem(serverx509cred, -+ &server2_cert, &server2_key, -+ GNUTLS_X509_FMT_PEM); -+ -+ gnutls_init(&server, GNUTLS_SERVER); -+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, -+ serverx509cred); -+ -+ gnutls_priority_set_direct(server, PRIO, NULL); -+ -+ gnutls_transport_set_push_function(server, server_push); -+ gnutls_transport_set_pull_function(server, server_pull); -+ gnutls_transport_set_pull_timeout_function(server, -+ server_pull_timeout_func); -+ gnutls_transport_set_ptr(server, server); -+ -+ /* Init client */ -+ ret = gnutls_certificate_allocate_credentials(&clientx509cred); -+ if (ret < 0) -+ exit(1); -+ -+ ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca2_cert, GNUTLS_X509_FMT_PEM); -+ if (ret < 0) -+ exit(1); -+ -+ ret = gnutls_init(&client, GNUTLS_CLIENT); -+ if (ret < 0) -+ exit(1); -+ -+ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, -+ clientx509cred); -+ if (ret < 0) -+ exit(1); -+ -+ ret = gnutls_priority_set_direct(client, PRIO, NULL); -+ if (ret < 0) -+ exit(1); -+ -+ gnutls_transport_set_push_function(client, client_push); -+ gnutls_transport_set_pull_function(client, client_pull); -+ gnutls_transport_set_pull_timeout_function(client, -+ client_pull_timeout_func); -+ gnutls_transport_set_ptr(client, client); -+ -+ gnutls_handshake_set_hook_function(client, -+ GNUTLS_HANDSHAKE_ANY, -+ GNUTLS_HOOK_POST, -+ handshake_callback); -+ -+ HANDSHAKE(client, server); -+ -+ gnutls_bye(client, GNUTLS_SHUT_RDWR); -+ gnutls_bye(server, GNUTLS_SHUT_RDWR); -+ -+ gnutls_deinit(client); -+ gnutls_deinit(server); -+ -+ gnutls_certificate_free_credentials(serverx509cred); -+ gnutls_certificate_free_credentials(clientx509cred); -+ -+ gnutls_global_deinit(); -+ -+ reset_buffers(); -+} -diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh ---- gnutls-3.7.2/tests/system-override-sig-tls.sh 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh 2021-06-25 17:46:13.000000000 +0200 -@@ -0,0 +1,39 @@ -+#!/bin/sh -+ -+# Copyright (C) 2019 Nikos Mavrogiannopoulos -+# Copyright (C) 2021 Red Hat, Inc. -+# -+# Author: Nikos Mavrogiannopoulos, Daiki Ueno -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+: ${builddir=.} -+TMPFILE=c.$$.tmp -+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 -+ -+cat <<_EOF_ > ${TMPFILE} -+[overrides] -+ -+insecure-sig = rsa-pss-rsae-sha256 -+_EOF_ -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" -+ -+"${builddir}/system-override-sig-tls" -+rc=$? -+rm ${TMPFILE} -+exit $rc -diff -ruN gnutls-3.7.2/tests/system-override-versions-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh ---- gnutls-3.7.2/tests/system-override-versions-allowlist.sh 1970-01-01 01:00:00.000000000 +0100 -+++ gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh 2021-06-28 09:09:14.000000000 +0200 -@@ -0,0 +1,109 @@ -+#!/bin/sh -+ -+# Copyright (C) 2019 Red Hat, Inc. -+# -+# Author: Nikos Mavrogiannopoulos -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+: ${srcdir=.} -+: ${SERV=../src/gnutls-serv${EXEEXT}} -+: ${CLI=../src/gnutls-cli${EXEEXT}} -+TMPFILE=config.$$.tmp -+TMPFILE2=log.$$.tmp -+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 -+ -+if ! test -x "${SERV}"; then -+ exit 77 -+fi -+ -+if ! test -x "${CLI}"; then -+ exit 77 -+fi -+ -+if test "${WINDIR}" != ""; then -+ exit 77 -+fi -+ -+. "${srcdir}/scripts/common.sh" -+ -+cat <<_EOF_ > ${TMPFILE} -+[global] -+override-mode = allowlist -+ -+[overrides] -+enabled-version = tls1.1 -+_EOF_ -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" -+export GNUTLS_DEBUG_LEVEL=3 -+ -+"${CLI}" --list|grep Protocols >${TMPFILE2} -+cat ${TMPFILE2} -+if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then -+ echo "Found disabled protocol with --list" -+ exit 1 -+fi -+ -+PRIO=@SYSTEM:+CIPHER-ALL:+MAC-ALL:+GROUP-ALL -+ -+"${CLI}" --priority "$PRIO" --list|grep Protocols >${TMPFILE2} -+cat ${TMPFILE2} -+if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then -+ echo "Found disabled protocol with --list --priority $PRIO" -+ exit 1 -+fi -+ -+# Try whether a client connection with these protocols will succeed. -+ -+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem -+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem -+ -+unset GNUTLS_SYSTEM_PRIORITY_FILE -+ -+eval "${GETPORT}" -+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1} -+PID=$! -+wait_server ${PID} -+ -+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "$PRIO" --insecure --logfile ${TMPFILE2} /dev/null && -+ fail "expected connection to fail (1)" -+ -+kill ${PID} -+wait -+ -+# Try whether a server connection with these protocols will succeed. -+ -+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem -+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem -+ -+eval "${GETPORT}" -+launch_server --echo --priority "$PRIO" --x509keyfile ${KEY1} --x509certfile ${CERT1} -+PID=$! -+wait_server ${PID} -+ -+unset GNUTLS_SYSTEM_PRIORITY_FILE -+ -+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} /dev/null && -+ fail "expected connection to fail (2)" -+ -+kill ${PID} -+wait -+ -+exit 0 diff --git a/gnutls-3.7.2-doc-hash-copy.patch b/gnutls-3.7.2-doc-hash-copy.patch deleted file mode 100644 index f55b22b..0000000 --- a/gnutls-3.7.2-doc-hash-copy.patch +++ /dev/null @@ -1,75 +0,0 @@ -From b64c8b2aa75e6668ee9115afda8e54d48b2143ac Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Wed, 22 Dec 2021 17:19:27 +0100 -Subject: [PATCH 2/2] gnutls-3.7.2-doc-hash-copy.patch - ---- - doc/functions/gnutls_hash_copy | 4 +++- - doc/functions/gnutls_hmac_copy | 4 +++- - doc/manpages/gnutls_hash_copy.3 | 4 +++- - doc/manpages/gnutls_hmac_copy.3 | 4 +++- - 4 files changed, 12 insertions(+), 4 deletions(-) - -diff --git a/doc/functions/gnutls_hash_copy b/doc/functions/gnutls_hash_copy -index 600c0e7..aac7d5d 100644 ---- a/doc/functions/gnutls_hash_copy -+++ b/doc/functions/gnutls_hash_copy -@@ -8,7 +8,9 @@ - This function will create a copy of Message Digest context, containing all - its current state. Copying contexts for Message Digests registered using - @code{gnutls_crypto_register_digest()} is not supported and will always result in --an error. -+an error. In addition to that, some of the Message Digest implementations do -+not support this operation. Applications should check the return value and -+provide a proper fallback. - - @strong{Returns:} new Message Digest context or NULL in case of an error. - -diff --git a/doc/functions/gnutls_hmac_copy b/doc/functions/gnutls_hmac_copy -index a219b21..93b20d5 100644 ---- a/doc/functions/gnutls_hmac_copy -+++ b/doc/functions/gnutls_hmac_copy -@@ -8,7 +8,9 @@ - This function will create a copy of MAC context, containing all its current - state. Copying contexts for MACs registered using - @code{gnutls_crypto_register_mac()} is not supported and will always result in an --error. -+error. In addition to that, some of the MAC implementations do not support -+this operation. Applications should check the return value and provide a -+proper fallback. - - @strong{Returns:} new MAC context or NULL in case of an error. - -diff --git a/doc/manpages/gnutls_hash_copy.3 b/doc/manpages/gnutls_hash_copy.3 -index fcf0983..19bb8c4 100644 ---- a/doc/manpages/gnutls_hash_copy.3 -+++ b/doc/manpages/gnutls_hash_copy.3 -@@ -13,7 +13,9 @@ is a \fBgnutls_hash_hd_t\fP type - This function will create a copy of Message Digest context, containing all - its current state. Copying contexts for Message Digests registered using - \fBgnutls_crypto_register_digest()\fP is not supported and will always result in --an error. -+an error. In addition to that, some of the Message Digest implementations do -+not support this operation. Applications should check the return value and -+provide a proper fallback. - .SH "RETURNS" - new Message Digest context or NULL in case of an error. - .SH "SINCE" -diff --git a/doc/manpages/gnutls_hmac_copy.3 b/doc/manpages/gnutls_hmac_copy.3 -index ba5a40d..32b0114 100644 ---- a/doc/manpages/gnutls_hmac_copy.3 -+++ b/doc/manpages/gnutls_hmac_copy.3 -@@ -13,7 +13,9 @@ is a \fBgnutls_hmac_hd_t\fP type - This function will create a copy of MAC context, containing all its current - state. Copying contexts for MACs registered using - \fBgnutls_crypto_register_mac()\fP is not supported and will always result in an --error. -+error. In addition to that, some of the MAC implementations do not support -+this operation. Applications should check the return value and provide a -+proper fallback. - .SH "RETURNS" - new MAC context or NULL in case of an error. - .SH "SINCE" --- -2.31.1 - diff --git a/gnutls-3.7.2-key-share-ecdhx.patch b/gnutls-3.7.2-key-share-ecdhx.patch deleted file mode 100644 index 21a69a5..0000000 --- a/gnutls-3.7.2-key-share-ecdhx.patch +++ /dev/null @@ -1,92 +0,0 @@ -From c9e072236c4e1c290f38aee819ecaff8398e2a16 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 25 Jun 2021 08:39:12 +0200 -Subject: [PATCH] key_share: treat X25519 and X448 as same PK type when - advertising - -Previously, if both X25519 and X448 groups were enabled in the -priority string, the client sent both algorithms in a key_share -extension, while it was only capable of handling one algorithm from -the same (Edwards curve) category. This adds an extra check so the -client should send either X25519 or X448. - -Signed-off-by: Daiki Ueno ---- - lib/ext/key_share.c | 24 +++++++++++++++++++++--- - tests/tls13/key_share.c | 3 +++ - 2 files changed, 24 insertions(+), 3 deletions(-) - -diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c -index a8c4bb5cf..a4db3af95 100644 ---- a/lib/ext/key_share.c -+++ b/lib/ext/key_share.c -@@ -656,6 +656,18 @@ key_share_recv_params(gnutls_session_t session, - return 0; - } - -+static inline bool -+pk_type_is_ecdhx(gnutls_pk_algorithm_t pk) -+{ -+ return pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448; -+} -+ -+static inline bool -+pk_type_equal(gnutls_pk_algorithm_t a, gnutls_pk_algorithm_t b) -+{ -+ return a == b || (pk_type_is_ecdhx(a) && pk_type_is_ecdhx(b)); -+} -+ - /* returns data_size or a negative number on failure - */ - static int -@@ -710,12 +722,18 @@ key_share_send_params(gnutls_session_t session, - /* generate key shares for out top-(max_groups) groups - * if they are of different PK type. */ - for (i = 0; i < session->internals.priorities->groups.size; i++) { -+ unsigned int j; -+ - group = session->internals.priorities->groups.entry[i]; - -- if (generated == 1 && group->pk == selected_groups[0]) -- continue; -- else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0])) -+ for (j = 0; j < generated; j++) { -+ if (pk_type_equal(group->pk, selected_groups[j])) { -+ break; -+ } -+ } -+ if (j < generated) { - continue; -+ } - - selected_groups[generated] = group->pk; - -diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c -index 7f8f6295c..816a7d9b5 100644 ---- a/tests/tls13/key_share.c -+++ b/tests/tls13/key_share.c -@@ -124,6 +124,7 @@ unsigned int tls_id_to_group[] = { - [23] = GNUTLS_GROUP_SECP256R1, - [24] = GNUTLS_GROUP_SECP384R1, - [29] = GNUTLS_GROUP_X25519, -+ [30] = GNUTLS_GROUP_X448, - [0x100] = GNUTLS_GROUP_FFDHE2048, - [0x101] = GNUTLS_GROUP_FFDHE3072 - }; -@@ -315,11 +316,13 @@ void doit(void) - start("two groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2); - start("two groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2); - start("two groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2); -+ start("two groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X448, 2); - start("two groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_FFDHE2048, 2); - - start("three groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3); - start("three groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3); - start("three groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X25519, 3); -+ start("three groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X448, 3); - start("three groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_FFDHE2048, 3); - - /* test default behavior */ --- -2.31.1 - diff --git a/gnutls-3.7.2-libopts-covscan.patch b/gnutls-3.7.2-libopts-covscan.patch deleted file mode 100644 index a85738f..0000000 --- a/gnutls-3.7.2-libopts-covscan.patch +++ /dev/null @@ -1,72 +0,0 @@ -From de11338de900f5c8840268264bceccbf76cca34f Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 21 Oct 2021 12:19:30 +0200 -Subject: [PATCH 1/2] autoopts: makeshell: use ferror before fclose - -Signed-off-by: Daiki Ueno ---- - src/libopts/makeshell.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/src/libopts/makeshell.c b/src/libopts/makeshell.c -index b6cb441a..7eb17a1f 100644 ---- a/src/libopts/makeshell.c -+++ b/src/libopts/makeshell.c -@@ -164,9 +164,8 @@ optionParseShell(tOptions * opts) - #ifdef HAVE_FCHMOD - fchmod(STDOUT_FILENO, 0755); - #endif -- fclose(stdout); - -- if (ferror(stdout)) -+ if (ferror(stdout) || fclose(stdout)) - fserr_exit(opts->pzProgName, zwriting, zstdout_name); - - AGFREE(script_text); --- -2.31.1 - - -From 161097d36b608b615482e42e56a465c9fd740c26 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 21 Oct 2021 12:43:07 +0200 -Subject: [PATCH 2/2] autoopts: load: fix resource leak in error path - -Signed-off-by: Daiki Ueno ---- - src/libopts/load.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/src/libopts/load.c b/src/libopts/load.c -index 3f1ce2e6..ad1c4584 100644 ---- a/src/libopts/load.c -+++ b/src/libopts/load.c -@@ -219,8 +219,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path) - * IF we cannot find a directory name separator, - * THEN we do not have a path name to our executable file. - */ -- if (pz == NULL) -+ if (pz == NULL) { -+ if (path != prg_path) -+ AGFREE(path); - return false; -+ } - - fname += skip; - fname_len = strlen(fname) + 1; // + NUL byte -@@ -230,8 +233,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path) - * Concatenate the file name to the end of the executable path. - * The result may be either a file or a directory. - */ -- if (dir_len + fname_len > (unsigned)b_sz) -+ if (dir_len + fname_len > (unsigned)b_sz) { -+ if (path != prg_path) -+ AGFREE(path); - return false; -+ } - - memcpy(buf, path, dir_len); - memcpy(buf + dir_len, fname, fname_len); --- -2.31.1 - diff --git a/gnutls.spec b/gnutls.spec index 92a41b2..111d39f 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,15 +1,9 @@ -# This spec file has been automatically updated -Version: 3.7.2 -Release: 10%{?dist} +Version: 3.7.3 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.7.2-config-allowlisting.patch -Patch4: gnutls-3.7.2-key-share-ecdhx.patch -Patch5: gnutls-3.7.2-enable-intel-cet.patch -Patch6: gnutls-3.7.2-libopts-covscan.patch -Patch7: gnutls-3.7.2-config-allowlisting-race.patch -Patch8: gnutls-3.7.2-no-explicit-init.patch -Patch9: gnutls-3.7.2-doc-hash-copy.patch +Patch3: gnutls-3.7.2-enable-intel-cet.patch +Patch4: gnutls-3.7.2-no-explicit-init.patch %bcond_with bootstrap %bcond_without dane %if 0%{?rhel} @@ -30,7 +24,6 @@ BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3 %if %{with bootstrap} BuildRequires: automake, autoconf, gperf, libtool, texinfo -BuildRequires: autogen-libopts-devel >= 5.18, autogen %endif BuildRequires: nettle-devel >= 3.5.1 %if %{with tpm12} @@ -170,24 +163,6 @@ rm -f lib/minitasn1/*.c lib/minitasn1/*.h echo "SYSTEM=NORMAL" >> tests/system.prio -%if !%{with bootstrap} -# These are ordered by dependency: -touch doc/functions/* doc/enums/* -touch doc/enums.texi doc/gnutls-api.texi -touch doc/invoke-gnutls-cli.texi -touch doc/invoke-gnutls-cli-debug.texi -touch doc/invoke-gnutls-serv.texi -touch doc/invoke-certtool.texi -touch doc/invoke-ocsptool.texi -touch doc/invoke-danetool.texi -touch doc/invoke-srptool.texi -touch doc/invoke-psktool.texi -touch doc/invoke-p11tool.texi -touch doc/invoke-tpmtool.texi -touch doc/stamp_functions doc/stamp_enums -touch doc/gnutls.info doc/gnutls.html doc/manpages/stamp_mans -%endif - # Note that we explicitly enable SHA1, as SHA1 deprecation is handled # via the crypto policies @@ -325,6 +300,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Jan 18 2022 Daiki Ueno - 3.7.3-1 +- Update to gnutls 3.7.3 (#2033220) + * Wed Dec 22 2021 Daiki Ueno - 3.7.2-10 - Update gnutls_{hash,hmac}_copy man-pages as well (#1999639) diff --git a/sources b/sources index 52f21ca..28ec0a1 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.7.2.tar.xz) = 5d01d561a05379da71e4847e30ba13c2abe09f7a5c4359fd539d8bd19abad0ce87120f82ee7b6264e787bd3edbc5ae16beffa892983cbc3d59f11a1811c10329 -SHA512 (gnutls-3.7.2.tar.xz.sig) = fc3314c0ce5fb608352fcd8e19efd14435e4cfa5c0eb843d86febb6053fec7d46774b637037b96c5a621a7001f89d6c110f75bff96f94c2a77caf5d9c3aa9447 +SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077 +SHA512 (gnutls-3.7.3.tar.xz.sig) = 93e62730570a6f65ec98538e812ed9c0bd35c25f0906b22f2ae3e762981b0e01bfb7ffcb747c64b42c586d6f0d5c90a7c3abfdc39088cc05f9975b865c309d50 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173