diff --git a/gnutls-3.7.2-config-allowlisting.patch b/gnutls-3.7.2-config-allowlisting.patch
new file mode 100644
index 0000000..484f053
--- /dev/null
+++ b/gnutls-3.7.2-config-allowlisting.patch
@@ -0,0 +1,8352 @@
+diff -ruN gnutls-3.7.2/aminclude_static.am gnutls-3.7.2-bootstrapped/aminclude_static.am
+--- gnutls-3.7.2/aminclude_static.am 2021-05-29 10:11:18.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/aminclude_static.am 2021-06-28 09:11:35.000000000 +0200
+@@ -1,6 +1,6 @@
+
+ # aminclude_static.am generated automatically by Autoconf
+-# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
++# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
+
+
+ # Code coverage
+diff -ruN gnutls-3.7.2/AUTHORS gnutls-3.7.2-bootstrapped/AUTHORS
+--- gnutls-3.7.2/AUTHORS 2021-05-29 10:22:59.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/AUTHORS 2021-06-28 09:56:13.000000000 +0200
+@@ -37,8 +37,8 @@
+ Kevin Cernekee
+ Nikolay Sivov
+ Sahana Prasad
+-Michael Catanzaro
+ Alexander Sosedkin
++Michael Catanzaro
+ Daniel Lenski
+ JonasZhou
+ Stefan Sørensen
+diff -ruN gnutls-3.7.2/ChangeLog gnutls-3.7.2-bootstrapped/ChangeLog
+--- gnutls-3.7.2/ChangeLog 2021-05-29 10:23:25.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/ChangeLog 2021-06-28 09:56:40.000000000 +0200
+@@ -1,4 +1,63 @@
+ Author: Daiki Ueno
++Date: Mon Jun 28 07:04:55 2021 +0200
++
++ tests: set SH_LOG_COMPILER so sh tests run under $(SHELL)
++
++ This omits the need of setting executable bits on shell script tests.
++
++ Signed-off-by: Daiki Ueno
++
++Author: Daiki Ueno
++Date: Thu May 6 12:41:40 2021 +0200
++
++ priority: support allowlisting in configuration file
++
++ This adds a new mode of interpreting the [overrides] section. If
++ "override-mode" is set to "allowlisting" in the [global] section, all
++ the algorithms (hashes, signature algorithms, curves, and versions)
++ are initially marked as insecure/disabled. Then the user can enable
++ them by specifying allowlisting keywords such as "secure-hash" in the
++ [overrides] section.
++
++ Signed-off-by: Daiki Ueno
++ Co-authored-by: Alexander Sosedkin
++
++Author: Daiki Ueno
++Date: Wed May 5 16:27:55 2021 +0200
++
++ priority: refactor config file parsing
++
++ This adds the following refactoring:
++
++ - avoid side-effects during parsing the config file, by separating
++ application phase; the parsed configuration can be applied globally
++ with cfg_apply, after validation
++ - make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
++ name
++
++ Signed-off-by: Daiki Ueno
++
++Author: Daiki Ueno
++Date: Fri Jun 11 06:58:43 2021 +0200
++
++ priority: reflect system wide config when constructing sigalgs
++
++ Otherwise the client would advertise signature algorithms which it
++ cannot use and cause handshake to fail.
++
++ Reported by Philip Schaten in:
++ https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html
++
++ Signed-off-by: Daiki Ueno
++
++Author: Daiki Ueno
++Date: Wed Jun 9 14:29:11 2021 +0200
++
++ p11tool: mention how CKA_IDs of certs are calculated upon --write
++
++ Signed-off-by: Daiki Ueno
++
++Author: Daiki Ueno
+ Date: Sat May 29 07:18:17 2021 +0200
+
+ Release 3.7.2
+@@ -49224,3 +49283,13 @@
+ Date: Fri Nov 7 10:22:11 2014 +0100
+
+ doc: corrected values for INSECURE level
++
++Author: Nikos Mavrogiannopoulos
++Date: Fri Nov 7 08:55:40 2014 +0100
++
++ pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags
++
++Author: Nikos Mavrogiannopoulos
++Date: Fri Nov 7 08:44:46 2014 +0100
++
++ pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
+diff -ruN gnutls-3.7.2/doc/cha-config.texi gnutls-3.7.2-bootstrapped/doc/cha-config.texi
+--- gnutls-3.7.2/doc/cha-config.texi 2021-05-10 16:34:47.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/cha-config.texi 2021-06-28 09:09:14.000000000 +0200
+@@ -74,6 +74,7 @@
+ @item @code{insecure-sig-for-cert}: to mark the signature algorithm as insecure when used in certificates.
+ @item @code{insecure-sig}: to mark the signature algorithm as insecure for any use.
+ @item @code{insecure-hash}: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
++@item @code{disabled-curve}: to disable the specified elliptic curve.
+ @item @code{disabled-version}: to disable the specified TLS versions.
+ @item @code{tls-disabled-cipher}: to disable the specified ciphers for use in the TLS or DTLS protocols.
+ @item @code{tls-disabled-mac}: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
+@@ -82,11 +83,39 @@
+ @end itemize
+
+ Each of the options can be repeated multiple times when multiple values need
+-to be disabled.
++to be disabled or enabled.
+
+ The valid values for the options above can be found in the 'Protocols', 'Digests'
+ 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of the output of @code{gnutls-cli --list}.
+
++Sometimes the system administrator wants to enable only specific
++algorithms, despite the library defaults. GnuTLS provides an
++alternative mode of overriding: allowlisting.
++
++In the allowlisting mode, all the algorithms are initially marked as
++insecure or disabled, and shall be explicitly turned on by the options
++in the @code{[overrides]} section. Those options are mutually
++exclusive to the above ones for the blocklisting mode (the default)
++@itemize
++@item @code{secure-sig-for-cert}: to mark the signature algorithm as secure when used in certificates.
++@item @code{secure-sig}: to mark the signature algorithm as secure for any use.
++@item @code{secure-hash}: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
++@item @code{enabled-curve}: to enable the specified elliptic curve.
++@item @code{enabled-version}: to enable the specified TLS versions.
++@item @code{tls-enabled-cipher}: to enable the specified ciphers for use in the TLS or DTLS protocols.
++@item @code{tls-enabled-mac}: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
++@item @code{tls-enabled-group}: to enable the specified group for use in the TLS or DTLS protocols.
++@item @code{tls-enabled-kx}: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
++@end itemize
++
++The allowlisting mode can be enabled by adding @code{override-mode =
++allowlist} in the @code{[global]} section.
++
++When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
++
++@showfuncD{gnutls_ecc_curve_mark_enabled,gnutls_sign_mark_secure,gnutls_digest_mark_secure,gnutls_protocol_mark_enabled}
++@showfuncD{gnutls_ecc_curve_mark_disabled,gnutls_sign_mark_insecure,gnutls_digest_mark_insecure,gnutls_protocol_mark_disabled}
++
+ @subsection Examples
+
+ The following example marks as insecure all digital signature algorithms
+@@ -120,6 +149,20 @@
+ tls-disabled-group = group-ffdhe8192
+ @end example
+
++The following example demonstrates the use of the allowlisting
++mode. It disables all the signature algorithms but
++@code{RSA-SHA256}. Note that the hash algorithm @code{SHA256} also
++needs to be explicitly enabled.
++
++@example
++[global]
++override-mode = allowlist
++
++[overrides]
++secure-hash = sha256
++secure-sig = rsa-sha256
++@end example
++
+ @node Querying for disabled algorithms and protocols
+ @section Querying for disabled algorithms and protocols
+
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,12 @@
++
++
++
++
++@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Mark @code{dig} as insecure system wide. This only works if the allowlisting mode
++is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,12 @@
++
++
++
++
++@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Invalidate previous system wide setting that marked @code{dig} as insecure. This
++only works if the allowlisting mode is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,15 @@
++
++
++
++
++@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Mark @code{curve} as disabled system wide. This setting can be reverted with
++@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
++uses the allowlisting mode.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,15 @@
++
++
++
++
++@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Invalidate previous system wide setting that marked @code{curve} as disabled. This
++only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or
++through the allowlisting mode in the configuration file.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,10 @@
++
++
++
++
++@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Mark @code{version} as disabled system wide. This only works if the allowlisting
++mode is used in the configuration file.
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,11 @@
++
++
++
++
++@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Invalidate previous system wide setting that marked @code{version} as
++disabled. This only works if the allowlisting mode is used in the
++configuration file.
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,18 @@
++
++
++
++
++@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
++
++Mark @code{sign} as insecure system wide. This only works if the
++allowlisting mode is used in the configuration file.
++
++If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
++and the algorithm was previously considered secure for all purposes,
++it only marks the algorithm as insecure for the use with certificates.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,22 @@
++
++
++
++
++@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
++
++Invalidate previous system wide setting that marked @code{sign} as
++insecure. This only works if the algorithm is marked as insecure
++with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode
++in the configuration file.
++
++If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
++it marks it the algorithm as secure for all purposes.
++If the absence of this flag, it will mark it as
++"secure, but not for certificates" at most,
++but it won't restrict anything either.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+diff -ruN gnutls-3.7.2/doc/gnutls-api.texi gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi
+--- gnutls-3.7.2/doc/gnutls-api.texi 2021-05-29 10:19:28.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi 2021-06-28 09:39:50.000000000 +0200
+@@ -2706,6 +2706,28 @@
+ integers indicating the available digests.
+ @end deftypefun
+
++@subheading gnutls_digest_mark_insecure
++@anchor{gnutls_digest_mark_insecure}
++@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Mark @code{dig} as insecure system wide. This only works if the allowlisting mode
++is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
++@subheading gnutls_digest_mark_secure
++@anchor{gnutls_digest_mark_secure}
++@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Invalidate previous system wide setting that marked @code{dig} as insecure. This
++only works if the allowlisting mode is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
+ @subheading gnutls_early_cipher_get
+ @anchor{gnutls_early_cipher_get}
+ @deftypefun {gnutls_cipher_algorithm_t} {gnutls_early_cipher_get} (gnutls_session_t @var{session})
+@@ -2820,6 +2842,34 @@
+ integers indicating the available curves.
+ @end deftypefun
+
++@subheading gnutls_ecc_curve_mark_disabled
++@anchor{gnutls_ecc_curve_mark_disabled}
++@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Mark @code{curve} as disabled system wide. This setting can be reverted with
++@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
++uses the allowlisting mode.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
++@subheading gnutls_ecc_curve_mark_enabled
++@anchor{gnutls_ecc_curve_mark_enabled}
++@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Invalidate previous system wide setting that marked @code{curve} as disabled. This
++only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or
++through the allowlisting mode in the configuration file.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
+ @subheading gnutls_error_is_fatal
+ @anchor{gnutls_error_is_fatal}
+ @deftypefun {int} {gnutls_error_is_fatal} (int @var{error})
+@@ -5026,6 +5076,25 @@
+ indicating the available protocols.
+ @end deftypefun
+
++@subheading gnutls_protocol_mark_disabled
++@anchor{gnutls_protocol_mark_disabled}
++@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Mark @code{version} as disabled system wide. This only works if the allowlisting
++mode is used in the configuration file.
++@end deftypefun
++
++@subheading gnutls_protocol_mark_enabled
++@anchor{gnutls_protocol_mark_enabled}
++@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Invalidate previous system wide setting that marked @code{version} as
++disabled. This only works if the allowlisting mode is used in the
++configuration file.
++@end deftypefun
++
+ @subheading gnutls_psk_allocate_client_credentials
+ @anchor{gnutls_psk_allocate_client_credentials}
+ @deftypefun {int} {gnutls_psk_allocate_client_credentials} (gnutls_psk_client_credentials_t * @var{sc})
+@@ -7027,6 +7096,44 @@
+ integers indicating the available ciphers.
+ @end deftypefun
+
++@subheading gnutls_sign_mark_insecure
++@anchor{gnutls_sign_mark_insecure}
++@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
++
++Mark @code{sign} as insecure system wide. This only works if the
++allowlisting mode is used in the configuration file.
++
++If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
++and the algorithm was previously considered secure for all purposes,
++it only marks the algorithm as insecure for the use with certificates.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
++@subheading gnutls_sign_mark_secure
++@anchor{gnutls_sign_mark_secure}
++@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
++
++Invalidate previous system wide setting that marked @code{sign} as
++insecure. This only works if the algorithm is marked as insecure
++with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode
++in the configuration file.
++
++If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
++it marks it the algorithm as secure for all purposes.
++If the absence of this flag, it will mark it as
++"secure, but not for certificates" at most,
++but it won't restrict anything either.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
+ @subheading gnutls_sign_supports_pk_algorithm
+ @anchor{gnutls_sign_supports_pk_algorithm}
+ @deftypefun {unsigned} {gnutls_sign_supports_pk_algorithm} (gnutls_sign_algorithm_t @var{sign}, gnutls_pk_algorithm_t @var{pk})
+diff -ruN gnutls-3.7.2/doc/gnutls.html gnutls-3.7.2-bootstrapped/doc/gnutls.html
+--- gnutls-3.7.2/doc/gnutls.html 2021-05-29 10:23:25.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls.html 2021-06-28 09:56:40.000000000 +0200
+@@ -8018,8 +8018,9 @@
+

write option.

+ +

This is the “writes the loaded objects to a pkcs #11 token” option. +-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with +- one of –load-privkey, –load-pubkey, –load-certificate option. ++It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of –load-privkey, –load-pubkey, –load-certificate option. ++

++

When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand. +

id option.

+ +

This is the “sets an id for the write operation” option. +@@ -16992,6 +16993,7 @@ +

  • insecure-sig-for-cert: to mark the signature algorithm as insecure when used in certificates. +
  • insecure-sig: to mark the signature algorithm as insecure for any use. +
  • insecure-hash: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms). ++
  • disabled-curve: to disable the specified elliptic curve. +
  • disabled-version: to disable the specified TLS versions. +
  • tls-disabled-cipher: to disable the specified ciphers for use in the TLS or DTLS protocols. +
  • tls-disabled-mac: to disable the specified MAC algorithms for use in the TLS or DTLS protocols. +@@ -17000,11 +17002,49 @@ +
  • + +

    Each of the options can be repeated multiple times when multiple values need +-to be disabled. ++to be disabled or enabled. +

    +

    The valid values for the options above can be found in the ’Protocols’, ’Digests’ + ’PK-signatures’, ’Protocols’, ’Ciphrers’, and ’MACs’ fields of the output of gnutls-cli --list. +

    ++

    Sometimes the system administrator wants to enable only specific ++algorithms, despite the library defaults. GnuTLS provides an ++alternative mode of overriding: allowlisting. ++

    ++

    In the allowlisting mode, all the algorithms are initially marked as ++insecure or disabled, and shall be explicitly turned on by the options ++in the [overrides] section. Those options are mutually ++exclusive to the above ones for the blocklisting mode (the default) ++

      ++
    • secure-sig-for-cert: to mark the signature algorithm as secure when used in certificates. ++
    • secure-sig: to mark the signature algorithm as secure for any use. ++
    • secure-hash: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms). ++
    • enabled-curve: to enable the specified elliptic curve. ++
    • enabled-version: to enable the specified TLS versions. ++
    • tls-enabled-cipher: to enable the specified ciphers for use in the TLS or DTLS protocols. ++
    • tls-enabled-mac: to enable the specified MAC algorithms for use in the TLS or DTLS protocols. ++
    • tls-enabled-group: to enable the specified group for use in the TLS or DTLS protocols. ++
    • tls-enabled-kx: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier). ++
    ++ ++

    The allowlisting mode can be enabled by adding override-mode = ++allowlist in the [global] section. ++

    ++

    When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API. ++

    ++
    ++
    int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t curve)
    ++
    int gnutls_sign_mark_secure (gnutls_sign_algorithm_t sign, unsigned flags)
    ++
    int gnutls_digest_mark_secure (gnutls_digest_algorithm_t dig)
    ++
    int gnutls_protocol_mark_enabled (gnutls_protocol_t version)
    ++
    ++
    ++
    int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t curve)
    ++
    int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t sign, unsigned flags)
    ++
    int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t dig)
    ++
    int gnutls_protocol_mark_disabled (gnutls_protocol_t version)
    ++
    ++ +

    8.2.1 Examples

    + +

    The following example marks as insecure all digital signature algorithms +@@ -17038,6 +17078,20 @@ + tls-disabled-group = group-ffdhe8192 + + ++

    The following example demonstrates the use of the allowlisting ++mode. It disables all the signature algorithms but ++RSA-SHA256. Note that the hash algorithm SHA256 also ++needs to be explicitly enabled. ++

    ++
    ++
    [global]
    ++override-mode = allowlist
    ++
    ++[overrides]
    ++secure-hash = sha256
    ++secure-sig = rsa-sha256
    ++
    ++ +
    +
    +

    +@@ -23658,6 +23712,28 @@ + integers indicating the available digests. +

    + ++

    gnutls_digest_mark_insecure

    ++
    ++
    Function: int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t dig)
    ++

    dig: is a digest algorithm ++

    ++

    Mark dig as insecure system wide. This only works if the allowlisting mode ++is used in the configuration file. ++

    ++

    Since: 3.7.3 ++

    ++ ++

    gnutls_digest_mark_secure

    ++
    ++
    Function: int gnutls_digest_mark_secure (gnutls_digest_algorithm_t dig)
    ++

    dig: is a digest algorithm ++

    ++

    Invalidate previous system wide setting that marked dig as insecure. This ++only works if the allowlisting mode is used in the configuration file. ++

    ++

    Since: 3.7.3 ++

    ++ +

    gnutls_early_cipher_get

    +
    +
    Function: gnutls_cipher_algorithm_t gnutls_early_cipher_get (gnutls_session_t session)
    +@@ -23772,6 +23848,34 @@ + integers indicating the available curves. +

    + ++

    gnutls_ecc_curve_mark_disabled

    ++
    ++
    Function: int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t curve)
    ++

    curve: is an ECC curve ++

    ++

    Mark curve as disabled system wide. This setting can be reverted with ++gnutls_ecc_curve_mark_enabled() . This only works if the configuration file ++uses the allowlisting mode. ++

    ++

    Returns: 0 on success or negative error code otherwise. ++

    ++

    Since: 3.7.3 ++

    ++ ++

    gnutls_ecc_curve_mark_enabled

    ++
    ++
    Function: int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t curve)
    ++

    curve: is an ECC curve ++

    ++

    Invalidate previous system wide setting that marked curve as disabled. This ++only works if the curve is disabled with gnutls_ecc_curve_mark_disabled() or ++through the allowlisting mode in the configuration file. ++

    ++

    Returns: 0 on success or negative error code otherwise. ++

    ++

    Since: 3.7.3 ++

    ++ +

    gnutls_error_is_fatal

    +
    +
    Function: int gnutls_error_is_fatal (int error)
    +@@ -25978,6 +26082,25 @@ + indicating the available protocols. +

    + ++

    gnutls_protocol_mark_disabled

    ++
    ++
    Function: int gnutls_protocol_mark_disabled (gnutls_protocol_t version)
    ++

    version: is a (gnutls) version number ++

    ++

    Mark version as disabled system wide. This only works if the allowlisting ++mode is used in the configuration file. ++

    ++ ++

    gnutls_protocol_mark_enabled

    ++
    ++
    Function: int gnutls_protocol_mark_enabled (gnutls_protocol_t version)
    ++

    version: is a (gnutls) version number ++

    ++

    Invalidate previous system wide setting that marked version as ++disabled. This only works if the allowlisting mode is used in the ++configuration file. ++

    ++ +

    gnutls_psk_allocate_client_credentials

    +
    +
    Function: int gnutls_psk_allocate_client_credentials (gnutls_psk_client_credentials_t * sc)
    +@@ -27979,6 +28102,44 @@ + integers indicating the available ciphers. +

    + ++

    gnutls_sign_mark_insecure

    ++
    ++
    Function: int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t sign, unsigned flags)
    ++

    sign: the sign algorithm ++

    ++

    flags: GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0 ++

    ++

    Mark sign as insecure system wide. This only works if the ++allowlisting mode is used in the configuration file. ++

    ++

    If flags has GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set, ++and the algorithm was previously considered secure for all purposes, ++it only marks the algorithm as insecure for the use with certificates. ++

    ++

    Since: 3.7.3 ++

    ++ ++

    gnutls_sign_mark_secure

    ++
    ++
    Function: int gnutls_sign_mark_secure (gnutls_sign_algorithm_t sign, unsigned flags)
    ++

    sign: the sign algorithm ++

    ++

    flags: GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0 ++

    ++

    Invalidate previous system wide setting that marked sign as ++insecure. This only works if the algorithm is marked as insecure ++with gnutls_sign_mark_insecure() or through the allowlisting mode ++in the configuration file. ++

    ++

    If flags has GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set, ++it marks it the algorithm as secure for all purposes. ++If the absence of this flag, it will mark it as ++"secure, but not for certificates" at most, ++but it won’t restrict anything either. ++

    ++

    Since: 3.7.3 ++

    ++ +

    gnutls_sign_supports_pk_algorithm

    +
    +
    Function: unsigned gnutls_sign_supports_pk_algorithm (gnutls_sign_algorithm_t sign, gnutls_pk_algorithm_t pk)
    +@@ -45743,6 +45904,8 @@ + gnutls_digest_get_nameCore TLS API + gnutls_digest_get_oidCore TLS API + gnutls_digest_listCore TLS API ++gnutls_digest_mark_insecureCore TLS API ++gnutls_digest_mark_secureCore TLS API + gnutls_dtls_cookie_sendDatagram TLS API + gnutls_dtls_cookie_verifyDatagram TLS API + gnutls_dtls_get_data_mtuDatagram TLS API +@@ -45762,6 +45925,8 @@ + gnutls_ecc_curve_get_pkCore TLS API + gnutls_ecc_curve_get_sizeCore TLS API + gnutls_ecc_curve_listCore TLS API ++gnutls_ecc_curve_mark_disabledCore TLS API ++gnutls_ecc_curve_mark_enabledCore TLS API + gnutls_encode_ber_digest_infoCryptographic API + gnutls_encode_gost_rs_valueCryptographic API + gnutls_encode_rs_valueCryptographic API +@@ -46151,6 +46316,8 @@ + gnutls_protocol_get_nameCore TLS API + gnutls_protocol_get_versionCore TLS API + gnutls_protocol_listCore TLS API ++gnutls_protocol_mark_disabledCore TLS API ++gnutls_protocol_mark_enabledCore TLS API + gnutls_psk_allocate_client_credentialsCore TLS API + gnutls_psk_allocate_server_credentialsCore TLS API + gnutls_psk_client_get_hintCore TLS API +@@ -46325,6 +46492,8 @@ + gnutls_sign_is_secureCore TLS API + gnutls_sign_is_secure2Core TLS API + gnutls_sign_listCore TLS API ++gnutls_sign_mark_insecureCore TLS API ++gnutls_sign_mark_secureCore TLS API + gnutls_sign_supports_pk_algorithmCore TLS API + gnutls_srp_allocate_client_credentialsCore TLS API + gnutls_srp_allocate_server_credentialsCore TLS API +diff -ruN gnutls-3.7.2/doc/gnutls.info gnutls-3.7.2-bootstrapped/doc/gnutls.info +--- gnutls-3.7.2/doc/gnutls.info 2021-05-29 10:23:25.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/gnutls.info 2021-06-28 09:56:40.000000000 +0200 +@@ -29,12 +29,12 @@ +  + Indirect: + gnutls.info-1: 1291 +-gnutls.info-2: 322163 +-gnutls.info-3: 605942 +-gnutls.info-4: 1147244 +-gnutls.info-5: 1463965 +-gnutls.info-6: 1515571 +-gnutls.info-7: 1896190 ++gnutls.info-2: 322461 ++gnutls.info-3: 606240 ++gnutls.info-4: 1153831 ++gnutls.info-5: 1470552 
++gnutls.info-6: 1522158 ++gnutls.info-7: 1903361 +  + Tag Table: + (Indirect) +@@ -324,1507 +324,1515 @@ + Ref: p11tool set-id312425 + Ref: p11tool set-label312850 + Ref: p11tool write313198 +-Ref: p11tool id313462 +-Ref: p11tool mark-wrap313719 +-Ref: p11tool mark-trusted313966 +-Ref: p11tool mark-distrusted314330 +-Ref: p11tool mark-decrypt314784 +-Ref: p11tool mark-sign315061 +-Ref: p11tool mark-ca315338 +-Ref: p11tool mark-private315611 +-Ref: p11tool ca315909 +-Ref: p11tool private316043 +-Ref: p11tool secret-key316198 +-Ref: p11tool other-options316361 +-Ref: p11tool debug316463 +-Ref: p11tool so-login316604 +-Ref: p11tool admin-login316848 +-Ref: p11tool test-sign316989 +-Ref: p11tool sign-params317283 +-Ref: p11tool hash317623 +-Ref: p11tool generate-random317919 +-Ref: p11tool inder318093 +-Ref: p11tool inraw318318 +-Ref: p11tool outder318444 +-Ref: p11tool outraw318696 +-Ref: p11tool provider318829 +-Ref: p11tool provider-opts319038 +-Ref: p11tool batch319311 +-Ref: p11tool exit status319464 +-Ref: p11tool See Also319694 +-Ref: p11tool Examples319742 +-Node: Trusted Platform Module322163 +-Ref: Trusted Platform Module-Footnote-1323956 +-Ref: Trusted Platform Module-Footnote-2324004 +-Node: Keys in TPM324061 +-Node: Key generation325545 +-Node: Using keys327813 +-Node: tpmtool Invocation331458 +-Ref: tpmtool usage331884 +-Ref: tpmtool debug335196 +-Ref: tpmtool generate-rsa335337 +-Ref: tpmtool user335608 +-Ref: tpmtool system335967 +-Ref: tpmtool test-sign336321 +-Ref: tpmtool sec-param336604 +-Ref: tpmtool inder336930 +-Ref: tpmtool outder337231 +-Ref: tpmtool srk-well-known337450 +-Ref: tpmtool exit status337606 +-Ref: tpmtool See Also337836 +-Ref: tpmtool Examples337897 +-Node: How to use GnuTLS in applications338514 +-Node: Introduction to the library339083 +-Node: General idea339682 +-Ref: fig-gnutls-design340531 +-Ref: General idea-Footnote-1341836 +-Node: Error handling341881 +-Node: Common types344108 +-Node: Debugging and auditing345442 +-Ref: 
tab:environment346313 +-Node: Thread safety349180 +-Ref: Thread safety-Footnote-1351326 +-Node: Running in a sandbox351538 +-Node: Sessions and fork352932 +-Node: Callback functions353484 +-Node: Preparation354452 +-Node: Headers354871 +-Node: Initialization355160 +-Ref: Initialization-Footnote-1356154 +-Node: Version check356447 +-Node: Building the source357322 +-Node: Session initialization359433 +-Ref: gnutls_init_flags_t360910 +-Node: Associating the credentials367923 +-Ref: tab:key-exchange-cred368699 +-Node: Certificate credentials369830 +-Node: Raw public-key credentials385415 +-Node: SRP credentials386715 +-Node: PSK credentials391613 +-Node: Anonymous credentials395548 +-Node: Setting up the transport layer396394 +-Node: Asynchronous operation405947 +-Node: Reducing round-trips410248 +-Node: Zero-roundtrip mode413688 +-Node: Anti-replay protection415893 +-Node: DTLS sessions419538 +-Ref: DTLS sessions-Footnote-1421842 +-Node: DTLS and SCTP421919 +-Node: TLS handshake422939 +-Node: Data transfer and termination426857 +-Node: Buffered data transfer435999 +-Node: Handling alerts437800 +-Node: Priority Strings441182 +-Ref: tab:prio-keywords443782 +-Ref: tab:prio-algorithms450860 +-Ref: tab:prio-special1456290 +-Ref: tab:prio-special2460137 +-Ref: Priority Strings-Footnote-1466758 +-Node: Selecting cryptographic key sizes466980 +-Ref: tab:key-sizes467629 +-Node: Advanced topics472378 +-Node: Virtual hosts and credentials472876 +-Node: Session resumption476201 +-Node: Certificate verification484108 +-Ref: dane_verify_status_t493829 +-Node: TLS 1.2 re-authentication494234 +-Node: TLS 1.3 re-authentication and re-key499091 +-Node: Parameter generation500750 +-Node: Deriving keys for other applications/protocols503397 +-Node: Channel Bindings506627 +-Node: Interoperability508166 +-Node: Compatibility with the OpenSSL library509484 +-Node: GnuTLS application examples510211 +-Ref: examples510430 +-Node: Client examples510723 +-Node: Client example with X.509 
certificate support511250 +-Ref: ex-verify511488 +-Node: Datagram TLS client example516532 +-Node: Client using a smart card with TLS520937 +-Ref: ex-pkcs11-client521174 +-Node: Client with Resume capability example526469 +-Ref: ex-resume-client526753 +-Node: Client example with SSH-style certificate verification531940 +-Node: Server examples536147 +-Node: Echo server with X.509 authentication536501 +-Node: DTLS echo server with X.509 authentication544225 +-Node: More advanced client and servers558636 +-Node: Client example with anonymous authentication559493 +-Node: Using a callback to select the certificate to use563417 +-Node: Obtaining session information569800 +-Node: Advanced certificate verification example574013 +-Ref: ex-verify2574289 +-Node: Client example with PSK authentication579719 +-Node: Client example with SRP authentication584085 +-Node: Legacy client example with X.509 certificate support588369 +-Ref: ex-verify-legacy588686 +-Node: Client example in C++594639 +-Node: Echo server with PSK authentication597211 +-Node: Echo server with SRP authentication605942 +-Node: Echo server with anonymous authentication612860 +-Node: Helper functions for TCP connections618188 +-Node: Helper functions for UDP connections619780 +-Node: OCSP example621685 +-Ref: Generate OCSP request621868 +-Node: Miscellaneous examples631475 +-Node: Checking for an alert631801 +-Node: X.509 certificate parsing example633250 +-Ref: ex-x509-info633507 +-Node: Listing the ciphersuites in a priority string637536 +-Node: PKCS12 structure generation example639853 +-Node: System-wide configuration of the library644058 +-Node: Application-specific priority strings645885 +-Node: Disabling algorithms and protocols647333 +-Node: Querying for disabled algorithms and protocols650217 +-Node: Overriding the parameter verification profile651339 +-Node: Overriding the default priority string652341 +-Node: Using GnuTLS as a cryptographic library652958 +-Ref: Using GnuTLS as a cryptographic 
library-Footnote-1653814 +-Node: Symmetric algorithms653871 +-Ref: gnutls_cipher_algorithm_t654631 +-Ref: Symmetric algorithms-Footnote-1663061 +-Node: Public key algorithms663146 +-Node: Cryptographic Message Syntax / PKCS7667868 +-Ref: gnutls_pkcs7_sign_flags671307 +-Node: Hash and MAC functions672775 +-Ref: gnutls_mac_algorithm_t673387 +-Ref: gnutls_digest_algorithm_t676759 +-Node: Random number generation677810 +-Ref: gnutls_rnd_level_t678172 +-Node: Overriding algorithms679279 +-Node: Other included programs685597 +-Node: gnutls-cli Invocation686168 +-Ref: gnutls-cli usage686730 +-Ref: gnutls-cli debug694480 +-Ref: gnutls-cli tofu694621 +-Ref: gnutls-cli strict-tofu695084 +-Ref: gnutls-cli dane695486 +-Ref: gnutls-cli local-dns695829 +-Ref: gnutls-cli ca-verification696144 +-Ref: gnutls-cli ocsp696499 +-Ref: gnutls-cli resume696741 +-Ref: gnutls-cli rehandshake696887 +-Ref: gnutls-cli sni-hostname697054 +-Ref: gnutls-cli verify-hostname697580 +-Ref: gnutls-cli starttls697813 +-Ref: gnutls-cli app-proto697997 +-Ref: gnutls-cli starttls-proto698159 +-Ref: gnutls-cli save-ocsp-multi698670 +-Ref: gnutls-cli dh-bits699127 +-Ref: gnutls-cli priority699478 +-Ref: gnutls-cli rawpkkeyfile699856 +-Ref: gnutls-cli rawpkfile700313 +-Ref: gnutls-cli ranges700854 +-Ref: gnutls-cli benchmark-ciphers701104 +-Ref: gnutls-cli benchmark-tls-ciphers701422 +-Ref: gnutls-cli list701741 +-Ref: gnutls-cli priority-list702108 +-Ref: gnutls-cli noticket702354 +-Ref: gnutls-cli alpn702515 +-Ref: gnutls-cli disable-extensions702824 +-Ref: gnutls-cli single-key-share703056 +-Ref: gnutls-cli post-handshake-auth703272 +-Ref: gnutls-cli inline-commands703469 +-Ref: gnutls-cli inline-commands-prefix703789 +-Ref: gnutls-cli provider704192 +-Ref: gnutls-cli logfile704389 +-Ref: gnutls-cli waitresumption704746 +-Ref: gnutls-cli ca-auto-retrieve705003 +-Ref: gnutls-cli exit status705407 +-Ref: gnutls-cli See Also705643 +-Ref: gnutls-cli Examples705720 +-Node: gnutls-serv Invocation709927 +-Ref: 
gnutls-serv usage710404 +-Ref: gnutls-serv debug715924 +-Ref: gnutls-serv sni-hostname716065 +-Ref: gnutls-serv alpn716397 +-Ref: gnutls-serv require-client-cert716684 +-Ref: gnutls-serv verify-client-cert716928 +-Ref: gnutls-serv heartbeat717157 +-Ref: gnutls-serv priority717308 +-Ref: gnutls-serv x509keyfile717677 +-Ref: gnutls-serv x509certfile718194 +-Ref: gnutls-serv x509dsakeyfile718711 +-Ref: gnutls-serv x509dsacertfile718875 +-Ref: gnutls-serv x509ecckeyfile719042 +-Ref: gnutls-serv x509ecccertfile719204 +-Ref: gnutls-serv rawpkkeyfile719371 +-Ref: gnutls-serv rawpkfile720190 +-Ref: gnutls-serv ocsp-response721045 +-Ref: gnutls-serv ignore-ocsp-response-errors721362 +-Ref: gnutls-serv list721609 +-Ref: gnutls-serv provider721847 +-Ref: gnutls-serv exit status722044 +-Ref: gnutls-serv See Also722282 +-Ref: gnutls-serv Examples722360 +-Node: gnutls-cli-debug Invocation727668 +-Ref: gnutls-cli-debug usage728490 +-Ref: gnutls-cli-debug debug730745 +-Ref: gnutls-cli-debug app-proto730886 +-Ref: gnutls-cli-debug starttls-proto731054 +-Ref: gnutls-cli-debug exit status731433 +-Ref: gnutls-cli-debug See Also731681 +-Ref: gnutls-cli-debug Examples731764 +-Node: Internal architecture of GnuTLS735261 +-Node: The TLS Protocol735867 +-Ref: fig-client-server736343 +-Node: TLS Handshake Protocol736433 +-Ref: fig-gnutls-handshake736875 +-Ref: fig-gnutls-handshake-sequence737384 +-Node: TLS Authentication Methods737482 +-Ref: TLS Authentication Methods-Footnote-1739786 +-Node: TLS Hello Extension Handling739852 +-Node: Cryptographic Backend752954 +-Ref: fig-crypto-layers753637 +-Ref: Cryptographic Backend-Footnote-1756919 +-Ref: Cryptographic Backend-Footnote-2757004 +-Node: Random Number Generators-internals757112 +-Node: FIPS140-2 mode764476 +-Ref: gnutls_fips_mode_t767112 +-Node: Upgrading from previous versions769259 +-Node: Support783253 +-Node: Getting help783501 +-Node: Commercial Support784089 +-Node: Bug Reports784360 +-Node: Contributing785724 +-Node: 
Certification787750 +-Node: Error codes788214 +-Node: Supported ciphersuites812847 +-Ref: ciphersuites813020 +-Node: API reference828064 +-Node: Core TLS API828474 +-Ref: gnutls_alert_get828701 +-Ref: gnutls_alert_get_name829320 +-Ref: gnutls_alert_get_strname829705 +-Ref: gnutls_alert_send830040 +-Ref: gnutls_alert_send_appropriate830918 +-Ref: gnutls_alert_set_read_function831885 +-Ref: gnutls_alpn_get_selected_protocol832269 +-Ref: gnutls_alpn_set_protocols832933 +-Ref: gnutls_anon_allocate_client_credentials833770 +-Ref: gnutls_anon_allocate_server_credentials834155 +-Ref: gnutls_anon_free_client_credentials834532 +-Ref: gnutls_anon_free_server_credentials834821 +-Ref: gnutls_anon_set_params_function835102 +-Ref: gnutls_anon_set_server_dh_params835778 +-Ref: gnutls_anon_set_server_known_dh_params836438 +-Ref: gnutls_anon_set_server_params_function837347 +-Ref: gnutls_anti_replay_deinit838010 +-Ref: gnutls_anti_replay_enable838324 +-Ref: gnutls_anti_replay_init838672 +-Ref: gnutls_anti_replay_set_add_function839200 +-Ref: gnutls_anti_replay_set_ptr840218 +-Ref: gnutls_anti_replay_set_window840553 +-Ref: gnutls_auth_client_get_type841321 +-Ref: gnutls_auth_get_type841948 +-Ref: gnutls_auth_server_get_type842760 +-Ref: gnutls_base64_decode2843389 +-Ref: gnutls_base64_encode2843945 +-Ref: gnutls_buffer_append_data844565 +-Ref: gnutls_bye844963 +-Ref: gnutls_certificate_activation_time_peers846564 +-Ref: gnutls_certificate_allocate_credentials846982 +-Ref: gnutls_certificate_client_get_request_status847379 +-Ref: gnutls_certificate_expiration_time_peers847787 +-Ref: gnutls_certificate_free_ca_names848191 +-Ref: gnutls_certificate_free_cas848860 +-Ref: gnutls_certificate_free_credentials849263 +-Ref: gnutls_certificate_free_crls849697 +-Ref: gnutls_certificate_free_keys849997 +-Ref: gnutls_certificate_get_crt_raw850431 +-Ref: gnutls_certificate_get_issuer851502 +-Ref: gnutls_certificate_get_ocsp_expiration852585 +-Ref: gnutls_certificate_get_ours853756 +-Ref: 
gnutls_certificate_get_peers854586 +-Ref: gnutls_certificate_get_peers_subkey_id855709 +-Ref: gnutls_certificate_get_verify_flags856065 +-Ref: gnutls_certificate_get_x509_crt856478 +-Ref: gnutls_certificate_get_x509_key858122 +-Ref: gnutls_certificate_send_x509_rdn_sequence859437 +-Ref: gnutls_certificate_server_set_request860144 +-Ref: gnutls_certificate_set_dh_params860934 +-Ref: gnutls_certificate_set_flags861753 +-Ref: gnutls_certificate_set_known_dh_params862278 +-Ref: gnutls_certificate_set_ocsp_status_request_file863206 +-Ref: gnutls_certificate_set_ocsp_status_request_file2865112 +-Ref: gnutls_certificate_set_ocsp_status_request_function866630 +-Ref: gnutls_certificate_set_ocsp_status_request_function2868118 +-Ref: gnutls_certificate_set_ocsp_status_request_mem870084 +-Ref: gnutls_certificate_set_params_function871859 +-Ref: gnutls_certificate_set_pin_function872556 +-Ref: gnutls_certificate_set_rawpk_key_file873209 +-Ref: gnutls_certificate_set_rawpk_key_mem876513 +-Ref: gnutls_certificate_set_retrieve_function879660 +-Ref: gnutls_certificate_set_verify_flags881790 +-Ref: gnutls_certificate_set_verify_function882283 +-Ref: gnutls_certificate_set_verify_limits883347 +-Ref: gnutls_certificate_set_x509_crl884028 +-Ref: gnutls_certificate_set_x509_crl_file884856 +-Ref: gnutls_certificate_set_x509_crl_mem885637 +-Ref: gnutls_certificate_set_x509_key886414 +-Ref: gnutls_certificate_set_x509_key_file888082 +-Ref: gnutls_certificate_set_x509_key_file2890318 +-Ref: gnutls_certificate_set_x509_key_mem892852 +-Ref: gnutls_certificate_set_x509_key_mem2894500 +-Ref: gnutls_certificate_set_x509_simple_pkcs12_file896313 +-Ref: gnutls_certificate_set_x509_simple_pkcs12_mem898443 +-Ref: gnutls_certificate_set_x509_system_trust900543 +-Ref: gnutls_certificate_set_x509_trust901113 +-Ref: gnutls_certificate_set_x509_trust_dir902093 +-Ref: gnutls_certificate_set_x509_trust_file902831 +-Ref: gnutls_certificate_set_x509_trust_mem904007 +-Ref: gnutls_certificate_type_get904950 
+-Ref: gnutls_certificate_type_get2905797 +-Ref: gnutls_certificate_type_get_id907182 +-Ref: gnutls_certificate_type_get_name907579 +-Ref: gnutls_certificate_type_list907962 +-Ref: gnutls_certificate_verification_status_print908316 +-Ref: gnutls_certificate_verify_peers909074 +-Ref: gnutls_certificate_verify_peers2911870 +-Ref: gnutls_certificate_verify_peers3913785 +-Ref: gnutls_check_version916095 +-Ref: gnutls_cipher_get916837 +-Ref: gnutls_cipher_get_id917142 +-Ref: gnutls_cipher_get_key_size917524 +-Ref: gnutls_cipher_get_name917888 +-Ref: gnutls_cipher_list918235 +-Ref: gnutls_cipher_suite_get_name918795 +-Ref: gnutls_cipher_suite_info919663 +-Ref: gnutls_credentials_clear920846 +-Ref: gnutls_credentials_get921074 +-Ref: gnutls_credentials_set922029 +-Ref: gnutls_db_check_entry923393 +-Ref: gnutls_db_check_entry_expire_time923850 +-Ref: gnutls_db_check_entry_time924256 +-Ref: gnutls_db_get_default_cache_expiration924647 +-Ref: gnutls_db_get_ptr924842 +-Ref: gnutls_db_remove_session925154 +-Ref: gnutls_db_set_cache_expiration925691 +-Ref: gnutls_db_set_ptr926112 +-Ref: gnutls_db_set_remove_function926447 +-Ref: gnutls_db_set_retrieve_function926950 +-Ref: gnutls_db_set_store_function927636 +-Ref: gnutls_deinit928103 +-Ref: gnutls_dh_get_group928442 +-Ref: gnutls_dh_get_peers_public_bits929294 +-Ref: gnutls_dh_get_prime_bits929738 +-Ref: gnutls_dh_get_pubkey930378 +-Ref: gnutls_dh_get_secret_bits931076 +-Ref: gnutls_dh_params_cpy931508 +-Ref: gnutls_dh_params_deinit932016 +-Ref: gnutls_dh_params_export2_pkcs3932257 +-Ref: gnutls_dh_params_export_pkcs3933078 +-Ref: gnutls_dh_params_export_raw934097 +-Ref: gnutls_dh_params_generate2934850 +-Ref: gnutls_dh_params_import_dsa936104 +-Ref: gnutls_dh_params_import_pkcs3936581 +-Ref: gnutls_dh_params_import_raw937320 +-Ref: gnutls_dh_params_import_raw2937950 +-Ref: gnutls_dh_params_import_raw3938664 +-Ref: gnutls_dh_params_init939364 +-Ref: gnutls_dh_set_prime_bits939695 +-Ref: gnutls_digest_get_id940798 +-Ref: 
gnutls_digest_get_name941224 +-Ref: gnutls_digest_get_oid941570 +-Ref: gnutls_digest_list941961 +-Ref: gnutls_early_cipher_get942332 +-Ref: gnutls_early_prf_hash_get942705 +-Ref: gnutls_ecc_curve_get943123 +-Ref: gnutls_ecc_curve_get_id943524 +-Ref: gnutls_ecc_curve_get_name943905 +-Ref: gnutls_ecc_curve_get_oid944239 +-Ref: gnutls_ecc_curve_get_pk944584 +-Ref: gnutls_ecc_curve_get_size944888 +-Ref: gnutls_ecc_curve_list945117 +-Ref: gnutls_error_is_fatal945440 +-Ref: gnutls_error_to_alert946242 +-Ref: gnutls_est_record_overhead_size946974 +-Ref: gnutls_ext_get_current_msg947882 +-Ref: gnutls_ext_get_data948573 +-Ref: gnutls_ext_get_name949088 +-Ref: gnutls_ext_get_name2949406 +-Ref: gnutls_ext_raw_parse949916 +-Ref: gnutls_ext_register951066 +-Ref: gnutls_ext_set_data952701 +-Ref: gnutls_fingerprint953212 +-Ref: gnutls_fips140_mode_enabled954218 +-Ref: gnutls_fips140_set_mode954772 +-Ref: gnutls_get_system_config_file955825 +-Ref: gnutls_global_deinit956201 +-Ref: gnutls_global_init956651 +-Ref: gnutls_global_set_audit_log_function957926 +-Ref: gnutls_global_set_log_function958633 +-Ref: gnutls_global_set_log_level959141 +-Ref: gnutls_global_set_mutex959629 +-Ref: gnutls_global_set_time_function960731 +-Ref: gnutls_gost_paramset_get_name961168 +-Ref: gnutls_gost_paramset_get_oid961544 +-Ref: gnutls_group_get961921 +-Ref: gnutls_group_get_id962291 +-Ref: gnutls_group_get_name962638 +-Ref: gnutls_group_list962958 +-Ref: gnutls_handshake963280 +-Ref: gnutls_handshake_description_get_name965385 +-Ref: gnutls_handshake_get_last_in965773 +-Ref: gnutls_handshake_get_last_out966398 +-Ref: gnutls_handshake_set_hook_function967030 +-Ref: gnutls_handshake_set_max_packet_length968422 +-Ref: gnutls_handshake_set_post_client_hello_function969207 +-Ref: gnutls_handshake_set_private_extensions970533 +-Ref: gnutls_handshake_set_random971212 +-Ref: gnutls_handshake_set_read_function971932 +-Ref: gnutls_handshake_set_secret_function972333 +-Ref: gnutls_handshake_set_timeout972712 
+-Ref: gnutls_handshake_write973402 +-Ref: gnutls_heartbeat_allowed974103 +-Ref: gnutls_heartbeat_enable974577 +-Ref: gnutls_heartbeat_get_timeout975415 +-Ref: gnutls_heartbeat_ping975954 +-Ref: gnutls_heartbeat_pong977086 +-Ref: gnutls_heartbeat_set_timeouts977493 +-Ref: gnutls_hex2bin978264 +-Ref: gnutls_hex_decode978983 +-Ref: gnutls_hex_decode2979709 +-Ref: gnutls_hex_encode980138 +-Ref: gnutls_hex_encode2980735 +-Ref: gnutls_idna_map981250 +-Ref: gnutls_idna_reverse_map982380 +-Ref: gnutls_init983145 +-Ref: gnutls_key_generate983973 +-Ref: gnutls_kx_get984390 +-Ref: gnutls_kx_get_id984976 +-Ref: gnutls_kx_get_name985320 +-Ref: gnutls_kx_list985665 +-Ref: gnutls_load_file985993 +-Ref: gnutls_mac_get986765 +-Ref: gnutls_mac_get_id987070 +-Ref: gnutls_mac_get_key_size987483 +-Ref: gnutls_mac_get_name987820 +-Ref: gnutls_mac_list988139 +-Ref: gnutls_memcmp988527 +-Ref: gnutls_memset989087 +-Ref: gnutls_ocsp_status_request_enable_client989481 +-Ref: gnutls_ocsp_status_request_get990492 +-Ref: gnutls_ocsp_status_request_get2991154 +-Ref: gnutls_ocsp_status_request_is_checked992149 +-Ref: gnutls_oid_to_digest993537 +-Ref: gnutls_oid_to_ecc_curve993946 +-Ref: gnutls_oid_to_gost_paramset994272 +-Ref: gnutls_oid_to_mac994683 +-Ref: gnutls_oid_to_pk995096 +-Ref: gnutls_oid_to_sign995468 +-Ref: gnutls_openpgp_send_cert995872 +-Ref: gnutls_packet_deinit996174 +-Ref: gnutls_packet_get996448 +-Ref: gnutls_pem_base64_decode996953 +-Ref: gnutls_pem_base64_decode2997808 +-Ref: gnutls_pem_base64_encode998803 +-Ref: gnutls_pem_base64_encode2999632 +-Ref: gnutls_perror1000568 +-Ref: gnutls_pk_algorithm_get_name1000864 +-Ref: gnutls_pk_bits_to_sec_param1001220 +-Ref: gnutls_pk_get_id1001694 +-Ref: gnutls_pk_get_name1002212 +-Ref: gnutls_pk_get_oid1002580 +-Ref: gnutls_pk_list1002979 +-Ref: gnutls_pk_to_sign1003312 +-Ref: gnutls_prf1003723 +-Ref: gnutls_prf_early1005718 +-Ref: gnutls_prf_hash_get1007373 +-Ref: gnutls_prf_raw1007905 +-Ref: gnutls_prf_rfc57051009789 +-Ref: 
gnutls_priority_certificate_type_list1011466 +-Ref: gnutls_priority_certificate_type_list21012162 +-Ref: gnutls_priority_cipher_list1012778 +-Ref: gnutls_priority_deinit1013165 +-Ref: gnutls_priority_ecc_curve_list1013408 +-Ref: gnutls_priority_get_cipher_suite_index1013940 +-Ref: gnutls_priority_group_list1014856 +-Ref: gnutls_priority_init1015237 +-Ref: gnutls_priority_init21016317 +-Ref: gnutls_priority_kx_list1020691 +-Ref: gnutls_priority_mac_list1021096 +-Ref: gnutls_priority_protocol_list1021501 +-Ref: gnutls_priority_set1021903 +-Ref: gnutls_priority_set_direct1022558 +-Ref: gnutls_priority_sign_list1023491 +-Ref: gnutls_priority_string_list1023907 +-Ref: gnutls_protocol_get_id1024539 +-Ref: gnutls_protocol_get_name1024855 +-Ref: gnutls_protocol_get_version1025214 +-Ref: gnutls_protocol_list1025512 +-Ref: gnutls_psk_allocate_client_credentials1025882 +-Ref: gnutls_psk_allocate_server_credentials1026302 +-Ref: gnutls_psk_client_get_hint1026698 +-Ref: gnutls_psk_free_client_credentials1027325 +-Ref: gnutls_psk_free_server_credentials1027608 +-Ref: gnutls_psk_server_get_username1027883 +-Ref: gnutls_psk_server_get_username21028590 +-Ref: gnutls_psk_set_client_credentials1029284 +-Ref: gnutls_psk_set_client_credentials21030307 +-Ref: gnutls_psk_set_client_credentials_function1031087 +-Ref: gnutls_psk_set_client_credentials_function21032090 +-Ref: gnutls_psk_set_params_function1033247 +-Ref: gnutls_psk_set_server_credentials_file1033927 +-Ref: gnutls_psk_set_server_credentials_function1034788 +-Ref: gnutls_psk_set_server_credentials_function21035742 +-Ref: gnutls_psk_set_server_credentials_hint1036865 +-Ref: gnutls_psk_set_server_dh_params1037489 +-Ref: gnutls_psk_set_server_known_dh_params1038174 +-Ref: gnutls_psk_set_server_params_function1039071 +-Ref: gnutls_random_art1039712 +-Ref: gnutls_range_split1040574 +-Ref: gnutls_reauth1041656 +-Ref: gnutls_record_can_use_length_hiding1043758 +-Ref: gnutls_record_check_corked1044509 +-Ref: 
gnutls_record_check_pending1044892 +-Ref: gnutls_record_cork1045303 +-Ref: gnutls_record_disable_padding1045717 +-Ref: gnutls_record_discard_queued1046325 +-Ref: gnutls_record_get_direction1046942 +-Ref: gnutls_record_get_max_early_data_size1047923 +-Ref: gnutls_record_get_max_size1048475 +-Ref: gnutls_record_get_state1048842 +-Ref: gnutls_record_overhead_size1049864 +-Ref: gnutls_record_recv1050251 +-Ref: gnutls_record_recv_early_data1051701 +-Ref: gnutls_record_recv_packet1052763 +-Ref: gnutls_record_recv_seq1053642 +-Ref: gnutls_record_send1054628 +-Ref: gnutls_record_send21056686 +-Ref: gnutls_record_send_early_data1057838 +-Ref: gnutls_record_send_range1058894 +-Ref: gnutls_record_set_max_early_data_size1060073 +-Ref: gnutls_record_set_max_recv_size1060719 +-Ref: gnutls_record_set_max_size1061423 +-Ref: gnutls_record_set_state1062602 +-Ref: gnutls_record_set_timeout1063260 +-Ref: gnutls_record_uncork1063861 +-Ref: gnutls_rehandshake1064801 +-Ref: gnutls_safe_renegotiation_status1066583 +-Ref: gnutls_sec_param_get_name1066998 +-Ref: gnutls_sec_param_to_pk_bits1067372 +-Ref: gnutls_sec_param_to_symmetric_bits1068042 +-Ref: gnutls_server_name_get1068426 +-Ref: gnutls_server_name_set1069898 +-Ref: gnutls_session_channel_binding1071056 +-Ref: gnutls_session_enable_compatibility_mode1071774 +-Ref: gnutls_session_etm_status1072481 +-Ref: gnutls_session_ext_master_secret_status1072884 +-Ref: gnutls_session_ext_register1073375 +-Ref: gnutls_session_force_valid1075637 +-Ref: gnutls_session_get_data1076058 +-Ref: gnutls_session_get_data21076718 +-Ref: gnutls_session_get_desc1078991 +-Ref: gnutls_session_get_flags1079513 +-Ref: gnutls_session_get_id1080051 +-Ref: gnutls_session_get_id21081574 +-Ref: gnutls_session_get_keylog_function1083044 +-Ref: gnutls_session_get_master_secret1083451 +-Ref: gnutls_session_get_ptr1083935 +-Ref: gnutls_session_get_random1084330 +-Ref: gnutls_session_get_verify_cert_status1084951 +-Ref: gnutls_session_is_resumed1085624 +-Ref: 
gnutls_session_key_update1085994 +-Ref: gnutls_session_resumption_requested1086942 +-Ref: gnutls_session_set_data1087324 +-Ref: gnutls_session_set_id1088165 +-Ref: gnutls_session_set_keylog_function1088840 +-Ref: gnutls_session_set_premaster1089239 +-Ref: gnutls_session_set_ptr1090334 +-Ref: gnutls_session_set_verify_cert1090734 +-Ref: gnutls_session_set_verify_cert21092078 +-Ref: gnutls_session_set_verify_function1093262 +-Ref: gnutls_session_supplemental_register1094374 +-Ref: gnutls_session_ticket_enable_client1095632 +-Ref: gnutls_session_ticket_enable_server1096125 +-Ref: gnutls_session_ticket_key_generate1096919 +-Ref: gnutls_session_ticket_send1097347 +-Ref: gnutls_set_default_priority1097931 +-Ref: gnutls_set_default_priority_append1099016 +-Ref: gnutls_sign_algorithm_get1100358 +-Ref: gnutls_sign_algorithm_get_client1100801 +-Ref: gnutls_sign_algorithm_get_requested1101268 +-Ref: gnutls_sign_get_hash_algorithm1102295 +-Ref: gnutls_sign_get_id1102707 +-Ref: gnutls_sign_get_name1103070 +-Ref: gnutls_sign_get_oid1103402 +-Ref: gnutls_sign_get_pk_algorithm1103788 +-Ref: gnutls_sign_is_secure1104395 +-Ref: gnutls_sign_is_secure21104665 +-Ref: gnutls_sign_list1105001 +-Ref: gnutls_sign_supports_pk_algorithm1105361 +-Ref: gnutls_srp_allocate_client_credentials1105945 +-Ref: gnutls_srp_allocate_server_credentials1106346 +-Ref: gnutls_srp_base64_decode1106719 +-Ref: gnutls_srp_base64_decode21107424 +-Ref: gnutls_srp_base64_encode1108092 +-Ref: gnutls_srp_base64_encode21108893 +-Ref: gnutls_srp_free_client_credentials1109624 +-Ref: gnutls_srp_free_server_credentials1109907 +-Ref: gnutls_srp_server_get_username1110182 +-Ref: gnutls_srp_set_client_credentials1110636 +-Ref: gnutls_srp_set_client_credentials_function1111526 +-Ref: gnutls_srp_set_prime_bits1112773 +-Ref: gnutls_srp_set_server_credentials_file1113458 +-Ref: gnutls_srp_set_server_credentials_function1114184 +-Ref: gnutls_srp_set_server_fake_salt_seed1115899 +-Ref: gnutls_srp_verifier1117402 +-Ref: 
gnutls_srtp_get_keys1118330 +-Ref: gnutls_srtp_get_mki1119724 +-Ref: gnutls_srtp_get_profile_id1120293 +-Ref: gnutls_srtp_get_profile_name1120751 +-Ref: gnutls_srtp_get_selected_profile1121172 +-Ref: gnutls_srtp_set_mki1121616 +-Ref: gnutls_srtp_set_profile1122065 +-Ref: gnutls_srtp_set_profile_direct1122597 +-Ref: gnutls_store_commitment1123320 +-Ref: gnutls_store_pubkey1124619 +-Ref: gnutls_strerror1126406 +-Ref: gnutls_strerror_name1126891 +-Ref: gnutls_supplemental_get_name1127360 +-Ref: gnutls_supplemental_recv1127782 +-Ref: gnutls_supplemental_register1128252 +-Ref: gnutls_supplemental_send1129364 +-Ref: gnutls_system_recv_timeout1129809 +-Ref: gnutls_tdb_deinit1130551 +-Ref: gnutls_tdb_init1130766 +-Ref: gnutls_tdb_set_store_commitment_func1131125 +-Ref: gnutls_tdb_set_store_func1131806 +-Ref: gnutls_tdb_set_verify_func1132395 +-Ref: gnutls_transport_get_int1133139 +-Ref: gnutls_transport_get_int21133547 +-Ref: gnutls_transport_get_ptr1134050 +-Ref: gnutls_transport_get_ptr21134466 +-Ref: gnutls_transport_set_errno1135000 +-Ref: gnutls_transport_set_errno_function1135987 +-Ref: gnutls_transport_set_int1136524 +-Ref: gnutls_transport_set_int21137078 +-Ref: gnutls_transport_set_ptr1137807 +-Ref: gnutls_transport_set_ptr21138220 +-Ref: gnutls_transport_set_pull_function1138864 +-Ref: gnutls_transport_set_pull_timeout_function1139644 +-Ref: gnutls_transport_set_push_function1141347 +-Ref: gnutls_transport_set_vec_push_function1142192 +-Ref: gnutls_url_is_supported1142888 +-Ref: gnutls_utf8_password_normalize1143308 +-Ref: gnutls_verify_stored_pubkey1144097 +-Node: Datagram TLS API1147244 +-Ref: gnutls_dtls_cookie_send1147520 +-Ref: gnutls_dtls_cookie_verify1148775 +-Ref: gnutls_dtls_get_data_mtu1149719 +-Ref: gnutls_dtls_get_mtu1150162 +-Ref: gnutls_dtls_get_timeout1150605 +-Ref: gnutls_dtls_prestate_set1151148 +-Ref: gnutls_dtls_set_data_mtu1151732 +-Ref: gnutls_dtls_set_mtu1152706 +-Ref: gnutls_dtls_set_timeouts1153313 +-Ref: gnutls_record_get_discarded1154317 
+-Node: X509 certificate API1154591 +-Ref: gnutls_certificate_get_trust_list1154940 +-Ref: gnutls_certificate_set_trust_list1155588 +-Ref: gnutls_certificate_verification_profile_get_id1156363 +-Ref: gnutls_certificate_verification_profile_get_name1156910 +-Ref: gnutls_pkcs8_info1157293 +-Ref: gnutls_pkcs_schema_get_name1158811 +-Ref: gnutls_pkcs_schema_get_oid1159216 +-Ref: gnutls_session_set_verify_output_function1159643 +-Ref: gnutls_subject_alt_names_deinit1160800 +-Ref: gnutls_subject_alt_names_get1161079 +-Ref: gnutls_subject_alt_names_init1162089 +-Ref: gnutls_subject_alt_names_set1162469 +-Ref: gnutls_x509_aia_deinit1163288 +-Ref: gnutls_x509_aia_get1163522 +-Ref: gnutls_x509_aia_init1164681 +-Ref: gnutls_x509_aia_set1165016 +-Ref: gnutls_x509_aki_deinit1165811 +-Ref: gnutls_x509_aki_get_cert_issuer1166075 +-Ref: gnutls_x509_aki_get_id1167141 +-Ref: gnutls_x509_aki_init1167680 +-Ref: gnutls_x509_aki_set_cert_issuer1168029 +-Ref: gnutls_x509_aki_set_id1169144 +-Ref: gnutls_x509_cidr_to_rfc52801169573 +-Ref: gnutls_x509_crl_check_issuer1170471 +-Ref: gnutls_x509_crl_deinit1170919 +-Ref: gnutls_x509_crl_dist_points_deinit1171151 +-Ref: gnutls_x509_crl_dist_points_get1171446 +-Ref: gnutls_x509_crl_dist_points_init1172420 +-Ref: gnutls_x509_crl_dist_points_set1172816 +-Ref: gnutls_x509_crl_export1173519 +-Ref: gnutls_x509_crl_export21174402 +-Ref: gnutls_x509_crl_get_authority_key_gn_serial1175122 +-Ref: gnutls_x509_crl_get_authority_key_id1176436 +-Ref: gnutls_x509_crl_get_crt_count1177499 +-Ref: gnutls_x509_crl_get_crt_serial1177857 +-Ref: gnutls_x509_crl_get_dn_oid1178761 +-Ref: gnutls_x509_crl_get_extension_data1179567 +-Ref: gnutls_x509_crl_get_extension_data21180684 +-Ref: gnutls_x509_crl_get_extension_info1181563 +-Ref: gnutls_x509_crl_get_extension_oid1182827 +-Ref: gnutls_x509_crl_get_issuer_dn1183679 +-Ref: gnutls_x509_crl_get_issuer_dn21184680 +-Ref: gnutls_x509_crl_get_issuer_dn31185514 +-Ref: gnutls_x509_crl_get_issuer_dn_by_oid1186492 +-Ref: 
gnutls_x509_crl_get_next_update1188003 +-Ref: gnutls_x509_crl_get_number1188437 +-Ref: gnutls_x509_crl_get_raw_issuer_dn1189162 +-Ref: gnutls_x509_crl_get_signature1189616 +-Ref: gnutls_x509_crl_get_signature_algorithm1190163 +-Ref: gnutls_x509_crl_get_signature_oid1190725 +-Ref: gnutls_x509_crl_get_this_update1191386 +-Ref: gnutls_x509_crl_get_version1191711 +-Ref: gnutls_x509_crl_import1192019 +-Ref: gnutls_x509_crl_init1192643 +-Ref: gnutls_x509_crl_iter_crt_serial1193232 +-Ref: gnutls_x509_crl_iter_deinit1194378 +-Ref: gnutls_x509_crl_list_import1194623 +-Ref: gnutls_x509_crl_list_import21195625 +-Ref: gnutls_x509_crl_print1196491 +-Ref: gnutls_x509_crl_set_authority_key_id1197140 +-Ref: gnutls_x509_crl_set_crt1197793 +-Ref: gnutls_x509_crl_set_crt_serial1198366 +-Ref: gnutls_x509_crl_set_next_update1198998 +-Ref: gnutls_x509_crl_set_number1199615 +-Ref: gnutls_x509_crl_set_this_update1200192 +-Ref: gnutls_x509_crl_set_version1200596 +-Ref: gnutls_x509_crl_sign1201139 +-Ref: gnutls_x509_crl_sign21201832 +-Ref: gnutls_x509_crl_verify1203068 +-Ref: gnutls_x509_crq_deinit1204312 +-Ref: gnutls_x509_crq_export1204550 +-Ref: gnutls_x509_crq_export21205547 +-Ref: gnutls_x509_crq_get_attribute_by_oid1206321 +-Ref: gnutls_x509_crq_get_attribute_data1207346 +-Ref: gnutls_x509_crq_get_attribute_info1208458 +-Ref: gnutls_x509_crq_get_basic_constraints1209655 +-Ref: gnutls_x509_crq_get_challenge_password1210908 +-Ref: gnutls_x509_crq_get_dn1211520 +-Ref: gnutls_x509_crq_get_dn21212469 +-Ref: gnutls_x509_crq_get_dn31213326 +-Ref: gnutls_x509_crq_get_dn_by_oid1214334 +-Ref: gnutls_x509_crq_get_dn_oid1215795 +-Ref: gnutls_x509_crq_get_extension_by_oid1216582 +-Ref: gnutls_x509_crq_get_extension_by_oid21217739 +-Ref: gnutls_x509_crq_get_extension_data1218821 +-Ref: gnutls_x509_crq_get_extension_data21219951 +-Ref: gnutls_x509_crq_get_extension_info1220830 +-Ref: gnutls_x509_crq_get_key_id1222091 +-Ref: gnutls_x509_crq_get_key_purpose_oid1223158 +-Ref: 
gnutls_x509_crq_get_key_rsa_raw1224173 +-Ref: gnutls_x509_crq_get_key_usage1224797 +-Ref: gnutls_x509_crq_get_pk_algorithm1225883 +-Ref: gnutls_x509_crq_get_pk_oid1226604 +-Ref: gnutls_x509_crq_get_private_key_usage_period1227261 +-Ref: gnutls_x509_crq_get_signature_algorithm1227976 +-Ref: gnutls_x509_crq_get_signature_oid1228615 +-Ref: gnutls_x509_crq_get_spki1229276 +-Ref: gnutls_x509_crq_get_subject_alt_name1229836 +-Ref: gnutls_x509_crq_get_subject_alt_othername_oid1231394 +-Ref: gnutls_x509_crq_get_tlsfeatures1232874 +-Ref: gnutls_x509_crq_get_version1234003 +-Ref: gnutls_x509_crq_import1234349 +-Ref: gnutls_x509_crq_init1235031 +-Ref: gnutls_x509_crq_print1235379 +-Ref: gnutls_x509_crq_set_attribute_by_oid1236035 +-Ref: gnutls_x509_crq_set_basic_constraints1236900 +-Ref: gnutls_x509_crq_set_challenge_password1237644 +-Ref: gnutls_x509_crq_set_dn1238095 +-Ref: gnutls_x509_crq_set_dn_by_oid1238713 +-Ref: gnutls_x509_crq_set_extension_by_oid1239843 +-Ref: gnutls_x509_crq_set_key1240622 +-Ref: gnutls_x509_crq_set_key_purpose_oid1241085 +-Ref: gnutls_x509_crq_set_key_rsa_raw1241865 +-Ref: gnutls_x509_crq_set_key_usage1242441 +-Ref: gnutls_x509_crq_set_private_key_usage_period1242945 +-Ref: gnutls_x509_crq_set_spki1243450 +-Ref: gnutls_x509_crq_set_subject_alt_name1244321 +-Ref: gnutls_x509_crq_set_subject_alt_othername1245147 +-Ref: gnutls_x509_crq_set_tlsfeatures1245985 +-Ref: gnutls_x509_crq_set_version1246535 +-Ref: gnutls_x509_crq_sign1247020 +-Ref: gnutls_x509_crq_sign21247791 +-Ref: gnutls_x509_crq_verify1249123 +-Ref: gnutls_x509_crt_check_email1249716 +-Ref: gnutls_x509_crt_check_hostname1250244 +-Ref: gnutls_x509_crt_check_hostname21250956 +-Ref: gnutls_x509_crt_check_ip1252707 +-Ref: gnutls_x509_crt_check_issuer1253321 +-Ref: gnutls_x509_crt_check_key_purpose1254059 +-Ref: gnutls_x509_crt_check_revocation1254753 +-Ref: gnutls_x509_crt_cpy_crl_dist_points1255402 +-Ref: gnutls_x509_crt_deinit1255991 +-Ref: gnutls_x509_crt_equals1256209 +-Ref: 
gnutls_x509_crt_equals21256591 +-Ref: gnutls_x509_crt_export1257015 +-Ref: gnutls_x509_crt_export21257926 +-Ref: gnutls_x509_crt_get_activation_time1258624 +-Ref: gnutls_x509_crt_get_authority_info_access1259002 +-Ref: gnutls_x509_crt_get_authority_key_gn_serial1262476 +-Ref: gnutls_x509_crt_get_authority_key_id1263917 +-Ref: gnutls_x509_crt_get_basic_constraints1265048 +-Ref: gnutls_x509_crt_get_ca_status1266262 +-Ref: gnutls_x509_crt_get_crl_dist_points1267261 +-Ref: gnutls_x509_crt_get_dn1268586 +-Ref: gnutls_x509_crt_get_dn21269781 +-Ref: gnutls_x509_crt_get_dn31270590 +-Ref: gnutls_x509_crt_get_dn_by_oid1271550 +-Ref: gnutls_x509_crt_get_dn_oid1273319 +-Ref: gnutls_x509_crt_get_expiration_time1274347 +-Ref: gnutls_x509_crt_get_extension_by_oid1274713 +-Ref: gnutls_x509_crt_get_extension_by_oid21275840 +-Ref: gnutls_x509_crt_get_extension_data1276913 +-Ref: gnutls_x509_crt_get_extension_data21278002 +-Ref: gnutls_x509_crt_get_extension_info1278867 +-Ref: gnutls_x509_crt_get_extension_oid1280279 +-Ref: gnutls_x509_crt_get_fingerprint1281242 +-Ref: gnutls_x509_crt_get_inhibit_anypolicy1282130 +-Ref: gnutls_x509_crt_get_issuer1283099 +-Ref: gnutls_x509_crt_get_issuer_alt_name1283737 +-Ref: gnutls_x509_crt_get_issuer_alt_name21285537 +-Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1287119 +-Ref: gnutls_x509_crt_get_issuer_dn1288768 +-Ref: gnutls_x509_crt_get_issuer_dn21289889 +-Ref: gnutls_x509_crt_get_issuer_dn31290736 +-Ref: gnutls_x509_crt_get_issuer_dn_by_oid1291727 +-Ref: gnutls_x509_crt_get_issuer_dn_oid1293514 +-Ref: gnutls_x509_crt_get_issuer_unique_id1294550 +-Ref: gnutls_x509_crt_get_key_id1295645 +-Ref: gnutls_x509_crt_get_key_purpose_oid1296668 +-Ref: gnutls_x509_crt_get_key_usage1297829 +-Ref: gnutls_x509_crt_get_name_constraints1298889 +-Ref: gnutls_x509_crt_get_pk_algorithm1300297 +-Ref: gnutls_x509_crt_get_pk_dsa_raw1301086 +-Ref: gnutls_x509_crt_get_pk_ecc_raw1301754 +-Ref: gnutls_x509_crt_get_pk_gost_raw1302567 +-Ref: 
gnutls_x509_crt_get_pk_oid1303411 +-Ref: gnutls_x509_crt_get_pk_rsa_raw1304037 +-Ref: gnutls_x509_crt_get_policy1304615 +-Ref: gnutls_x509_crt_get_private_key_usage_period1305561 +-Ref: gnutls_x509_crt_get_proxy1306313 +-Ref: gnutls_x509_crt_get_raw_dn1307334 +-Ref: gnutls_x509_crt_get_raw_issuer_dn1307927 +-Ref: gnutls_x509_crt_get_serial1308506 +-Ref: gnutls_x509_crt_get_signature1309246 +-Ref: gnutls_x509_crt_get_signature_algorithm1309801 +-Ref: gnutls_x509_crt_get_signature_oid1310414 +-Ref: gnutls_x509_crt_get_spki1311072 +-Ref: gnutls_x509_crt_get_subject1311558 +-Ref: gnutls_x509_crt_get_subject_alt_name1312201 +-Ref: gnutls_x509_crt_get_subject_alt_name21313960 +-Ref: gnutls_x509_crt_get_subject_alt_othername_oid1315525 +-Ref: gnutls_x509_crt_get_subject_key_id1317165 +-Ref: gnutls_x509_crt_get_subject_unique_id1317997 +-Ref: gnutls_x509_crt_get_tlsfeatures1319082 +-Ref: gnutls_x509_crt_get_version1320194 +-Ref: gnutls_x509_crt_import1320521 +-Ref: gnutls_x509_crt_import_url1321222 +-Ref: gnutls_x509_crt_init1321943 +-Ref: gnutls_x509_crt_list_import1322290 +-Ref: gnutls_x509_crt_list_import21323657 +-Ref: gnutls_x509_crt_list_import_url1324729 +-Ref: gnutls_x509_crt_list_verify1325953 +-Ref: gnutls_x509_crt_print1327533 +-Ref: gnutls_x509_crt_set_activation_time1328425 +-Ref: gnutls_x509_crt_set_authority_info_access1328892 +-Ref: gnutls_x509_crt_set_authority_key_id1329787 +-Ref: gnutls_x509_crt_set_basic_constraints1330369 +-Ref: gnutls_x509_crt_set_ca_status1331068 +-Ref: gnutls_x509_crt_set_crl_dist_points1331666 +-Ref: gnutls_x509_crt_set_crl_dist_points21332318 +-Ref: gnutls_x509_crt_set_crq1333017 +-Ref: gnutls_x509_crt_set_crq_extension_by_oid1333734 +-Ref: gnutls_x509_crt_set_crq_extensions1334370 +-Ref: gnutls_x509_crt_set_dn1334836 +-Ref: gnutls_x509_crt_set_dn_by_oid1335719 +-Ref: gnutls_x509_crt_set_expiration_time1336836 +-Ref: gnutls_x509_crt_set_extension_by_oid1337381 +-Ref: gnutls_x509_crt_set_flags1338156 +-Ref: 
gnutls_x509_crt_set_inhibit_anypolicy1338664 +-Ref: gnutls_x509_crt_set_issuer_alt_name1339174 +-Ref: gnutls_x509_crt_set_issuer_alt_othername1340196 +-Ref: gnutls_x509_crt_set_issuer_dn1341172 +-Ref: gnutls_x509_crt_set_issuer_dn_by_oid1341811 +-Ref: gnutls_x509_crt_set_issuer_unique_id1343090 +-Ref: gnutls_x509_crt_set_key1343595 +-Ref: gnutls_x509_crt_set_key_purpose_oid1344175 +-Ref: gnutls_x509_crt_set_key_usage1344943 +-Ref: gnutls_x509_crt_set_name_constraints1345402 +-Ref: gnutls_x509_crt_set_pin_function1346024 +-Ref: gnutls_x509_crt_set_policy1346692 +-Ref: gnutls_x509_crt_set_private_key_usage_period1347545 +-Ref: gnutls_x509_crt_set_proxy1348052 +-Ref: gnutls_x509_crt_set_proxy_dn1348866 +-Ref: gnutls_x509_crt_set_serial1349885 +-Ref: gnutls_x509_crt_set_spki1350945 +-Ref: gnutls_x509_crt_set_subject_alt_name1351800 +-Ref: gnutls_x509_crt_set_subject_alt_othername1353040 +-Ref: gnutls_x509_crt_set_subject_alternative_name1354048 +-Ref: gnutls_x509_crt_set_subject_key_id1354946 +-Ref: gnutls_x509_crt_set_subject_unique_id1355466 +-Ref: gnutls_x509_crt_set_tlsfeatures1355989 +-Ref: gnutls_x509_crt_set_version1356513 +-Ref: gnutls_x509_crt_sign1357336 +-Ref: gnutls_x509_crt_sign21358031 +-Ref: gnutls_x509_crt_verify1359264 +-Ref: gnutls_x509_crt_verify_data21360313 +-Ref: gnutls_x509_dn_deinit1361317 +-Ref: gnutls_x509_dn_export1361579 +-Ref: gnutls_x509_dn_export21362473 +-Ref: gnutls_x509_dn_get_rdn_ava1363134 +-Ref: gnutls_x509_dn_get_str1364166 +-Ref: gnutls_x509_dn_get_str21364762 +-Ref: gnutls_x509_dn_import1365624 +-Ref: gnutls_x509_dn_init1366240 +-Ref: gnutls_x509_dn_oid_known1366661 +-Ref: gnutls_x509_dn_oid_name1367330 +-Ref: gnutls_x509_dn_set_str1367859 +-Ref: gnutls_x509_ext_deinit1368458 +-Ref: gnutls_x509_ext_export_aia1368702 +-Ref: gnutls_x509_ext_export_authority_key_id1369296 +-Ref: gnutls_x509_ext_export_basic_constraints1369952 +-Ref: gnutls_x509_ext_export_crl_dist_points1370649 +-Ref: gnutls_x509_ext_export_inhibit_anypolicy1371317 
+-Ref: gnutls_x509_ext_export_key_purposes1371985 +-Ref: gnutls_x509_ext_export_key_usage1372604 +-Ref: gnutls_x509_ext_export_name_constraints1373220 +-Ref: gnutls_x509_ext_export_policies1373861 +-Ref: gnutls_x509_ext_export_private_key_usage_period1374524 +-Ref: gnutls_x509_ext_export_proxy1375189 +-Ref: gnutls_x509_ext_export_subject_alt_names1376175 +-Ref: gnutls_x509_ext_export_subject_key_id1376824 +-Ref: gnutls_x509_ext_export_tlsfeatures1377446 +-Ref: gnutls_x509_ext_import_aia1378064 +-Ref: gnutls_x509_ext_import_authority_key_id1378769 +-Ref: gnutls_x509_ext_import_basic_constraints1379437 +-Ref: gnutls_x509_ext_import_crl_dist_points1380063 +-Ref: gnutls_x509_ext_import_inhibit_anypolicy1380691 +-Ref: gnutls_x509_ext_import_key_purposes1381606 +-Ref: gnutls_x509_ext_import_key_usage1382240 +-Ref: gnutls_x509_ext_import_name_constraints1383256 +-Ref: gnutls_x509_ext_import_policies1384594 +-Ref: gnutls_x509_ext_import_private_key_usage_period1385201 +-Ref: gnutls_x509_ext_import_proxy1385816 +-Ref: gnutls_x509_ext_import_subject_alt_names1386902 +-Ref: gnutls_x509_ext_import_subject_key_id1387660 +-Ref: gnutls_x509_ext_import_tlsfeatures1388295 +-Ref: gnutls_x509_ext_print1389187 +-Ref: gnutls_x509_key_purpose_deinit1389898 +-Ref: gnutls_x509_key_purpose_get1390152 +-Ref: gnutls_x509_key_purpose_init1390880 +-Ref: gnutls_x509_key_purpose_set1391241 +-Ref: gnutls_x509_name_constraints_add_excluded1391696 +-Ref: gnutls_x509_name_constraints_add_permitted1392637 +-Ref: gnutls_x509_name_constraints_check1393512 +-Ref: gnutls_x509_name_constraints_check_crt1394349 +-Ref: gnutls_x509_name_constraints_deinit1395219 +-Ref: gnutls_x509_name_constraints_get_excluded1395519 +-Ref: gnutls_x509_name_constraints_get_permitted1396590 +-Ref: gnutls_x509_name_constraints_init1397644 +-Ref: gnutls_x509_othername_to_virtual1398027 +-Ref: gnutls_x509_policies_deinit1398646 +-Ref: gnutls_x509_policies_get1398926 +-Ref: gnutls_x509_policies_init1399712 +-Ref: 
gnutls_x509_policies_set1400077 +-Ref: gnutls_x509_policy_release1400544 +-Ref: gnutls_x509_privkey_cpy1400908 +-Ref: gnutls_x509_privkey_deinit1401378 +-Ref: gnutls_x509_privkey_export1401619 +-Ref: gnutls_x509_privkey_export21402654 +-Ref: gnutls_x509_privkey_export2_pkcs81403532 +-Ref: gnutls_x509_privkey_export_dsa_raw1404808 +-Ref: gnutls_x509_privkey_export_ecc_raw1405548 +-Ref: gnutls_x509_privkey_export_gost_raw1406431 +-Ref: gnutls_x509_privkey_export_pkcs81407516 +-Ref: gnutls_x509_privkey_export_rsa_raw1409021 +-Ref: gnutls_x509_privkey_export_rsa_raw21409882 +-Ref: gnutls_x509_privkey_fix1410868 +-Ref: gnutls_x509_privkey_generate1411253 +-Ref: gnutls_x509_privkey_generate21412778 +-Ref: gnutls_x509_privkey_get_key_id1414937 +-Ref: gnutls_x509_privkey_get_pk_algorithm1415956 +-Ref: gnutls_x509_privkey_get_pk_algorithm21416384 +-Ref: gnutls_x509_privkey_get_seed1416875 +-Ref: gnutls_x509_privkey_get_spki1417699 +-Ref: gnutls_x509_privkey_import1418234 +-Ref: gnutls_x509_privkey_import21419029 +-Ref: gnutls_x509_privkey_import_dsa_raw1420102 +-Ref: gnutls_x509_privkey_import_ecc_raw1420834 +-Ref: gnutls_x509_privkey_import_gost_raw1421650 +-Ref: gnutls_x509_privkey_import_openssl1422926 +-Ref: gnutls_x509_privkey_import_pkcs81423800 +-Ref: gnutls_x509_privkey_import_rsa_raw1425247 +-Ref: gnutls_x509_privkey_import_rsa_raw21426101 +-Ref: gnutls_x509_privkey_init1427097 +-Ref: gnutls_x509_privkey_sec_param1427442 +-Ref: gnutls_x509_privkey_set_flags1427861 +-Ref: gnutls_x509_privkey_set_pin_function1428411 +-Ref: gnutls_x509_privkey_set_spki1429029 +-Ref: gnutls_x509_privkey_sign_data1429576 +-Ref: gnutls_x509_privkey_verify_params1430797 +-Ref: gnutls_x509_privkey_verify_seed1431133 +-Ref: gnutls_x509_rdn_get1431962 +-Ref: gnutls_x509_rdn_get21432780 +-Ref: gnutls_x509_rdn_get_by_oid1433688 +-Ref: gnutls_x509_rdn_get_oid1434670 +-Ref: gnutls_x509_spki_deinit1435415 +-Ref: gnutls_x509_spki_get_rsa_pss_params1435697 +-Ref: gnutls_x509_spki_init1436258 +-Ref: 
gnutls_x509_spki_set_rsa_pss_params1436774 +-Ref: gnutls_x509_tlsfeatures_add1437287 +-Ref: gnutls_x509_tlsfeatures_check_crt1437743 +-Ref: gnutls_x509_tlsfeatures_deinit1438343 +-Ref: gnutls_x509_tlsfeatures_get1438621 +-Ref: gnutls_x509_tlsfeatures_init1439181 +-Ref: gnutls_x509_trust_list_add_cas1439566 +-Ref: gnutls_x509_trust_list_add_crls1440751 +-Ref: gnutls_x509_trust_list_add_named_crt1442129 +-Ref: gnutls_x509_trust_list_add_system_trust1443344 +-Ref: gnutls_x509_trust_list_add_trust_dir1444106 +-Ref: gnutls_x509_trust_list_add_trust_file1444969 +-Ref: gnutls_x509_trust_list_add_trust_mem1446116 +-Ref: gnutls_x509_trust_list_deinit1447035 +-Ref: gnutls_x509_trust_list_get_issuer1447661 +-Ref: gnutls_x509_trust_list_get_issuer_by_dn1448711 +-Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1449440 +-Ref: gnutls_x509_trust_list_get_ptr1450248 +-Ref: gnutls_x509_trust_list_init1450761 +-Ref: gnutls_x509_trust_list_iter_deinit1451266 +-Ref: gnutls_x509_trust_list_iter_get_ca1451575 +-Ref: gnutls_x509_trust_list_remove_cas1452755 +-Ref: gnutls_x509_trust_list_remove_trust_file1453610 +-Ref: gnutls_x509_trust_list_remove_trust_mem1454311 +-Ref: gnutls_x509_trust_list_set_getissuer_function1454969 +-Ref: gnutls_x509_trust_list_set_ptr1456602 +-Ref: gnutls_x509_trust_list_verify_crt1457140 +-Ref: gnutls_x509_trust_list_verify_crt21458303 +-Ref: gnutls_x509_trust_list_verify_named_crt1461237 +-Node: PKCS 7 API1463965 +-Ref: gnutls_pkcs7_add_attr1464261 +-Ref: gnutls_pkcs7_attrs_deinit1465067 +-Ref: gnutls_pkcs7_deinit1465302 +-Ref: gnutls_pkcs7_delete_crl1465507 +-Ref: gnutls_pkcs7_delete_crt1465936 +-Ref: gnutls_pkcs7_export1466382 +-Ref: gnutls_pkcs7_export21467282 +-Ref: gnutls_pkcs7_get_attr1467943 +-Ref: gnutls_pkcs7_get_crl_count1468830 +-Ref: gnutls_pkcs7_get_crl_raw1469178 +-Ref: gnutls_pkcs7_get_crl_raw21469953 +-Ref: gnutls_pkcs7_get_crt_count1470584 +-Ref: gnutls_pkcs7_get_crt_raw1470959 +-Ref: gnutls_pkcs7_get_crt_raw21471859 +-Ref: 
gnutls_pkcs7_get_embedded_data1472713 +-Ref: gnutls_pkcs7_get_embedded_data_oid1473713 +-Ref: gnutls_pkcs7_get_signature_count1474273 +-Ref: gnutls_pkcs7_get_signature_info1474680 +-Ref: gnutls_pkcs7_import1475353 +-Ref: gnutls_pkcs7_init1475974 +-Ref: gnutls_pkcs7_print1476398 +-Ref: gnutls_pkcs7_print_signature_info1477143 +-Ref: gnutls_pkcs7_set_crl1477948 +-Ref: gnutls_pkcs7_set_crl_raw1478349 +-Ref: gnutls_pkcs7_set_crt1478739 +-Ref: gnutls_pkcs7_set_crt_raw1479223 +-Ref: gnutls_pkcs7_sign1479636 +-Ref: gnutls_pkcs7_signature_info_deinit1481075 +-Ref: gnutls_pkcs7_verify1481428 +-Ref: gnutls_pkcs7_verify_direct1482593 +-Node: OCSP API1484053 +-Ref: gnutls_ocsp_req_add_cert1484337 +-Ref: gnutls_ocsp_req_add_cert_id1485297 +-Ref: gnutls_ocsp_req_deinit1486617 +-Ref: gnutls_ocsp_req_export1486834 +-Ref: gnutls_ocsp_req_get_cert_id1487259 +-Ref: gnutls_ocsp_req_get_extension1488851 +-Ref: gnutls_ocsp_req_get_nonce1490267 +-Ref: gnutls_ocsp_req_get_version1490921 +-Ref: gnutls_ocsp_req_import1491308 +-Ref: gnutls_ocsp_req_init1491804 +-Ref: gnutls_ocsp_req_print1492132 +-Ref: gnutls_ocsp_req_randomize_nonce1492868 +-Ref: gnutls_ocsp_req_set_extension1493301 +-Ref: gnutls_ocsp_req_set_nonce1493985 +-Ref: gnutls_ocsp_resp_check_crt1494572 +-Ref: gnutls_ocsp_resp_deinit1495156 +-Ref: gnutls_ocsp_resp_export1495380 +-Ref: gnutls_ocsp_resp_export21495806 +-Ref: gnutls_ocsp_resp_get_certs1496326 +-Ref: gnutls_ocsp_resp_get_extension1497451 +-Ref: gnutls_ocsp_resp_get_nonce1498875 +-Ref: gnutls_ocsp_resp_get_produced1499541 +-Ref: gnutls_ocsp_resp_get_responder1499888 +-Ref: gnutls_ocsp_resp_get_responder21500993 +-Ref: gnutls_ocsp_resp_get_responder_raw_id1502256 +-Ref: gnutls_ocsp_resp_get_response1503087 +-Ref: gnutls_ocsp_resp_get_signature1504313 +-Ref: gnutls_ocsp_resp_get_signature_algorithm1504802 +-Ref: gnutls_ocsp_resp_get_single1505280 +-Ref: gnutls_ocsp_resp_get_status1507222 +-Ref: gnutls_ocsp_resp_get_version1507651 +-Ref: gnutls_ocsp_resp_import1508059 
+-Ref: gnutls_ocsp_resp_import21508627 +-Ref: gnutls_ocsp_resp_init1509255 +-Ref: gnutls_ocsp_resp_list_import21509604 +-Ref: gnutls_ocsp_resp_print1510795 +-Ref: gnutls_ocsp_resp_verify1511521 +-Ref: gnutls_ocsp_resp_verify_direct1513138 +-Node: PKCS 12 API1515571 +-Ref: gnutls_pkcs12_bag_decrypt1515861 +-Ref: gnutls_pkcs12_bag_deinit1516293 +-Ref: gnutls_pkcs12_bag_enc_info1516531 +-Ref: gnutls_pkcs12_bag_encrypt1517904 +-Ref: gnutls_pkcs12_bag_get_count1518409 +-Ref: gnutls_pkcs12_bag_get_data1518720 +-Ref: gnutls_pkcs12_bag_get_friendly_name1519326 +-Ref: gnutls_pkcs12_bag_get_key_id1519963 +-Ref: gnutls_pkcs12_bag_get_type1520582 +-Ref: gnutls_pkcs12_bag_init1520952 +-Ref: gnutls_pkcs12_bag_set_crl1521410 +-Ref: gnutls_pkcs12_bag_set_crt1521843 +-Ref: gnutls_pkcs12_bag_set_data1522289 +-Ref: gnutls_pkcs12_bag_set_friendly_name1522760 +-Ref: gnutls_pkcs12_bag_set_key_id1523444 +-Ref: gnutls_pkcs12_bag_set_privkey1524118 +-Ref: gnutls_pkcs12_deinit1524774 +-Ref: gnutls_pkcs12_export1524976 +-Ref: gnutls_pkcs12_export21525883 +-Ref: gnutls_pkcs12_generate_mac1526559 +-Ref: gnutls_pkcs12_generate_mac21526950 +-Ref: gnutls_pkcs12_get_bag1527394 +-Ref: gnutls_pkcs12_import1527980 +-Ref: gnutls_pkcs12_init1528701 +-Ref: gnutls_pkcs12_mac_info1529134 +-Ref: gnutls_pkcs12_set_bag1530443 +-Ref: gnutls_pkcs12_simple_parse1530849 +-Ref: gnutls_pkcs12_verify_mac1533530 +-Node: PKCS 11 API1533886 +-Ref: gnutls_pkcs11_add_provider1534215 +-Ref: gnutls_pkcs11_copy_attached_extension1534960 +-Ref: gnutls_pkcs11_copy_pubkey1535819 +-Ref: gnutls_pkcs11_copy_secret_key1536852 +-Ref: gnutls_pkcs11_copy_x509_crt1537577 +-Ref: gnutls_pkcs11_copy_x509_crt21538225 +-Ref: gnutls_pkcs11_copy_x509_privkey1539193 +-Ref: gnutls_pkcs11_copy_x509_privkey21540010 +-Ref: gnutls_pkcs11_crt_is_known1540955 +-Ref: gnutls_pkcs11_deinit1542091 +-Ref: gnutls_pkcs11_delete_url1542408 +-Ref: gnutls_pkcs11_get_pin_function1542924 +-Ref: gnutls_pkcs11_get_raw_issuer1543307 +-Ref: 
gnutls_pkcs11_get_raw_issuer_by_dn1544217 +-Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1545256 +-Ref: gnutls_pkcs11_init1546367 +-Ref: gnutls_pkcs11_obj_deinit1547409 +-Ref: gnutls_pkcs11_obj_export1547655 +-Ref: gnutls_pkcs11_obj_export21548500 +-Ref: gnutls_pkcs11_obj_export31549097 +-Ref: gnutls_pkcs11_obj_export_url1549770 +-Ref: gnutls_pkcs11_obj_flags_get_str1550297 +-Ref: gnutls_pkcs11_obj_get_exts1550776 +-Ref: gnutls_pkcs11_obj_get_flags1551712 +-Ref: gnutls_pkcs11_obj_get_info1552249 +-Ref: gnutls_pkcs11_obj_get_ptr1553513 +-Ref: gnutls_pkcs11_obj_get_type1554422 +-Ref: gnutls_pkcs11_obj_import_url1554772 +-Ref: gnutls_pkcs11_obj_init1555692 +-Ref: gnutls_pkcs11_obj_list_import_url31556077 +-Ref: gnutls_pkcs11_obj_list_import_url41558018 +-Ref: gnutls_pkcs11_obj_set_info1559694 +-Ref: gnutls_pkcs11_obj_set_pin_function1560473 +-Ref: gnutls_pkcs11_privkey_cpy1560984 +-Ref: gnutls_pkcs11_privkey_deinit1561485 +-Ref: gnutls_pkcs11_privkey_export_pubkey1561748 +-Ref: gnutls_pkcs11_privkey_export_url1562552 +-Ref: gnutls_pkcs11_privkey_generate1563062 +-Ref: gnutls_pkcs11_privkey_generate21563734 +-Ref: gnutls_pkcs11_privkey_generate31564964 +-Ref: gnutls_pkcs11_privkey_get_info1566474 +-Ref: gnutls_pkcs11_privkey_get_pk_algorithm1567356 +-Ref: gnutls_pkcs11_privkey_import_url1567887 +-Ref: gnutls_pkcs11_privkey_init1568588 +-Ref: gnutls_pkcs11_privkey_set_pin_function1569303 +-Ref: gnutls_pkcs11_privkey_status1569823 +-Ref: gnutls_pkcs11_reinit1570199 +-Ref: gnutls_pkcs11_set_pin_function1570759 +-Ref: gnutls_pkcs11_set_token_function1571249 +-Ref: gnutls_pkcs11_token_check_mechanism1571667 +-Ref: gnutls_pkcs11_token_get_flags1572424 +-Ref: gnutls_pkcs11_token_get_info1572966 +-Ref: gnutls_pkcs11_token_get_mechanism1573989 +-Ref: gnutls_pkcs11_token_get_ptr1574602 +-Ref: gnutls_pkcs11_token_get_random1575301 +-Ref: gnutls_pkcs11_token_get_url1575932 +-Ref: gnutls_pkcs11_token_init1576600 +-Ref: gnutls_pkcs11_token_set_pin1577238 +-Ref: 
gnutls_pkcs11_type_get_name1578078 +-Ref: gnutls_x509_crt_import_pkcs111578567 +-Ref: gnutls_x509_crt_list_import_pkcs111579089 +-Node: TPM API1579698 +-Ref: gnutls_tpm_get_registered1579977 +-Ref: gnutls_tpm_key_list_deinit1580370 +-Ref: gnutls_tpm_key_list_get_url1580638 +-Ref: gnutls_tpm_privkey_delete1581291 +-Ref: gnutls_tpm_privkey_generate1581729 +-Node: Abstract key API1583079 +-Ref: gnutls_certificate_set_key1583400 +-Ref: gnutls_certificate_set_retrieve_function21585536 +-Ref: gnutls_certificate_set_retrieve_function31587786 +-Ref: gnutls_pcert_deinit1590646 +-Ref: gnutls_pcert_export_openpgp1590891 +-Ref: gnutls_pcert_export_x5091591240 +-Ref: gnutls_pcert_import_openpgp1591890 +-Ref: gnutls_pcert_import_openpgp_raw1592289 +-Ref: gnutls_pcert_import_rawpk1592858 +-Ref: gnutls_pcert_import_rawpk_raw1593711 +-Ref: gnutls_pcert_import_x5091594960 +-Ref: gnutls_pcert_import_x509_list1595557 +-Ref: gnutls_pcert_import_x509_raw1596747 +-Ref: gnutls_pcert_list_import_x509_file1597453 +-Ref: gnutls_pcert_list_import_x509_raw1598885 +-Ref: gnutls_privkey_decrypt_data1600219 +-Ref: gnutls_privkey_decrypt_data21600867 +-Ref: gnutls_privkey_deinit1601692 +-Ref: gnutls_privkey_export_dsa_raw1601941 +-Ref: gnutls_privkey_export_dsa_raw21602671 +-Ref: gnutls_privkey_export_ecc_raw1603477 +-Ref: gnutls_privkey_export_ecc_raw21604339 +-Ref: gnutls_privkey_export_gost_raw21605281 +-Ref: gnutls_privkey_export_openpgp1606415 +-Ref: gnutls_privkey_export_pkcs111606767 +-Ref: gnutls_privkey_export_rsa_raw1607379 +-Ref: gnutls_privkey_export_rsa_raw21608410 +-Ref: gnutls_privkey_export_x5091609456 +-Ref: gnutls_privkey_generate1610104 +-Ref: gnutls_privkey_generate21611595 +-Ref: gnutls_privkey_get_pk_algorithm1613723 +-Ref: gnutls_privkey_get_seed1614337 +-Ref: gnutls_privkey_get_spki1615136 +-Ref: gnutls_privkey_get_type1615716 +-Ref: gnutls_privkey_import_dsa_raw1616205 +-Ref: gnutls_privkey_import_ecc_raw1616917 +-Ref: gnutls_privkey_import_ext1617730 +-Ref: 
gnutls_privkey_import_ext21618880 +-Ref: gnutls_privkey_import_ext31620237 +-Ref: gnutls_privkey_import_ext41621851 +-Ref: gnutls_privkey_import_gost_raw1624611 +-Ref: gnutls_privkey_import_openpgp1625819 +-Ref: gnutls_privkey_import_openpgp_raw1626228 +-Ref: gnutls_privkey_import_pkcs111626817 +-Ref: gnutls_privkey_import_pkcs11_url1627575 +-Ref: gnutls_privkey_import_rsa_raw1628024 +-Ref: gnutls_privkey_import_tpm_raw1629020 +-Ref: gnutls_privkey_import_tpm_url1629887 +-Ref: gnutls_privkey_import_url1630990 +-Ref: gnutls_privkey_import_x5091631537 +-Ref: gnutls_privkey_import_x509_raw1632285 +-Ref: gnutls_privkey_init1633064 +-Ref: gnutls_privkey_set_flags1633982 +-Ref: gnutls_privkey_set_pin_function1634507 +-Ref: gnutls_privkey_set_spki1635077 +-Ref: gnutls_privkey_sign_data1635650 +-Ref: gnutls_privkey_sign_data21636670 +-Ref: gnutls_privkey_sign_hash1637568 +-Ref: gnutls_privkey_sign_hash21639005 +-Ref: gnutls_privkey_status1640271 +-Ref: gnutls_privkey_verify_params1640815 +-Ref: gnutls_privkey_verify_seed1641177 +-Ref: gnutls_pubkey_deinit1641889 +-Ref: gnutls_pubkey_encrypt_data1642129 +-Ref: gnutls_pubkey_export1642771 +-Ref: gnutls_pubkey_export21643785 +-Ref: gnutls_pubkey_export_dsa_raw1644558 +-Ref: gnutls_pubkey_export_dsa_raw21645370 +-Ref: gnutls_pubkey_export_ecc_raw1646254 +-Ref: gnutls_pubkey_export_ecc_raw21647153 +-Ref: gnutls_pubkey_export_ecc_x9621648132 +-Ref: gnutls_pubkey_export_gost_raw21648791 +-Ref: gnutls_pubkey_export_rsa_raw1649935 +-Ref: gnutls_pubkey_export_rsa_raw21650632 +-Ref: gnutls_pubkey_get_key_id1651393 +-Ref: gnutls_pubkey_get_key_usage1652418 +-Ref: gnutls_pubkey_get_openpgp_key_id1652915 +-Ref: gnutls_pubkey_get_pk_algorithm1653554 +-Ref: gnutls_pubkey_get_preferred_hash_algorithm1654202 +-Ref: gnutls_pubkey_get_spki1655143 +-Ref: gnutls_pubkey_import1655711 +-Ref: gnutls_pubkey_import_dsa_raw1656395 +-Ref: gnutls_pubkey_import_ecc_raw1657056 +-Ref: gnutls_pubkey_import_ecc_x9621657824 +-Ref: 
gnutls_pubkey_import_gost_raw1658460 +-Ref: gnutls_pubkey_import_openpgp1659607 +-Ref: gnutls_pubkey_import_openpgp_raw1659999 +-Ref: gnutls_pubkey_import_pkcs111660568 +-Ref: gnutls_pubkey_import_privkey1661110 +-Ref: gnutls_pubkey_import_rsa_raw1661812 +-Ref: gnutls_pubkey_import_tpm_raw1662336 +-Ref: gnutls_pubkey_import_tpm_url1663113 +-Ref: gnutls_pubkey_import_url1664005 +-Ref: gnutls_pubkey_import_x5091664478 +-Ref: gnutls_pubkey_import_x509_crq1664978 +-Ref: gnutls_pubkey_import_x509_raw1665481 +-Ref: gnutls_pubkey_init1666058 +-Ref: gnutls_pubkey_print1666387 +-Ref: gnutls_pubkey_set_key_usage1667121 +-Ref: gnutls_pubkey_set_pin_function1667690 +-Ref: gnutls_pubkey_set_spki1668255 +-Ref: gnutls_pubkey_verify_data21668826 +-Ref: gnutls_pubkey_verify_hash21669734 +-Ref: gnutls_pubkey_verify_params1670858 +-Ref: gnutls_register_custom_url1671216 +-Ref: gnutls_system_key_add_x5091672154 +-Ref: gnutls_system_key_delete1672899 +-Ref: gnutls_system_key_iter_deinit1673323 +-Ref: gnutls_system_key_iter_get_info1673591 +-Ref: gnutls_x509_crl_privkey_sign1674865 +-Ref: gnutls_x509_crq_privkey_sign1676134 +-Ref: gnutls_x509_crq_set_pubkey1677496 +-Ref: gnutls_x509_crt_privkey_sign1678004 +-Ref: gnutls_x509_crt_set_pubkey1679247 +-Node: Socket specific API1679700 +-Ref: gnutls_transport_set_fastopen1679993 +-Node: DANE API1681539 +-Ref: dane_cert_type_name1681913 +-Ref: dane_cert_usage_name1682203 +-Ref: dane_match_type_name1682515 +-Ref: dane_query_data1682798 +-Ref: dane_query_deinit1683477 +-Ref: dane_query_entries1683682 +-Ref: dane_query_status1683924 +-Ref: dane_query_tlsa1684218 +-Ref: dane_query_to_raw_tlsa1684809 +-Ref: dane_raw_tlsa1686151 +-Ref: dane_state_deinit1687228 +-Ref: dane_state_init1687420 +-Ref: dane_state_set_dlv_file1687934 +-Ref: dane_strerror1688235 +-Ref: dane_verification_status_print1688734 +-Ref: dane_verify_crt1689328 +-Ref: dane_verify_crt_raw1691515 +-Ref: dane_verify_session_crt1692748 +-Node: Cryptographic API1694150 +-Ref: 
gnutls_aead_cipher_decrypt1694651 +-Ref: gnutls_aead_cipher_decryptv21696030 +-Ref: gnutls_aead_cipher_deinit1696955 +-Ref: gnutls_aead_cipher_encrypt1697283 +-Ref: gnutls_aead_cipher_encryptv1698392 +-Ref: gnutls_aead_cipher_encryptv21699540 +-Ref: gnutls_aead_cipher_init1700468 +-Ref: gnutls_cipher_add_auth1701134 +-Ref: gnutls_cipher_decrypt1701714 +-Ref: gnutls_cipher_decrypt21702338 +-Ref: gnutls_cipher_deinit1703264 +-Ref: gnutls_cipher_encrypt1703543 +-Ref: gnutls_cipher_encrypt21704003 +-Ref: gnutls_cipher_get_block_size1704780 +-Ref: gnutls_cipher_get_iv_size1705060 +-Ref: gnutls_cipher_get_tag_size1705542 +-Ref: gnutls_cipher_init1705948 +-Ref: gnutls_cipher_set_iv1706678 +-Ref: gnutls_cipher_tag1707023 +-Ref: gnutls_crypto_register_aead_cipher1707525 +-Ref: gnutls_crypto_register_cipher1709129 +-Ref: gnutls_crypto_register_digest1710910 +-Ref: gnutls_crypto_register_mac1712134 +-Ref: gnutls_decode_ber_digest_info1713562 +-Ref: gnutls_decode_gost_rs_value1714361 +-Ref: gnutls_decode_rs_value1715161 +-Ref: gnutls_encode_ber_digest_info1715946 +-Ref: gnutls_encode_gost_rs_value1716590 +-Ref: gnutls_encode_rs_value1717336 +-Ref: gnutls_hash1717956 +-Ref: gnutls_hash_copy1718387 +-Ref: gnutls_hash_deinit1718904 +-Ref: gnutls_hash_fast1719232 +-Ref: gnutls_hash_get_len1719749 +-Ref: gnutls_hash_init1720082 +-Ref: gnutls_hash_output1720618 +-Ref: gnutls_hkdf_expand1720950 +-Ref: gnutls_hkdf_extract1721653 +-Ref: gnutls_hmac1722196 +-Ref: gnutls_hmac_copy1722627 +-Ref: gnutls_hmac_deinit1723108 +-Ref: gnutls_hmac_fast1723435 +-Ref: gnutls_hmac_get_key_size1724159 +-Ref: gnutls_hmac_get_len1724620 +-Ref: gnutls_hmac_init1724950 +-Ref: gnutls_hmac_output1725733 +-Ref: gnutls_hmac_set_nonce1726068 +-Ref: gnutls_mac_get_nonce_size1726435 +-Ref: gnutls_pbkdf21726751 +-Ref: gnutls_rnd1727384 +-Ref: gnutls_rnd_refresh1728022 +-Node: Compatibility API1728308 +-Ref: gnutls_compression_get1728650 +-Ref: gnutls_compression_get_id1729002 +-Ref: 
gnutls_compression_get_name1729366 +-Ref: gnutls_compression_list1729748 +-Ref: gnutls_global_set_mem_functions1730080 +-Ref: gnutls_openpgp_privkey_sign_hash1731455 +-Ref: gnutls_priority_compression_list1731884 +-Ref: gnutls_x509_crt_get_preferred_hash_algorithm1732336 +-Ref: gnutls_x509_privkey_sign_hash1733217 +-Node: Copying Information1734087 +-Node: Bibliography1759264 +-Ref: CBCATT1759403 +-Ref: GPGH1759581 +-Ref: GUTPKI1759704 +-Ref: PRNGATTACKS1759879 +-Ref: KEYPIN1760079 +-Ref: NISTSP800571760254 +-Ref: RFC74131760502 +-Ref: RFC79181760669 +-Ref: RFC61251760846 +-Ref: RFC76851761187 +-Ref: RFC76131761362 +-Ref: RFC22461761610 +-Ref: RFC60831761771 +-Ref: RFC44181762008 +-Ref: RFC46801762175 +-Ref: RFC76331762333 +-Ref: RFC79191762505 +-Ref: RFC45141762709 +-Ref: RFC43461762913 +-Ref: RFC43471763063 +-Ref: RFC52461763230 +-Ref: RFC24401763381 +-Ref: RFC48801763563 +-Ref: RFC42111763757 +-Ref: RFC28171763951 +-Ref: RFC28181764104 +-Ref: RFC29451764218 +-Ref: RFC73011764368 +-Ref: RFC29861764588 +-Ref: PKIX1764777 +-Ref: RFC37491765040 +-Ref: RFC38201765206 +-Ref: RFC65201765449 +-Ref: RFC57461765688 +-Ref: RFC52801765897 +-Ref: TLSTKT1766164 +-Ref: PKCS121766396 +-Ref: PKCS111766537 +-Ref: RESCORLA1766683 +-Ref: SELKEY1766779 +-Ref: SSL31766938 +-Ref: STEVENS1767129 +-Ref: TLSEXT1767237 +-Ref: TLSPGP1767454 +-Ref: TLSSRP1767619 +-Ref: TLSPSK1767816 +-Ref: TOMSRP1767985 +-Ref: WEGER1768098 +-Ref: ECRYPT1768290 +-Ref: RFC50561768495 +-Ref: RFC57641768648 +-Ref: RFC59291768936 +-Ref: PKCS11URI1769079 +-Ref: TPMURI1769215 +-Ref: ANDERSON1769409 +-Ref: RFC48211769555 +-Ref: RFC25601769708 +-Ref: RIVESTCRL1769902 +-Node: Function and Data Index1770263 +-Node: Concept Index1896190 ++Ref: p11tool id313760 ++Ref: p11tool mark-wrap314017 ++Ref: p11tool mark-trusted314264 ++Ref: p11tool mark-distrusted314628 ++Ref: p11tool mark-decrypt315082 ++Ref: p11tool mark-sign315359 ++Ref: p11tool mark-ca315636 ++Ref: p11tool mark-private315909 ++Ref: p11tool ca316207 ++Ref: 
p11tool private316341 ++Ref: p11tool secret-key316496 ++Ref: p11tool other-options316659 ++Ref: p11tool debug316761 ++Ref: p11tool so-login316902 ++Ref: p11tool admin-login317146 ++Ref: p11tool test-sign317287 ++Ref: p11tool sign-params317581 ++Ref: p11tool hash317921 ++Ref: p11tool generate-random318217 ++Ref: p11tool inder318391 ++Ref: p11tool inraw318616 ++Ref: p11tool outder318742 ++Ref: p11tool outraw318994 ++Ref: p11tool provider319127 ++Ref: p11tool provider-opts319336 ++Ref: p11tool batch319609 ++Ref: p11tool exit status319762 ++Ref: p11tool See Also319992 ++Ref: p11tool Examples320040 ++Node: Trusted Platform Module322461 ++Ref: Trusted Platform Module-Footnote-1324254 ++Ref: Trusted Platform Module-Footnote-2324302 ++Node: Keys in TPM324359 ++Node: Key generation325843 ++Node: Using keys328111 ++Node: tpmtool Invocation331756 ++Ref: tpmtool usage332182 ++Ref: tpmtool debug335494 ++Ref: tpmtool generate-rsa335635 ++Ref: tpmtool user335906 ++Ref: tpmtool system336265 ++Ref: tpmtool test-sign336619 ++Ref: tpmtool sec-param336902 ++Ref: tpmtool inder337228 ++Ref: tpmtool outder337529 ++Ref: tpmtool srk-well-known337748 ++Ref: tpmtool exit status337904 ++Ref: tpmtool See Also338134 ++Ref: tpmtool Examples338195 ++Node: How to use GnuTLS in applications338812 ++Node: Introduction to the library339381 ++Node: General idea339980 ++Ref: fig-gnutls-design340829 ++Ref: General idea-Footnote-1342134 ++Node: Error handling342179 ++Node: Common types344406 ++Node: Debugging and auditing345740 ++Ref: tab:environment346611 ++Node: Thread safety349478 ++Ref: Thread safety-Footnote-1351624 ++Node: Running in a sandbox351836 ++Node: Sessions and fork353230 ++Node: Callback functions353782 ++Node: Preparation354750 ++Node: Headers355169 ++Node: Initialization355458 ++Ref: Initialization-Footnote-1356452 ++Node: Version check356745 ++Node: Building the source357620 ++Node: Session initialization359731 ++Ref: gnutls_init_flags_t361208 ++Node: Associating the credentials368221 
++Ref: tab:key-exchange-cred368997 ++Node: Certificate credentials370128 ++Node: Raw public-key credentials385713 ++Node: SRP credentials387013 ++Node: PSK credentials391911 ++Node: Anonymous credentials395846 ++Node: Setting up the transport layer396692 ++Node: Asynchronous operation406245 ++Node: Reducing round-trips410546 ++Node: Zero-roundtrip mode413986 ++Node: Anti-replay protection416191 ++Node: DTLS sessions419836 ++Ref: DTLS sessions-Footnote-1422140 ++Node: DTLS and SCTP422217 ++Node: TLS handshake423237 ++Node: Data transfer and termination427155 ++Node: Buffered data transfer436297 ++Node: Handling alerts438098 ++Node: Priority Strings441480 ++Ref: tab:prio-keywords444080 ++Ref: tab:prio-algorithms451158 ++Ref: tab:prio-special1456588 ++Ref: tab:prio-special2460435 ++Ref: Priority Strings-Footnote-1467056 ++Node: Selecting cryptographic key sizes467278 ++Ref: tab:key-sizes467927 ++Node: Advanced topics472676 ++Node: Virtual hosts and credentials473174 ++Node: Session resumption476499 ++Node: Certificate verification484406 ++Ref: dane_verify_status_t494127 ++Node: TLS 1.2 re-authentication494532 ++Node: TLS 1.3 re-authentication and re-key499389 ++Node: Parameter generation501048 ++Node: Deriving keys for other applications/protocols503695 ++Node: Channel Bindings506925 ++Node: Interoperability508464 ++Node: Compatibility with the OpenSSL library509782 ++Node: GnuTLS application examples510509 ++Ref: examples510728 ++Node: Client examples511021 ++Node: Client example with X.509 certificate support511548 ++Ref: ex-verify511786 ++Node: Datagram TLS client example516830 ++Node: Client using a smart card with TLS521235 ++Ref: ex-pkcs11-client521472 ++Node: Client with Resume capability example526767 ++Ref: ex-resume-client527051 ++Node: Client example with SSH-style certificate verification532238 ++Node: Server examples536445 ++Node: Echo server with X.509 authentication536799 ++Node: DTLS echo server with X.509 authentication544523 ++Node: More advanced 
client and servers558934 ++Node: Client example with anonymous authentication559791 ++Node: Using a callback to select the certificate to use563715 ++Node: Obtaining session information570098 ++Node: Advanced certificate verification example574311 ++Ref: ex-verify2574587 ++Node: Client example with PSK authentication580017 ++Node: Client example with SRP authentication584383 ++Node: Legacy client example with X.509 certificate support588667 ++Ref: ex-verify-legacy588984 ++Node: Client example in C++594937 ++Node: Echo server with PSK authentication597509 ++Node: Echo server with SRP authentication606240 ++Node: Echo server with anonymous authentication613158 ++Node: Helper functions for TCP connections618486 ++Node: Helper functions for UDP connections620078 ++Node: OCSP example621983 ++Ref: Generate OCSP request622166 ++Node: Miscellaneous examples631773 ++Node: Checking for an alert632099 ++Node: X.509 certificate parsing example633548 ++Ref: ex-x509-info633805 ++Node: Listing the ciphersuites in a priority string637834 ++Node: PKCS12 structure generation example640151 ++Node: System-wide configuration of the library644356 ++Node: Application-specific priority strings646183 ++Node: Disabling algorithms and protocols647631 ++Node: Querying for disabled algorithms and protocols653128 ++Node: Overriding the parameter verification profile654250 ++Node: Overriding the default priority string655252 ++Node: Using GnuTLS as a cryptographic library655869 ++Ref: Using GnuTLS as a cryptographic library-Footnote-1656725 ++Node: Symmetric algorithms656782 ++Ref: gnutls_cipher_algorithm_t657542 ++Ref: Symmetric algorithms-Footnote-1665972 ++Node: Public key algorithms666057 ++Node: Cryptographic Message Syntax / PKCS7670779 ++Ref: gnutls_pkcs7_sign_flags674218 ++Node: Hash and MAC functions675686 ++Ref: gnutls_mac_algorithm_t676298 ++Ref: gnutls_digest_algorithm_t679670 ++Node: Random number generation680721 ++Ref: gnutls_rnd_level_t681083 ++Node: Overriding algorithms682190 
++Node: Other included programs688508 ++Node: gnutls-cli Invocation689079 ++Ref: gnutls-cli usage689641 ++Ref: gnutls-cli debug697391 ++Ref: gnutls-cli tofu697532 ++Ref: gnutls-cli strict-tofu697995 ++Ref: gnutls-cli dane698397 ++Ref: gnutls-cli local-dns698740 ++Ref: gnutls-cli ca-verification699055 ++Ref: gnutls-cli ocsp699410 ++Ref: gnutls-cli resume699652 ++Ref: gnutls-cli rehandshake699798 ++Ref: gnutls-cli sni-hostname699965 ++Ref: gnutls-cli verify-hostname700491 ++Ref: gnutls-cli starttls700724 ++Ref: gnutls-cli app-proto700908 ++Ref: gnutls-cli starttls-proto701070 ++Ref: gnutls-cli save-ocsp-multi701581 ++Ref: gnutls-cli dh-bits702038 ++Ref: gnutls-cli priority702389 ++Ref: gnutls-cli rawpkkeyfile702767 ++Ref: gnutls-cli rawpkfile703224 ++Ref: gnutls-cli ranges703765 ++Ref: gnutls-cli benchmark-ciphers704015 ++Ref: gnutls-cli benchmark-tls-ciphers704333 ++Ref: gnutls-cli list704652 ++Ref: gnutls-cli priority-list705019 ++Ref: gnutls-cli noticket705265 ++Ref: gnutls-cli alpn705426 ++Ref: gnutls-cli disable-extensions705735 ++Ref: gnutls-cli single-key-share705967 ++Ref: gnutls-cli post-handshake-auth706183 ++Ref: gnutls-cli inline-commands706380 ++Ref: gnutls-cli inline-commands-prefix706700 ++Ref: gnutls-cli provider707103 ++Ref: gnutls-cli logfile707300 ++Ref: gnutls-cli waitresumption707657 ++Ref: gnutls-cli ca-auto-retrieve707914 ++Ref: gnutls-cli exit status708318 ++Ref: gnutls-cli See Also708554 ++Ref: gnutls-cli Examples708631 ++Node: gnutls-serv Invocation712838 ++Ref: gnutls-serv usage713315 ++Ref: gnutls-serv debug718835 ++Ref: gnutls-serv sni-hostname718976 ++Ref: gnutls-serv alpn719308 ++Ref: gnutls-serv require-client-cert719595 ++Ref: gnutls-serv verify-client-cert719839 ++Ref: gnutls-serv heartbeat720068 ++Ref: gnutls-serv priority720219 ++Ref: gnutls-serv x509keyfile720588 ++Ref: gnutls-serv x509certfile721105 ++Ref: gnutls-serv x509dsakeyfile721622 ++Ref: gnutls-serv x509dsacertfile721786 ++Ref: gnutls-serv x509ecckeyfile721953 ++Ref: 
gnutls-serv x509ecccertfile722115 ++Ref: gnutls-serv rawpkkeyfile722282 ++Ref: gnutls-serv rawpkfile723101 ++Ref: gnutls-serv ocsp-response723956 ++Ref: gnutls-serv ignore-ocsp-response-errors724273 ++Ref: gnutls-serv list724520 ++Ref: gnutls-serv provider724758 ++Ref: gnutls-serv exit status724955 ++Ref: gnutls-serv See Also725193 ++Ref: gnutls-serv Examples725271 ++Node: gnutls-cli-debug Invocation730579 ++Ref: gnutls-cli-debug usage731401 ++Ref: gnutls-cli-debug debug733656 ++Ref: gnutls-cli-debug app-proto733797 ++Ref: gnutls-cli-debug starttls-proto733965 ++Ref: gnutls-cli-debug exit status734344 ++Ref: gnutls-cli-debug See Also734592 ++Ref: gnutls-cli-debug Examples734675 ++Node: Internal architecture of GnuTLS738172 ++Node: The TLS Protocol738778 ++Ref: fig-client-server739254 ++Node: TLS Handshake Protocol739344 ++Ref: fig-gnutls-handshake739786 ++Ref: fig-gnutls-handshake-sequence740295 ++Node: TLS Authentication Methods740393 ++Ref: TLS Authentication Methods-Footnote-1742697 ++Node: TLS Hello Extension Handling742763 ++Node: Cryptographic Backend755865 ++Ref: fig-crypto-layers756548 ++Ref: Cryptographic Backend-Footnote-1759830 ++Ref: Cryptographic Backend-Footnote-2759915 ++Node: Random Number Generators-internals760023 ++Node: FIPS140-2 mode767387 ++Ref: gnutls_fips_mode_t770023 ++Node: Upgrading from previous versions772170 ++Node: Support786164 ++Node: Getting help786412 ++Node: Commercial Support787000 ++Node: Bug Reports787271 ++Node: Contributing788635 ++Node: Certification790661 ++Node: Error codes791125 ++Node: Supported ciphersuites815758 ++Ref: ciphersuites815931 ++Node: API reference830975 ++Node: Core TLS API831385 ++Ref: gnutls_alert_get831612 ++Ref: gnutls_alert_get_name832231 ++Ref: gnutls_alert_get_strname832616 ++Ref: gnutls_alert_send832951 ++Ref: gnutls_alert_send_appropriate833829 ++Ref: gnutls_alert_set_read_function834796 ++Ref: gnutls_alpn_get_selected_protocol835180 ++Ref: gnutls_alpn_set_protocols835844 ++Ref: 
gnutls_anon_allocate_client_credentials836681 ++Ref: gnutls_anon_allocate_server_credentials837066 ++Ref: gnutls_anon_free_client_credentials837443 ++Ref: gnutls_anon_free_server_credentials837732 ++Ref: gnutls_anon_set_params_function838013 ++Ref: gnutls_anon_set_server_dh_params838689 ++Ref: gnutls_anon_set_server_known_dh_params839349 ++Ref: gnutls_anon_set_server_params_function840258 ++Ref: gnutls_anti_replay_deinit840921 ++Ref: gnutls_anti_replay_enable841235 ++Ref: gnutls_anti_replay_init841583 ++Ref: gnutls_anti_replay_set_add_function842111 ++Ref: gnutls_anti_replay_set_ptr843129 ++Ref: gnutls_anti_replay_set_window843464 ++Ref: gnutls_auth_client_get_type844232 ++Ref: gnutls_auth_get_type844859 ++Ref: gnutls_auth_server_get_type845671 ++Ref: gnutls_base64_decode2846300 ++Ref: gnutls_base64_encode2846856 ++Ref: gnutls_buffer_append_data847476 ++Ref: gnutls_bye847874 ++Ref: gnutls_certificate_activation_time_peers849475 ++Ref: gnutls_certificate_allocate_credentials849893 ++Ref: gnutls_certificate_client_get_request_status850290 ++Ref: gnutls_certificate_expiration_time_peers850698 ++Ref: gnutls_certificate_free_ca_names851102 ++Ref: gnutls_certificate_free_cas851771 ++Ref: gnutls_certificate_free_credentials852174 ++Ref: gnutls_certificate_free_crls852608 ++Ref: gnutls_certificate_free_keys852908 ++Ref: gnutls_certificate_get_crt_raw853342 ++Ref: gnutls_certificate_get_issuer854413 ++Ref: gnutls_certificate_get_ocsp_expiration855496 ++Ref: gnutls_certificate_get_ours856667 ++Ref: gnutls_certificate_get_peers857497 ++Ref: gnutls_certificate_get_peers_subkey_id858620 ++Ref: gnutls_certificate_get_verify_flags858976 ++Ref: gnutls_certificate_get_x509_crt859389 ++Ref: gnutls_certificate_get_x509_key861033 ++Ref: gnutls_certificate_send_x509_rdn_sequence862348 ++Ref: gnutls_certificate_server_set_request863055 ++Ref: gnutls_certificate_set_dh_params863845 ++Ref: gnutls_certificate_set_flags864664 ++Ref: gnutls_certificate_set_known_dh_params865189 ++Ref: 
gnutls_certificate_set_ocsp_status_request_file866117 ++Ref: gnutls_certificate_set_ocsp_status_request_file2868023 ++Ref: gnutls_certificate_set_ocsp_status_request_function869541 ++Ref: gnutls_certificate_set_ocsp_status_request_function2871029 ++Ref: gnutls_certificate_set_ocsp_status_request_mem872995 ++Ref: gnutls_certificate_set_params_function874770 ++Ref: gnutls_certificate_set_pin_function875467 ++Ref: gnutls_certificate_set_rawpk_key_file876120 ++Ref: gnutls_certificate_set_rawpk_key_mem879424 ++Ref: gnutls_certificate_set_retrieve_function882571 ++Ref: gnutls_certificate_set_verify_flags884701 ++Ref: gnutls_certificate_set_verify_function885194 ++Ref: gnutls_certificate_set_verify_limits886258 ++Ref: gnutls_certificate_set_x509_crl886939 ++Ref: gnutls_certificate_set_x509_crl_file887767 ++Ref: gnutls_certificate_set_x509_crl_mem888548 ++Ref: gnutls_certificate_set_x509_key889325 ++Ref: gnutls_certificate_set_x509_key_file890993 ++Ref: gnutls_certificate_set_x509_key_file2893229 ++Ref: gnutls_certificate_set_x509_key_mem895763 ++Ref: gnutls_certificate_set_x509_key_mem2897411 ++Ref: gnutls_certificate_set_x509_simple_pkcs12_file899224 ++Ref: gnutls_certificate_set_x509_simple_pkcs12_mem901354 ++Ref: gnutls_certificate_set_x509_system_trust903454 ++Ref: gnutls_certificate_set_x509_trust904024 ++Ref: gnutls_certificate_set_x509_trust_dir905004 ++Ref: gnutls_certificate_set_x509_trust_file905742 ++Ref: gnutls_certificate_set_x509_trust_mem906918 ++Ref: gnutls_certificate_type_get907861 ++Ref: gnutls_certificate_type_get2908708 ++Ref: gnutls_certificate_type_get_id910093 ++Ref: gnutls_certificate_type_get_name910490 ++Ref: gnutls_certificate_type_list910873 ++Ref: gnutls_certificate_verification_status_print911227 ++Ref: gnutls_certificate_verify_peers911985 ++Ref: gnutls_certificate_verify_peers2914781 ++Ref: gnutls_certificate_verify_peers3916696 ++Ref: gnutls_check_version919006 ++Ref: gnutls_cipher_get919748 ++Ref: gnutls_cipher_get_id920053 ++Ref: 
gnutls_cipher_get_key_size920435 ++Ref: gnutls_cipher_get_name920799 ++Ref: gnutls_cipher_list921146 ++Ref: gnutls_cipher_suite_get_name921706 ++Ref: gnutls_cipher_suite_info922574 ++Ref: gnutls_credentials_clear923757 ++Ref: gnutls_credentials_get923985 ++Ref: gnutls_credentials_set924940 ++Ref: gnutls_db_check_entry926304 ++Ref: gnutls_db_check_entry_expire_time926761 ++Ref: gnutls_db_check_entry_time927167 ++Ref: gnutls_db_get_default_cache_expiration927558 ++Ref: gnutls_db_get_ptr927753 ++Ref: gnutls_db_remove_session928065 ++Ref: gnutls_db_set_cache_expiration928602 ++Ref: gnutls_db_set_ptr929023 ++Ref: gnutls_db_set_remove_function929358 ++Ref: gnutls_db_set_retrieve_function929861 ++Ref: gnutls_db_set_store_function930547 ++Ref: gnutls_deinit931014 ++Ref: gnutls_dh_get_group931353 ++Ref: gnutls_dh_get_peers_public_bits932205 ++Ref: gnutls_dh_get_prime_bits932649 ++Ref: gnutls_dh_get_pubkey933289 ++Ref: gnutls_dh_get_secret_bits933987 ++Ref: gnutls_dh_params_cpy934419 ++Ref: gnutls_dh_params_deinit934927 ++Ref: gnutls_dh_params_export2_pkcs3935168 ++Ref: gnutls_dh_params_export_pkcs3935989 ++Ref: gnutls_dh_params_export_raw937008 ++Ref: gnutls_dh_params_generate2937761 ++Ref: gnutls_dh_params_import_dsa939015 ++Ref: gnutls_dh_params_import_pkcs3939492 ++Ref: gnutls_dh_params_import_raw940231 ++Ref: gnutls_dh_params_import_raw2940861 ++Ref: gnutls_dh_params_import_raw3941575 ++Ref: gnutls_dh_params_init942275 ++Ref: gnutls_dh_set_prime_bits942606 ++Ref: gnutls_digest_get_id943709 ++Ref: gnutls_digest_get_name944135 ++Ref: gnutls_digest_get_oid944481 ++Ref: gnutls_digest_list944872 ++Ref: gnutls_digest_mark_insecure945251 ++Ref: gnutls_digest_mark_secure945570 ++Ref: gnutls_early_cipher_get945923 ++Ref: gnutls_early_prf_hash_get946296 ++Ref: gnutls_ecc_curve_get946714 ++Ref: gnutls_ecc_curve_get_id947115 ++Ref: gnutls_ecc_curve_get_name947496 ++Ref: gnutls_ecc_curve_get_oid947830 ++Ref: gnutls_ecc_curve_get_pk948175 ++Ref: gnutls_ecc_curve_get_size948479 ++Ref: 
gnutls_ecc_curve_list948708 ++Ref: gnutls_ecc_curve_mark_disabled949049 ++Ref: gnutls_ecc_curve_mark_enabled949506 ++Ref: gnutls_error_is_fatal949986 ++Ref: gnutls_error_to_alert950788 ++Ref: gnutls_est_record_overhead_size951520 ++Ref: gnutls_ext_get_current_msg952428 ++Ref: gnutls_ext_get_data953119 ++Ref: gnutls_ext_get_name953634 ++Ref: gnutls_ext_get_name2953952 ++Ref: gnutls_ext_raw_parse954462 ++Ref: gnutls_ext_register955612 ++Ref: gnutls_ext_set_data957247 ++Ref: gnutls_fingerprint957758 ++Ref: gnutls_fips140_mode_enabled958764 ++Ref: gnutls_fips140_set_mode959318 ++Ref: gnutls_get_system_config_file960371 ++Ref: gnutls_global_deinit960747 ++Ref: gnutls_global_init961197 ++Ref: gnutls_global_set_audit_log_function962472 ++Ref: gnutls_global_set_log_function963179 ++Ref: gnutls_global_set_log_level963687 ++Ref: gnutls_global_set_mutex964175 ++Ref: gnutls_global_set_time_function965277 ++Ref: gnutls_gost_paramset_get_name965714 ++Ref: gnutls_gost_paramset_get_oid966090 ++Ref: gnutls_group_get966467 ++Ref: gnutls_group_get_id966837 ++Ref: gnutls_group_get_name967184 ++Ref: gnutls_group_list967504 ++Ref: gnutls_handshake967826 ++Ref: gnutls_handshake_description_get_name969931 ++Ref: gnutls_handshake_get_last_in970319 ++Ref: gnutls_handshake_get_last_out970944 ++Ref: gnutls_handshake_set_hook_function971576 ++Ref: gnutls_handshake_set_max_packet_length972968 ++Ref: gnutls_handshake_set_post_client_hello_function973753 ++Ref: gnutls_handshake_set_private_extensions975079 ++Ref: gnutls_handshake_set_random975758 ++Ref: gnutls_handshake_set_read_function976478 ++Ref: gnutls_handshake_set_secret_function976879 ++Ref: gnutls_handshake_set_timeout977258 ++Ref: gnutls_handshake_write977948 ++Ref: gnutls_heartbeat_allowed978649 ++Ref: gnutls_heartbeat_enable979123 ++Ref: gnutls_heartbeat_get_timeout979961 ++Ref: gnutls_heartbeat_ping980500 ++Ref: gnutls_heartbeat_pong981632 ++Ref: gnutls_heartbeat_set_timeouts982039 ++Ref: gnutls_hex2bin982810 ++Ref: 
gnutls_hex_decode983529 ++Ref: gnutls_hex_decode2984255 ++Ref: gnutls_hex_encode984684 ++Ref: gnutls_hex_encode2985281 ++Ref: gnutls_idna_map985796 ++Ref: gnutls_idna_reverse_map986926 ++Ref: gnutls_init987691 ++Ref: gnutls_key_generate988519 ++Ref: gnutls_kx_get988936 ++Ref: gnutls_kx_get_id989522 ++Ref: gnutls_kx_get_name989866 ++Ref: gnutls_kx_list990211 ++Ref: gnutls_load_file990539 ++Ref: gnutls_mac_get991311 ++Ref: gnutls_mac_get_id991616 ++Ref: gnutls_mac_get_key_size992029 ++Ref: gnutls_mac_get_name992366 ++Ref: gnutls_mac_list992685 ++Ref: gnutls_memcmp993073 ++Ref: gnutls_memset993633 ++Ref: gnutls_ocsp_status_request_enable_client994027 ++Ref: gnutls_ocsp_status_request_get995038 ++Ref: gnutls_ocsp_status_request_get2995700 ++Ref: gnutls_ocsp_status_request_is_checked996695 ++Ref: gnutls_oid_to_digest998083 ++Ref: gnutls_oid_to_ecc_curve998492 ++Ref: gnutls_oid_to_gost_paramset998818 ++Ref: gnutls_oid_to_mac999229 ++Ref: gnutls_oid_to_pk999642 ++Ref: gnutls_oid_to_sign1000014 ++Ref: gnutls_openpgp_send_cert1000418 ++Ref: gnutls_packet_deinit1000720 ++Ref: gnutls_packet_get1000994 ++Ref: gnutls_pem_base64_decode1001499 ++Ref: gnutls_pem_base64_decode21002354 ++Ref: gnutls_pem_base64_encode1003349 ++Ref: gnutls_pem_base64_encode21004178 ++Ref: gnutls_perror1005114 ++Ref: gnutls_pk_algorithm_get_name1005410 ++Ref: gnutls_pk_bits_to_sec_param1005766 ++Ref: gnutls_pk_get_id1006240 ++Ref: gnutls_pk_get_name1006758 ++Ref: gnutls_pk_get_oid1007126 ++Ref: gnutls_pk_list1007525 ++Ref: gnutls_pk_to_sign1007858 ++Ref: gnutls_prf1008269 ++Ref: gnutls_prf_early1010264 ++Ref: gnutls_prf_hash_get1011919 ++Ref: gnutls_prf_raw1012451 ++Ref: gnutls_prf_rfc57051014335 ++Ref: gnutls_priority_certificate_type_list1016012 ++Ref: gnutls_priority_certificate_type_list21016708 ++Ref: gnutls_priority_cipher_list1017324 ++Ref: gnutls_priority_deinit1017711 ++Ref: gnutls_priority_ecc_curve_list1017954 ++Ref: gnutls_priority_get_cipher_suite_index1018486 ++Ref: 
gnutls_priority_group_list1019402 ++Ref: gnutls_priority_init1019783 ++Ref: gnutls_priority_init21020863 ++Ref: gnutls_priority_kx_list1025237 ++Ref: gnutls_priority_mac_list1025642 ++Ref: gnutls_priority_protocol_list1026047 ++Ref: gnutls_priority_set1026449 ++Ref: gnutls_priority_set_direct1027104 ++Ref: gnutls_priority_sign_list1028037 ++Ref: gnutls_priority_string_list1028453 ++Ref: gnutls_protocol_get_id1029085 ++Ref: gnutls_protocol_get_name1029401 ++Ref: gnutls_protocol_get_version1029760 ++Ref: gnutls_protocol_list1030058 ++Ref: gnutls_protocol_mark_disabled1030410 ++Ref: gnutls_protocol_mark_enabled1030727 ++Ref: gnutls_psk_allocate_client_credentials1031103 ++Ref: gnutls_psk_allocate_server_credentials1031523 ++Ref: gnutls_psk_client_get_hint1031919 ++Ref: gnutls_psk_free_client_credentials1032546 ++Ref: gnutls_psk_free_server_credentials1032829 ++Ref: gnutls_psk_server_get_username1033104 ++Ref: gnutls_psk_server_get_username21033811 ++Ref: gnutls_psk_set_client_credentials1034505 ++Ref: gnutls_psk_set_client_credentials21035528 ++Ref: gnutls_psk_set_client_credentials_function1036308 ++Ref: gnutls_psk_set_client_credentials_function21037311 ++Ref: gnutls_psk_set_params_function1038468 ++Ref: gnutls_psk_set_server_credentials_file1039148 ++Ref: gnutls_psk_set_server_credentials_function1040009 ++Ref: gnutls_psk_set_server_credentials_function21040963 ++Ref: gnutls_psk_set_server_credentials_hint1042086 ++Ref: gnutls_psk_set_server_dh_params1042710 ++Ref: gnutls_psk_set_server_known_dh_params1043395 ++Ref: gnutls_psk_set_server_params_function1044292 ++Ref: gnutls_random_art1044933 ++Ref: gnutls_range_split1045795 ++Ref: gnutls_reauth1046877 ++Ref: gnutls_record_can_use_length_hiding1048979 ++Ref: gnutls_record_check_corked1049730 ++Ref: gnutls_record_check_pending1050113 ++Ref: gnutls_record_cork1050524 ++Ref: gnutls_record_disable_padding1050938 ++Ref: gnutls_record_discard_queued1051546 ++Ref: gnutls_record_get_direction1052163 ++Ref: 
gnutls_record_get_max_early_data_size1053144 ++Ref: gnutls_record_get_max_size1053696 ++Ref: gnutls_record_get_state1054063 ++Ref: gnutls_record_overhead_size1055085 ++Ref: gnutls_record_recv1055472 ++Ref: gnutls_record_recv_early_data1056922 ++Ref: gnutls_record_recv_packet1057984 ++Ref: gnutls_record_recv_seq1058863 ++Ref: gnutls_record_send1059849 ++Ref: gnutls_record_send21061907 ++Ref: gnutls_record_send_early_data1063059 ++Ref: gnutls_record_send_range1064115 ++Ref: gnutls_record_set_max_early_data_size1065294 ++Ref: gnutls_record_set_max_recv_size1065940 ++Ref: gnutls_record_set_max_size1066644 ++Ref: gnutls_record_set_state1067823 ++Ref: gnutls_record_set_timeout1068481 ++Ref: gnutls_record_uncork1069082 ++Ref: gnutls_rehandshake1070022 ++Ref: gnutls_safe_renegotiation_status1071804 ++Ref: gnutls_sec_param_get_name1072219 ++Ref: gnutls_sec_param_to_pk_bits1072593 ++Ref: gnutls_sec_param_to_symmetric_bits1073263 ++Ref: gnutls_server_name_get1073647 ++Ref: gnutls_server_name_set1075119 ++Ref: gnutls_session_channel_binding1076277 ++Ref: gnutls_session_enable_compatibility_mode1076995 ++Ref: gnutls_session_etm_status1077702 ++Ref: gnutls_session_ext_master_secret_status1078105 ++Ref: gnutls_session_ext_register1078596 ++Ref: gnutls_session_force_valid1080858 ++Ref: gnutls_session_get_data1081279 ++Ref: gnutls_session_get_data21081939 ++Ref: gnutls_session_get_desc1084212 ++Ref: gnutls_session_get_flags1084734 ++Ref: gnutls_session_get_id1085272 ++Ref: gnutls_session_get_id21086795 ++Ref: gnutls_session_get_keylog_function1088265 ++Ref: gnutls_session_get_master_secret1088672 ++Ref: gnutls_session_get_ptr1089156 ++Ref: gnutls_session_get_random1089551 ++Ref: gnutls_session_get_verify_cert_status1090172 ++Ref: gnutls_session_is_resumed1090845 ++Ref: gnutls_session_key_update1091215 ++Ref: gnutls_session_resumption_requested1092163 ++Ref: gnutls_session_set_data1092545 ++Ref: gnutls_session_set_id1093386 ++Ref: gnutls_session_set_keylog_function1094061 ++Ref: 
gnutls_session_set_premaster1094460 ++Ref: gnutls_session_set_ptr1095555 ++Ref: gnutls_session_set_verify_cert1095955 ++Ref: gnutls_session_set_verify_cert21097299 ++Ref: gnutls_session_set_verify_function1098483 ++Ref: gnutls_session_supplemental_register1099595 ++Ref: gnutls_session_ticket_enable_client1100853 ++Ref: gnutls_session_ticket_enable_server1101346 ++Ref: gnutls_session_ticket_key_generate1102140 ++Ref: gnutls_session_ticket_send1102568 ++Ref: gnutls_set_default_priority1103152 ++Ref: gnutls_set_default_priority_append1104237 ++Ref: gnutls_sign_algorithm_get1105579 ++Ref: gnutls_sign_algorithm_get_client1106022 ++Ref: gnutls_sign_algorithm_get_requested1106489 ++Ref: gnutls_sign_get_hash_algorithm1107516 ++Ref: gnutls_sign_get_id1107928 ++Ref: gnutls_sign_get_name1108291 ++Ref: gnutls_sign_get_oid1108623 ++Ref: gnutls_sign_get_pk_algorithm1109009 ++Ref: gnutls_sign_is_secure1109616 ++Ref: gnutls_sign_is_secure21109886 ++Ref: gnutls_sign_list1110222 ++Ref: gnutls_sign_mark_insecure1110566 ++Ref: gnutls_sign_mark_secure1111163 ++Ref: gnutls_sign_supports_pk_algorithm1111948 ++Ref: gnutls_srp_allocate_client_credentials1112532 ++Ref: gnutls_srp_allocate_server_credentials1112933 ++Ref: gnutls_srp_base64_decode1113306 ++Ref: gnutls_srp_base64_decode21114011 ++Ref: gnutls_srp_base64_encode1114679 ++Ref: gnutls_srp_base64_encode21115480 ++Ref: gnutls_srp_free_client_credentials1116211 ++Ref: gnutls_srp_free_server_credentials1116494 ++Ref: gnutls_srp_server_get_username1116769 ++Ref: gnutls_srp_set_client_credentials1117223 ++Ref: gnutls_srp_set_client_credentials_function1118113 ++Ref: gnutls_srp_set_prime_bits1119360 ++Ref: gnutls_srp_set_server_credentials_file1120045 ++Ref: gnutls_srp_set_server_credentials_function1120771 ++Ref: gnutls_srp_set_server_fake_salt_seed1122486 ++Ref: gnutls_srp_verifier1123989 ++Ref: gnutls_srtp_get_keys1124917 ++Ref: gnutls_srtp_get_mki1126311 ++Ref: gnutls_srtp_get_profile_id1126880 ++Ref: 
gnutls_srtp_get_profile_name1127338 ++Ref: gnutls_srtp_get_selected_profile1127759 ++Ref: gnutls_srtp_set_mki1128203 ++Ref: gnutls_srtp_set_profile1128652 ++Ref: gnutls_srtp_set_profile_direct1129184 ++Ref: gnutls_store_commitment1129907 ++Ref: gnutls_store_pubkey1131206 ++Ref: gnutls_strerror1132993 ++Ref: gnutls_strerror_name1133478 ++Ref: gnutls_supplemental_get_name1133947 ++Ref: gnutls_supplemental_recv1134369 ++Ref: gnutls_supplemental_register1134839 ++Ref: gnutls_supplemental_send1135951 ++Ref: gnutls_system_recv_timeout1136396 ++Ref: gnutls_tdb_deinit1137138 ++Ref: gnutls_tdb_init1137353 ++Ref: gnutls_tdb_set_store_commitment_func1137712 ++Ref: gnutls_tdb_set_store_func1138393 ++Ref: gnutls_tdb_set_verify_func1138982 ++Ref: gnutls_transport_get_int1139726 ++Ref: gnutls_transport_get_int21140134 ++Ref: gnutls_transport_get_ptr1140637 ++Ref: gnutls_transport_get_ptr21141053 ++Ref: gnutls_transport_set_errno1141587 ++Ref: gnutls_transport_set_errno_function1142574 ++Ref: gnutls_transport_set_int1143111 ++Ref: gnutls_transport_set_int21143665 ++Ref: gnutls_transport_set_ptr1144394 ++Ref: gnutls_transport_set_ptr21144807 ++Ref: gnutls_transport_set_pull_function1145451 ++Ref: gnutls_transport_set_pull_timeout_function1146231 ++Ref: gnutls_transport_set_push_function1147934 ++Ref: gnutls_transport_set_vec_push_function1148779 ++Ref: gnutls_url_is_supported1149475 ++Ref: gnutls_utf8_password_normalize1149895 ++Ref: gnutls_verify_stored_pubkey1150684 ++Node: Datagram TLS API1153831 ++Ref: gnutls_dtls_cookie_send1154107 ++Ref: gnutls_dtls_cookie_verify1155362 ++Ref: gnutls_dtls_get_data_mtu1156306 ++Ref: gnutls_dtls_get_mtu1156749 ++Ref: gnutls_dtls_get_timeout1157192 ++Ref: gnutls_dtls_prestate_set1157735 ++Ref: gnutls_dtls_set_data_mtu1158319 ++Ref: gnutls_dtls_set_mtu1159293 ++Ref: gnutls_dtls_set_timeouts1159900 ++Ref: gnutls_record_get_discarded1160904 ++Node: X509 certificate API1161178 ++Ref: gnutls_certificate_get_trust_list1161527 ++Ref: 
gnutls_certificate_set_trust_list1162175 ++Ref: gnutls_certificate_verification_profile_get_id1162950 ++Ref: gnutls_certificate_verification_profile_get_name1163497 ++Ref: gnutls_pkcs8_info1163880 ++Ref: gnutls_pkcs_schema_get_name1165398 ++Ref: gnutls_pkcs_schema_get_oid1165803 ++Ref: gnutls_session_set_verify_output_function1166230 ++Ref: gnutls_subject_alt_names_deinit1167387 ++Ref: gnutls_subject_alt_names_get1167666 ++Ref: gnutls_subject_alt_names_init1168676 ++Ref: gnutls_subject_alt_names_set1169056 ++Ref: gnutls_x509_aia_deinit1169875 ++Ref: gnutls_x509_aia_get1170109 ++Ref: gnutls_x509_aia_init1171268 ++Ref: gnutls_x509_aia_set1171603 ++Ref: gnutls_x509_aki_deinit1172398 ++Ref: gnutls_x509_aki_get_cert_issuer1172662 ++Ref: gnutls_x509_aki_get_id1173728 ++Ref: gnutls_x509_aki_init1174267 ++Ref: gnutls_x509_aki_set_cert_issuer1174616 ++Ref: gnutls_x509_aki_set_id1175731 ++Ref: gnutls_x509_cidr_to_rfc52801176160 ++Ref: gnutls_x509_crl_check_issuer1177058 ++Ref: gnutls_x509_crl_deinit1177506 ++Ref: gnutls_x509_crl_dist_points_deinit1177738 ++Ref: gnutls_x509_crl_dist_points_get1178033 ++Ref: gnutls_x509_crl_dist_points_init1179007 ++Ref: gnutls_x509_crl_dist_points_set1179403 ++Ref: gnutls_x509_crl_export1180106 ++Ref: gnutls_x509_crl_export21180989 ++Ref: gnutls_x509_crl_get_authority_key_gn_serial1181709 ++Ref: gnutls_x509_crl_get_authority_key_id1183023 ++Ref: gnutls_x509_crl_get_crt_count1184086 ++Ref: gnutls_x509_crl_get_crt_serial1184444 ++Ref: gnutls_x509_crl_get_dn_oid1185348 ++Ref: gnutls_x509_crl_get_extension_data1186154 ++Ref: gnutls_x509_crl_get_extension_data21187271 ++Ref: gnutls_x509_crl_get_extension_info1188150 ++Ref: gnutls_x509_crl_get_extension_oid1189414 ++Ref: gnutls_x509_crl_get_issuer_dn1190266 ++Ref: gnutls_x509_crl_get_issuer_dn21191267 ++Ref: gnutls_x509_crl_get_issuer_dn31192101 ++Ref: gnutls_x509_crl_get_issuer_dn_by_oid1193079 ++Ref: gnutls_x509_crl_get_next_update1194590 ++Ref: gnutls_x509_crl_get_number1195024 ++Ref: 
gnutls_x509_crl_get_raw_issuer_dn1195749 ++Ref: gnutls_x509_crl_get_signature1196203 ++Ref: gnutls_x509_crl_get_signature_algorithm1196750 ++Ref: gnutls_x509_crl_get_signature_oid1197312 ++Ref: gnutls_x509_crl_get_this_update1197973 ++Ref: gnutls_x509_crl_get_version1198298 ++Ref: gnutls_x509_crl_import1198606 ++Ref: gnutls_x509_crl_init1199230 ++Ref: gnutls_x509_crl_iter_crt_serial1199819 ++Ref: gnutls_x509_crl_iter_deinit1200965 ++Ref: gnutls_x509_crl_list_import1201210 ++Ref: gnutls_x509_crl_list_import21202212 ++Ref: gnutls_x509_crl_print1203078 ++Ref: gnutls_x509_crl_set_authority_key_id1203727 ++Ref: gnutls_x509_crl_set_crt1204380 ++Ref: gnutls_x509_crl_set_crt_serial1204953 ++Ref: gnutls_x509_crl_set_next_update1205585 ++Ref: gnutls_x509_crl_set_number1206202 ++Ref: gnutls_x509_crl_set_this_update1206779 ++Ref: gnutls_x509_crl_set_version1207183 ++Ref: gnutls_x509_crl_sign1207726 ++Ref: gnutls_x509_crl_sign21208419 ++Ref: gnutls_x509_crl_verify1209655 ++Ref: gnutls_x509_crq_deinit1210899 ++Ref: gnutls_x509_crq_export1211137 ++Ref: gnutls_x509_crq_export21212134 ++Ref: gnutls_x509_crq_get_attribute_by_oid1212908 ++Ref: gnutls_x509_crq_get_attribute_data1213933 ++Ref: gnutls_x509_crq_get_attribute_info1215045 ++Ref: gnutls_x509_crq_get_basic_constraints1216242 ++Ref: gnutls_x509_crq_get_challenge_password1217495 ++Ref: gnutls_x509_crq_get_dn1218107 ++Ref: gnutls_x509_crq_get_dn21219056 ++Ref: gnutls_x509_crq_get_dn31219913 ++Ref: gnutls_x509_crq_get_dn_by_oid1220921 ++Ref: gnutls_x509_crq_get_dn_oid1222382 ++Ref: gnutls_x509_crq_get_extension_by_oid1223169 ++Ref: gnutls_x509_crq_get_extension_by_oid21224326 ++Ref: gnutls_x509_crq_get_extension_data1225408 ++Ref: gnutls_x509_crq_get_extension_data21226538 ++Ref: gnutls_x509_crq_get_extension_info1227417 ++Ref: gnutls_x509_crq_get_key_id1228678 ++Ref: gnutls_x509_crq_get_key_purpose_oid1229745 ++Ref: gnutls_x509_crq_get_key_rsa_raw1230760 ++Ref: gnutls_x509_crq_get_key_usage1231384 ++Ref: 
gnutls_x509_crq_get_pk_algorithm1232470 ++Ref: gnutls_x509_crq_get_pk_oid1233191 ++Ref: gnutls_x509_crq_get_private_key_usage_period1233848 ++Ref: gnutls_x509_crq_get_signature_algorithm1234563 ++Ref: gnutls_x509_crq_get_signature_oid1235202 ++Ref: gnutls_x509_crq_get_spki1235863 ++Ref: gnutls_x509_crq_get_subject_alt_name1236423 ++Ref: gnutls_x509_crq_get_subject_alt_othername_oid1237981 ++Ref: gnutls_x509_crq_get_tlsfeatures1239461 ++Ref: gnutls_x509_crq_get_version1240590 ++Ref: gnutls_x509_crq_import1240936 ++Ref: gnutls_x509_crq_init1241618 ++Ref: gnutls_x509_crq_print1241966 ++Ref: gnutls_x509_crq_set_attribute_by_oid1242622 ++Ref: gnutls_x509_crq_set_basic_constraints1243487 ++Ref: gnutls_x509_crq_set_challenge_password1244231 ++Ref: gnutls_x509_crq_set_dn1244682 ++Ref: gnutls_x509_crq_set_dn_by_oid1245300 ++Ref: gnutls_x509_crq_set_extension_by_oid1246430 ++Ref: gnutls_x509_crq_set_key1247209 ++Ref: gnutls_x509_crq_set_key_purpose_oid1247672 ++Ref: gnutls_x509_crq_set_key_rsa_raw1248452 ++Ref: gnutls_x509_crq_set_key_usage1249028 ++Ref: gnutls_x509_crq_set_private_key_usage_period1249532 ++Ref: gnutls_x509_crq_set_spki1250037 ++Ref: gnutls_x509_crq_set_subject_alt_name1250908 ++Ref: gnutls_x509_crq_set_subject_alt_othername1251734 ++Ref: gnutls_x509_crq_set_tlsfeatures1252572 ++Ref: gnutls_x509_crq_set_version1253122 ++Ref: gnutls_x509_crq_sign1253607 ++Ref: gnutls_x509_crq_sign21254378 ++Ref: gnutls_x509_crq_verify1255710 ++Ref: gnutls_x509_crt_check_email1256303 ++Ref: gnutls_x509_crt_check_hostname1256831 ++Ref: gnutls_x509_crt_check_hostname21257543 ++Ref: gnutls_x509_crt_check_ip1259294 ++Ref: gnutls_x509_crt_check_issuer1259908 ++Ref: gnutls_x509_crt_check_key_purpose1260646 ++Ref: gnutls_x509_crt_check_revocation1261340 ++Ref: gnutls_x509_crt_cpy_crl_dist_points1261989 ++Ref: gnutls_x509_crt_deinit1262578 ++Ref: gnutls_x509_crt_equals1262796 ++Ref: gnutls_x509_crt_equals21263178 ++Ref: gnutls_x509_crt_export1263602 ++Ref: 
gnutls_x509_crt_export21264513 ++Ref: gnutls_x509_crt_get_activation_time1265211 ++Ref: gnutls_x509_crt_get_authority_info_access1265589 ++Ref: gnutls_x509_crt_get_authority_key_gn_serial1269063 ++Ref: gnutls_x509_crt_get_authority_key_id1270504 ++Ref: gnutls_x509_crt_get_basic_constraints1271635 ++Ref: gnutls_x509_crt_get_ca_status1272849 ++Ref: gnutls_x509_crt_get_crl_dist_points1273848 ++Ref: gnutls_x509_crt_get_dn1275173 ++Ref: gnutls_x509_crt_get_dn21276368 ++Ref: gnutls_x509_crt_get_dn31277177 ++Ref: gnutls_x509_crt_get_dn_by_oid1278137 ++Ref: gnutls_x509_crt_get_dn_oid1279906 ++Ref: gnutls_x509_crt_get_expiration_time1280934 ++Ref: gnutls_x509_crt_get_extension_by_oid1281300 ++Ref: gnutls_x509_crt_get_extension_by_oid21282427 ++Ref: gnutls_x509_crt_get_extension_data1283500 ++Ref: gnutls_x509_crt_get_extension_data21284589 ++Ref: gnutls_x509_crt_get_extension_info1285454 ++Ref: gnutls_x509_crt_get_extension_oid1286866 ++Ref: gnutls_x509_crt_get_fingerprint1287829 ++Ref: gnutls_x509_crt_get_inhibit_anypolicy1288717 ++Ref: gnutls_x509_crt_get_issuer1289686 ++Ref: gnutls_x509_crt_get_issuer_alt_name1290324 ++Ref: gnutls_x509_crt_get_issuer_alt_name21292124 ++Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1293706 ++Ref: gnutls_x509_crt_get_issuer_dn1295355 ++Ref: gnutls_x509_crt_get_issuer_dn21296476 ++Ref: gnutls_x509_crt_get_issuer_dn31297323 ++Ref: gnutls_x509_crt_get_issuer_dn_by_oid1298314 ++Ref: gnutls_x509_crt_get_issuer_dn_oid1300101 ++Ref: gnutls_x509_crt_get_issuer_unique_id1301137 ++Ref: gnutls_x509_crt_get_key_id1302232 ++Ref: gnutls_x509_crt_get_key_purpose_oid1303255 ++Ref: gnutls_x509_crt_get_key_usage1304416 ++Ref: gnutls_x509_crt_get_name_constraints1305476 ++Ref: gnutls_x509_crt_get_pk_algorithm1306884 ++Ref: gnutls_x509_crt_get_pk_dsa_raw1307673 ++Ref: gnutls_x509_crt_get_pk_ecc_raw1308341 ++Ref: gnutls_x509_crt_get_pk_gost_raw1309154 ++Ref: gnutls_x509_crt_get_pk_oid1309998 ++Ref: gnutls_x509_crt_get_pk_rsa_raw1310624 ++Ref: 
gnutls_x509_crt_get_policy1311202 ++Ref: gnutls_x509_crt_get_private_key_usage_period1312148 ++Ref: gnutls_x509_crt_get_proxy1312900 ++Ref: gnutls_x509_crt_get_raw_dn1313921 ++Ref: gnutls_x509_crt_get_raw_issuer_dn1314514 ++Ref: gnutls_x509_crt_get_serial1315093 ++Ref: gnutls_x509_crt_get_signature1315833 ++Ref: gnutls_x509_crt_get_signature_algorithm1316388 ++Ref: gnutls_x509_crt_get_signature_oid1317001 ++Ref: gnutls_x509_crt_get_spki1317659 ++Ref: gnutls_x509_crt_get_subject1318145 ++Ref: gnutls_x509_crt_get_subject_alt_name1318788 ++Ref: gnutls_x509_crt_get_subject_alt_name21320547 ++Ref: gnutls_x509_crt_get_subject_alt_othername_oid1322112 ++Ref: gnutls_x509_crt_get_subject_key_id1323752 ++Ref: gnutls_x509_crt_get_subject_unique_id1324584 ++Ref: gnutls_x509_crt_get_tlsfeatures1325669 ++Ref: gnutls_x509_crt_get_version1326781 ++Ref: gnutls_x509_crt_import1327108 ++Ref: gnutls_x509_crt_import_url1327809 ++Ref: gnutls_x509_crt_init1328530 ++Ref: gnutls_x509_crt_list_import1328877 ++Ref: gnutls_x509_crt_list_import21330244 ++Ref: gnutls_x509_crt_list_import_url1331316 ++Ref: gnutls_x509_crt_list_verify1332540 ++Ref: gnutls_x509_crt_print1334120 ++Ref: gnutls_x509_crt_set_activation_time1335012 ++Ref: gnutls_x509_crt_set_authority_info_access1335479 ++Ref: gnutls_x509_crt_set_authority_key_id1336374 ++Ref: gnutls_x509_crt_set_basic_constraints1336956 ++Ref: gnutls_x509_crt_set_ca_status1337655 ++Ref: gnutls_x509_crt_set_crl_dist_points1338253 ++Ref: gnutls_x509_crt_set_crl_dist_points21338905 ++Ref: gnutls_x509_crt_set_crq1339604 ++Ref: gnutls_x509_crt_set_crq_extension_by_oid1340321 ++Ref: gnutls_x509_crt_set_crq_extensions1340957 ++Ref: gnutls_x509_crt_set_dn1341423 ++Ref: gnutls_x509_crt_set_dn_by_oid1342306 ++Ref: gnutls_x509_crt_set_expiration_time1343423 ++Ref: gnutls_x509_crt_set_extension_by_oid1343968 ++Ref: gnutls_x509_crt_set_flags1344743 ++Ref: gnutls_x509_crt_set_inhibit_anypolicy1345251 ++Ref: gnutls_x509_crt_set_issuer_alt_name1345761 ++Ref: 
gnutls_x509_crt_set_issuer_alt_othername1346783 ++Ref: gnutls_x509_crt_set_issuer_dn1347759 ++Ref: gnutls_x509_crt_set_issuer_dn_by_oid1348398 ++Ref: gnutls_x509_crt_set_issuer_unique_id1349677 ++Ref: gnutls_x509_crt_set_key1350182 ++Ref: gnutls_x509_crt_set_key_purpose_oid1350762 ++Ref: gnutls_x509_crt_set_key_usage1351530 ++Ref: gnutls_x509_crt_set_name_constraints1351989 ++Ref: gnutls_x509_crt_set_pin_function1352611 ++Ref: gnutls_x509_crt_set_policy1353279 ++Ref: gnutls_x509_crt_set_private_key_usage_period1354132 ++Ref: gnutls_x509_crt_set_proxy1354639 ++Ref: gnutls_x509_crt_set_proxy_dn1355453 ++Ref: gnutls_x509_crt_set_serial1356472 ++Ref: gnutls_x509_crt_set_spki1357532 ++Ref: gnutls_x509_crt_set_subject_alt_name1358387 ++Ref: gnutls_x509_crt_set_subject_alt_othername1359627 ++Ref: gnutls_x509_crt_set_subject_alternative_name1360635 ++Ref: gnutls_x509_crt_set_subject_key_id1361533 ++Ref: gnutls_x509_crt_set_subject_unique_id1362053 ++Ref: gnutls_x509_crt_set_tlsfeatures1362576 ++Ref: gnutls_x509_crt_set_version1363100 ++Ref: gnutls_x509_crt_sign1363923 ++Ref: gnutls_x509_crt_sign21364618 ++Ref: gnutls_x509_crt_verify1365851 ++Ref: gnutls_x509_crt_verify_data21366900 ++Ref: gnutls_x509_dn_deinit1367904 ++Ref: gnutls_x509_dn_export1368166 ++Ref: gnutls_x509_dn_export21369060 ++Ref: gnutls_x509_dn_get_rdn_ava1369721 ++Ref: gnutls_x509_dn_get_str1370753 ++Ref: gnutls_x509_dn_get_str21371349 ++Ref: gnutls_x509_dn_import1372211 ++Ref: gnutls_x509_dn_init1372827 ++Ref: gnutls_x509_dn_oid_known1373248 ++Ref: gnutls_x509_dn_oid_name1373917 ++Ref: gnutls_x509_dn_set_str1374446 ++Ref: gnutls_x509_ext_deinit1375045 ++Ref: gnutls_x509_ext_export_aia1375289 ++Ref: gnutls_x509_ext_export_authority_key_id1375883 ++Ref: gnutls_x509_ext_export_basic_constraints1376539 ++Ref: gnutls_x509_ext_export_crl_dist_points1377236 ++Ref: gnutls_x509_ext_export_inhibit_anypolicy1377904 ++Ref: gnutls_x509_ext_export_key_purposes1378572 ++Ref: gnutls_x509_ext_export_key_usage1379191 
++Ref: gnutls_x509_ext_export_name_constraints1379807 ++Ref: gnutls_x509_ext_export_policies1380448 ++Ref: gnutls_x509_ext_export_private_key_usage_period1381111 ++Ref: gnutls_x509_ext_export_proxy1381776 ++Ref: gnutls_x509_ext_export_subject_alt_names1382762 ++Ref: gnutls_x509_ext_export_subject_key_id1383411 ++Ref: gnutls_x509_ext_export_tlsfeatures1384033 ++Ref: gnutls_x509_ext_import_aia1384651 ++Ref: gnutls_x509_ext_import_authority_key_id1385356 ++Ref: gnutls_x509_ext_import_basic_constraints1386024 ++Ref: gnutls_x509_ext_import_crl_dist_points1386650 ++Ref: gnutls_x509_ext_import_inhibit_anypolicy1387278 ++Ref: gnutls_x509_ext_import_key_purposes1388193 ++Ref: gnutls_x509_ext_import_key_usage1388827 ++Ref: gnutls_x509_ext_import_name_constraints1389843 ++Ref: gnutls_x509_ext_import_policies1391181 ++Ref: gnutls_x509_ext_import_private_key_usage_period1391788 ++Ref: gnutls_x509_ext_import_proxy1392403 ++Ref: gnutls_x509_ext_import_subject_alt_names1393489 ++Ref: gnutls_x509_ext_import_subject_key_id1394247 ++Ref: gnutls_x509_ext_import_tlsfeatures1394882 ++Ref: gnutls_x509_ext_print1395774 ++Ref: gnutls_x509_key_purpose_deinit1396485 ++Ref: gnutls_x509_key_purpose_get1396739 ++Ref: gnutls_x509_key_purpose_init1397467 ++Ref: gnutls_x509_key_purpose_set1397828 ++Ref: gnutls_x509_name_constraints_add_excluded1398283 ++Ref: gnutls_x509_name_constraints_add_permitted1399224 ++Ref: gnutls_x509_name_constraints_check1400099 ++Ref: gnutls_x509_name_constraints_check_crt1400936 ++Ref: gnutls_x509_name_constraints_deinit1401806 ++Ref: gnutls_x509_name_constraints_get_excluded1402106 ++Ref: gnutls_x509_name_constraints_get_permitted1403177 ++Ref: gnutls_x509_name_constraints_init1404231 ++Ref: gnutls_x509_othername_to_virtual1404614 ++Ref: gnutls_x509_policies_deinit1405233 ++Ref: gnutls_x509_policies_get1405513 ++Ref: gnutls_x509_policies_init1406299 ++Ref: gnutls_x509_policies_set1406664 ++Ref: gnutls_x509_policy_release1407131 ++Ref: gnutls_x509_privkey_cpy1407495 
++Ref: gnutls_x509_privkey_deinit1407965 ++Ref: gnutls_x509_privkey_export1408206 ++Ref: gnutls_x509_privkey_export21409241 ++Ref: gnutls_x509_privkey_export2_pkcs81410119 ++Ref: gnutls_x509_privkey_export_dsa_raw1411395 ++Ref: gnutls_x509_privkey_export_ecc_raw1412135 ++Ref: gnutls_x509_privkey_export_gost_raw1413018 ++Ref: gnutls_x509_privkey_export_pkcs81414103 ++Ref: gnutls_x509_privkey_export_rsa_raw1415608 ++Ref: gnutls_x509_privkey_export_rsa_raw21416469 ++Ref: gnutls_x509_privkey_fix1417455 ++Ref: gnutls_x509_privkey_generate1417840 ++Ref: gnutls_x509_privkey_generate21419365 ++Ref: gnutls_x509_privkey_get_key_id1421524 ++Ref: gnutls_x509_privkey_get_pk_algorithm1422543 ++Ref: gnutls_x509_privkey_get_pk_algorithm21422971 ++Ref: gnutls_x509_privkey_get_seed1423462 ++Ref: gnutls_x509_privkey_get_spki1424286 ++Ref: gnutls_x509_privkey_import1424821 ++Ref: gnutls_x509_privkey_import21425616 ++Ref: gnutls_x509_privkey_import_dsa_raw1426689 ++Ref: gnutls_x509_privkey_import_ecc_raw1427421 ++Ref: gnutls_x509_privkey_import_gost_raw1428237 ++Ref: gnutls_x509_privkey_import_openssl1429513 ++Ref: gnutls_x509_privkey_import_pkcs81430387 ++Ref: gnutls_x509_privkey_import_rsa_raw1431834 ++Ref: gnutls_x509_privkey_import_rsa_raw21432688 ++Ref: gnutls_x509_privkey_init1433684 ++Ref: gnutls_x509_privkey_sec_param1434029 ++Ref: gnutls_x509_privkey_set_flags1434448 ++Ref: gnutls_x509_privkey_set_pin_function1434998 ++Ref: gnutls_x509_privkey_set_spki1435616 ++Ref: gnutls_x509_privkey_sign_data1436163 ++Ref: gnutls_x509_privkey_verify_params1437384 ++Ref: gnutls_x509_privkey_verify_seed1437720 ++Ref: gnutls_x509_rdn_get1438549 ++Ref: gnutls_x509_rdn_get21439367 ++Ref: gnutls_x509_rdn_get_by_oid1440275 ++Ref: gnutls_x509_rdn_get_oid1441257 ++Ref: gnutls_x509_spki_deinit1442002 ++Ref: gnutls_x509_spki_get_rsa_pss_params1442284 ++Ref: gnutls_x509_spki_init1442845 ++Ref: gnutls_x509_spki_set_rsa_pss_params1443361 ++Ref: gnutls_x509_tlsfeatures_add1443874 ++Ref: 
gnutls_x509_tlsfeatures_check_crt1444330 ++Ref: gnutls_x509_tlsfeatures_deinit1444930 ++Ref: gnutls_x509_tlsfeatures_get1445208 ++Ref: gnutls_x509_tlsfeatures_init1445768 ++Ref: gnutls_x509_trust_list_add_cas1446153 ++Ref: gnutls_x509_trust_list_add_crls1447338 ++Ref: gnutls_x509_trust_list_add_named_crt1448716 ++Ref: gnutls_x509_trust_list_add_system_trust1449931 ++Ref: gnutls_x509_trust_list_add_trust_dir1450693 ++Ref: gnutls_x509_trust_list_add_trust_file1451556 ++Ref: gnutls_x509_trust_list_add_trust_mem1452703 ++Ref: gnutls_x509_trust_list_deinit1453622 ++Ref: gnutls_x509_trust_list_get_issuer1454248 ++Ref: gnutls_x509_trust_list_get_issuer_by_dn1455298 ++Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1456027 ++Ref: gnutls_x509_trust_list_get_ptr1456835 ++Ref: gnutls_x509_trust_list_init1457348 ++Ref: gnutls_x509_trust_list_iter_deinit1457853 ++Ref: gnutls_x509_trust_list_iter_get_ca1458162 ++Ref: gnutls_x509_trust_list_remove_cas1459342 ++Ref: gnutls_x509_trust_list_remove_trust_file1460197 ++Ref: gnutls_x509_trust_list_remove_trust_mem1460898 ++Ref: gnutls_x509_trust_list_set_getissuer_function1461556 ++Ref: gnutls_x509_trust_list_set_ptr1463189 ++Ref: gnutls_x509_trust_list_verify_crt1463727 ++Ref: gnutls_x509_trust_list_verify_crt21464890 ++Ref: gnutls_x509_trust_list_verify_named_crt1467824 ++Node: PKCS 7 API1470552 ++Ref: gnutls_pkcs7_add_attr1470848 ++Ref: gnutls_pkcs7_attrs_deinit1471654 ++Ref: gnutls_pkcs7_deinit1471889 ++Ref: gnutls_pkcs7_delete_crl1472094 ++Ref: gnutls_pkcs7_delete_crt1472523 ++Ref: gnutls_pkcs7_export1472969 ++Ref: gnutls_pkcs7_export21473869 ++Ref: gnutls_pkcs7_get_attr1474530 ++Ref: gnutls_pkcs7_get_crl_count1475417 ++Ref: gnutls_pkcs7_get_crl_raw1475765 ++Ref: gnutls_pkcs7_get_crl_raw21476540 ++Ref: gnutls_pkcs7_get_crt_count1477171 ++Ref: gnutls_pkcs7_get_crt_raw1477546 ++Ref: gnutls_pkcs7_get_crt_raw21478446 ++Ref: gnutls_pkcs7_get_embedded_data1479300 ++Ref: gnutls_pkcs7_get_embedded_data_oid1480300 ++Ref: 
gnutls_pkcs7_get_signature_count1480860 ++Ref: gnutls_pkcs7_get_signature_info1481267 ++Ref: gnutls_pkcs7_import1481940 ++Ref: gnutls_pkcs7_init1482561 ++Ref: gnutls_pkcs7_print1482985 ++Ref: gnutls_pkcs7_print_signature_info1483730 ++Ref: gnutls_pkcs7_set_crl1484535 ++Ref: gnutls_pkcs7_set_crl_raw1484936 ++Ref: gnutls_pkcs7_set_crt1485326 ++Ref: gnutls_pkcs7_set_crt_raw1485810 ++Ref: gnutls_pkcs7_sign1486223 ++Ref: gnutls_pkcs7_signature_info_deinit1487662 ++Ref: gnutls_pkcs7_verify1488015 ++Ref: gnutls_pkcs7_verify_direct1489180 ++Node: OCSP API1490640 ++Ref: gnutls_ocsp_req_add_cert1490924 ++Ref: gnutls_ocsp_req_add_cert_id1491884 ++Ref: gnutls_ocsp_req_deinit1493204 ++Ref: gnutls_ocsp_req_export1493421 ++Ref: gnutls_ocsp_req_get_cert_id1493846 ++Ref: gnutls_ocsp_req_get_extension1495438 ++Ref: gnutls_ocsp_req_get_nonce1496854 ++Ref: gnutls_ocsp_req_get_version1497508 ++Ref: gnutls_ocsp_req_import1497895 ++Ref: gnutls_ocsp_req_init1498391 ++Ref: gnutls_ocsp_req_print1498719 ++Ref: gnutls_ocsp_req_randomize_nonce1499455 ++Ref: gnutls_ocsp_req_set_extension1499888 ++Ref: gnutls_ocsp_req_set_nonce1500572 ++Ref: gnutls_ocsp_resp_check_crt1501159 ++Ref: gnutls_ocsp_resp_deinit1501743 ++Ref: gnutls_ocsp_resp_export1501967 ++Ref: gnutls_ocsp_resp_export21502393 ++Ref: gnutls_ocsp_resp_get_certs1502913 ++Ref: gnutls_ocsp_resp_get_extension1504038 ++Ref: gnutls_ocsp_resp_get_nonce1505462 ++Ref: gnutls_ocsp_resp_get_produced1506128 ++Ref: gnutls_ocsp_resp_get_responder1506475 ++Ref: gnutls_ocsp_resp_get_responder21507580 ++Ref: gnutls_ocsp_resp_get_responder_raw_id1508843 ++Ref: gnutls_ocsp_resp_get_response1509674 ++Ref: gnutls_ocsp_resp_get_signature1510900 ++Ref: gnutls_ocsp_resp_get_signature_algorithm1511389 ++Ref: gnutls_ocsp_resp_get_single1511867 ++Ref: gnutls_ocsp_resp_get_status1513809 ++Ref: gnutls_ocsp_resp_get_version1514238 ++Ref: gnutls_ocsp_resp_import1514646 ++Ref: gnutls_ocsp_resp_import21515214 ++Ref: gnutls_ocsp_resp_init1515842 ++Ref: 
gnutls_ocsp_resp_list_import21516191 ++Ref: gnutls_ocsp_resp_print1517382 ++Ref: gnutls_ocsp_resp_verify1518108 ++Ref: gnutls_ocsp_resp_verify_direct1519725 ++Node: PKCS 12 API1522158 ++Ref: gnutls_pkcs12_bag_decrypt1522448 ++Ref: gnutls_pkcs12_bag_deinit1522880 ++Ref: gnutls_pkcs12_bag_enc_info1523118 ++Ref: gnutls_pkcs12_bag_encrypt1524491 ++Ref: gnutls_pkcs12_bag_get_count1524996 ++Ref: gnutls_pkcs12_bag_get_data1525307 ++Ref: gnutls_pkcs12_bag_get_friendly_name1525913 ++Ref: gnutls_pkcs12_bag_get_key_id1526550 ++Ref: gnutls_pkcs12_bag_get_type1527169 ++Ref: gnutls_pkcs12_bag_init1527539 ++Ref: gnutls_pkcs12_bag_set_crl1527997 ++Ref: gnutls_pkcs12_bag_set_crt1528430 ++Ref: gnutls_pkcs12_bag_set_data1528876 ++Ref: gnutls_pkcs12_bag_set_friendly_name1529347 ++Ref: gnutls_pkcs12_bag_set_key_id1530031 ++Ref: gnutls_pkcs12_bag_set_privkey1530705 ++Ref: gnutls_pkcs12_deinit1531361 ++Ref: gnutls_pkcs12_export1531563 ++Ref: gnutls_pkcs12_export21532470 ++Ref: gnutls_pkcs12_generate_mac1533146 ++Ref: gnutls_pkcs12_generate_mac21533537 ++Ref: gnutls_pkcs12_get_bag1533981 ++Ref: gnutls_pkcs12_import1534567 ++Ref: gnutls_pkcs12_init1535288 ++Ref: gnutls_pkcs12_mac_info1535721 ++Ref: gnutls_pkcs12_set_bag1537030 ++Ref: gnutls_pkcs12_simple_parse1537436 ++Ref: gnutls_pkcs12_verify_mac1540117 ++Node: PKCS 11 API1540473 ++Ref: gnutls_pkcs11_add_provider1540802 ++Ref: gnutls_pkcs11_copy_attached_extension1541547 ++Ref: gnutls_pkcs11_copy_pubkey1542406 ++Ref: gnutls_pkcs11_copy_secret_key1543439 ++Ref: gnutls_pkcs11_copy_x509_crt1544164 ++Ref: gnutls_pkcs11_copy_x509_crt21544812 ++Ref: gnutls_pkcs11_copy_x509_privkey1545780 ++Ref: gnutls_pkcs11_copy_x509_privkey21546597 ++Ref: gnutls_pkcs11_crt_is_known1547542 ++Ref: gnutls_pkcs11_deinit1548678 ++Ref: gnutls_pkcs11_delete_url1548995 ++Ref: gnutls_pkcs11_get_pin_function1549511 ++Ref: gnutls_pkcs11_get_raw_issuer1549894 ++Ref: gnutls_pkcs11_get_raw_issuer_by_dn1550804 ++Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1551843 
++Ref: gnutls_pkcs11_init1552954 ++Ref: gnutls_pkcs11_obj_deinit1553996 ++Ref: gnutls_pkcs11_obj_export1554242 ++Ref: gnutls_pkcs11_obj_export21555087 ++Ref: gnutls_pkcs11_obj_export31555684 ++Ref: gnutls_pkcs11_obj_export_url1556357 ++Ref: gnutls_pkcs11_obj_flags_get_str1556884 ++Ref: gnutls_pkcs11_obj_get_exts1557363 ++Ref: gnutls_pkcs11_obj_get_flags1558299 ++Ref: gnutls_pkcs11_obj_get_info1558836 ++Ref: gnutls_pkcs11_obj_get_ptr1560100 ++Ref: gnutls_pkcs11_obj_get_type1561009 ++Ref: gnutls_pkcs11_obj_import_url1561359 ++Ref: gnutls_pkcs11_obj_init1562279 ++Ref: gnutls_pkcs11_obj_list_import_url31562664 ++Ref: gnutls_pkcs11_obj_list_import_url41564605 ++Ref: gnutls_pkcs11_obj_set_info1566281 ++Ref: gnutls_pkcs11_obj_set_pin_function1567060 ++Ref: gnutls_pkcs11_privkey_cpy1567571 ++Ref: gnutls_pkcs11_privkey_deinit1568072 ++Ref: gnutls_pkcs11_privkey_export_pubkey1568335 ++Ref: gnutls_pkcs11_privkey_export_url1569139 ++Ref: gnutls_pkcs11_privkey_generate1569649 ++Ref: gnutls_pkcs11_privkey_generate21570321 ++Ref: gnutls_pkcs11_privkey_generate31571551 ++Ref: gnutls_pkcs11_privkey_get_info1573061 ++Ref: gnutls_pkcs11_privkey_get_pk_algorithm1573943 ++Ref: gnutls_pkcs11_privkey_import_url1574474 ++Ref: gnutls_pkcs11_privkey_init1575175 ++Ref: gnutls_pkcs11_privkey_set_pin_function1575890 ++Ref: gnutls_pkcs11_privkey_status1576410 ++Ref: gnutls_pkcs11_reinit1576786 ++Ref: gnutls_pkcs11_set_pin_function1577346 ++Ref: gnutls_pkcs11_set_token_function1577836 ++Ref: gnutls_pkcs11_token_check_mechanism1578254 ++Ref: gnutls_pkcs11_token_get_flags1579011 ++Ref: gnutls_pkcs11_token_get_info1579553 ++Ref: gnutls_pkcs11_token_get_mechanism1580576 ++Ref: gnutls_pkcs11_token_get_ptr1581189 ++Ref: gnutls_pkcs11_token_get_random1581888 ++Ref: gnutls_pkcs11_token_get_url1582519 ++Ref: gnutls_pkcs11_token_init1583187 ++Ref: gnutls_pkcs11_token_set_pin1583825 ++Ref: gnutls_pkcs11_type_get_name1584665 ++Ref: gnutls_x509_crt_import_pkcs111585154 ++Ref: 
gnutls_x509_crt_list_import_pkcs111585676 ++Node: TPM API1586285 ++Ref: gnutls_tpm_get_registered1586564 ++Ref: gnutls_tpm_key_list_deinit1586957 ++Ref: gnutls_tpm_key_list_get_url1587225 ++Ref: gnutls_tpm_privkey_delete1587878 ++Ref: gnutls_tpm_privkey_generate1588316 ++Node: Abstract key API1589666 ++Ref: gnutls_certificate_set_key1589987 ++Ref: gnutls_certificate_set_retrieve_function21592123 ++Ref: gnutls_certificate_set_retrieve_function31594373 ++Ref: gnutls_pcert_deinit1597233 ++Ref: gnutls_pcert_export_openpgp1597478 ++Ref: gnutls_pcert_export_x5091597827 ++Ref: gnutls_pcert_import_openpgp1598477 ++Ref: gnutls_pcert_import_openpgp_raw1598876 ++Ref: gnutls_pcert_import_rawpk1599445 ++Ref: gnutls_pcert_import_rawpk_raw1600298 ++Ref: gnutls_pcert_import_x5091601547 ++Ref: gnutls_pcert_import_x509_list1602144 ++Ref: gnutls_pcert_import_x509_raw1603334 ++Ref: gnutls_pcert_list_import_x509_file1604040 ++Ref: gnutls_pcert_list_import_x509_raw1605472 ++Ref: gnutls_privkey_decrypt_data1606806 ++Ref: gnutls_privkey_decrypt_data21607454 ++Ref: gnutls_privkey_deinit1608279 ++Ref: gnutls_privkey_export_dsa_raw1608528 ++Ref: gnutls_privkey_export_dsa_raw21609258 ++Ref: gnutls_privkey_export_ecc_raw1610064 ++Ref: gnutls_privkey_export_ecc_raw21610926 ++Ref: gnutls_privkey_export_gost_raw21611868 ++Ref: gnutls_privkey_export_openpgp1613002 ++Ref: gnutls_privkey_export_pkcs111613354 ++Ref: gnutls_privkey_export_rsa_raw1613966 ++Ref: gnutls_privkey_export_rsa_raw21614997 ++Ref: gnutls_privkey_export_x5091616043 ++Ref: gnutls_privkey_generate1616691 ++Ref: gnutls_privkey_generate21618182 ++Ref: gnutls_privkey_get_pk_algorithm1620310 ++Ref: gnutls_privkey_get_seed1620924 ++Ref: gnutls_privkey_get_spki1621723 ++Ref: gnutls_privkey_get_type1622303 ++Ref: gnutls_privkey_import_dsa_raw1622792 ++Ref: gnutls_privkey_import_ecc_raw1623504 ++Ref: gnutls_privkey_import_ext1624317 ++Ref: gnutls_privkey_import_ext21625467 ++Ref: gnutls_privkey_import_ext31626824 ++Ref: 
gnutls_privkey_import_ext41628438 ++Ref: gnutls_privkey_import_gost_raw1631198 ++Ref: gnutls_privkey_import_openpgp1632406 ++Ref: gnutls_privkey_import_openpgp_raw1632815 ++Ref: gnutls_privkey_import_pkcs111633404 ++Ref: gnutls_privkey_import_pkcs11_url1634162 ++Ref: gnutls_privkey_import_rsa_raw1634611 ++Ref: gnutls_privkey_import_tpm_raw1635607 ++Ref: gnutls_privkey_import_tpm_url1636474 ++Ref: gnutls_privkey_import_url1637577 ++Ref: gnutls_privkey_import_x5091638124 ++Ref: gnutls_privkey_import_x509_raw1638872 ++Ref: gnutls_privkey_init1639651 ++Ref: gnutls_privkey_set_flags1640569 ++Ref: gnutls_privkey_set_pin_function1641094 ++Ref: gnutls_privkey_set_spki1641664 ++Ref: gnutls_privkey_sign_data1642237 ++Ref: gnutls_privkey_sign_data21643257 ++Ref: gnutls_privkey_sign_hash1644155 ++Ref: gnutls_privkey_sign_hash21645592 ++Ref: gnutls_privkey_status1646858 ++Ref: gnutls_privkey_verify_params1647402 ++Ref: gnutls_privkey_verify_seed1647764 ++Ref: gnutls_pubkey_deinit1648476 ++Ref: gnutls_pubkey_encrypt_data1648716 ++Ref: gnutls_pubkey_export1649358 ++Ref: gnutls_pubkey_export21650372 ++Ref: gnutls_pubkey_export_dsa_raw1651145 ++Ref: gnutls_pubkey_export_dsa_raw21651957 ++Ref: gnutls_pubkey_export_ecc_raw1652841 ++Ref: gnutls_pubkey_export_ecc_raw21653740 ++Ref: gnutls_pubkey_export_ecc_x9621654719 ++Ref: gnutls_pubkey_export_gost_raw21655378 ++Ref: gnutls_pubkey_export_rsa_raw1656522 ++Ref: gnutls_pubkey_export_rsa_raw21657219 ++Ref: gnutls_pubkey_get_key_id1657980 ++Ref: gnutls_pubkey_get_key_usage1659005 ++Ref: gnutls_pubkey_get_openpgp_key_id1659502 ++Ref: gnutls_pubkey_get_pk_algorithm1660141 ++Ref: gnutls_pubkey_get_preferred_hash_algorithm1660789 ++Ref: gnutls_pubkey_get_spki1661730 ++Ref: gnutls_pubkey_import1662298 ++Ref: gnutls_pubkey_import_dsa_raw1662982 ++Ref: gnutls_pubkey_import_ecc_raw1663643 ++Ref: gnutls_pubkey_import_ecc_x9621664411 ++Ref: gnutls_pubkey_import_gost_raw1665047 ++Ref: gnutls_pubkey_import_openpgp1666194 ++Ref: 
gnutls_pubkey_import_openpgp_raw1666586 ++Ref: gnutls_pubkey_import_pkcs111667155 ++Ref: gnutls_pubkey_import_privkey1667697 ++Ref: gnutls_pubkey_import_rsa_raw1668399 ++Ref: gnutls_pubkey_import_tpm_raw1668923 ++Ref: gnutls_pubkey_import_tpm_url1669700 ++Ref: gnutls_pubkey_import_url1670592 ++Ref: gnutls_pubkey_import_x5091671065 ++Ref: gnutls_pubkey_import_x509_crq1671565 ++Ref: gnutls_pubkey_import_x509_raw1672068 ++Ref: gnutls_pubkey_init1672645 ++Ref: gnutls_pubkey_print1672974 ++Ref: gnutls_pubkey_set_key_usage1673708 ++Ref: gnutls_pubkey_set_pin_function1674277 ++Ref: gnutls_pubkey_set_spki1674842 ++Ref: gnutls_pubkey_verify_data21675413 ++Ref: gnutls_pubkey_verify_hash21676321 ++Ref: gnutls_pubkey_verify_params1677445 ++Ref: gnutls_register_custom_url1677803 ++Ref: gnutls_system_key_add_x5091678741 ++Ref: gnutls_system_key_delete1679486 ++Ref: gnutls_system_key_iter_deinit1679910 ++Ref: gnutls_system_key_iter_get_info1680178 ++Ref: gnutls_x509_crl_privkey_sign1681452 ++Ref: gnutls_x509_crq_privkey_sign1682721 ++Ref: gnutls_x509_crq_set_pubkey1684083 ++Ref: gnutls_x509_crt_privkey_sign1684591 ++Ref: gnutls_x509_crt_set_pubkey1685834 ++Node: Socket specific API1686287 ++Ref: gnutls_transport_set_fastopen1686580 ++Node: DANE API1688126 ++Ref: dane_cert_type_name1688500 ++Ref: dane_cert_usage_name1688790 ++Ref: dane_match_type_name1689102 ++Ref: dane_query_data1689385 ++Ref: dane_query_deinit1690064 ++Ref: dane_query_entries1690269 ++Ref: dane_query_status1690511 ++Ref: dane_query_tlsa1690805 ++Ref: dane_query_to_raw_tlsa1691396 ++Ref: dane_raw_tlsa1692738 ++Ref: dane_state_deinit1693815 ++Ref: dane_state_init1694007 ++Ref: dane_state_set_dlv_file1694521 ++Ref: dane_strerror1694822 ++Ref: dane_verification_status_print1695321 ++Ref: dane_verify_crt1695915 ++Ref: dane_verify_crt_raw1698102 ++Ref: dane_verify_session_crt1699335 ++Node: Cryptographic API1700737 ++Ref: gnutls_aead_cipher_decrypt1701238 ++Ref: gnutls_aead_cipher_decryptv21702617 ++Ref: 
gnutls_aead_cipher_deinit1703542 ++Ref: gnutls_aead_cipher_encrypt1703870 ++Ref: gnutls_aead_cipher_encryptv1704979 ++Ref: gnutls_aead_cipher_encryptv21706127 ++Ref: gnutls_aead_cipher_init1707055 ++Ref: gnutls_cipher_add_auth1707721 ++Ref: gnutls_cipher_decrypt1708301 ++Ref: gnutls_cipher_decrypt21708925 ++Ref: gnutls_cipher_deinit1709851 ++Ref: gnutls_cipher_encrypt1710130 ++Ref: gnutls_cipher_encrypt21710590 ++Ref: gnutls_cipher_get_block_size1711367 ++Ref: gnutls_cipher_get_iv_size1711647 ++Ref: gnutls_cipher_get_tag_size1712129 ++Ref: gnutls_cipher_init1712535 ++Ref: gnutls_cipher_set_iv1713265 ++Ref: gnutls_cipher_tag1713610 ++Ref: gnutls_crypto_register_aead_cipher1714112 ++Ref: gnutls_crypto_register_cipher1715716 ++Ref: gnutls_crypto_register_digest1717497 ++Ref: gnutls_crypto_register_mac1718721 ++Ref: gnutls_decode_ber_digest_info1720149 ++Ref: gnutls_decode_gost_rs_value1720948 ++Ref: gnutls_decode_rs_value1721748 ++Ref: gnutls_encode_ber_digest_info1722533 ++Ref: gnutls_encode_gost_rs_value1723177 ++Ref: gnutls_encode_rs_value1723923 ++Ref: gnutls_hash1724543 ++Ref: gnutls_hash_copy1724974 ++Ref: gnutls_hash_deinit1725491 ++Ref: gnutls_hash_fast1725819 ++Ref: gnutls_hash_get_len1726336 ++Ref: gnutls_hash_init1726669 ++Ref: gnutls_hash_output1727205 ++Ref: gnutls_hkdf_expand1727537 ++Ref: gnutls_hkdf_extract1728240 ++Ref: gnutls_hmac1728783 ++Ref: gnutls_hmac_copy1729214 ++Ref: gnutls_hmac_deinit1729695 ++Ref: gnutls_hmac_fast1730022 ++Ref: gnutls_hmac_get_key_size1730746 ++Ref: gnutls_hmac_get_len1731207 ++Ref: gnutls_hmac_init1731537 ++Ref: gnutls_hmac_output1732320 ++Ref: gnutls_hmac_set_nonce1732655 ++Ref: gnutls_mac_get_nonce_size1733022 ++Ref: gnutls_pbkdf21733338 ++Ref: gnutls_rnd1733971 ++Ref: gnutls_rnd_refresh1734609 ++Node: Compatibility API1734895 ++Ref: gnutls_compression_get1735237 ++Ref: gnutls_compression_get_id1735589 ++Ref: gnutls_compression_get_name1735953 ++Ref: gnutls_compression_list1736335 ++Ref: 
gnutls_global_set_mem_functions1736667 ++Ref: gnutls_openpgp_privkey_sign_hash1738042 ++Ref: gnutls_priority_compression_list1738471 ++Ref: gnutls_x509_crt_get_preferred_hash_algorithm1738923 ++Ref: gnutls_x509_privkey_sign_hash1739804 ++Node: Copying Information1740674 ++Node: Bibliography1765851 ++Ref: CBCATT1765990 ++Ref: GPGH1766168 ++Ref: GUTPKI1766291 ++Ref: PRNGATTACKS1766466 ++Ref: KEYPIN1766666 ++Ref: NISTSP800571766841 ++Ref: RFC74131767089 ++Ref: RFC79181767256 ++Ref: RFC61251767433 ++Ref: RFC76851767774 ++Ref: RFC76131767949 ++Ref: RFC22461768197 ++Ref: RFC60831768358 ++Ref: RFC44181768595 ++Ref: RFC46801768762 ++Ref: RFC76331768920 ++Ref: RFC79191769092 ++Ref: RFC45141769296 ++Ref: RFC43461769500 ++Ref: RFC43471769650 ++Ref: RFC52461769817 ++Ref: RFC24401769968 ++Ref: RFC48801770150 ++Ref: RFC42111770344 ++Ref: RFC28171770538 ++Ref: RFC28181770691 ++Ref: RFC29451770805 ++Ref: RFC73011770955 ++Ref: RFC29861771175 ++Ref: PKIX1771364 ++Ref: RFC37491771627 ++Ref: RFC38201771793 ++Ref: RFC65201772036 ++Ref: RFC57461772275 ++Ref: RFC52801772484 ++Ref: TLSTKT1772751 ++Ref: PKCS121772983 ++Ref: PKCS111773124 ++Ref: RESCORLA1773270 ++Ref: SELKEY1773366 ++Ref: SSL31773525 ++Ref: STEVENS1773716 ++Ref: TLSEXT1773824 ++Ref: TLSPGP1774041 ++Ref: TLSSRP1774206 ++Ref: TLSPSK1774403 ++Ref: TOMSRP1774572 ++Ref: WEGER1774685 ++Ref: ECRYPT1774877 ++Ref: RFC50561775082 ++Ref: RFC57641775235 ++Ref: RFC59291775523 ++Ref: PKCS11URI1775666 ++Ref: TPMURI1775802 ++Ref: ANDERSON1775996 ++Ref: RFC48211776142 ++Ref: RFC25601776295 ++Ref: RIVESTCRL1776489 ++Node: Function and Data Index1776850 ++Node: Concept Index1903361 +  + End Tag Table + +diff -ruN gnutls-3.7.2/doc/gnutls.info-1 gnutls-3.7.2-bootstrapped/doc/gnutls.info-1 +--- gnutls-3.7.2/doc/gnutls.info-1 2021-05-29 10:19:34.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-1 2021-06-28 09:39:56.000000000 +0200 +@@ -7426,6 +7426,12 @@ + to a token. 
Must be combined with one of -load-privkey, -load-pubkey, + -load-certificate option. + ++When writing a certificate object, its CKA_ID is set to the same CKA_ID ++of the corresponding public key, if it exists on the token; otherwise it ++will be derived from the X.509 Subject Key Identifier of the ++certificate. If this behavior is undesired, write the public key to the ++token beforehand. ++ + id option. + .......... + +diff -ruN gnutls-3.7.2/doc/gnutls.info-3 gnutls-3.7.2-bootstrapped/doc/gnutls.info-3 +--- gnutls-3.7.2/doc/gnutls.info-3 2021-05-29 10:19:36.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-3 2021-06-28 09:39:58.000000000 +0200 +@@ -1350,6 +1350,7 @@ + * 'insecure-hash': to mark the hash algorithm as insecure for digital + signature use (provides a more generic way to disable digital + signatures for broken hash algorithms). ++ * 'disabled-curve': to disable the specified elliptic curve. + * 'disabled-version': to disable the specified TLS versions. + * 'tls-disabled-cipher': to disable the specified ciphers for use in + the TLS or DTLS protocols. +@@ -1362,12 +1363,54 @@ + earlier). + + Each of the options can be repeated multiple times when multiple values +-need to be disabled. ++need to be disabled or enabled. + + The valid values for the options above can be found in the 'Protocols', + 'Digests' 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of + the output of 'gnutls-cli --list'. + ++Sometimes the system administrator wants to enable only specific ++algorithms, despite the library defaults. GnuTLS provides an ++alternative mode of overriding: allowlisting. ++ ++In the allowlisting mode, all the algorithms are initially marked as ++insecure or disabled, and shall be explicitly turned on by the options ++in the '[overrides]' section. 
Those options are mutually exclusive to ++the above ones for the blocklisting mode (the default) ++ * 'secure-sig-for-cert': to mark the signature algorithm as secure ++ when used in certificates. ++ * 'secure-sig': to mark the signature algorithm as secure for any ++ use. ++ * 'secure-hash': to mark the hash algorithm as secure for digital ++ signature use (provides a more generic way to enable digital ++ signatures for broken hash algorithms). ++ * 'enabled-curve': to enable the specified elliptic curve. ++ * 'enabled-version': to enable the specified TLS versions. ++ * 'tls-enabled-cipher': to enable the specified ciphers for use in ++ the TLS or DTLS protocols. ++ * 'tls-enabled-mac': to enable the specified MAC algorithms for use ++ in the TLS or DTLS protocols. ++ * 'tls-enabled-group': to enable the specified group for use in the ++ TLS or DTLS protocols. ++ * 'tls-enabled-kx': to enable the specified key exchange algorithms ++ for use in the TLS or DTLS protocols (applies to TLS1.2 or ++ earlier). ++ ++The allowlisting mode can be enabled by adding 'override-mode = ++allowlist' in the '[global]' section. ++ ++When the allowlisting mode is in effect, it is also possible for the ++applications to modify the setting through the API. 
++ ++'INT *note gnutls_ecc_curve_mark_enabled:: (gnutls_ecc_curve_t CURVE)' ++'INT *note gnutls_sign_mark_secure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)' ++'INT *note gnutls_digest_mark_secure:: (gnutls_digest_algorithm_t DIG)' ++'INT *note gnutls_protocol_mark_enabled:: (gnutls_protocol_t VERSION)' ++'INT *note gnutls_ecc_curve_mark_disabled:: (gnutls_ecc_curve_t CURVE)' ++'INT *note gnutls_sign_mark_insecure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)' ++'INT *note gnutls_digest_mark_insecure:: (gnutls_digest_algorithm_t DIG)' ++'INT *note gnutls_protocol_mark_disabled:: (gnutls_protocol_t VERSION)' ++ + 8.2.1 Examples + -------------- + +@@ -1396,6 +1439,17 @@ + tls-disabled-mac = sha1 + tls-disabled-group = group-ffdhe8192 + ++The following example demonstrates the use of the allowlisting mode. It ++disables all the signature algorithms but 'RSA-SHA256'. Note that the ++hash algorithm 'SHA256' also needs to be explicitly enabled. ++ ++ [global] ++ override-mode = allowlist ++ ++ [overrides] ++ secure-hash = sha256 ++ secure-sig = rsa-sha256 ++ +  + File: gnutls.info, Node: Querying for disabled algorithms and protocols, Next: Overriding the parameter verification profile, Prev: Disabling algorithms and protocols, Up: System-wide configuration of the library + +@@ -8538,6 +8592,31 @@ + 'gnutls_digest_algorithm_t' integers indicating the available + digests. + ++gnutls_digest_mark_insecure ++--------------------------- ++ ++ -- Function: int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t ++ DIG) ++ DIG: is a digest algorithm ++ ++ Mark 'dig' as insecure system wide. This only works if the ++ allowlisting mode is used in the configuration file. ++ ++ *Since:* 3.7.3 ++ ++gnutls_digest_mark_secure ++------------------------- ++ ++ -- Function: int gnutls_digest_mark_secure (gnutls_digest_algorithm_t ++ DIG) ++ DIG: is a digest algorithm ++ ++ Invalidate previous system wide setting that marked 'dig' as ++ insecure. 
This only works if the allowlisting mode is used in the ++ configuration file. ++ ++ *Since:* 3.7.3 ++ + gnutls_early_cipher_get + ----------------------- + +@@ -8657,6 +8736,37 @@ + *Returns:* Return a (0)-terminated list of 'gnutls_ecc_curve_t' + integers indicating the available curves. + ++gnutls_ecc_curve_mark_disabled ++------------------------------ ++ ++ -- Function: int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t ++ CURVE) ++ CURVE: is an ECC curve ++ ++ Mark 'curve' as disabled system wide. This setting can be reverted ++ with 'gnutls_ecc_curve_mark_enabled()' . This only works if the ++ configuration file uses the allowlisting mode. ++ ++ *Returns:* 0 on success or negative error code otherwise. ++ ++ *Since:* 3.7.3 ++ ++gnutls_ecc_curve_mark_enabled ++----------------------------- ++ ++ -- Function: int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t ++ CURVE) ++ CURVE: is an ECC curve ++ ++ Invalidate previous system wide setting that marked 'curve' as ++ disabled. This only works if the curve is disabled with ++ 'gnutls_ecc_curve_mark_disabled()' or through the allowlisting mode ++ in the configuration file. ++ ++ *Returns:* 0 on success or negative error code otherwise. ++ ++ *Since:* 3.7.3 ++ + gnutls_error_is_fatal + --------------------- + +@@ -11047,6 +11157,27 @@ + *Returns:* a (0)-terminated list of 'gnutls_protocol_t' integers + indicating the available protocols. + ++gnutls_protocol_mark_disabled ++----------------------------- ++ ++ -- Function: int gnutls_protocol_mark_disabled (gnutls_protocol_t ++ VERSION) ++ VERSION: is a (gnutls) version number ++ ++ Mark 'version' as disabled system wide. This only works if the ++ allowlisting mode is used in the configuration file. 
++ ++gnutls_protocol_mark_enabled ++---------------------------- ++ ++ -- Function: int gnutls_protocol_mark_enabled (gnutls_protocol_t ++ VERSION) ++ VERSION: is a (gnutls) version number ++ ++ Invalidate previous system wide setting that marked 'version' as ++ disabled. This only works if the allowlisting mode is used in the ++ configuration file. ++ + gnutls_psk_allocate_client_credentials + -------------------------------------- + +@@ -13235,6 +13366,45 @@ + *Returns:* a (0)-terminated list of 'gnutls_sign_algorithm_t' + integers indicating the available ciphers. + ++gnutls_sign_mark_insecure ++------------------------- ++ ++ -- Function: int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t ++ SIGN, unsigned FLAGS) ++ SIGN: the sign algorithm ++ ++ FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0 ++ ++ Mark 'sign' as insecure system wide. This only works if the ++ allowlisting mode is used in the configuration file. ++ ++ If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, and the ++ algorithm was previously considered secure for all purposes, it ++ only marks the algorithm as insecure for the use with certificates. ++ ++ *Since:* 3.7.3 ++ ++gnutls_sign_mark_secure ++----------------------- ++ ++ -- Function: int gnutls_sign_mark_secure (gnutls_sign_algorithm_t SIGN, ++ unsigned FLAGS) ++ SIGN: the sign algorithm ++ ++ FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0 ++ ++ Invalidate previous system wide setting that marked 'sign' as ++ insecure. This only works if the algorithm is marked as insecure ++ with 'gnutls_sign_mark_insecure()' or through the allowlisting mode ++ in the configuration file. ++ ++ If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, it ++ marks it the algorithm as secure for all purposes. If the absence ++ of this flag, it will mark it as "secure, but not for certificates" ++ at most, but it won't restrict anything either. 
++ ++ *Since:* 3.7.3 ++ + gnutls_sign_supports_pk_algorithm + --------------------------------- + +diff -ruN gnutls-3.7.2/doc/gnutls.info-6 gnutls-3.7.2-bootstrapped/doc/gnutls.info-6 +--- gnutls-3.7.2/doc/gnutls.info-6 2021-05-29 10:19:38.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-6 2021-06-28 09:40:00.000000000 +0200 +@@ -7847,6 +7847,8 @@ + * gnutls_digest_get_name: Core TLS API. (line 3005) + * gnutls_digest_get_oid: Core TLS API. (line 3017) + * gnutls_digest_list: Core TLS API. (line 3032) ++* gnutls_digest_mark_insecure: Core TLS API. (line 3046) ++* gnutls_digest_mark_secure: Core TLS API. (line 3058) + * gnutls_dtls_cookie_send: Datagram TLS API. (line 11) + * gnutls_dtls_cookie_verify: Datagram TLS API. (line 45) + * gnutls_dtls_get_data_mtu: Datagram TLS API. (line 74) +@@ -7858,71 +7860,73 @@ + * gnutls_dtls_set_data_mtu: Datagram TLS API. (line 139) + * gnutls_dtls_set_mtu: Datagram TLS API. (line 165) + * gnutls_dtls_set_timeouts: Datagram TLS API. (line 182) +-* gnutls_early_cipher_get: Core TLS API. (line 3046) +-* gnutls_early_prf_hash_get: Core TLS API. (line 3060) +-* gnutls_ecc_curve_get: Core TLS API. (line 3075) +-* gnutls_ecc_curve_get_id: Core TLS API. (line 3089) +-* gnutls_ecc_curve_get_name: Core TLS API. (line 3103) +-* gnutls_ecc_curve_get_oid: Core TLS API. (line 3117) +-* gnutls_ecc_curve_get_pk: Core TLS API. (line 3131) +-* gnutls_ecc_curve_get_size: Core TLS API. (line 3143) +-* gnutls_ecc_curve_list: Core TLS API. (line 3153) ++* gnutls_early_cipher_get: Core TLS API. (line 3071) ++* gnutls_early_prf_hash_get: Core TLS API. (line 3085) ++* gnutls_ecc_curve_get: Core TLS API. (line 3100) ++* gnutls_ecc_curve_get_id: Core TLS API. (line 3114) ++* gnutls_ecc_curve_get_name: Core TLS API. (line 3128) ++* gnutls_ecc_curve_get_oid: Core TLS API. (line 3142) ++* gnutls_ecc_curve_get_pk: Core TLS API. (line 3156) ++* gnutls_ecc_curve_get_size: Core TLS API. (line 3168) ++* gnutls_ecc_curve_list: Core TLS API. 
(line 3178) ++* gnutls_ecc_curve_mark_disabled: Core TLS API. (line 3190) ++* gnutls_ecc_curve_mark_enabled: Core TLS API. (line 3205) + * gnutls_encode_ber_digest_info: Cryptographic API. (line 689) + * gnutls_encode_gost_rs_value: Cryptographic API. (line 709) + * gnutls_encode_rs_value: Cryptographic API. (line 732) + * gnutls_error_is_fatal: Data transfer and termination. + (line 82) +-* gnutls_error_is_fatal <1>: Core TLS API. (line 3165) ++* gnutls_error_is_fatal <1>: Core TLS API. (line 3221) + * gnutls_error_to_alert: Handling alerts. (line 66) +-* gnutls_error_to_alert <1>: Core TLS API. (line 3185) +-* gnutls_est_record_overhead_size: Core TLS API. (line 3204) +-* gnutls_ext_get_current_msg: Core TLS API. (line 3231) +-* gnutls_ext_get_data: Core TLS API. (line 3249) +-* gnutls_ext_get_name: Core TLS API. (line 3268) +-* gnutls_ext_get_name2: Core TLS API. (line 3279) +-* gnutls_ext_raw_parse: Core TLS API. (line 3296) +-* gnutls_ext_register: Core TLS API. (line 3327) +-* gnutls_ext_set_data: Core TLS API. (line 3374) +-* gnutls_fingerprint: Core TLS API. (line 3391) +-* gnutls_fips140_mode_enabled: Core TLS API. (line 3418) +-* gnutls_fips140_set_mode: Core TLS API. (line 3436) ++* gnutls_error_to_alert <1>: Core TLS API. (line 3241) ++* gnutls_est_record_overhead_size: Core TLS API. (line 3260) ++* gnutls_ext_get_current_msg: Core TLS API. (line 3287) ++* gnutls_ext_get_data: Core TLS API. (line 3305) ++* gnutls_ext_get_name: Core TLS API. (line 3324) ++* gnutls_ext_get_name2: Core TLS API. (line 3335) ++* gnutls_ext_raw_parse: Core TLS API. (line 3352) ++* gnutls_ext_register: Core TLS API. (line 3383) ++* gnutls_ext_set_data: Core TLS API. (line 3430) ++* gnutls_fingerprint: Core TLS API. (line 3447) ++* gnutls_fips140_mode_enabled: Core TLS API. (line 3474) ++* gnutls_fips140_set_mode: Core TLS API. (line 3492) + * gnutls_get_system_config_file: System-wide configuration of the library. 
+ (line 24) +-* gnutls_get_system_config_file <1>: Core TLS API. (line 3462) +-* gnutls_global_deinit: Core TLS API. (line 3476) +-* gnutls_global_init: Core TLS API. (line 3489) ++* gnutls_get_system_config_file <1>: Core TLS API. (line 3518) ++* gnutls_global_deinit: Core TLS API. (line 3532) ++* gnutls_global_init: Core TLS API. (line 3545) + * gnutls_global_set_audit_log_function: Debugging and auditing. + (line 64) +-* gnutls_global_set_audit_log_function <1>: Core TLS API. (line 3518) +-* gnutls_global_set_log_function: Core TLS API. (line 3537) +-* gnutls_global_set_log_level: Core TLS API. (line 3552) ++* gnutls_global_set_audit_log_function <1>: Core TLS API. (line 3574) ++* gnutls_global_set_log_function: Core TLS API. (line 3593) ++* gnutls_global_set_log_level: Core TLS API. (line 3608) + * gnutls_global_set_mem_functions: Compatibility API. (line 60) +-* gnutls_global_set_mutex: Core TLS API. (line 3565) +-* gnutls_global_set_time_function: Core TLS API. (line 3594) +-* gnutls_gost_paramset_get_name: Core TLS API. (line 3608) +-* gnutls_gost_paramset_get_oid: Core TLS API. (line 3622) +-* gnutls_group_get: Core TLS API. (line 3636) +-* gnutls_group_get_id: Core TLS API. (line 3649) +-* gnutls_group_get_name: Core TLS API. (line 3662) +-* gnutls_group_list: Core TLS API. (line 3675) ++* gnutls_global_set_mutex: Core TLS API. (line 3621) ++* gnutls_global_set_time_function: Core TLS API. (line 3650) ++* gnutls_gost_paramset_get_name: Core TLS API. (line 3664) ++* gnutls_gost_paramset_get_oid: Core TLS API. (line 3678) ++* gnutls_group_get: Core TLS API. (line 3692) ++* gnutls_group_get_id: Core TLS API. (line 3705) ++* gnutls_group_get_name: Core TLS API. (line 3718) ++* gnutls_group_list: Core TLS API. (line 3731) + * gnutls_handshake: TLS handshake. (line 10) +-* gnutls_handshake <1>: Core TLS API. (line 3689) +-* gnutls_handshake_description_get_name: Core TLS API. (line 3732) +-* gnutls_handshake_get_last_in: Core TLS API. 
(line 3744) +-* gnutls_handshake_get_last_out: Core TLS API. (line 3761) ++* gnutls_handshake <1>: Core TLS API. (line 3745) ++* gnutls_handshake_description_get_name: Core TLS API. (line 3788) ++* gnutls_handshake_get_last_in: Core TLS API. (line 3800) ++* gnutls_handshake_get_last_out: Core TLS API. (line 3817) + * gnutls_handshake_set_hook_function: Virtual hosts and credentials. + (line 56) +-* gnutls_handshake_set_hook_function <1>: Core TLS API. (line 3778) +-* gnutls_handshake_set_max_packet_length: Core TLS API. (line 3815) ++* gnutls_handshake_set_hook_function <1>: Core TLS API. (line 3834) ++* gnutls_handshake_set_max_packet_length: Core TLS API. (line 3871) + * gnutls_handshake_set_post_client_hello_function: Core TLS API. +- (line 3836) +-* gnutls_handshake_set_private_extensions: Core TLS API. (line 3867) +-* gnutls_handshake_set_random: Core TLS API. (line 3886) +-* gnutls_handshake_set_read_function: Core TLS API. (line 3908) +-* gnutls_handshake_set_secret_function: Core TLS API. (line 3922) ++ (line 3892) ++* gnutls_handshake_set_private_extensions: Core TLS API. (line 3923) ++* gnutls_handshake_set_random: Core TLS API. (line 3942) ++* gnutls_handshake_set_read_function: Core TLS API. (line 3964) ++* gnutls_handshake_set_secret_function: Core TLS API. (line 3978) + * gnutls_handshake_set_timeout: TLS handshake. (line 50) +-* gnutls_handshake_set_timeout <1>: Core TLS API. (line 3936) +-* gnutls_handshake_write: Core TLS API. (line 3956) ++* gnutls_handshake_set_timeout <1>: Core TLS API. (line 3992) ++* gnutls_handshake_write: Core TLS API. (line 4012) + * gnutls_hash: Cryptographic API. (line 753) + * gnutls_hash_copy: Cryptographic API. (line 771) + * gnutls_hash_deinit: Cryptographic API. (line 787) +@@ -7930,17 +7934,17 @@ + * gnutls_hash_get_len: Cryptographic API. (line 821) + * gnutls_hash_init: Cryptographic API. (line 835) + * gnutls_hash_output: Cryptographic API. (line 853) +-* gnutls_heartbeat_allowed: Core TLS API. 
(line 3977) +-* gnutls_heartbeat_enable: Core TLS API. (line 3994) +-* gnutls_heartbeat_get_timeout: Core TLS API. (line 4018) +-* gnutls_heartbeat_ping: Core TLS API. (line 4034) +-* gnutls_heartbeat_pong: Core TLS API. (line 4066) +-* gnutls_heartbeat_set_timeouts: Core TLS API. (line 4082) +-* gnutls_hex2bin: Core TLS API. (line 4104) +-* gnutls_hex_decode: Core TLS API. (line 4127) +-* gnutls_hex_decode2: Core TLS API. (line 4149) +-* gnutls_hex_encode: Core TLS API. (line 4164) +-* gnutls_hex_encode2: Core TLS API. (line 4183) ++* gnutls_heartbeat_allowed: Core TLS API. (line 4033) ++* gnutls_heartbeat_enable: Core TLS API. (line 4050) ++* gnutls_heartbeat_get_timeout: Core TLS API. (line 4074) ++* gnutls_heartbeat_ping: Core TLS API. (line 4090) ++* gnutls_heartbeat_pong: Core TLS API. (line 4122) ++* gnutls_heartbeat_set_timeouts: Core TLS API. (line 4138) ++* gnutls_hex2bin: Core TLS API. (line 4160) ++* gnutls_hex_decode: Core TLS API. (line 4183) ++* gnutls_hex_decode2: Core TLS API. (line 4205) ++* gnutls_hex_encode: Core TLS API. (line 4220) ++* gnutls_hex_encode2: Core TLS API. (line 4239) + * gnutls_hkdf_expand: Cryptographic API. (line 867) + * gnutls_hkdf_extract: Cryptographic API. (line 891) + * gnutls_hmac: Cryptographic API. (line 912) +@@ -7952,25 +7956,25 @@ + * gnutls_hmac_init: Cryptographic API. (line 1015) + * gnutls_hmac_output: Cryptographic API. (line 1041) + * gnutls_hmac_set_nonce: Cryptographic API. (line 1055) +-* gnutls_idna_map: Core TLS API. (line 4201) +-* gnutls_idna_reverse_map: Core TLS API. (line 4232) ++* gnutls_idna_map: Core TLS API. (line 4257) ++* gnutls_idna_reverse_map: Core TLS API. (line 4288) + * gnutls_init: Session initialization. + (line 14) +-* gnutls_init <1>: Core TLS API. (line 4258) +-* gnutls_key_generate: Core TLS API. (line 4281) +-* gnutls_kx_get: Core TLS API. (line 4298) +-* gnutls_kx_get_id: Core TLS API. (line 4315) +-* gnutls_kx_get_name: Core TLS API. (line 4327) +-* gnutls_kx_list: Core TLS API. 
(line 4339) +-* gnutls_load_file: Core TLS API. (line 4351) +-* gnutls_mac_get: Core TLS API. (line 4374) +-* gnutls_mac_get_id: Core TLS API. (line 4386) +-* gnutls_mac_get_key_size: Core TLS API. (line 4399) +-* gnutls_mac_get_name: Core TLS API. (line 4411) ++* gnutls_init <1>: Core TLS API. (line 4314) ++* gnutls_key_generate: Core TLS API. (line 4337) ++* gnutls_kx_get: Core TLS API. (line 4354) ++* gnutls_kx_get_id: Core TLS API. (line 4371) ++* gnutls_kx_get_name: Core TLS API. (line 4383) ++* gnutls_kx_list: Core TLS API. (line 4395) ++* gnutls_load_file: Core TLS API. (line 4407) ++* gnutls_mac_get: Core TLS API. (line 4430) ++* gnutls_mac_get_id: Core TLS API. (line 4442) ++* gnutls_mac_get_key_size: Core TLS API. (line 4455) ++* gnutls_mac_get_name: Core TLS API. (line 4467) + * gnutls_mac_get_nonce_size: Cryptographic API. (line 1070) +-* gnutls_mac_list: Core TLS API. (line 4423) +-* gnutls_memcmp: Core TLS API. (line 4435) +-* gnutls_memset: Core TLS API. (line 4456) ++* gnutls_mac_list: Core TLS API. (line 4479) ++* gnutls_memcmp: Core TLS API. (line 4491) ++* gnutls_memset: Core TLS API. (line 4512) + * gnutls_ocsp_req_add_cert: OCSP API. (line 12) + * gnutls_ocsp_req_add_cert_id: OCSP API. (line 36) + * gnutls_ocsp_req_deinit: OCSP API. (line 69) +@@ -8011,20 +8015,20 @@ + * gnutls_ocsp_resp_print: OCSP API. (line 757) + * gnutls_ocsp_resp_verify: OCSP API. (line 780) + * gnutls_ocsp_resp_verify_direct: OCSP API. (line 818) +-* gnutls_ocsp_status_request_enable_client: Core TLS API. (line 4471) +-* gnutls_ocsp_status_request_get: Core TLS API. (line 4499) +-* gnutls_ocsp_status_request_get2: Core TLS API. (line 4518) +-* gnutls_ocsp_status_request_is_checked: Core TLS API. (line 4544) +-* gnutls_oid_to_digest: Core TLS API. (line 4578) +-* gnutls_oid_to_ecc_curve: Core TLS API. (line 4593) +-* gnutls_oid_to_gost_paramset: Core TLS API. (line 4605) +-* gnutls_oid_to_mac: Core TLS API. (line 4620) +-* gnutls_oid_to_pk: Core TLS API. 
(line 4635) +-* gnutls_oid_to_sign: Core TLS API. (line 4649) ++* gnutls_ocsp_status_request_enable_client: Core TLS API. (line 4527) ++* gnutls_ocsp_status_request_get: Core TLS API. (line 4555) ++* gnutls_ocsp_status_request_get2: Core TLS API. (line 4574) ++* gnutls_ocsp_status_request_is_checked: Core TLS API. (line 4600) ++* gnutls_oid_to_digest: Core TLS API. (line 4634) ++* gnutls_oid_to_ecc_curve: Core TLS API. (line 4649) ++* gnutls_oid_to_gost_paramset: Core TLS API. (line 4661) ++* gnutls_oid_to_mac: Core TLS API. (line 4676) ++* gnutls_oid_to_pk: Core TLS API. (line 4691) ++* gnutls_oid_to_sign: Core TLS API. (line 4705) + * gnutls_openpgp_privkey_sign_hash: Compatibility API. (line 95) +-* gnutls_openpgp_send_cert: Core TLS API. (line 4664) +-* gnutls_packet_deinit: Core TLS API. (line 4677) +-* gnutls_packet_get: Core TLS API. (line 4688) ++* gnutls_openpgp_send_cert: Core TLS API. (line 4720) ++* gnutls_packet_deinit: Core TLS API. (line 4733) ++* gnutls_packet_get: Core TLS API. (line 4744) + * gnutls_pbkdf2: Cryptographic API. (line 1083) + * gnutls_pcert_deinit: Abstract key API. (line 176) + * gnutls_pcert_export_openpgp: Abstract key API. (line 186) +@@ -8038,11 +8042,11 @@ + * gnutls_pcert_import_x509_raw: Abstract key API. (line 370) + * gnutls_pcert_list_import_x509_file: Abstract key API. (line 393) + * gnutls_pcert_list_import_x509_raw: Abstract key API. (line 430) +-* gnutls_pem_base64_decode: Core TLS API. (line 4706) +-* gnutls_pem_base64_decode2: Core TLS API. (line 4730) +-* gnutls_pem_base64_encode: Core TLS API. (line 4758) +-* gnutls_pem_base64_encode2: Core TLS API. (line 4781) +-* gnutls_perror: Core TLS API. (line 4809) ++* gnutls_pem_base64_decode: Core TLS API. (line 4762) ++* gnutls_pem_base64_decode2: Core TLS API. (line 4786) ++* gnutls_pem_base64_encode: Core TLS API. (line 4814) ++* gnutls_pem_base64_encode2: Core TLS API. (line 4837) ++* gnutls_perror: Core TLS API. 
(line 4865) + * gnutls_pkcs11_add_provider: PKCS11 Manual Initialization. + (line 13) + * gnutls_pkcs11_add_provider <1>: PKCS 11 API. (line 12) +@@ -8183,39 +8187,39 @@ + (line 122) + * gnutls_pkcs_schema_get_oid: X509 certificate API. + (line 137) +-* gnutls_pk_algorithm_get_name: Core TLS API. (line 4818) ++* gnutls_pk_algorithm_get_name: Core TLS API. (line 4874) + * gnutls_pk_bits_to_sec_param: Selecting cryptographic key sizes. + (line 91) +-* gnutls_pk_bits_to_sec_param <1>: Core TLS API. (line 4830) +-* gnutls_pk_get_id: Core TLS API. (line 4847) +-* gnutls_pk_get_name: Core TLS API. (line 4862) +-* gnutls_pk_get_oid: Core TLS API. (line 4876) +-* gnutls_pk_list: Core TLS API. (line 4891) +-* gnutls_pk_to_sign: Core TLS API. (line 4905) +-* gnutls_prf: Core TLS API. (line 4920) +-* gnutls_prf_early: Core TLS API. (line 4970) +-* gnutls_prf_hash_get: Core TLS API. (line 5015) +-* gnutls_prf_raw: Core TLS API. (line 5032) ++* gnutls_pk_bits_to_sec_param <1>: Core TLS API. (line 4886) ++* gnutls_pk_get_id: Core TLS API. (line 4903) ++* gnutls_pk_get_name: Core TLS API. (line 4918) ++* gnutls_pk_get_oid: Core TLS API. (line 4932) ++* gnutls_pk_list: Core TLS API. (line 4947) ++* gnutls_pk_to_sign: Core TLS API. (line 4961) ++* gnutls_prf: Core TLS API. (line 4976) ++* gnutls_prf_early: Core TLS API. (line 5026) ++* gnutls_prf_hash_get: Core TLS API. (line 5071) ++* gnutls_prf_raw: Core TLS API. (line 5088) + * gnutls_prf_rfc5705: Deriving keys for other applications/protocols. + (line 16) +-* gnutls_prf_rfc5705 <1>: Core TLS API. (line 5077) +-* gnutls_priority_certificate_type_list: Core TLS API. (line 5124) +-* gnutls_priority_certificate_type_list2: Core TLS API. (line 5145) +-* gnutls_priority_cipher_list: Core TLS API. (line 5165) ++* gnutls_prf_rfc5705 <1>: Core TLS API. (line 5133) ++* gnutls_priority_certificate_type_list: Core TLS API. (line 5180) ++* gnutls_priority_certificate_type_list2: Core TLS API. 
(line 5201) ++* gnutls_priority_cipher_list: Core TLS API. (line 5221) + * gnutls_priority_compression_list: Compatibility API. (line 111) +-* gnutls_priority_deinit: Core TLS API. (line 5180) +-* gnutls_priority_ecc_curve_list: Core TLS API. (line 5189) +-* gnutls_priority_get_cipher_suite_index: Core TLS API. (line 5207) +-* gnutls_priority_group_list: Core TLS API. (line 5232) +-* gnutls_priority_init: Core TLS API. (line 5247) +-* gnutls_priority_init2: Core TLS API. (line 5275) +-* gnutls_priority_kx_list: Core TLS API. (line 5383) +-* gnutls_priority_mac_list: Core TLS API. (line 5399) +-* gnutls_priority_protocol_list: Core TLS API. (line 5414) +-* gnutls_priority_set: Core TLS API. (line 5430) +-* gnutls_priority_set_direct: Core TLS API. (line 5448) +-* gnutls_priority_sign_list: Core TLS API. (line 5472) +-* gnutls_priority_string_list: Core TLS API. (line 5488) ++* gnutls_priority_deinit: Core TLS API. (line 5236) ++* gnutls_priority_ecc_curve_list: Core TLS API. (line 5245) ++* gnutls_priority_get_cipher_suite_index: Core TLS API. (line 5263) ++* gnutls_priority_group_list: Core TLS API. (line 5288) ++* gnutls_priority_init: Core TLS API. (line 5303) ++* gnutls_priority_init2: Core TLS API. (line 5331) ++* gnutls_priority_kx_list: Core TLS API. (line 5439) ++* gnutls_priority_mac_list: Core TLS API. (line 5455) ++* gnutls_priority_protocol_list: Core TLS API. (line 5470) ++* gnutls_priority_set: Core TLS API. (line 5486) ++* gnutls_priority_set_direct: Core TLS API. (line 5504) ++* gnutls_priority_sign_list: Core TLS API. (line 5528) ++* gnutls_priority_string_list: Core TLS API. (line 5544) + * gnutls_privkey_decrypt_data: Operations. (line 144) + * gnutls_privkey_decrypt_data <1>: Abstract key API. (line 465) + * gnutls_privkey_decrypt_data2: Abstract key API. (line 488) +@@ -8275,33 +8279,35 @@ + * gnutls_privkey_status: Abstract key API. (line 1705) + * gnutls_privkey_verify_params: Abstract key API. 
(line 1721) + * gnutls_privkey_verify_seed: Abstract key API. (line 1734) +-* gnutls_protocol_get_id: Core TLS API. (line 5508) +-* gnutls_protocol_get_name: Core TLS API. (line 5520) +-* gnutls_protocol_get_version: Core TLS API. (line 5532) +-* gnutls_protocol_list: Core TLS API. (line 5543) +-* gnutls_psk_allocate_client_credentials: Core TLS API. (line 5555) +-* gnutls_psk_allocate_server_credentials: Core TLS API. (line 5567) +-* gnutls_psk_client_get_hint: Core TLS API. (line 5579) +-* gnutls_psk_free_client_credentials: Core TLS API. (line 5598) +-* gnutls_psk_free_server_credentials: Core TLS API. (line 5607) +-* gnutls_psk_server_get_username: Core TLS API. (line 5616) +-* gnutls_psk_server_get_username2: Core TLS API. (line 5636) +-* gnutls_psk_set_client_credentials: Core TLS API. (line 5657) +-* gnutls_psk_set_client_credentials2: Core TLS API. (line 5683) ++* gnutls_protocol_get_id: Core TLS API. (line 5564) ++* gnutls_protocol_get_name: Core TLS API. (line 5576) ++* gnutls_protocol_get_version: Core TLS API. (line 5588) ++* gnutls_protocol_list: Core TLS API. (line 5599) ++* gnutls_protocol_mark_disabled: Core TLS API. (line 5611) ++* gnutls_protocol_mark_enabled: Core TLS API. (line 5621) ++* gnutls_psk_allocate_client_credentials: Core TLS API. (line 5632) ++* gnutls_psk_allocate_server_credentials: Core TLS API. (line 5644) ++* gnutls_psk_client_get_hint: Core TLS API. (line 5656) ++* gnutls_psk_free_client_credentials: Core TLS API. (line 5675) ++* gnutls_psk_free_server_credentials: Core TLS API. (line 5684) ++* gnutls_psk_server_get_username: Core TLS API. (line 5693) ++* gnutls_psk_server_get_username2: Core TLS API. (line 5713) ++* gnutls_psk_set_client_credentials: Core TLS API. (line 5734) ++* gnutls_psk_set_client_credentials2: Core TLS API. (line 5760) + * gnutls_psk_set_client_credentials_function: PSK credentials. + (line 22) + * gnutls_psk_set_client_credentials_function <1>: Core TLS API. 
+- (line 5706) +-* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5731) +-* gnutls_psk_set_params_function: Core TLS API. (line 5760) ++ (line 5783) ++* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5808) ++* gnutls_psk_set_params_function: Core TLS API. (line 5837) + * gnutls_psk_set_server_credentials_file: PSK credentials. (line 59) +-* gnutls_psk_set_server_credentials_file <1>: Core TLS API. (line 5778) +-* gnutls_psk_set_server_credentials_function: Core TLS API. (line 5800) +-* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5825) +-* gnutls_psk_set_server_credentials_hint: Core TLS API. (line 5854) +-* gnutls_psk_set_server_dh_params: Core TLS API. (line 5873) +-* gnutls_psk_set_server_known_dh_params: Core TLS API. (line 5891) +-* gnutls_psk_set_server_params_function: Core TLS API. (line 5915) ++* gnutls_psk_set_server_credentials_file <1>: Core TLS API. (line 5855) ++* gnutls_psk_set_server_credentials_function: Core TLS API. (line 5877) ++* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5902) ++* gnutls_psk_set_server_credentials_hint: Core TLS API. (line 5931) ++* gnutls_psk_set_server_dh_params: Core TLS API. (line 5950) ++* gnutls_psk_set_server_known_dh_params: Core TLS API. (line 5968) ++* gnutls_psk_set_server_params_function: Core TLS API. (line 5992) + * gnutls_pubkey_deinit: Abstract key API. (line 1758) + * gnutls_pubkey_encrypt_data: Operations. (line 60) + * gnutls_pubkey_encrypt_data <1>: Abstract key API. (line 1768) +@@ -8351,169 +8357,171 @@ + * gnutls_pubkey_verify_hash2: Operations. (line 33) + * gnutls_pubkey_verify_hash2 <1>: Abstract key API. (line 2681) + * gnutls_pubkey_verify_params: Abstract key API. (line 2711) +-* gnutls_random_art: Core TLS API. (line 5933) +-* gnutls_range_split: Core TLS API. (line 5960) +-* gnutls_reauth: Core TLS API. (line 5986) +-* gnutls_record_can_use_length_hiding: Core TLS API. 
(line 6032) +-* gnutls_record_check_corked: Core TLS API. (line 6050) ++* gnutls_random_art: Core TLS API. (line 6010) ++* gnutls_range_split: Core TLS API. (line 6037) ++* gnutls_reauth: Core TLS API. (line 6063) ++* gnutls_record_can_use_length_hiding: Core TLS API. (line 6109) ++* gnutls_record_check_corked: Core TLS API. (line 6127) + * gnutls_record_check_pending: Data transfer and termination. + (line 138) +-* gnutls_record_check_pending <1>: Core TLS API. (line 6064) ++* gnutls_record_check_pending <1>: Core TLS API. (line 6141) + * gnutls_record_cork: Buffered data transfer. + (line 12) +-* gnutls_record_cork <1>: Core TLS API. (line 6077) +-* gnutls_record_disable_padding: Core TLS API. (line 6091) +-* gnutls_record_discard_queued: Core TLS API. (line 6106) ++* gnutls_record_cork <1>: Core TLS API. (line 6154) ++* gnutls_record_disable_padding: Core TLS API. (line 6168) ++* gnutls_record_discard_queued: Core TLS API. (line 6183) + * gnutls_record_get_direction: Asynchronous operation. + (line 65) +-* gnutls_record_get_direction <1>: Core TLS API. (line 6125) ++* gnutls_record_get_direction <1>: Core TLS API. (line 6202) + * gnutls_record_get_discarded: Datagram TLS API. (line 209) +-* gnutls_record_get_max_early_data_size: Core TLS API. (line 6148) +-* gnutls_record_get_max_size: Core TLS API. (line 6164) +-* gnutls_record_get_state: Core TLS API. (line 6176) +-* gnutls_record_overhead_size: Core TLS API. (line 6207) ++* gnutls_record_get_max_early_data_size: Core TLS API. (line 6225) ++* gnutls_record_get_max_size: Core TLS API. (line 6241) ++* gnutls_record_get_state: Core TLS API. (line 6253) ++* gnutls_record_overhead_size: Core TLS API. (line 6284) + * gnutls_record_recv: Data transfer and termination. + (line 53) +-* gnutls_record_recv <1>: Core TLS API. (line 6220) +-* gnutls_record_recv_early_data: Core TLS API. (line 6252) +-* gnutls_record_recv_packet: Core TLS API. (line 6280) ++* gnutls_record_recv <1>: Core TLS API. 
(line 6297) ++* gnutls_record_recv_early_data: Core TLS API. (line 6329) ++* gnutls_record_recv_packet: Core TLS API. (line 6357) + * gnutls_record_recv_seq: Data transfer and termination. + (line 108) +-* gnutls_record_recv_seq <1>: Core TLS API. (line 6304) ++* gnutls_record_recv_seq <1>: Core TLS API. (line 6381) + * gnutls_record_send: Data transfer and termination. + (line 12) +-* gnutls_record_send <1>: Core TLS API. (line 6331) ++* gnutls_record_send <1>: Core TLS API. (line 6408) + * gnutls_record_send2: On Record Padding. (line 23) +-* gnutls_record_send2 <1>: Core TLS API. (line 6375) +-* gnutls_record_send_early_data: Core TLS API. (line 6408) +-* gnutls_record_send_range: Core TLS API. (line 6436) +-* gnutls_record_set_max_early_data_size: Core TLS API. (line 6465) +-* gnutls_record_set_max_recv_size: Core TLS API. (line 6484) +-* gnutls_record_set_max_size: Core TLS API. (line 6506) +-* gnutls_record_set_state: Core TLS API. (line 6535) +-* gnutls_record_set_timeout: Core TLS API. (line 6556) ++* gnutls_record_send2 <1>: Core TLS API. (line 6452) ++* gnutls_record_send_early_data: Core TLS API. (line 6485) ++* gnutls_record_send_range: Core TLS API. (line 6513) ++* gnutls_record_set_max_early_data_size: Core TLS API. (line 6542) ++* gnutls_record_set_max_recv_size: Core TLS API. (line 6561) ++* gnutls_record_set_max_size: Core TLS API. (line 6583) ++* gnutls_record_set_state: Core TLS API. (line 6612) ++* gnutls_record_set_timeout: Core TLS API. (line 6633) + * gnutls_record_uncork: Buffered data transfer. + (line 23) +-* gnutls_record_uncork <1>: Core TLS API. (line 6575) ++* gnutls_record_uncork <1>: Core TLS API. (line 6652) + * gnutls_register_custom_url: Application-specific keys. + (line 69) + * gnutls_register_custom_url <1>: Abstract key API. (line 2724) + * gnutls_rehandshake: TLS 1.2 re-authentication. + (line 70) +-* gnutls_rehandshake <1>: Core TLS API. (line 6600) ++* gnutls_rehandshake <1>: Core TLS API. 
(line 6677) + * gnutls_rnd: Random number generation. + (line 21) + * gnutls_rnd <1>: Cryptographic API. (line 1108) + * gnutls_rnd_refresh: Cryptographic API. (line 1130) + * gnutls_safe_renegotiation_status: TLS 1.2 re-authentication. + (line 44) +-* gnutls_safe_renegotiation_status <1>: Core TLS API. (line 6640) +-* gnutls_sec_param_get_name: Core TLS API. (line 6655) ++* gnutls_safe_renegotiation_status <1>: Core TLS API. (line 6717) ++* gnutls_sec_param_get_name: Core TLS API. (line 6732) + * gnutls_sec_param_to_pk_bits: Selecting cryptographic key sizes. + (line 75) +-* gnutls_sec_param_to_pk_bits <1>: Core TLS API. (line 6669) +-* gnutls_sec_param_to_symmetric_bits: Core TLS API. (line 6688) +-* gnutls_server_name_get: Core TLS API. (line 6702) +-* gnutls_server_name_set: Core TLS API. (line 6741) +-* gnutls_session_channel_binding: Core TLS API. (line 6772) +-* gnutls_session_enable_compatibility_mode: Core TLS API. (line 6793) +-* gnutls_session_etm_status: Core TLS API. (line 6813) +-* gnutls_session_ext_master_secret_status: Core TLS API. (line 6826) +-* gnutls_session_ext_register: Core TLS API. (line 6840) +-* gnutls_session_force_valid: Core TLS API. (line 6896) +-* gnutls_session_get_data: Core TLS API. (line 6907) +-* gnutls_session_get_data2: Core TLS API. (line 6927) +-* gnutls_session_get_desc: Core TLS API. (line 6975) +-* gnutls_session_get_flags: Core TLS API. (line 6992) +-* gnutls_session_get_id: Core TLS API. (line 7011) ++* gnutls_sec_param_to_pk_bits <1>: Core TLS API. (line 6746) ++* gnutls_sec_param_to_symmetric_bits: Core TLS API. (line 6765) ++* gnutls_server_name_get: Core TLS API. (line 6779) ++* gnutls_server_name_set: Core TLS API. (line 6818) ++* gnutls_session_channel_binding: Core TLS API. (line 6849) ++* gnutls_session_enable_compatibility_mode: Core TLS API. (line 6870) ++* gnutls_session_etm_status: Core TLS API. (line 6890) ++* gnutls_session_ext_master_secret_status: Core TLS API. 
(line 6903) ++* gnutls_session_ext_register: Core TLS API. (line 6917) ++* gnutls_session_force_valid: Core TLS API. (line 6973) ++* gnutls_session_get_data: Core TLS API. (line 6984) ++* gnutls_session_get_data2: Core TLS API. (line 7004) ++* gnutls_session_get_desc: Core TLS API. (line 7052) ++* gnutls_session_get_flags: Core TLS API. (line 7069) ++* gnutls_session_get_id: Core TLS API. (line 7088) + * gnutls_session_get_id2: Session resumption. (line 49) +-* gnutls_session_get_id2 <1>: Core TLS API. (line 7045) +-* gnutls_session_get_keylog_function: Core TLS API. (line 7078) +-* gnutls_session_get_master_secret: Core TLS API. (line 7092) +-* gnutls_session_get_ptr: Core TLS API. (line 7108) +-* gnutls_session_get_random: Core TLS API. (line 7120) +-* gnutls_session_get_verify_cert_status: Core TLS API. (line 7140) ++* gnutls_session_get_id2 <1>: Core TLS API. (line 7122) ++* gnutls_session_get_keylog_function: Core TLS API. (line 7155) ++* gnutls_session_get_master_secret: Core TLS API. (line 7169) ++* gnutls_session_get_ptr: Core TLS API. (line 7185) ++* gnutls_session_get_random: Core TLS API. (line 7197) ++* gnutls_session_get_verify_cert_status: Core TLS API. (line 7217) + * gnutls_session_is_resumed: Session resumption. (line 40) +-* gnutls_session_is_resumed <1>: Core TLS API. (line 7160) +-* gnutls_session_key_update: Core TLS API. (line 7172) ++* gnutls_session_is_resumed <1>: Core TLS API. (line 7237) ++* gnutls_session_key_update: Core TLS API. (line 7249) + * gnutls_session_resumption_requested: Session resumption. (line 150) +-* gnutls_session_resumption_requested <1>: Core TLS API. (line 7199) +-* gnutls_session_set_data: Core TLS API. (line 7212) +-* gnutls_session_set_id: Core TLS API. (line 7235) +-* gnutls_session_set_keylog_function: Core TLS API. (line 7256) +-* gnutls_session_set_premaster: Core TLS API. (line 7270) +-* gnutls_session_set_ptr: Core TLS API. (line 7305) ++* gnutls_session_resumption_requested <1>: Core TLS API. 
(line 7276) ++* gnutls_session_set_data: Core TLS API. (line 7289) ++* gnutls_session_set_id: Core TLS API. (line 7312) ++* gnutls_session_set_keylog_function: Core TLS API. (line 7333) ++* gnutls_session_set_premaster: Core TLS API. (line 7347) ++* gnutls_session_set_ptr: Core TLS API. (line 7382) + * gnutls_session_set_verify_cert: Certificate credentials. + (line 267) +-* gnutls_session_set_verify_cert <1>: Core TLS API. (line 7318) +-* gnutls_session_set_verify_cert2: Core TLS API. (line 7351) +-* gnutls_session_set_verify_function: Core TLS API. (line 7383) ++* gnutls_session_set_verify_cert <1>: Core TLS API. (line 7395) ++* gnutls_session_set_verify_cert2: Core TLS API. (line 7428) ++* gnutls_session_set_verify_function: Core TLS API. (line 7460) + * gnutls_session_set_verify_output_function: X509 certificate API. + (line 152) +-* gnutls_session_supplemental_register: Core TLS API. (line 7412) +-* gnutls_session_ticket_enable_client: Core TLS API. (line 7448) ++* gnutls_session_supplemental_register: Core TLS API. (line 7489) ++* gnutls_session_ticket_enable_client: Core TLS API. (line 7525) + * gnutls_session_ticket_enable_server: Session resumption. (line 117) +-* gnutls_session_ticket_enable_server <1>: Core TLS API. (line 7464) ++* gnutls_session_ticket_enable_server <1>: Core TLS API. (line 7541) + * gnutls_session_ticket_key_generate: Session resumption. (line 137) +-* gnutls_session_ticket_key_generate <1>: Core TLS API. (line 7487) ++* gnutls_session_ticket_key_generate <1>: Core TLS API. (line 7564) + * gnutls_session_ticket_send: Session resumption. (line 170) +-* gnutls_session_ticket_send <1>: Core TLS API. (line 7503) +-* gnutls_set_default_priority: Core TLS API. (line 7521) +-* gnutls_set_default_priority_append: Core TLS API. (line 7547) +-* gnutls_sign_algorithm_get: Core TLS API. (line 7583) +-* gnutls_sign_algorithm_get_client: Core TLS API. (line 7597) +-* gnutls_sign_algorithm_get_requested: Core TLS API. 
(line 7612) +-* gnutls_sign_get_hash_algorithm: Core TLS API. (line 7639) +-* gnutls_sign_get_id: Core TLS API. (line 7654) +-* gnutls_sign_get_name: Core TLS API. (line 7666) +-* gnutls_sign_get_oid: Core TLS API. (line 7678) +-* gnutls_sign_get_pk_algorithm: Core TLS API. (line 7692) +-* gnutls_sign_is_secure: Core TLS API. (line 7710) +-* gnutls_sign_is_secure2: Core TLS API. (line 7720) +-* gnutls_sign_list: Core TLS API. (line 7732) +-* gnutls_sign_supports_pk_algorithm: Core TLS API. (line 7743) +-* gnutls_srp_allocate_client_credentials: Core TLS API. (line 7761) +-* gnutls_srp_allocate_server_credentials: Core TLS API. (line 7773) +-* gnutls_srp_base64_decode: Core TLS API. (line 7785) +-* gnutls_srp_base64_decode2: Core TLS API. (line 7807) +-* gnutls_srp_base64_encode: Core TLS API. (line 7827) +-* gnutls_srp_base64_encode2: Core TLS API. (line 7849) +-* gnutls_srp_free_client_credentials: Core TLS API. (line 7870) +-* gnutls_srp_free_server_credentials: Core TLS API. (line 7879) +-* gnutls_srp_server_get_username: Core TLS API. (line 7888) +-* gnutls_srp_set_client_credentials: Core TLS API. (line 7901) ++* gnutls_session_ticket_send <1>: Core TLS API. (line 7580) ++* gnutls_set_default_priority: Core TLS API. (line 7598) ++* gnutls_set_default_priority_append: Core TLS API. (line 7624) ++* gnutls_sign_algorithm_get: Core TLS API. (line 7660) ++* gnutls_sign_algorithm_get_client: Core TLS API. (line 7674) ++* gnutls_sign_algorithm_get_requested: Core TLS API. (line 7689) ++* gnutls_sign_get_hash_algorithm: Core TLS API. (line 7716) ++* gnutls_sign_get_id: Core TLS API. (line 7731) ++* gnutls_sign_get_name: Core TLS API. (line 7743) ++* gnutls_sign_get_oid: Core TLS API. (line 7755) ++* gnutls_sign_get_pk_algorithm: Core TLS API. (line 7769) ++* gnutls_sign_is_secure: Core TLS API. (line 7787) ++* gnutls_sign_is_secure2: Core TLS API. (line 7797) ++* gnutls_sign_list: Core TLS API. (line 7809) ++* gnutls_sign_mark_insecure: Core TLS API. 
(line 7820) ++* gnutls_sign_mark_secure: Core TLS API. (line 7838) ++* gnutls_sign_supports_pk_algorithm: Core TLS API. (line 7859) ++* gnutls_srp_allocate_client_credentials: Core TLS API. (line 7877) ++* gnutls_srp_allocate_server_credentials: Core TLS API. (line 7889) ++* gnutls_srp_base64_decode: Core TLS API. (line 7901) ++* gnutls_srp_base64_decode2: Core TLS API. (line 7923) ++* gnutls_srp_base64_encode: Core TLS API. (line 7943) ++* gnutls_srp_base64_encode2: Core TLS API. (line 7965) ++* gnutls_srp_free_client_credentials: Core TLS API. (line 7986) ++* gnutls_srp_free_server_credentials: Core TLS API. (line 7995) ++* gnutls_srp_server_get_username: Core TLS API. (line 8004) ++* gnutls_srp_set_client_credentials: Core TLS API. (line 8017) + * gnutls_srp_set_client_credentials_function: SRP credentials. + (line 19) + * gnutls_srp_set_client_credentials_function <1>: Core TLS API. +- (line 7924) +-* gnutls_srp_set_prime_bits: Core TLS API. (line 7957) ++ (line 8040) ++* gnutls_srp_set_prime_bits: Core TLS API. (line 8073) + * gnutls_srp_set_server_credentials_file: SRP credentials. (line 56) +-* gnutls_srp_set_server_credentials_file <1>: Core TLS API. (line 7978) ++* gnutls_srp_set_server_credentials_file <1>: Core TLS API. (line 8094) + * gnutls_srp_set_server_credentials_function: SRP credentials. + (line 72) + * gnutls_srp_set_server_credentials_function <1>: Core TLS API. +- (line 7997) +-* gnutls_srp_set_server_fake_salt_seed: Core TLS API. (line 8035) ++ (line 8113) ++* gnutls_srp_set_server_fake_salt_seed: Core TLS API. (line 8151) + * gnutls_srp_verifier: Authentication using SRP. + (line 45) +-* gnutls_srp_verifier <1>: Core TLS API. (line 8072) ++* gnutls_srp_verifier <1>: Core TLS API. (line 8188) + * gnutls_srtp_get_keys: SRTP. (line 31) +-* gnutls_srtp_get_keys <1>: Core TLS API. (line 8101) +-* gnutls_srtp_get_mki: Core TLS API. (line 8139) +-* gnutls_srtp_get_profile_id: Core TLS API. (line 8157) +-* gnutls_srtp_get_profile_name: Core TLS API. 
(line 8173) +-* gnutls_srtp_get_selected_profile: Core TLS API. (line 8188) +-* gnutls_srtp_set_mki: Core TLS API. (line 8204) +-* gnutls_srtp_set_profile: Core TLS API. (line 8221) +-* gnutls_srtp_set_profile_direct: Core TLS API. (line 8238) ++* gnutls_srtp_get_keys <1>: Core TLS API. (line 8217) ++* gnutls_srtp_get_mki: Core TLS API. (line 8255) ++* gnutls_srtp_get_profile_id: Core TLS API. (line 8273) ++* gnutls_srtp_get_profile_name: Core TLS API. (line 8289) ++* gnutls_srtp_get_selected_profile: Core TLS API. (line 8304) ++* gnutls_srtp_set_mki: Core TLS API. (line 8320) ++* gnutls_srtp_set_profile: Core TLS API. (line 8337) ++* gnutls_srtp_set_profile_direct: Core TLS API. (line 8354) + * gnutls_store_commitment: Certificate verification. + (line 115) +-* gnutls_store_commitment <1>: Core TLS API. (line 8259) ++* gnutls_store_commitment <1>: Core TLS API. (line 8375) + * gnutls_store_pubkey: Certificate verification. + (line 64) +-* gnutls_store_pubkey <1>: Core TLS API. (line 8299) +-* gnutls_strerror: Core TLS API. (line 8348) +-* gnutls_strerror_name: Core TLS API. (line 8362) ++* gnutls_store_pubkey <1>: Core TLS API. (line 8415) ++* gnutls_strerror: Core TLS API. (line 8464) ++* gnutls_strerror_name: Core TLS API. (line 8478) + * gnutls_subject_alt_names_deinit: X509 certificate API. + (line 181) + * gnutls_subject_alt_names_get: X509 certificate API. +@@ -8522,22 +8530,22 @@ + (line 221) + * gnutls_subject_alt_names_set: X509 certificate API. + (line 235) +-* gnutls_supplemental_get_name: Core TLS API. (line 8377) +-* gnutls_supplemental_recv: Core TLS API. (line 8390) +-* gnutls_supplemental_register: Core TLS API. (line 8405) +-* gnutls_supplemental_send: Core TLS API. (line 8436) ++* gnutls_supplemental_get_name: Core TLS API. (line 8493) ++* gnutls_supplemental_recv: Core TLS API. (line 8506) ++* gnutls_supplemental_register: Core TLS API. (line 8521) ++* gnutls_supplemental_send: Core TLS API. 
(line 8552) + * gnutls_system_key_add_x509: Abstract key API. (line 2750) + * gnutls_system_key_delete: Abstract key API. (line 2776) + * gnutls_system_key_iter_deinit: Abstract key API. (line 2792) + * gnutls_system_key_iter_get_info: Application-specific keys. + (line 20) + * gnutls_system_key_iter_get_info <1>: Abstract key API. (line 2803) +-* gnutls_system_recv_timeout: Core TLS API. (line 8450) +-* gnutls_tdb_deinit: Core TLS API. (line 8473) +-* gnutls_tdb_init: Core TLS API. (line 8482) +-* gnutls_tdb_set_store_commitment_func: Core TLS API. (line 8493) +-* gnutls_tdb_set_store_func: Core TLS API. (line 8513) +-* gnutls_tdb_set_verify_func: Core TLS API. (line 8532) ++* gnutls_system_recv_timeout: Core TLS API. (line 8566) ++* gnutls_tdb_deinit: Core TLS API. (line 8589) ++* gnutls_tdb_init: Core TLS API. (line 8598) ++* gnutls_tdb_set_store_commitment_func: Core TLS API. (line 8609) ++* gnutls_tdb_set_store_func: Core TLS API. (line 8629) ++* gnutls_tdb_set_verify_func: Core TLS API. (line 8648) + * gnutls_tpm_get_registered: TPM API. (line 12) + * gnutls_tpm_key_list_deinit: TPM API. (line 27) + * gnutls_tpm_key_list_get_url: TPM API. (line 38) +@@ -8546,44 +8554,44 @@ + * gnutls_tpm_privkey_delete <2>: TPM API. (line 60) + * gnutls_tpm_privkey_generate: Key generation. (line 9) + * gnutls_tpm_privkey_generate <1>: TPM API. (line 76) +-* gnutls_transport_get_int: Core TLS API. (line 8554) +-* gnutls_transport_get_int2: Core TLS API. (line 8568) +-* gnutls_transport_get_ptr: Core TLS API. (line 8585) +-* gnutls_transport_get_ptr2: Core TLS API. (line 8598) ++* gnutls_transport_get_int: Core TLS API. (line 8670) ++* gnutls_transport_get_int2: Core TLS API. (line 8684) ++* gnutls_transport_get_ptr: Core TLS API. (line 8701) ++* gnutls_transport_get_ptr2: Core TLS API. (line 8714) + * gnutls_transport_set_errno: Setting up the transport layer. + (line 116) +-* gnutls_transport_set_errno <1>: Core TLS API. 
(line 8614) +-* gnutls_transport_set_errno_function: Core TLS API. (line 8637) ++* gnutls_transport_set_errno <1>: Core TLS API. (line 8730) ++* gnutls_transport_set_errno_function: Core TLS API. (line 8753) + * gnutls_transport_set_fastopen: Reducing round-trips. + (line 22) + * gnutls_transport_set_fastopen <1>: Socket specific API. + (line 11) +-* gnutls_transport_set_int: Core TLS API. (line 8655) +-* gnutls_transport_set_int2: Core TLS API. (line 8673) +-* gnutls_transport_set_ptr: Core TLS API. (line 8695) +-* gnutls_transport_set_ptr2: Core TLS API. (line 8708) ++* gnutls_transport_set_int: Core TLS API. (line 8771) ++* gnutls_transport_set_int2: Core TLS API. (line 8789) ++* gnutls_transport_set_ptr: Core TLS API. (line 8811) ++* gnutls_transport_set_ptr2: Core TLS API. (line 8824) + * gnutls_transport_set_pull_function: Setting up the transport layer. + (line 56) +-* gnutls_transport_set_pull_function <1>: Core TLS API. (line 8725) ++* gnutls_transport_set_pull_function <1>: Core TLS API. (line 8841) + * gnutls_transport_set_pull_timeout_function: Setting up the transport layer. + (line 71) + * gnutls_transport_set_pull_timeout_function <1>: Setting up the transport layer. + (line 156) + * gnutls_transport_set_pull_timeout_function <2>: Core TLS API. +- (line 8743) ++ (line 8859) + * gnutls_transport_set_push_function: Setting up the transport layer. + (line 23) +-* gnutls_transport_set_push_function <1>: Core TLS API. (line 8783) ++* gnutls_transport_set_push_function <1>: Core TLS API. (line 8899) + * gnutls_transport_set_vec_push_function: Setting up the transport layer. + (line 40) +-* gnutls_transport_set_vec_push_function <1>: Core TLS API. (line 8803) ++* gnutls_transport_set_vec_push_function <1>: Core TLS API. (line 8919) + * gnutls_url_is_supported: Abstract public keys. + (line 57) +-* gnutls_url_is_supported <1>: Core TLS API. (line 8822) +-* gnutls_utf8_password_normalize: Core TLS API. 
(line 8836) ++* gnutls_url_is_supported <1>: Core TLS API. (line 8938) ++* gnutls_utf8_password_normalize: Core TLS API. (line 8952) + * gnutls_verify_stored_pubkey: Certificate verification. + (line 18) +-* gnutls_verify_stored_pubkey <1>: Core TLS API. (line 8861) ++* gnutls_verify_stored_pubkey <1>: Core TLS API. (line 8977) + * gnutls_x509_aia_deinit: X509 certificate API. + (line 262) + * gnutls_x509_aia_get: X509 certificate API. +diff -ruN gnutls-3.7.2/doc/invoke-p11tool.texi gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi +--- gnutls-3.7.2/doc/invoke-p11tool.texi 2021-05-29 10:19:05.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi 2021-06-28 09:39:25.000000000 +0200 +@@ -403,8 +403,9 @@ + @anchor{p11tool write} + + This is the ``writes the loaded objects to a pkcs #11 token'' option. +-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with +- one of --load-privkey, --load-pubkey, --load-certificate option. ++It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option. ++ ++When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand. + @subsubheading id option. 
+ @anchor{p11tool id} + +diff -ruN gnutls-3.7.2/doc/Makefile.am gnutls-3.7.2-bootstrapped/doc/Makefile.am +--- gnutls-3.7.2/doc/Makefile.am 2021-05-27 08:08:22.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/Makefile.am 2021-06-28 09:09:14.000000000 +0200 +@@ -974,6 +974,10 @@ + FUNCS += functions/gnutls_digest_get_oid.short + FUNCS += functions/gnutls_digest_list + FUNCS += functions/gnutls_digest_list.short ++FUNCS += functions/gnutls_digest_mark_insecure ++FUNCS += functions/gnutls_digest_mark_insecure.short ++FUNCS += functions/gnutls_digest_mark_secure ++FUNCS += functions/gnutls_digest_mark_secure.short + FUNCS += functions/gnutls_dtls_cookie_send + FUNCS += functions/gnutls_dtls_cookie_send.short + FUNCS += functions/gnutls_dtls_cookie_verify +@@ -1010,6 +1014,10 @@ + FUNCS += functions/gnutls_ecc_curve_get_size.short + FUNCS += functions/gnutls_ecc_curve_list + FUNCS += functions/gnutls_ecc_curve_list.short ++FUNCS += functions/gnutls_ecc_curve_mark_disabled ++FUNCS += functions/gnutls_ecc_curve_mark_disabled.short ++FUNCS += functions/gnutls_ecc_curve_mark_enabled ++FUNCS += functions/gnutls_ecc_curve_mark_enabled.short + FUNCS += functions/gnutls_encode_ber_digest_info + FUNCS += functions/gnutls_encode_ber_digest_info.short + FUNCS += functions/gnutls_encode_gost_rs_value +@@ -1730,6 +1738,10 @@ + FUNCS += functions/gnutls_protocol_get_version.short + FUNCS += functions/gnutls_protocol_list + FUNCS += functions/gnutls_protocol_list.short ++FUNCS += functions/gnutls_protocol_mark_disabled ++FUNCS += functions/gnutls_protocol_mark_disabled.short ++FUNCS += functions/gnutls_protocol_mark_enabled ++FUNCS += functions/gnutls_protocol_mark_enabled.short + FUNCS += functions/gnutls_psk_allocate_client_credentials + FUNCS += functions/gnutls_psk_allocate_client_credentials.short + FUNCS += functions/gnutls_psk_allocate_server_credentials +@@ -2024,6 +2036,10 @@ + FUNCS += functions/gnutls_sign_is_secure2.short + FUNCS += functions/gnutls_sign_list + FUNCS += 
functions/gnutls_sign_list.short ++FUNCS += functions/gnutls_sign_mark_insecure ++FUNCS += functions/gnutls_sign_mark_insecure.short ++FUNCS += functions/gnutls_sign_mark_secure ++FUNCS += functions/gnutls_sign_mark_secure.short + FUNCS += functions/gnutls_sign_supports_pk_algorithm + FUNCS += functions/gnutls_sign_supports_pk_algorithm.short + FUNCS += functions/gnutls_srp_allocate_client_credentials +diff -ruN gnutls-3.7.2/doc/Makefile.in gnutls-3.7.2-bootstrapped/doc/Makefile.in +--- gnutls-3.7.2/doc/Makefile.in 2021-05-29 10:11:20.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/Makefile.in 2021-06-28 09:11:37.000000000 +0200 +@@ -2697,6 +2697,10 @@ + functions/gnutls_digest_get_oid.short \ + functions/gnutls_digest_list \ + functions/gnutls_digest_list.short \ ++ functions/gnutls_digest_mark_insecure \ ++ functions/gnutls_digest_mark_insecure.short \ ++ functions/gnutls_digest_mark_secure \ ++ functions/gnutls_digest_mark_secure.short \ + functions/gnutls_dtls_cookie_send \ + functions/gnutls_dtls_cookie_send.short \ + functions/gnutls_dtls_cookie_verify \ +@@ -2733,6 +2737,10 @@ + functions/gnutls_ecc_curve_get_size.short \ + functions/gnutls_ecc_curve_list \ + functions/gnutls_ecc_curve_list.short \ ++ functions/gnutls_ecc_curve_mark_disabled \ ++ functions/gnutls_ecc_curve_mark_disabled.short \ ++ functions/gnutls_ecc_curve_mark_enabled \ ++ functions/gnutls_ecc_curve_mark_enabled.short \ + functions/gnutls_encode_ber_digest_info \ + functions/gnutls_encode_ber_digest_info.short \ + functions/gnutls_encode_gost_rs_value \ +@@ -3403,6 +3411,10 @@ + functions/gnutls_protocol_get_version.short \ + functions/gnutls_protocol_list \ + functions/gnutls_protocol_list.short \ ++ functions/gnutls_protocol_mark_disabled \ ++ functions/gnutls_protocol_mark_disabled.short \ ++ functions/gnutls_protocol_mark_enabled \ ++ functions/gnutls_protocol_mark_enabled.short \ + functions/gnutls_psk_allocate_client_credentials \ + 
functions/gnutls_psk_allocate_client_credentials.short \ + functions/gnutls_psk_allocate_server_credentials \ +@@ -3692,6 +3704,10 @@ + functions/gnutls_sign_is_secure2 \ + functions/gnutls_sign_is_secure2.short \ + functions/gnutls_sign_list functions/gnutls_sign_list.short \ ++ functions/gnutls_sign_mark_insecure \ ++ functions/gnutls_sign_mark_insecure.short \ ++ functions/gnutls_sign_mark_secure \ ++ functions/gnutls_sign_mark_secure.short \ + functions/gnutls_sign_supports_pk_algorithm \ + functions/gnutls_sign_supports_pk_algorithm.short \ + functions/gnutls_srp_allocate_client_credentials \ +diff -ruN gnutls-3.7.2/doc/manpages/certtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1 +--- gnutls-3.7.2/doc/manpages/certtool.1 2021-05-29 10:15:21.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1 2021-06-28 09:35:22.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH certtool 1 "29 May 2021" "3.7.2" "User Commands" ++.TH certtool 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +diff -ruN gnutls-3.7.2/doc/manpages/danetool.1 gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1 +--- gnutls-3.7.2/doc/manpages/danetool.1 2021-05-29 10:15:24.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1 2021-06-28 09:35:24.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH danetool 1 "29 May 2021" "3.7.2" "User Commands" ++.TH danetool 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1 +--- gnutls-3.7.2/doc/manpages/gnutls-cli.1 2021-05-29 10:15:21.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1 2021-06-28 09:35:22.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH gnutls-cli 1 "29 May 2021" "3.7.2" "User Commands" ++.TH 
gnutls-cli 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1 +--- gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 2021-05-29 10:15:21.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1 2021-06-28 09:35:22.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH gnutls-cli-debug 1 "29 May 2021" "3.7.2" "User Commands" ++.TH gnutls-cli-debug 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3 +--- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 1970-01-01 01:00:00.000000000 +0100 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3 2021-06-28 09:35:39.000000000 +0200 +@@ -0,0 +1,36 @@ ++.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. ++.TH "gnutls_digest_mark_insecure" 3 "3.7.2" "gnutls" "gnutls" ++.SH NAME ++gnutls_digest_mark_insecure \- API function ++.SH SYNOPSIS ++.B #include ++.sp ++.BI "int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t " dig ");" ++.SH ARGUMENTS ++.IP "gnutls_digest_algorithm_t dig" 12 ++is a digest algorithm ++.SH "DESCRIPTION" ++Mark \fIdig\fP as insecure system wide. This only works if the allowlisting mode ++is used in the configuration file. ++.SH "SINCE" ++3.7.3 ++.SH "REPORTING BUGS" ++Report bugs to . ++.br ++Home page: https://www.gnutls.org ++ ++.SH COPYRIGHT ++Copyright \(co 2001- Free Software Foundation, Inc., and others. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. 
++If the /usr/share/doc/gnutls/ ++directory does not contain the HTML form visit ++.B ++.IP https://www.gnutls.org/manual/ ++.PP +diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3 +--- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 1970-01-01 01:00:00.000000000 +0100 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3 2021-06-28 09:35:39.000000000 +0200 +@@ -0,0 +1,36 @@ ++.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. ++.TH "gnutls_digest_mark_secure" 3 "3.7.2" "gnutls" "gnutls" ++.SH NAME ++gnutls_digest_mark_secure \- API function ++.SH SYNOPSIS ++.B #include ++.sp ++.BI "int gnutls_digest_mark_secure(gnutls_digest_algorithm_t " dig ");" ++.SH ARGUMENTS ++.IP "gnutls_digest_algorithm_t dig" 12 ++is a digest algorithm ++.SH "DESCRIPTION" ++Invalidate previous system wide setting that marked \fIdig\fP as insecure. This ++only works if the allowlisting mode is used in the configuration file. ++.SH "SINCE" ++3.7.3 ++.SH "REPORTING BUGS" ++Report bugs to . ++.br ++Home page: https://www.gnutls.org ++ ++.SH COPYRIGHT ++Copyright \(co 2001- Free Software Foundation, Inc., and others. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. 
++If the /usr/share/doc/gnutls/ ++directory does not contain the HTML form visit ++.B ++.IP https://www.gnutls.org/manual/ ++.PP +diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3 +--- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 1970-01-01 01:00:00.000000000 +0100 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3 2021-06-28 09:35:38.000000000 +0200 +@@ -0,0 +1,39 @@ ++.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. ++.TH "gnutls_ecc_curve_mark_disabled" 3 "3.7.2" "gnutls" "gnutls" ++.SH NAME ++gnutls_ecc_curve_mark_disabled \- API function ++.SH SYNOPSIS ++.B #include ++.sp ++.BI "int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t " curve ");" ++.SH ARGUMENTS ++.IP "gnutls_ecc_curve_t curve" 12 ++is an ECC curve ++.SH "DESCRIPTION" ++Mark \fIcurve\fP as disabled system wide. This setting can be reverted with ++\fBgnutls_ecc_curve_mark_enabled()\fP. This only works if the configuration file ++uses the allowlisting mode. ++.SH "RETURNS" ++0 on success or negative error code otherwise. ++.SH "SINCE" ++3.7.3 ++.SH "REPORTING BUGS" ++Report bugs to . ++.br ++Home page: https://www.gnutls.org ++ ++.SH COPYRIGHT ++Copyright \(co 2001- Free Software Foundation, Inc., and others. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. 
++If the /usr/share/doc/gnutls/ ++directory does not contain the HTML form visit ++.B ++.IP https://www.gnutls.org/manual/ ++.PP +diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3 +--- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 1970-01-01 01:00:00.000000000 +0100 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3 2021-06-28 09:35:39.000000000 +0200 +@@ -0,0 +1,39 @@ ++.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. ++.TH "gnutls_ecc_curve_mark_enabled" 3 "3.7.2" "gnutls" "gnutls" ++.SH NAME ++gnutls_ecc_curve_mark_enabled \- API function ++.SH SYNOPSIS ++.B #include ++.sp ++.BI "int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t " curve ");" ++.SH ARGUMENTS ++.IP "gnutls_ecc_curve_t curve" 12 ++is an ECC curve ++.SH "DESCRIPTION" ++Invalidate previous system wide setting that marked \fIcurve\fP as disabled. This ++only works if the curve is disabled with \fBgnutls_ecc_curve_mark_disabled()\fP or ++through the allowlisting mode in the configuration file. ++.SH "RETURNS" ++0 on success or negative error code otherwise. ++.SH "SINCE" ++3.7.3 ++.SH "REPORTING BUGS" ++Report bugs to . ++.br ++Home page: https://www.gnutls.org ++ ++.SH COPYRIGHT ++Copyright \(co 2001- Free Software Foundation, Inc., and others. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. 
++If the /usr/share/doc/gnutls/ ++directory does not contain the HTML form visit ++.B ++.IP https://www.gnutls.org/manual/ ++.PP +diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3 +--- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 1970-01-01 01:00:00.000000000 +0100 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3 2021-06-28 09:35:39.000000000 +0200 +@@ -0,0 +1,34 @@ ++.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. ++.TH "gnutls_protocol_mark_disabled" 3 "3.7.2" "gnutls" "gnutls" ++.SH NAME ++gnutls_protocol_mark_disabled \- API function ++.SH SYNOPSIS ++.B #include ++.sp ++.BI "int gnutls_protocol_mark_disabled(gnutls_protocol_t " version ");" ++.SH ARGUMENTS ++.IP "gnutls_protocol_t version" 12 ++is a (gnutls) version number ++.SH "DESCRIPTION" ++Mark \fIversion\fP as disabled system wide. This only works if the allowlisting ++mode is used in the configuration file. ++.SH "REPORTING BUGS" ++Report bugs to . ++.br ++Home page: https://www.gnutls.org ++ ++.SH COPYRIGHT ++Copyright \(co 2001- Free Software Foundation, Inc., and others. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. ++If the /usr/share/doc/gnutls/ ++directory does not contain the HTML form visit ++.B ++.IP https://www.gnutls.org/manual/ ++.PP +diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3 +--- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 1970-01-01 01:00:00.000000000 +0100 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3 2021-06-28 09:35:40.000000000 +0200 +@@ -0,0 +1,35 @@ ++.\" DO NOT MODIFY THIS FILE! 
It was generated by gdoc. ++.TH "gnutls_protocol_mark_enabled" 3 "3.7.2" "gnutls" "gnutls" ++.SH NAME ++gnutls_protocol_mark_enabled \- API function ++.SH SYNOPSIS ++.B #include ++.sp ++.BI "int gnutls_protocol_mark_enabled(gnutls_protocol_t " version ");" ++.SH ARGUMENTS ++.IP "gnutls_protocol_t version" 12 ++is a (gnutls) version number ++.SH "DESCRIPTION" ++Invalidate previous system wide setting that marked \fIversion\fP as ++disabled. This only works if the allowlisting mode is used in the ++configuration file. ++.SH "REPORTING BUGS" ++Report bugs to . ++.br ++Home page: https://www.gnutls.org ++ ++.SH COPYRIGHT ++Copyright \(co 2001- Free Software Foundation, Inc., and others. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. ++If the /usr/share/doc/gnutls/ ++directory does not contain the HTML form visit ++.B ++.IP https://www.gnutls.org/manual/ ++.PP +diff -ruN gnutls-3.7.2/doc/manpages/gnutls-serv.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1 +--- gnutls-3.7.2/doc/manpages/gnutls-serv.1 2021-05-29 10:15:21.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1 2021-06-28 09:35:22.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH gnutls-serv 1 "29 May 2021" "3.7.2" "User Commands" ++.TH gnutls-serv 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3 +--- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 1970-01-01 01:00:00.000000000 +0100 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3 2021-06-28 09:35:39.000000000 +0200 +@@ -0,0 +1,42 @@ ++.\" DO NOT MODIFY THIS FILE! 
It was generated by gdoc. ++.TH "gnutls_sign_mark_insecure" 3 "3.7.2" "gnutls" "gnutls" ++.SH NAME ++gnutls_sign_mark_insecure \- API function ++.SH SYNOPSIS ++.B #include ++.sp ++.BI "int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");" ++.SH ARGUMENTS ++.IP "gnutls_sign_algorithm_t sign" 12 ++the sign algorithm ++.IP "unsigned flags" 12 ++\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0 ++.SH "DESCRIPTION" ++Mark \fIsign\fP as insecure system wide. This only works if the ++allowlisting mode is used in the configuration file. ++ ++If \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set, ++and the algorithm was previously considered secure for all purposes, ++it only marks the algorithm as insecure for the use with certificates. ++.SH "SINCE" ++3.7.3 ++.SH "REPORTING BUGS" ++Report bugs to . ++.br ++Home page: https://www.gnutls.org ++ ++.SH COPYRIGHT ++Copyright \(co 2001- Free Software Foundation, Inc., and others. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. ++If the /usr/share/doc/gnutls/ ++directory does not contain the HTML form visit ++.B ++.IP https://www.gnutls.org/manual/ ++.PP +diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3 +--- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 1970-01-01 01:00:00.000000000 +0100 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3 2021-06-28 09:35:39.000000000 +0200 +@@ -0,0 +1,46 @@ ++.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. 
++.TH "gnutls_sign_mark_secure" 3 "3.7.2" "gnutls" "gnutls" ++.SH NAME ++gnutls_sign_mark_secure \- API function ++.SH SYNOPSIS ++.B #include ++.sp ++.BI "int gnutls_sign_mark_secure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");" ++.SH ARGUMENTS ++.IP "gnutls_sign_algorithm_t sign" 12 ++the sign algorithm ++.IP "unsigned flags" 12 ++\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0 ++.SH "DESCRIPTION" ++Invalidate previous system wide setting that marked \fIsign\fP as ++insecure. This only works if the algorithm is marked as insecure ++with \fBgnutls_sign_mark_insecure()\fP or through the allowlisting mode ++in the configuration file. ++ ++If \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set, ++it marks it the algorithm as secure for all purposes. ++If the absence of this flag, it will mark it as ++"secure, but not for certificates" at most, ++but it won't restrict anything either. ++.SH "SINCE" ++3.7.3 ++.SH "REPORTING BUGS" ++Report bugs to . ++.br ++Home page: https://www.gnutls.org ++ ++.SH COPYRIGHT ++Copyright \(co 2001- Free Software Foundation, Inc., and others. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. 
++If the /usr/share/doc/gnutls/ ++directory does not contain the HTML form visit ++.B ++.IP https://www.gnutls.org/manual/ ++.PP +diff -ruN gnutls-3.7.2/doc/manpages/Makefile.am gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am +--- gnutls-3.7.2/doc/manpages/Makefile.am 2021-05-27 08:08:22.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am 2021-06-28 09:09:14.000000000 +0200 +@@ -289,6 +289,8 @@ + APIMANS += gnutls_digest_get_name.3 + APIMANS += gnutls_digest_get_oid.3 + APIMANS += gnutls_digest_list.3 ++APIMANS += gnutls_digest_mark_insecure.3 ++APIMANS += gnutls_digest_mark_secure.3 + APIMANS += gnutls_dtls_cookie_send.3 + APIMANS += gnutls_dtls_cookie_verify.3 + APIMANS += gnutls_dtls_get_data_mtu.3 +@@ -307,6 +309,8 @@ + APIMANS += gnutls_ecc_curve_get_pk.3 + APIMANS += gnutls_ecc_curve_get_size.3 + APIMANS += gnutls_ecc_curve_list.3 ++APIMANS += gnutls_ecc_curve_mark_disabled.3 ++APIMANS += gnutls_ecc_curve_mark_enabled.3 + APIMANS += gnutls_encode_ber_digest_info.3 + APIMANS += gnutls_encode_gost_rs_value.3 + APIMANS += gnutls_encode_rs_value.3 +@@ -667,6 +671,8 @@ + APIMANS += gnutls_protocol_get_name.3 + APIMANS += gnutls_protocol_get_version.3 + APIMANS += gnutls_protocol_list.3 ++APIMANS += gnutls_protocol_mark_disabled.3 ++APIMANS += gnutls_protocol_mark_enabled.3 + APIMANS += gnutls_psk_allocate_client_credentials.3 + APIMANS += gnutls_psk_allocate_server_credentials.3 + APIMANS += gnutls_psk_client_get_hint.3 +@@ -814,6 +820,8 @@ + APIMANS += gnutls_sign_is_secure.3 + APIMANS += gnutls_sign_is_secure2.3 + APIMANS += gnutls_sign_list.3 ++APIMANS += gnutls_sign_mark_insecure.3 ++APIMANS += gnutls_sign_mark_secure.3 + APIMANS += gnutls_sign_supports_pk_algorithm.3 + APIMANS += gnutls_srp_allocate_client_credentials.3 + APIMANS += gnutls_srp_allocate_server_credentials.3 +diff -ruN gnutls-3.7.2/doc/manpages/Makefile.in gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in +--- gnutls-3.7.2/doc/manpages/Makefile.in 2021-05-29 
10:11:21.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in 2021-06-28 09:11:38.000000000 +0200 +@@ -2185,6 +2185,7 @@ + gnutls_dh_params_init.3 gnutls_dh_set_prime_bits.3 \ + gnutls_digest_get_id.3 gnutls_digest_get_name.3 \ + gnutls_digest_get_oid.3 gnutls_digest_list.3 \ ++ gnutls_digest_mark_insecure.3 gnutls_digest_mark_secure.3 \ + gnutls_dtls_cookie_send.3 gnutls_dtls_cookie_verify.3 \ + gnutls_dtls_get_data_mtu.3 gnutls_dtls_get_mtu.3 \ + gnutls_dtls_get_timeout.3 gnutls_dtls_prestate_set.3 \ +@@ -2194,6 +2195,8 @@ + gnutls_ecc_curve_get_id.3 gnutls_ecc_curve_get_name.3 \ + gnutls_ecc_curve_get_oid.3 gnutls_ecc_curve_get_pk.3 \ + gnutls_ecc_curve_get_size.3 gnutls_ecc_curve_list.3 \ ++ gnutls_ecc_curve_mark_disabled.3 \ ++ gnutls_ecc_curve_mark_enabled.3 \ + gnutls_encode_ber_digest_info.3 gnutls_encode_gost_rs_value.3 \ + gnutls_encode_rs_value.3 gnutls_error_is_fatal.3 \ + gnutls_error_to_alert.3 gnutls_est_record_overhead_size.3 \ +@@ -2399,7 +2402,8 @@ + gnutls_privkey_status.3 gnutls_privkey_verify_params.3 \ + gnutls_privkey_verify_seed.3 gnutls_protocol_get_id.3 \ + gnutls_protocol_get_name.3 gnutls_protocol_get_version.3 \ +- gnutls_protocol_list.3 \ ++ gnutls_protocol_list.3 gnutls_protocol_mark_disabled.3 \ ++ gnutls_protocol_mark_enabled.3 \ + gnutls_psk_allocate_client_credentials.3 \ + gnutls_psk_allocate_server_credentials.3 \ + gnutls_psk_client_get_hint.3 \ +@@ -2498,6 +2502,7 @@ + gnutls_sign_get_name.3 gnutls_sign_get_oid.3 \ + gnutls_sign_get_pk_algorithm.3 gnutls_sign_is_secure.3 \ + gnutls_sign_is_secure2.3 gnutls_sign_list.3 \ ++ gnutls_sign_mark_insecure.3 gnutls_sign_mark_secure.3 \ + gnutls_sign_supports_pk_algorithm.3 \ + gnutls_srp_allocate_client_credentials.3 \ + gnutls_srp_allocate_server_credentials.3 \ +diff -ruN gnutls-3.7.2/doc/manpages/ocsptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1 +--- gnutls-3.7.2/doc/manpages/ocsptool.1 2021-05-29 10:15:22.000000000 +0200 ++++ 
gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1 2021-06-28 09:35:23.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH ocsptool 1 "29 May 2021" "3.7.2" "User Commands" ++.TH ocsptool 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +diff -ruN gnutls-3.7.2/doc/manpages/p11tool.1 gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1 +--- gnutls-3.7.2/doc/manpages/p11tool.1 2021-05-29 10:15:22.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1 2021-06-28 09:35:23.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH p11tool 1 "29 May 2021" "3.7.2" "User Commands" ++.TH p11tool 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +@@ -230,8 +230,9 @@ + .NOP \f\*[B-Font]\-\-write\f[] + Writes the loaded objects to a PKCS #11 token. + .sp +-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with +- one of \--load-privkey, \--load-pubkey, \--load-certificate option. ++It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of \--load-privkey, \--load-pubkey, \--load-certificate option. ++.sp ++When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand. + .TP + .NOP \f\*[B-Font]\-\-delete\f[] + Deletes the objects matching the given PKCS #11 URL. 
+diff -ruN gnutls-3.7.2/doc/manpages/psktool.1 gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1 +--- gnutls-3.7.2/doc/manpages/psktool.1 2021-05-29 10:15:22.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1 2021-06-28 09:35:23.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH psktool 1 "29 May 2021" "3.7.2" "User Commands" ++.TH psktool 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +diff -ruN gnutls-3.7.2/doc/manpages/srptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1 +--- gnutls-3.7.2/doc/manpages/srptool.1 2021-05-29 10:15:24.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1 2021-06-28 09:35:24.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH srptool 1 "29 May 2021" "3.7.2" "User Commands" ++.TH srptool 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +diff -ruN gnutls-3.7.2/doc/manpages/tpmtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1 +--- gnutls-3.7.2/doc/manpages/tpmtool.1 2021-05-29 10:15:23.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1 2021-06-28 09:35:23.000000000 +0200 +@@ -10,7 +10,7 @@ + .ds B-Font B + .ds I-Font I + .ds R-Font R +-.TH tpmtool 1 "29 May 2021" "3.7.2" "User Commands" ++.TH tpmtool 1 "28 Jun 2021" "3.7.2" "User Commands" + .\" + .\" DO NOT EDIT THIS FILE (in-mem file) + .\" +diff -ruN gnutls-3.7.2/doc/reference/gnutls-sections.txt gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt +--- gnutls-3.7.2/doc/reference/gnutls-sections.txt 2021-05-29 10:23:22.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt 2021-06-28 09:56:37.000000000 +0200 +@@ -267,6 +267,8 @@ + encipher_type + GNUTLS_SIGN_FLAG_TLS13_OK + GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE ++GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE ++GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE + gnutls_sign_entry_st + 
gnutls_ecc_curve_entry_st + MAX_ECC_CURVE_SIZE +@@ -1486,6 +1488,14 @@ + gnutls_sign_algorithm_get_requested + gnutls_cipher_get_name + gnutls_oid_to_digest ++gnutls_ecc_curve_mark_disabled ++gnutls_ecc_curve_mark_enabled ++gnutls_sign_mark_insecure ++gnutls_sign_mark_secure ++gnutls_digest_mark_insecure ++gnutls_digest_mark_secure ++gnutls_protocol_mark_disabled ++gnutls_protocol_mark_enabled + gnutls_error_is_fatal + gnutls_perror + gnutls_strerror +@@ -2268,6 +2278,8 @@ + gnutls_group_entry_st + GNUTLS_MAC_FLAG_PREIMAGE_INSECURE + GNUTLS_MAC_FLAG_CONTINUOUS_MAC ++GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE ++GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE + mac_entry_st + version_entry_st + sign_algorithm_st +diff -ruN gnutls-3.7.2/lib/algorithms/ecc.c gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c +--- gnutls-3.7.2/lib/algorithms/ecc.c 2021-05-10 16:34:47.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c 2021-06-28 09:09:14.000000000 +0200 +@@ -351,13 +351,83 @@ + return ret; + } + +-int _gnutls_ecc_curve_mark_disabled(const char *name) ++/* This is only called by cfg_apply in priority.c, in blocklisting mode. */ ++int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve) + { + gnutls_ecc_curve_entry_st *p; + + for(p = ecc_curves; p->name != NULL; p++) { +- if (c_strcasecmp(p->name, name) == 0) { +- p->supported = 0; ++ if (p->id == curve) { ++ p->supported = false; ++ return 0; ++ } ++ } ++ ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++} ++ ++/* This is only called by cfg_apply in priority.c, in allowlisting mode. */ ++void _gnutls_ecc_curve_mark_disabled_all(void) ++{ ++ gnutls_ecc_curve_entry_st *p; ++ ++ for(p = ecc_curves; p->name != NULL; p++) { ++ p->supported = false; ++ p->supported_revertible = true; ++ } ++} ++ ++/** ++ * gnutls_ecc_curve_mark_enabled: ++ * @curve: is an ECC curve ++ * ++ * Mark @curve as disabled system wide. This setting can be reverted with ++ * gnutls_ecc_curve_mark_enabled(). 
This only works if the configuration file ++ * uses the allowlisting mode. ++ * ++ * Returns: 0 on success or negative error code otherwise. ++ * ++ * Since: 3.7.3 ++ */ ++int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve) ++{ ++ gnutls_ecc_curve_entry_st *p; ++ ++ for(p = ecc_curves; p->name != NULL; p++) { ++ if (p->id == curve) { ++ if (!p->supported_revertible) { ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ p->supported = false; ++ return 0; ++ } ++ } ++ ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++} ++ ++/** ++ * gnutls_ecc_curve_mark_enabled: ++ * @curve: is an ECC curve ++ * ++ * Invalidate previous system wide setting that marked @curve as disabled. This ++ * only works if the curve is disabled with gnutls_ecc_curve_mark_disabled() or ++ * through the allowlisting mode in the configuration file. ++ * ++ * Returns: 0 on success or negative error code otherwise. ++ * ++ * Since: 3.7.3 ++ */ ++int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve) ++{ ++ gnutls_ecc_curve_entry_st *p; ++ ++ for(p = ecc_curves; p->name != NULL; p++) { ++ if (p->id == curve) { ++ if (!p->supported_revertible) { ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ p->supported = true; + return 0; + } + } +diff -ruN gnutls-3.7.2/lib/algorithms/groups.c gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c +--- gnutls-3.7.2/lib/algorithms/groups.c 2021-04-19 09:28:28.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c 2021-06-28 09:09:14.000000000 +0200 +@@ -276,6 +276,24 @@ + return ret; + } + ++ ++/* Similar to gnutls_group_get_id, except that it does not check if ++ * the curve is supported. 
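Review bot: The doc block above `gnutls_ecc_curve_mark_disabled()` is headed `gnutls_ecc_curve_mark_enabled:`, so the generated reference gets two `mark_enabled` entries and none for `mark_disabled`; the header line should read ` * gnutls_ecc_curve_mark_disabled:`. Separately, the new public setters write `p->supported` in the shared `ecc_curves` table with no locking visible in this hunk, and in allowlisting mode `_gnutls_ecc_curve_mark_disabled_all()` sets `supported_revertible` on every curve, so any caller in the process can re-enable a curve the configuration left out. I would state that in both doc blocks, e.g. `This function is not thread-safe and changes the setting for the whole process; call it before any session or priority is initialized.` The same caveat applies to the digest, protocol and signature setters added in mac.c, protocols.c and sign.c.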
++ */ ++gnutls_group_t _gnutls_group_get_id(const char *name) ++{ ++ gnutls_group_t ret = GNUTLS_GROUP_INVALID; ++ ++ GNUTLS_GROUP_LOOP( ++ if (c_strcasecmp(p->name, name) == 0) { ++ ret = p->id; ++ break; ++ } ++ ); ++ ++ return ret; ++} ++ + /** + * gnutls_group_get_name: + * @group: is an element from %gnutls_group_t +diff -ruN gnutls-3.7.2/lib/algorithms/mac.c gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c +--- gnutls-3.7.2/lib/algorithms/mac.c 2021-05-27 08:08:22.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c 2021-06-28 09:09:14.000000000 +0200 +@@ -291,13 +291,56 @@ + return ret; + } + +-int _gnutls_digest_mark_insecure(const char *name) ++/* This is only called by cfg_apply in priority.c, in blocklisting mode. */ ++int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig) + { + #ifndef DISABLE_SYSTEM_CONFIG + mac_entry_st *p; + + for(p = hash_algorithms; p->name != NULL; p++) { +- if (p->oid != NULL && c_strcasecmp(p->name, name) == 0) { ++ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) { ++ p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE; ++ return 0; ++ } ++ } ++ ++#endif ++ return GNUTLS_E_INVALID_REQUEST; ++} ++ ++/* This is only called by cfg_apply in priority.c, in allowlisting mode. */ ++void _gnutls_digest_mark_insecure_all(void) ++{ ++#ifndef DISABLE_SYSTEM_CONFIG ++ mac_entry_st *p; ++ ++ for(p = hash_algorithms; p->name != NULL; p++) { ++ p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE | ++ GNUTLS_MAC_FLAG_PREIMAGE_INSECURE; ++ } ++ ++#endif ++} ++ ++/** ++ * gnutls_digest_mark_insecure: ++ * @dig: is a digest algorithm ++ * ++ * Mark @dig as insecure system wide. This only works if the allowlisting mode ++ * is used in the configuration file. 
++ * ++ * Since: 3.7.3 ++ */ ++int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig) ++{ ++#ifndef DISABLE_SYSTEM_CONFIG ++ mac_entry_st *p; ++ ++ for(p = hash_algorithms; p->name != NULL; p++) { ++ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) { ++ if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) { ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } + p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE; + return 0; + } +@@ -307,6 +350,34 @@ + return GNUTLS_E_INVALID_REQUEST; + } + ++/** ++ * gnutls_digest_mark_secure: ++ * @dig: is a digest algorithm ++ * ++ * Invalidate previous system wide setting that marked @dig as insecure. This ++ * only works if the allowlisting mode is used in the configuration file. ++ * ++ * Since: 3.7.3 ++ */ ++int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig) ++{ ++#ifndef DISABLE_SYSTEM_CONFIG ++ mac_entry_st *p; ++ ++ for(p = hash_algorithms; p->name != NULL; p++) { ++ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) { ++ if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) { ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ p->flags &= ~GNUTLS_MAC_FLAG_PREIMAGE_INSECURE; ++ return 0; ++ } ++ } ++ ++#endif ++ return GNUTLS_E_INVALID_REQUEST; ++} ++ + unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig) + { + const mac_entry_st *p; +@@ -320,6 +391,21 @@ + return 1; + } + ++bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig, unsigned flags) ++{ ++ const mac_entry_st *p; ++ ++ for(p = hash_algorithms; p->name != NULL; p++) { ++ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) { ++ return (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE && ++ !(flags & GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE && ++ p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)); ++ } ++ } ++ ++ return true; ++} ++ + /** + * gnutls_mac_get_id: + * @name: is a MAC algorithm name +diff -ruN gnutls-3.7.2/lib/algorithms/protocols.c 
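Review bot: `_gnutls_digest_mark_insecure_all()` flags every entry of `hash_algorithms`, but `gnutls_digest_mark_insecure()` here and `gnutls_digest_mark_secure()` in the next hunk only match entries with `p->oid != NULL`. If the table holds entries without an OID, allowlisting mode marks them insecure and no API can clear the mark. If that is intended, a comment inside the loop such as `/* entries without an OID are flagged too and cannot be reverted */` would make it explicit; otherwise the loop should apply the same `p->oid != NULL` filter. The doc blocks of both public functions also lack a `Returns:` line, and nothing tells the caller that a build with `DISABLE_SYSTEM_CONFIG` always returns `GNUTLS_E_INVALID_REQUEST`.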
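Review bot: The return expression in `_gnutls_digest_is_insecure2()` mixes `&` and `&&` without parentheses, which is correct by precedence but hard to audit in a security predicate; the same pattern is in `_gnutls_sign_is_secure2()` in sign.c. I would write the operands as `(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE)` and `!((flags & GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE) && (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE))`. The final `return true;` fails closed for a digest that is not in the table, which deserves a comment: `/* unknown digest: treat as insecure */`.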
gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c +--- gnutls-3.7.2/lib/algorithms/protocols.c 2021-05-10 16:34:47.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c 2021-06-28 09:09:14.000000000 +0200 +@@ -198,14 +198,82 @@ + return 0; + } + +-int _gnutls_version_mark_disabled(const char *name) ++/* This is only called by cfg_apply in priority.c, in blocklisting mode. */ ++int _gnutls_version_mark_disabled(gnutls_protocol_t version) + { + #ifndef DISABLE_SYSTEM_CONFIG + version_entry_st *p; + + for (p = sup_versions; p->name != NULL; p++) +- if (c_strcasecmp(p->name, name) == 0) { +- p->supported = 0; ++ if (p->id == version) { ++ p->supported = false; ++ return 0; ++ } ++ ++#endif ++ return GNUTLS_E_INVALID_REQUEST; ++} ++ ++/* This is only called by cfg_apply in priority.c, in allowlisting mode. */ ++void _gnutls_version_mark_disabled_all(void) ++{ ++#ifndef DISABLE_SYSTEM_CONFIG ++ version_entry_st *p; ++ ++ for (p = sup_versions; p->name != NULL; p++) { ++ p->supported = false; ++ p->supported_revertible = true; ++ } ++ ++#endif ++} ++ ++/** ++ * gnutls_protocol_mark_disabled: ++ * @version: is a (gnutls) version number ++ * ++ * Mark @version as disabled system wide. This only works if the allowlisting ++ * mode is used in the configuration file. ++ * ++ */ ++int gnutls_protocol_mark_disabled(gnutls_protocol_t version) ++{ ++#ifndef DISABLE_SYSTEM_CONFIG ++ version_entry_st *p; ++ ++ for (p = sup_versions; p->name != NULL; p++) ++ if (p->id == version) { ++ if (!p->supported_revertible) { ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ p->supported = false; ++ return 0; ++ } ++ ++#endif ++ return GNUTLS_E_INVALID_REQUEST; ++} ++ ++/** ++ * gnutls_protocol_mark_enabled: ++ * @version: is a (gnutls) version number ++ * ++ * Invalidate previous system wide setting that marked @version as ++ * disabled. This only works if the allowlisting mode is used in the ++ * configuration file. 
++ * ++ */ ++int gnutls_protocol_mark_enabled(gnutls_protocol_t version) ++{ ++#ifndef DISABLE_SYSTEM_CONFIG ++ version_entry_st *p; ++ ++ for (p = sup_versions; p->name != NULL; p++) ++ if (p->id == version) { ++ if (!p->supported_revertible) { ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ p->supported = true; + return 0; + } + +@@ -469,6 +537,25 @@ + return supported_protocols; + } + ++/* Return all versions, including non-supported ones. ++ */ ++const gnutls_protocol_t *_gnutls_protocol_list(void) ++{ ++ const version_entry_st *p; ++ static gnutls_protocol_t protocols[MAX_ALGOS] = { 0 }; ++ ++ if (protocols[0] == 0) { ++ int i = 0; ++ ++ for (p = sup_versions; p->name != NULL; p++) { ++ protocols[i++] = p->id; ++ } ++ protocols[i++] = 0; ++ } ++ ++ return protocols; ++} ++ + /* Returns a version number given the major and minor numbers. + */ + gnutls_protocol_t _gnutls_version_get(uint8_t major, uint8_t minor) +diff -ruN gnutls-3.7.2/lib/algorithms/sign.c gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c +--- gnutls-3.7.2/lib/algorithms/sign.c 2021-05-10 16:34:47.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c 2021-06-28 09:09:14.000000000 +0200 +@@ -453,16 +453,23 @@ + + bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags) + { +- if (se->hash != GNUTLS_DIG_UNKNOWN && _gnutls_digest_is_insecure(se->hash)) +- return gnutls_assert_val(0); ++ if (se->hash != GNUTLS_DIG_UNKNOWN && ++ _gnutls_digest_is_insecure2(se->hash, ++ flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE ? ++ GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE : ++ 0)) { ++ return gnutls_assert_val(false); ++ } + +- if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) +- return (se->slevel==_SECURE)?1:0; +- else +- return (se->slevel==_SECURE || se->slevel == _INSECURE_FOR_CERTS)?1:0; ++ return (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS ? 
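Review bot: The doc blocks for `gnutls_protocol_mark_disabled()` and `gnutls_protocol_mark_enabled()` end without the `Returns:` and `Since:` lines that the ECC counterparts in this patch carry, so the generated man pages will not say what a negative return means. I would add ` * Returns: 0 on success or negative error code otherwise.` and ` * Since: 3.7.3` to both. The `for` loops in the functions of this hunk also have an unbraced multi-line `if` as their body; bracing the loop, as ecc.c and mac.c do, would keep a later added statement from falling outside the loop.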
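Review bot: `_gnutls_protocol_list()` fills the static `protocols[MAX_ALGOS]` array with no bound on `i`, so it relies on `sup_versions` never holding `MAX_ALGOS` or more entries, and nothing in the hunk enforces that. A bounded loop costs nothing: `for (p = sup_versions; p->name != NULL && i < MAX_ALGOS - 1; p++)`. The lazy fill guarded by `protocols[0] == 0` is also unsynchronized, so two threads making the first call together would both write the array. They write the same values, but it is still a data race worth a comment or a one-time initializer.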
++ se->slevel == _SECURE : ++ (se->slevel == _SECURE || se->slevel == _INSECURE_FOR_CERTS)) || ++ (flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE && ++ se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE); + } + +-int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t level) ++/* This is only called by cfg_apply in priority.c, in blocklisting mode. */ ++int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, hash_security_level_t level) + { + #ifndef DISABLE_SYSTEM_CONFIG + gnutls_sign_entry_st *p; +@@ -471,11 +478,106 @@ + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + for(p = sign_algorithms; p->name != NULL; p++) { +- if (c_strcasecmp(p->name, name) == 0) { ++ if (p->id && p->id == sign) { ++ if (p->slevel < level) + p->slevel = level; + return 0; + } + } ++#endif ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++} ++ ++/* This is only called by cfg_apply in priority.c, in allowlisting mode. */ ++void _gnutls_sign_mark_insecure_all(hash_security_level_t level) ++{ ++#ifndef DISABLE_SYSTEM_CONFIG ++ gnutls_sign_entry_st *p; ++ ++ for(p = sign_algorithms; p->name != NULL; p++) { ++ if (p->slevel < level) ++ p->slevel = level; ++ p->flags |= GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE; ++ } ++#endif ++} ++ ++/** ++ * gnutls_sign_mark_insecure: ++ * @sign: the sign algorithm ++ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0 ++ * ++ * Mark @sign as insecure system wide. This only works if the ++ * allowlisting mode is used in the configuration file. ++ * ++ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set, ++ * and the algorithm was previously considered secure for all purposes, ++ * it only marks the algorithm as insecure for the use with certificates. 
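Review bot: With `GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE` set, the new `_gnutls_sign_is_secure2()` returns true for any entry carrying `GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE` whatever its `slevel`, and in allowlisting mode `_gnutls_sign_mark_insecure_all()` (next hunk) puts that flag on every entry. That makes the flag a full bypass of the `slevel` check, and no comment says which callers may pass it. I would add above the function something like `/* ALLOW_INSECURE_REVERTIBLE: report revertible entries as secure regardless of slevel; not for use when deciding whether to accept a signature */`, adjusted to the intended callers, which are not visible here.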
++ * ++ * Since: 3.7.3 ++ */ ++int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags) ++{ ++#ifndef DISABLE_SYSTEM_CONFIG ++ gnutls_sign_entry_st *p; ++ ++ for(p = sign_algorithms; p->name != NULL; p++) { ++ if (p->id && p->id == sign) { ++ if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) { ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) { ++ if (p->slevel < _INSECURE_FOR_CERTS) ++ p->slevel = _INSECURE_FOR_CERTS; ++ } else { ++ p->slevel = _INSECURE; ++ } ++ return 0; ++ } ++ } ++#endif ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++} ++// TODO: really not sure about the intuitiveness of the interface of this one, ++// the flag naming isn't ideal here ++ ++/** ++ * gnutls_sign_mark_secure: ++ * @sign: the sign algorithm ++ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0 ++ * ++ * Invalidate previous system wide setting that marked @sign as ++ * insecure. This only works if the algorithm is marked as insecure ++ * with gnutls_sign_mark_insecure() or through the allowlisting mode ++ * in the configuration file. ++ * ++ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set, ++ * it marks it the algorithm as secure for all purposes. ++ * If the absence of this flag, it will mark it as ++ * "secure, but not for certificates" at most, ++ * but it won't restrict anything either. 
++ * ++ * Since: 3.7.3 ++ */ ++int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags) ++{ ++#ifndef DISABLE_SYSTEM_CONFIG ++ gnutls_sign_entry_st *p; ++ ++ for(p = sign_algorithms; p->name != NULL; p++) { ++ if (p->id && p->id == sign) { ++ if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) { ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) { ++ p->slevel = _SECURE; ++ } else { ++ if (p->slevel > _INSECURE_FOR_CERTS) ++ p->slevel = _INSECURE_FOR_CERTS; ++ } ++ return 0; ++ } ++ } + #endif + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + } +diff -ruN gnutls-3.7.2/lib/algorithms.h gnutls-3.7.2-bootstrapped/lib/algorithms.h +--- gnutls-3.7.2/lib/algorithms.h 2021-05-10 16:34:47.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/algorithms.h 2021-06-28 09:09:14.000000000 +0200 +@@ -345,15 +345,27 @@ + _INSECURE + } hash_security_level_t; + +-int _gnutls_ecc_curve_mark_disabled(const char *name); +-int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t); +-int _gnutls_digest_mark_insecure(const char *name); ++int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve); ++int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t, hash_security_level_t); ++int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig); + unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig); +-int _gnutls_version_mark_disabled(const char *name); ++bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig, unsigned flags); ++const gnutls_protocol_t *_gnutls_protocol_list(void); ++int _gnutls_version_mark_disabled(gnutls_protocol_t version); + gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name); + ++/* these functions are for revertible settings, meaning that algorithms marked ++ * as disabled/insecure with mark_*_all functions can be re-enabled with ++ * mark_{enabled,secure} functions */ ++void _gnutls_ecc_curve_mark_disabled_all(void); ++void 
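Review bot: `GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS` means opposite things in the two new public functions: in `gnutls_sign_mark_insecure()` setting it is the weaker action (at most `_INSECURE_FOR_CERTS`), in `gnutls_sign_mark_secure()` setting it is the stronger one (`_SECURE`), and the `// TODO` left between them admits the naming is unsettled. Since this becomes exported ABI, I would settle the interface, or at least spell out the resulting level for each flag value in both doc blocks, and drop the TODO. The wording `it marks it the algorithm as secure for all purposes` and `If the absence of this flag` should read `it marks the algorithm as secure for all purposes` and `In the absence of this flag`. Both doc blocks also lack a `Returns:` line.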
_gnutls_sign_mark_insecure_all(hash_security_level_t level); ++void _gnutls_digest_mark_insecure_all(void); ++void _gnutls_version_mark_disabled_all(void); ++ + #define GNUTLS_SIGN_FLAG_TLS13_OK 1 /* if it is ok to use under TLS1.3 */ + #define GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE (1 << 1) /* reverse order of bytes in CrtVrfy signature */ ++#define GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE (1 << 2) ++#define GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3) + struct gnutls_sign_entry_st { + const char *name; + const char *oid; +@@ -448,6 +460,7 @@ + unsigned sig_size; /* the size of curve signatures in bytes (EdDSA) */ + unsigned gost_curve; + bool supported; ++ bool supported_revertible; + gnutls_group_t group; + } gnutls_ecc_curve_entry_st; + +@@ -459,6 +472,7 @@ + gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t); + const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num); + const gnutls_group_entry_st * _gnutls_id_to_group(unsigned id); ++gnutls_group_t _gnutls_group_get_id(const char *name); + + gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk, int bits); + #define MAX_ECC_CURVE_SIZE 66 +diff -ruN gnutls-3.7.2/lib/gnutls_int.h gnutls-3.7.2-bootstrapped/lib/gnutls_int.h +--- gnutls-3.7.2/lib/gnutls_int.h 2021-05-27 08:08:22.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/gnutls_int.h 2021-06-28 09:09:14.000000000 +0200 +@@ -662,6 +662,8 @@ + + #define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE 1 /* if this algorithm should not be trusted for pre-image attacks */ + #define GNUTLS_MAC_FLAG_CONTINUOUS_MAC (1 << 1) /* if this MAC should be used in a 'continuous' way in TLS */ ++#define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE (1 << 2) /* if this algorithm should not be trusted for pre-image attacks, but can be enabled through API */ ++#define GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3) /* when checking with _gnutls_digest_is_insecure2, don't treat revertible setting as fatal */ + /* This structure is used both for MACs and 
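Review bot: The two new `GNUTLS_SIGN_FLAG_*` defines have no comment, unlike the two above them, and they belong to different domains: `GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE` is stored in an entry's `flags`, while `GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE` is passed as an argument to `_gnutls_sign_is_secure2()`. I would annotate them, e.g. `/* entry flag: insecure marking may be reverted through the API */` and `/* query flag for _gnutls_sign_is_secure2(): accept revertible entries */`. The prototype `_gnutls_sign_mark_insecure(gnutls_sign_algorithm_t, hash_security_level_t)` would also read better with parameter names, as the neighbouring prototypes have.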
digests + */ + typedef struct mac_entry_st { +@@ -685,6 +687,7 @@ + uint8_t minor; /* defined by the protocol */ + transport_t transport; /* Type of transport, stream or datagram */ + bool supported; /* 0 not supported, > 0 is supported */ ++ bool supported_revertible; + bool explicit_iv; + bool extensions; /* whether it supports extensions */ + bool selectable_sighash; /* whether signatures can be selected */ +diff -ruN gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in +--- gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in 2021-05-27 08:08:22.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in 2021-06-28 09:09:14.000000000 +0200 +@@ -1438,6 +1438,16 @@ + gnutls_mac_algorithm_t * mac, + gnutls_protocol_t * min_version); + ++ /* functions for run-time enablement of algorithms */ ++int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve); ++int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve); ++int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags); ++int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags); ++int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig); ++int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig); ++int gnutls_protocol_mark_disabled(gnutls_protocol_t version); ++int gnutls_protocol_mark_enabled(gnutls_protocol_t version); ++ + /* error functions */ + int gnutls_error_is_fatal(int error) __GNUTLS_CONST__; + int gnutls_error_to_alert(int err, int *level); +diff -ruN gnutls-3.7.2/lib/libgnutls.map gnutls-3.7.2-bootstrapped/lib/libgnutls.map +--- gnutls-3.7.2/lib/libgnutls.map 2021-05-29 07:16:27.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/libgnutls.map 2021-06-28 09:09:14.000000000 +0200 +@@ -1355,6 +1355,21 @@ + *; + } GNUTLS_3_7_0; + ++GNUTLS_3_7_3 ++{ ++ global: ++ gnutls_ecc_curve_mark_disabled; ++ gnutls_ecc_curve_mark_enabled; ++ gnutls_sign_mark_insecure; ++ gnutls_sign_mark_secure; ++ 
gnutls_digest_mark_insecure; ++ gnutls_digest_mark_secure; ++ gnutls_protocol_mark_disabled; ++ gnutls_protocol_mark_enabled; ++ local: ++ *; ++} GNUTLS_3_7_2; ++ + GNUTLS_FIPS140_3_4 { + global: + gnutls_cipher_self_test; +diff -ruN gnutls-3.7.2/lib/priority.c gnutls-3.7.2-bootstrapped/lib/priority.c +--- gnutls-3.7.2/lib/priority.c 2021-05-27 08:08:22.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/lib/priority.c 2021-06-28 09:09:14.000000000 +0200 +@@ -700,6 +700,7 @@ + #define LEVEL_SUITEB128 "SUITEB128" + #define LEVEL_SUITEB192 "SUITEB192" + #define LEVEL_LEGACY "LEGACY" ++#define LEVEL_SYSTEM "SYSTEM" + + struct priority_groups_st { + const char *name; +@@ -1001,17 +1002,22 @@ + + static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN; + static name_val_array_t system_wide_priority_strings = NULL; ++static char *system_wide_priority_string = NULL; + static unsigned system_wide_priority_strings_init = 0; + static unsigned system_wide_default_priority_string = 0; + static unsigned fail_on_invalid_config = 0; +-static unsigned system_wide_disabled_ciphers[MAX_ALGOS+1] = {0}; +-static unsigned system_wide_disabled_macs[MAX_ALGOS+1] = {0}; +-static unsigned system_wide_disabled_groups[MAX_ALGOS+1] = {0}; +-static unsigned system_wide_disabled_kxs[MAX_ALGOS+1] = {0}; ++static bool system_wide_allowlisting; ++static unsigned system_wide_tls_ciphers[MAX_ALGOS+1] = {0}; ++static unsigned system_wide_tls_macs[MAX_ALGOS+1] = {0}; ++static unsigned system_wide_tls_groups[MAX_ALGOS+1] = {0}; ++static unsigned system_wide_tls_kxs[MAX_ALGOS+1] = {0}; ++static unsigned system_wide_tls_sigs[MAX_ALGOS+1] = {0}; ++static unsigned system_wide_tls_vers[MAX_ALGOS+1] = {0}; + + static const char *system_priority_file = SYSTEM_PRIORITY_FILE; + static time_t system_priority_last_mod = 0; + ++#define GLOBAL_SECTION "global" + #define CUSTOM_PRIORITY_SECTION "priorities" + #define OVERRIDES_SECTION "overrides" + #define MAX_ALGO_NAME 
2048 +@@ -1051,108 +1057,479 @@ + return out; + } + +-/* This function parses a gnutls configuration file and updates internal +- * settings accordingly. ++struct cfg { ++ bool allowlisting; ++ ++ name_val_array_t priority_strings; ++ bool priority_strings_init; ++ char *default_priority_string; ++ gnutls_certificate_verification_profiles_t verification_profile; ++ ++ gnutls_cipher_algorithm_t ciphers[MAX_ALGOS+1]; ++ gnutls_mac_algorithm_t macs[MAX_ALGOS+1]; ++ gnutls_group_t groups[MAX_ALGOS+1]; ++ gnutls_kx_algorithm_t kxs[MAX_ALGOS+1]; ++ ++ gnutls_digest_algorithm_t *hashes; ++ size_t hashes_size; ++ gnutls_sign_algorithm_t *sigs; ++ size_t sigs_size; ++ gnutls_sign_algorithm_t *sigs_for_cert; ++ size_t sigs_for_cert_size; ++ gnutls_protocol_t *versions; ++ size_t versions_size; ++ gnutls_ecc_curve_t *curves; ++ size_t curves_size; ++}; ++ ++static inline void ++cfg_deinit(struct cfg *cfg) ++{ ++ if (cfg->priority_strings) { ++ _name_val_array_clear(&cfg->priority_strings); ++ } ++ cfg->priority_strings_init = false; ++ gnutls_free(cfg->default_priority_string); ++ gnutls_free(cfg->hashes); ++ gnutls_free(cfg->sigs); ++ gnutls_free(cfg->sigs_for_cert); ++ gnutls_free(cfg->versions); ++ gnutls_free(cfg->curves); ++} ++ ++static inline int ++cfg_apply(struct cfg *cfg) ++{ ++ size_t i; ++ ++ system_wide_verification_profile = cfg->verification_profile; ++ ++ if (cfg->priority_strings_init) { ++ system_wide_priority_strings = cfg->priority_strings; ++ cfg->priority_strings = NULL; ++ cfg->priority_strings_init = false; ++ system_wide_priority_strings_init = 1; ++ } ++ ++ if (cfg->default_priority_string) { ++ _clear_default_system_priority(); ++ _gnutls_default_priority_string = cfg->default_priority_string; ++ cfg->default_priority_string = NULL; ++ system_wide_default_priority_string = 1; ++ } ++ ++ system_wide_allowlisting = cfg->allowlisting; ++ memcpy(system_wide_tls_ciphers, cfg->ciphers, sizeof(cfg->ciphers)); ++ memcpy(system_wide_tls_macs, cfg->macs, 
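Review bot: `system_wide_tls_sigs` and `system_wide_tls_vers` are new fixed arrays of `MAX_ALGOS+1` entries with no comment on their contract, while `cfg_apply()` in the following hunk (which runs past the end of this chunk) fills them with `j++` driven by `cfg->versions_size` and `cfg->sigs_size`. Those lists appear to grow one element per configuration line (the hash list visibly does), and nothing visible caps them or removes duplicates. The writers should therefore stop at `MAX_ALGOS`, e.g. `if (j < MAX_ALGOS) system_wide_tls_vers[j++] = vers->id;`, and write a terminating 0 so a reload with a shorter list does not leave stale ids behind. A comment on the declarations such as `/* zero-terminated, at most MAX_ALGOS ids; meaning depends on system_wide_allowlisting */` would record that.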
sizeof(cfg->macs)); ++ memcpy(system_wide_tls_groups, cfg->groups, sizeof(cfg->groups)); ++ memcpy(system_wide_tls_kxs, cfg->kxs, sizeof(cfg->kxs)); ++ ++ if (cfg->allowlisting) { ++ unsigned tls_sig_sem = 0; ++ size_t j; ++ ++ _gnutls_digest_mark_insecure_all(); ++ for (i = 0; i < cfg->hashes_size; i++) { ++ int ret = gnutls_digest_mark_secure(cfg->hashes[i]); ++ if (unlikely(ret < 0)) { ++ return ret; ++ } ++ } ++ _gnutls_sign_mark_insecure_all(_INSECURE); ++ for (i = 0; i < cfg->sigs_size; i++) { ++ int ret = gnutls_sign_mark_secure(cfg->sigs[i], 0); ++ if (unlikely(ret < 0)) { ++ return ret; ++ } ++ } ++ for (i = 0; i < cfg->sigs_for_cert_size; i++) { ++ int ret = gnutls_sign_mark_secure(cfg->sigs_for_cert[i], ++ GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS); ++ if (unlikely(ret < 0)) { ++ return ret; ++ } ++ } ++ _gnutls_version_mark_disabled_all(); ++ for (i = 0, j = 0; i < cfg->versions_size; i++) { ++ const version_entry_st *vers; ++ int ret = gnutls_protocol_mark_enabled(cfg->versions[i]); ++ if (unlikely(ret < 0)) { ++ return ret; ++ } ++ vers = version_to_entry(cfg->versions[i]); ++ if (vers && vers->supported) { ++ tls_sig_sem |= vers->tls_sig_sem; ++ system_wide_tls_vers[j++] = vers->id; ++ } ++ } ++ _gnutls_ecc_curve_mark_disabled_all(); ++ for (i = 0; i < cfg->curves_size; i++) { ++ int ret = gnutls_ecc_curve_mark_enabled(cfg->curves[i]); ++ if (unlikely(ret < 0)) { ++ return ret; ++ } ++ } ++ for (i = 0, j = 0; i < cfg->sigs_size; i++) { ++ const gnutls_sign_entry_st *se; ++ ++ se = _gnutls_sign_to_entry(cfg->sigs[i]); ++ if (se != NULL && se->aid.tls_sem & tls_sig_sem && ++ _gnutls_sign_is_secure2(se, 0)) { ++ system_wide_tls_sigs[j++] = se->id; ++ } ++ } ++ } else { ++ for (i = 0; i < cfg->hashes_size; i++) { ++ int ret = _gnutls_digest_mark_insecure(cfg->hashes[i]); ++ if (unlikely(ret < 0)) { ++ return ret; ++ } ++ } ++ for (i = 0; i < cfg->sigs_size; i++) { ++ int ret = _gnutls_sign_mark_insecure(cfg->sigs[i], _INSECURE); ++ if (unlikely(ret < 0)) { ++ 
return ret; ++ } ++ } ++ for (i = 0; i < cfg->sigs_for_cert_size; i++) { ++ int ret = _gnutls_sign_mark_insecure(cfg->sigs_for_cert[i], _INSECURE_FOR_CERTS); ++ if (unlikely(ret < 0)) { ++ return ret; ++ } ++ } ++ for (i = 0; i < cfg->versions_size; i++) { ++ int ret = _gnutls_version_mark_disabled(cfg->versions[i]); ++ if (unlikely(ret < 0)) { ++ return ret; ++ } ++ } ++ for (i = 0; i < cfg->curves_size; i++) { ++ int ret = _gnutls_ecc_curve_mark_disabled(cfg->curves[i]); ++ if (unlikely(ret < 0)) { ++ return ret; ++ } ++ } ++ } ++ ++ return 0; ++} ++ ++/* This function parse the global section of the configuration file. ++ */ ++static int global_ini_handler(void *ctx, const char *section, const char *name, const char *value) ++{ ++ char *p; ++ char str[MAX_ALGO_NAME]; ++ struct cfg *cfg = ctx; ++ ++ if (section != NULL && c_strcasecmp(section, GLOBAL_SECTION) == 0) { ++ if (c_strcasecmp(name, "override-mode") == 0) { ++ p = clear_spaces(value, str); ++ if (c_strcasecmp(value, "allowlist") == 0) { ++ cfg->allowlisting = true; ++ } else if (c_strcasecmp(value, "blocklist") == 0) { ++ cfg->allowlisting = false; ++ } else { ++ _gnutls_debug_log("cfg: unknown override mode %s\n", ++ p); ++ if (fail_on_invalid_config) ++ return 0; ++ } ++ } else { ++ _gnutls_debug_log("unknown parameter %s\n", name); ++ if (fail_on_invalid_config) ++ return 0; ++ } ++ } ++ ++ return 1; ++} ++ ++static bool ++override_allowed(struct cfg *cfg, const char *name) ++{ ++ static const struct { ++ const char *allowlist_name; ++ const char *blocklist_name; ++ } names[] = { ++ { "secure-hash", "insecure-hash" }, ++ { "secure-sig", "insecure-sig" }, ++ { "secure-sig-for-cert", "insecure-sig-for-cert" }, ++ { "enabled-version", "disabled-version" }, ++ { "enabled-curve", "disabled-curve" }, ++ { "tls-enabled-cipher", "tls-disabled-cipher" }, ++ { "tls-enabled-group", "tls-disabled-group" }, ++ { "tls-enabled-kx", "tls-disabled-kx" }, ++ { "tls-enabled-mac", "tls-disabled-mac" } ++ }; ++ size_t i; 
++ ++ for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) { ++ if (c_strcasecmp(name, ++ cfg->allowlisting ? ++ names[i].blocklist_name : ++ names[i].allowlist_name) == 0) ++ return false; ++ } ++ ++ return true; ++} ++ ++/* This function parses a gnutls configuration file. Updating internal settings ++ * according to the parsed configuration is done by cfg_apply. + */ +-static int cfg_ini_handler(void *_ctx, const char *section, const char *name, const char *value) ++static int cfg_ini_handler(void *ctx, const char *section, const char *name, const char *value) + { + char *p; +- int ret, type; ++ int ret; + unsigned i; + char str[MAX_ALGO_NAME]; ++ struct cfg *cfg = ctx; + + /* Note that we intentionally overwrite the value above; inih does + * not use that value after we handle it. */ + + /* Parse sections */ + if (section == NULL || section[0] == 0 || c_strcasecmp(section, CUSTOM_PRIORITY_SECTION)==0) { +- if (system_wide_priority_strings_init == 0) { +- _name_val_array_init(&system_wide_priority_strings); +- system_wide_priority_strings_init = 1; ++ if (!cfg->priority_strings_init) { ++ _name_val_array_init(&cfg->priority_strings); ++ cfg->priority_strings_init = true; + } + + _gnutls_debug_log("cfg: adding priority: %s -> %s\n", name, value); + +- ret = _name_val_array_append(&system_wide_priority_strings, name, value); ++ ret = _name_val_array_append(&cfg->priority_strings, name, value); + if (ret < 0) + return 0; + } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { +- if (c_strcasecmp(name, "default-priority-string")==0) { +- _clear_default_system_priority(); ++ if (!override_allowed(cfg, name)) { ++ _gnutls_debug_log("cfg: %s is not allowed in this mode\n", ++ name); ++ if (fail_on_invalid_config) ++ return 0; ++ } else if (c_strcasecmp(name, "default-priority-string")==0) { ++ if (cfg->default_priority_string) { ++ gnutls_free(cfg->default_priority_string); ++ cfg->default_priority_string = NULL; ++ } + p = clear_spaces(value, str); + 
_gnutls_debug_log("cfg: setting default-priority-string to %s\n", p); + if (strlen(p) > 0) { +- _gnutls_default_priority_string = gnutls_strdup(p); +- if (!_gnutls_default_priority_string) { +- _gnutls_default_priority_string = DEFAULT_PRIORITY_STRING; ++ cfg->default_priority_string = gnutls_strdup(p); ++ if (!cfg->default_priority_string) { + _gnutls_debug_log("cfg: failed setting default-priority-string\n"); + return 0; + } +- system_wide_default_priority_string = 1; + } else { + _gnutls_debug_log("cfg: empty default-priority-string, using default\n"); + if (fail_on_invalid_config) + return 0; + } +- } else if (c_strcasecmp(name, "insecure-hash")==0) { ++ } else if (c_strcasecmp(name, "insecure-hash") == 0 || ++ c_strcasecmp(name, "secure-hash") == 0) { ++ gnutls_digest_algorithm_t dig, *tmp; ++ + p = clear_spaces(value, str); + +- _gnutls_debug_log("cfg: marking hash %s as insecure\n", +- p); ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: marking hash %s as secure\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: marking hash %s as insecure\n", ++ p); ++ } + +- ret = _gnutls_digest_mark_insecure(p); +- if (ret < 0) { ++ dig = gnutls_digest_get_id(p); ++ if (dig == GNUTLS_DIG_UNKNOWN) { + _gnutls_debug_log("cfg: found unknown hash %s in %s\n", + p, name); + if (fail_on_invalid_config) + return 0; ++ goto exit; ++ } ++ tmp = _gnutls_reallocarray(cfg->hashes, ++ cfg->hashes_size + 1, ++ sizeof(gnutls_digest_algorithm_t)); ++ if (!tmp) { ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: failed marking hash %s as secure\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: failed marking hash %s as insecure\n", ++ p); ++ } ++ if (fail_on_invalid_config) ++ return 0; ++ goto exit; + } +- } else if (c_strcasecmp(name, "insecure-sig")==0 || c_strcasecmp(name, "insecure-sig-for-cert")==0) { ++ ++ cfg->hashes = tmp; ++ cfg->hashes[cfg->hashes_size] = dig; ++ cfg->hashes_size++; ++ } else if (c_strcasecmp(name, "insecure-sig") == 0 || ++ c_strcasecmp(name, 
"secure-sig") == 0) { ++ gnutls_sign_algorithm_t sig, *tmp; ++ + p = clear_spaces(value, str); + +- if (c_strcasecmp(name, "insecure-sig")==0) { +- type = _INSECURE; ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: marking signature %s as secure\n", ++ p); ++ } else { + _gnutls_debug_log("cfg: marking signature %s as insecure\n", + p); ++ } ++ ++ sig = gnutls_sign_get_id(p); ++ if (sig == GNUTLS_SIGN_UNKNOWN) { ++ _gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n", ++ p, name); ++ if (fail_on_invalid_config) ++ return 0; ++ goto exit; ++ } ++ tmp = _gnutls_reallocarray(cfg->sigs, ++ cfg->sigs_size + 1, ++ sizeof(gnutls_sign_algorithm_t)); ++ if (!tmp) { ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: failed marking signature %s as secure\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: failed marking signature %s as insecure\n", ++ p); ++ } ++ if (fail_on_invalid_config) ++ return 0; ++ goto exit; ++ } ++ ++ cfg->sigs = tmp; ++ cfg->sigs[cfg->sigs_size] = sig; ++ cfg->sigs_size++; ++ } else if (c_strcasecmp(name, "insecure-sig-for-cert") == 0 || ++ c_strcasecmp(name, "secure-sig-for-cert") == 0) { ++ gnutls_sign_algorithm_t sig, *tmp; ++ ++ p = clear_spaces(value, str); ++ ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: marking signature %s as secure for certs\n", ++ p); + } else { + _gnutls_debug_log("cfg: marking signature %s as insecure for certs\n", + p); +- type = _INSECURE_FOR_CERTS; + } + +- ret = _gnutls_sign_mark_insecure(p, type); +- if (ret < 0) { ++ sig = gnutls_sign_get_id(p); ++ if (sig == GNUTLS_SIGN_UNKNOWN) { + _gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n", + p, name); + if (fail_on_invalid_config) + return 0; ++ goto exit; ++ } ++ tmp = _gnutls_reallocarray(cfg->sigs_for_cert, ++ cfg->sigs_for_cert_size + 1, ++ sizeof(gnutls_sign_algorithm_t)); ++ if (!tmp) { ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: failed marking signature %s as secure for certs\n", ++ p); ++ } else { 
++ _gnutls_debug_log("cfg: failed marking signature %s as insecure for certs\n", ++ p); ++ } ++ if (fail_on_invalid_config) ++ return 0; ++ goto exit; + } +- } else if (c_strcasecmp(name, "disabled-version")==0) { ++ ++ cfg->sigs_for_cert = tmp; ++ cfg->sigs_for_cert[cfg->sigs_for_cert_size] = sig; ++ cfg->sigs_for_cert_size++; ++ } else if (c_strcasecmp(name, "disabled-version") == 0 || ++ c_strcasecmp(name, "enabled-version") == 0) { ++ gnutls_protocol_t prot, *tmp; ++ + p = clear_spaces(value, str); + +- _gnutls_debug_log("cfg: disabling version %s\n", +- p); ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: enabling version %s\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: disabling version %s\n", ++ p); ++ } + +- ret = _gnutls_version_mark_disabled(p); +- if (ret < 0) { ++ prot = gnutls_protocol_get_id(p); ++ if (prot == GNUTLS_VERSION_UNKNOWN) { + _gnutls_debug_log("cfg: found unknown version %s in %s\n", + p, name); + if (fail_on_invalid_config) + return 0; ++ goto exit; + } +- } else if (c_strcasecmp(name, "disabled-curve")==0) { ++ tmp = _gnutls_reallocarray(cfg->versions, ++ cfg->versions_size + 1, ++ sizeof(gnutls_protocol_t)); ++ if (!tmp) { ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: failed enabling version %s\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: failed disabling version %s\n", ++ p); ++ } ++ if (fail_on_invalid_config) ++ return 0; ++ goto exit; ++ } ++ ++ cfg->versions = tmp; ++ cfg->versions[cfg->versions_size] = prot; ++ cfg->versions_size++; ++ } else if (c_strcasecmp(name, "disabled-curve") == 0 || ++ c_strcasecmp(name, "enabled-curve") == 0) { ++ gnutls_ecc_curve_t curve, *tmp; ++ + p = clear_spaces(value, str); + +- _gnutls_debug_log("cfg: disabling curve %s\n", +- p); ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: enabling curve %s\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: disabling curve %s\n", ++ p); ++ } + +- ret = _gnutls_ecc_curve_mark_disabled(p); +- if (ret < 0) { ++ curve = 
gnutls_ecc_curve_get_id(p); ++ if (curve == GNUTLS_ECC_CURVE_INVALID) { + _gnutls_debug_log("cfg: found unknown curve %s in %s\n", + p, name); + if (fail_on_invalid_config) + return 0; ++ goto exit; ++ } ++ tmp = _gnutls_reallocarray(cfg->curves, ++ cfg->curves_size + 1, ++ sizeof(gnutls_ecc_curve_t)); ++ if (!tmp) { ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: failed enabling curve %s\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: failed disabling curve %s\n", ++ p); ++ } ++ if (fail_on_invalid_config) ++ return 0; ++ goto exit; + } ++ ++ cfg->curves = tmp; ++ cfg->curves[cfg->curves_size] = curve; ++ cfg->curves_size++; + } else if (c_strcasecmp(name, "min-verification-profile")==0) { + gnutls_certificate_verification_profiles_t profile; + profile = gnutls_certificate_verification_profile_get_id(value); +@@ -1162,47 +1539,65 @@ + value, name); + if (fail_on_invalid_config) + return 0; ++ goto exit; + } + +- system_wide_verification_profile = profile; +- } else if (c_strcasecmp(name, "tls-disabled-cipher")==0) { +- unsigned algo; ++ cfg->verification_profile = profile; ++ } else if (c_strcasecmp(name, "tls-disabled-cipher") == 0 || ++ c_strcasecmp(name, "tls-enabled-cipher") == 0) { ++ gnutls_cipher_algorithm_t algo; + + p = clear_spaces(value, str); + +- _gnutls_debug_log("cfg: disabling cipher %s for TLS\n", +- p); +- ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: enabling cipher %s for TLS\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: disabling cipher %s for TLS\n", ++ p); ++ } + + algo = gnutls_cipher_get_id(p); +- if (algo == 0) { ++ if (algo == GNUTLS_CIPHER_UNKNOWN) { + _gnutls_debug_log("cfg: unknown algorithm %s listed at %s\n", + p, name); + if (fail_on_invalid_config) + return 0; ++ goto exit; + } + + i = 0; +- while (system_wide_disabled_ciphers[i] != 0) ++ while (cfg->ciphers[i] != 0) + i++; + + if (i > MAX_ALGOS-1) { +- _gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n", +- i, name); ++ if (cfg->allowlisting) { 
++ _gnutls_debug_log("cfg: too many (%d) enabled ciphers from %s\n", ++ i, name); ++ } else { ++ _gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n", ++ i, name); ++ } + if (fail_on_invalid_config) + return 0; + goto exit; + } +- system_wide_disabled_ciphers[i] = algo; +- system_wide_disabled_ciphers[i+1] = 0; ++ cfg->ciphers[i] = algo; ++ cfg->ciphers[i+1] = 0; + +- } else if (c_strcasecmp(name, "tls-disabled-mac")==0) { +- unsigned algo; ++ } else if (c_strcasecmp(name, "tls-disabled-mac") == 0 || ++ c_strcasecmp(name, "tls-enabled-mac") == 0) { ++ gnutls_mac_algorithm_t algo; + + p = clear_spaces(value, str); + +- _gnutls_debug_log("cfg: disabling MAC %s for TLS\n", +- p); ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: enabling MAC %s for TLS\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: disabling MAC %s for TLS\n", ++ p); ++ } + + algo = gnutls_mac_get_id(p); + if (algo == 0) { +@@ -1214,30 +1609,41 @@ + } + + i = 0; +- while (system_wide_disabled_macs[i] != 0) ++ while (cfg->macs[i] != 0) + i++; + + if (i > MAX_ALGOS-1) { +- _gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n", +- i, name); ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: too many (%d) enabled MACs from %s\n", ++ i, name); ++ } else { ++ _gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n", ++ i, name); ++ } + if (fail_on_invalid_config) + return 0; + goto exit; + } +- system_wide_disabled_macs[i] = algo; +- system_wide_disabled_macs[i+1] = 0; +- } else if (c_strcasecmp(name, "tls-disabled-group")==0) { +- unsigned algo; ++ cfg->macs[i] = algo; ++ cfg->macs[i+1] = 0; ++ } else if (c_strcasecmp(name, "tls-disabled-group") == 0 || ++ c_strcasecmp(name, "tls-enabled-group") == 0) { ++ gnutls_group_t algo; + + p = clear_spaces(value, str); + +- if (strlen(p) > 6) +- p += 6; // skip GROUP- ++ if (c_strncasecmp(p, "GROUP-", 6) == 0) ++ p += 6; + +- _gnutls_debug_log("cfg: disabling group %s for TLS\n", +- p); ++ if (cfg->allowlisting) { ++ 
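Review bot: The new "too many (%d) enabled ciphers" message passes `i` to `%d`, but `i` is declared `unsigned` at the top of cfg_ini_handler, so the specifier does not match the argument type. Use `%u` in both branches: `_gnutls_debug_log("cfg: too many (%u) enabled ciphers from %s\n", i, name);`. The same mismatch is repeated in the MAC, group and key-exchange hunks that follow. cfg_ini_handler starts before this hunk and ends after it.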
_gnutls_debug_log("cfg: enabling group %s for TLS\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: disabling group %s for TLS\n", ++ p); ++ } + +- algo = gnutls_group_get_id(p); ++ algo = _gnutls_group_get_id(p); + if (algo == 0) { + _gnutls_debug_log("cfg: unknown group %s listed at %s\n", + p, name); +@@ -1247,25 +1653,36 @@ + } + + i = 0; +- while (system_wide_disabled_groups[i] != 0) ++ while (cfg->groups[i] != 0) + i++; + + if (i > MAX_ALGOS-1) { +- _gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n", +- i, name); ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: too many (%d) enabled groups from %s\n", ++ i, name); ++ } else { ++ _gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n", ++ i, name); ++ } + if (fail_on_invalid_config) + return 0; + goto exit; + } +- system_wide_disabled_groups[i] = algo; +- system_wide_disabled_groups[i+1] = 0; +- } else if (c_strcasecmp(name, "tls-disabled-kx")==0) { ++ cfg->groups[i] = algo; ++ cfg->groups[i+1] = 0; ++ } else if (c_strcasecmp(name, "tls-disabled-kx") == 0 || ++ c_strcasecmp(name, "tls-enabled-kx") == 0) { + unsigned algo; + + p = clear_spaces(value, str); + +- _gnutls_debug_log("cfg: disabling key exchange %s for TLS\n", +- p); ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: enabling key exchange %s for TLS\n", ++ p); ++ } else { ++ _gnutls_debug_log("cfg: disabling key exchange %s for TLS\n", ++ p); ++ } + + algo = gnutls_kx_get_id(p); + if (algo == 0) { +@@ -1277,24 +1694,29 @@ + } + + i = 0; +- while (system_wide_disabled_kxs[i] != 0) ++ while (cfg->kxs[i] != 0) + i++; + + if (i > MAX_ALGOS-1) { +- _gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n", +- i, name); ++ if (cfg->allowlisting) { ++ _gnutls_debug_log("cfg: too many (%d) enabled key exchanges from %s\n", ++ i, name); ++ } else { ++ _gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n", ++ i, name); ++ } + if (fail_on_invalid_config) + return 0; + goto exit; + } +- 
system_wide_disabled_kxs[i] = algo; +- system_wide_disabled_kxs[i+1] = 0; ++ cfg->kxs[i] = algo; ++ cfg->kxs[i+1] = 0; + } else { + _gnutls_debug_log("unknown parameter %s\n", name); + if (fail_on_invalid_config) + return 0; + } +- } else { ++ } else if (c_strcasecmp(section, GLOBAL_SECTION) != 0) { + _gnutls_debug_log("cfg: unknown section %s\n", + section); + if (fail_on_invalid_config) +@@ -1310,6 +1732,7 @@ + int ret; + struct stat sb; + FILE *fp; ++ struct cfg cfg; + + if (stat(system_priority_file, &sb) < 0) { + _gnutls_debug_log("cfg: unable to access: %s: %d\n", +@@ -1327,21 +1750,41 @@ + if (system_wide_priority_strings_init != 0) + _name_val_array_clear(&system_wide_priority_strings); + ++ gnutls_free(system_wide_priority_string); ++ system_wide_priority_string = NULL; ++ + fp = fopen(system_priority_file, "re"); + if (fp == NULL) { + _gnutls_debug_log("cfg: unable to open: %s: %d\n", + system_priority_file, errno); + return; + } +- ret = ini_parse_file(fp, cfg_ini_handler, NULL); ++ /* Parsing the configuration file needs to be done in 2 phases: first ++ * parsing the [global] section and then the other sections, because the ++ * [global] section modifies the parsing behavior. 
++ */ ++ memset(&cfg, 0, sizeof(cfg)); ++ ret = ini_parse_file(fp, global_ini_handler, &cfg); ++ if (ret == 0) { ++ if (fseek(fp, 0L, SEEK_SET) < 0) { ++ _gnutls_debug_log("cfg: unable to rewind: %s: %d\n", ++ system_priority_file, ret); ++ if (fail_on_invalid_config) ++ exit(1); ++ } ++ ret = ini_parse_file(fp, cfg_ini_handler, &cfg); ++ } + fclose(fp); + if (ret != 0) { ++ cfg_deinit(&cfg); + _gnutls_debug_log("cfg: unable to parse: %s: %d\n", + system_priority_file, ret); + if (fail_on_invalid_config) + exit(1); + return; + } ++ cfg_apply(&cfg); ++ cfg_deinit(&cfg); + + _gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n", + system_priority_file, +@@ -1368,6 +1811,7 @@ + void _gnutls_unload_system_priorities(void) + { + _name_val_array_clear(&system_wide_priority_strings); ++ gnutls_free(system_wide_priority_string); + _clear_default_system_priority(); + system_priority_last_mod = 0; + } +@@ -1391,6 +1835,124 @@ + return NULL; + } + ++static const char * ++resolve_priorities_from_system_wide_allowlisting(void) ++{ ++ gnutls_buffer_st buf; ++ int ret; ++ size_t i; ++ ++ if (system_wide_priority_string) { ++ return system_wide_priority_string; ++ } ++ ++ assert(system_wide_allowlisting); ++ ++ _gnutls_buffer_init(&buf); ++ ++ ret = _gnutls_buffer_append_str(&buf, "NONE"); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ ++ for (i = 0; system_wide_tls_kxs[i] != 0; i++) { ++ ret = _gnutls_buffer_append_str(&buf, ":+"); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ ++ ret = _gnutls_buffer_append_str(&buf, ++ gnutls_kx_get_name(system_wide_tls_kxs[i])); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ } ++ ++ for (i = 0; system_wide_tls_groups[i] != 0; i++) { ++ ret = _gnutls_buffer_append_str(&buf, ":+GROUP-"); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ ++ ret = _gnutls_buffer_append_str(&buf, ++ gnutls_group_get_name(system_wide_tls_groups[i])); ++ if 
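Review bot: The result of `cfg_apply(&cfg)` is discarded. Its tail, visible earlier in the patch, returns on the first failure, so a failure part-way through leaves the process with a partially applied algorithm policy while the "loaded system priority" message is still logged. Check the return value and take the same failure path as a parse error, as sketched below. Separately, when `fseek` fails and fail_on_invalid_config is unset, the second `ini_parse_file` still runs from the current file position, and the message prints `ret` (0 at that point) where `errno` was presumably intended. The enclosing function starts and ends outside the hunk.

```c
	ret = cfg_apply(&cfg);
	cfg_deinit(&cfg);
	if (ret < 0) {
		_gnutls_debug_log("cfg: unable to apply: %s: %d\n",
				  system_priority_file, ret);
		if (fail_on_invalid_config)
			exit(1);
		return;
	}
	/* … unchanged: "loaded system priority" log … */
```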
(ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ } ++ ++ for (i = 0; system_wide_tls_ciphers[i] != 0; i++) { ++ ret = _gnutls_buffer_append_str(&buf, ":+"); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ ++ ret = _gnutls_buffer_append_str(&buf, ++ gnutls_cipher_get_name(system_wide_tls_ciphers[i])); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ } ++ ++ for (i = 0; system_wide_tls_macs[i] != 0; i++) { ++ ret = _gnutls_buffer_append_str(&buf, ":+"); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ ++ ret = _gnutls_buffer_append_str(&buf, ++ gnutls_mac_get_name(system_wide_tls_macs[i])); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ } ++ ++ for (i = 0; system_wide_tls_sigs[i] != 0; i++) { ++ ret = _gnutls_buffer_append_str(&buf, ":+SIGN-"); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ ++ ret = _gnutls_buffer_append_str(&buf, ++ gnutls_sign_get_name(system_wide_tls_sigs[i])); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ } ++ ++ for (i = 0; system_wide_tls_vers[i] != 0; i++) { ++ ret = _gnutls_buffer_append_str(&buf, ":+VERS-"); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ ++ ret = _gnutls_buffer_append_str(&buf, ++ gnutls_protocol_get_name(system_wide_tls_vers[i])); ++ if (ret < 0) { ++ _gnutls_buffer_clear(&buf); ++ return NULL; ++ } ++ } ++ ++ gnutls_free(system_wide_priority_string); ++ system_wide_priority_string = gnutls_strdup((char *)buf.data); ++ _gnutls_buffer_clear(&buf); ++ ++ return system_wide_priority_string; ++} ++ + #define S(str) ((str!=NULL)?str:"") + + /* Returns the new priorities if a priority string prefixed +@@ -1445,7 +2007,13 @@ + */ + _gnutls_update_system_priorities(); + +- p = _name_val_array_value(system_wide_priority_strings, ss, ss_len); ++ if (system_wide_allowlisting && ++ ss_len == sizeof(LEVEL_SYSTEM) - 1 && ++ strncmp(LEVEL_SYSTEM, 
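Review bot: `gnutls_strdup((char *)buf.data)` at the end of resolve_priorities_from_system_wide_allowlisting treats the buffer as a C string, but nothing in the hunk appends a terminating NUL. This is safe only if `_gnutls_buffer_append_str` keeps the data NUL-terminated, which is not visible here. If it does not, the copy can read past `buf.length`; terminate the buffer explicitly before duplicating it, or copy exactly `buf.length` bytes into a `buf.length + 1` allocation and set the last byte to 0. The six append loops differ only in their prefix and name-lookup function and could share one static helper, which would also put the error cleanup in a single place.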
ss, ss_len) == 0) { ++ p = resolve_priorities_from_system_wide_allowlisting(); ++ } else { ++ p = _name_val_array_value(system_wide_priority_strings, ss, ss_len); ++ } + + _gnutls_debug_log("resolved '%.*s' to '%s', next '%.*s'\n", + ss_len, ss, S(p), ss_next_len, S(ss_next)); +@@ -1548,48 +2116,52 @@ + priority_cache->groups.size = 0; + priority_cache->groups.have_ffdhe = 0; + +- /* disable key exchanges which are globally disabled */ +- z = 0; +- while (system_wide_disabled_kxs[z] != 0) { +- for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) { +- if (priority_cache->_kx.priorities[i] != system_wide_disabled_kxs[z]) +- priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i]; +- } +- priority_cache->_kx.num_priorities = j; +- z++; +- } +- +- /* disable groups which are globally disabled */ +- z = 0; +- while (system_wide_disabled_groups[z] != 0) { +- for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) { +- if (priority_cache->_supported_ecc.priorities[i] != system_wide_disabled_groups[z]) +- priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i]; +- } +- priority_cache->_supported_ecc.num_priorities = j; +- z++; +- } +- +- /* disable ciphers which are globally disabled */ +- z = 0; +- while (system_wide_disabled_ciphers[z] != 0) { +- for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) { +- if (priority_cache->_cipher.priorities[i] != system_wide_disabled_ciphers[z]) +- priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i]; +- } +- priority_cache->_cipher.num_priorities = j; +- z++; +- } +- +- /* disable MACs which are globally disabled */ +- z = 0; +- while (system_wide_disabled_macs[z] != 0) { +- for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) { +- if (priority_cache->_mac.priorities[i] != system_wide_disabled_macs[z]) +- priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i]; ++ /* in blocklisting mode, apply 
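Review bot: The new branch has no comment explaining that in allowlisting mode `@SYSTEM` is synthesized from the system-wide allowlist and that a `SYSTEM` entry in `system_wide_priority_strings` is never consulted. I would add `/* allowlisting: @SYSTEM is built from the allowlisted algorithms; a SYSTEM entry in the config file is ignored */` above the `if`. The comparison is also case-sensitive (`strncmp`), while config keys elsewhere in this patch are matched with `c_strcasecmp`, so a differently cased name would fall through to the table lookup; confirm that is intended. The enclosing function starts and ends outside the hunk.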
system wide disablement of key exchanges, ++ * groups, MACs, and ciphers. */ ++ if (!system_wide_allowlisting) { ++ /* disable key exchanges which are globally disabled */ ++ z = 0; ++ while (system_wide_tls_kxs[z] != 0) { ++ for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) { ++ if (priority_cache->_kx.priorities[i] != system_wide_tls_kxs[z]) ++ priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i]; ++ } ++ priority_cache->_kx.num_priorities = j; ++ z++; ++ } ++ ++ /* disable groups which are globally disabled */ ++ z = 0; ++ while (system_wide_tls_groups[z] != 0) { ++ for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) { ++ if (priority_cache->_supported_ecc.priorities[i] != system_wide_tls_groups[z]) ++ priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i]; ++ } ++ priority_cache->_supported_ecc.num_priorities = j; ++ z++; ++ } ++ ++ /* disable ciphers which are globally disabled */ ++ z = 0; ++ while (system_wide_tls_ciphers[z] != 0) { ++ for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) { ++ if (priority_cache->_cipher.priorities[i] != system_wide_tls_ciphers[z]) ++ priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i]; ++ } ++ priority_cache->_cipher.num_priorities = j; ++ z++; ++ } ++ ++ /* disable MACs which are globally disabled */ ++ z = 0; ++ while (system_wide_tls_macs[z] != 0) { ++ for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) { ++ if (priority_cache->_mac.priorities[i] != system_wide_tls_macs[z]) ++ priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i]; ++ } ++ priority_cache->_mac.num_priorities = j; ++ z++; + } +- priority_cache->_mac.num_priorities = j; +- z++; + } + + for (j=0;j_cipher.num_priorities;j++) { +@@ -1737,10 +2309,15 @@ + for (i = 0; i < priority_cache->_sign_algo.num_priorities; i++) { + se = _gnutls_sign_to_entry(priority_cache->_sign_algo.priorities[i]); + if (se != 
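Review bot: With the filter wrapped in `if (!system_wide_allowlisting)`, nothing in this hunk removes a key exchange, group, cipher or MAC that the allowlist omits. As far as the visible hunks show, those four lists are enforced only through the synthesized `@SYSTEM` string, so a caller that passes its own priority string would not be restricted by `tls-enabled-cipher`, `tls-enabled-kx`, `tls-enabled-mac` or `tls-enabled-group`. If that is the intended contract, state it in the comment: `/* in allowlisting mode these lists only shape @SYSTEM; explicit priority strings are not filtered here */`. Otherwise add an `else` branch that keeps only the entries present in the corresponding `system_wide_tls_*` array. The enclosing function starts and ends outside the hunk.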
NULL && priority_cache->sigalg.size < sizeof(priority_cache->sigalg.entry)/sizeof(priority_cache->sigalg.entry[0])) { +- /* if the signature algorithm semantics are not compatible with +- * the protocol's, then skip. */ +- if ((se->aid.tls_sem & tls_sig_sem) == 0) ++ /* if the signature algorithm semantics is not ++ * compatible with the protocol's, or the algorithm is ++ * marked as insecure, then skip. */ ++ if ((se->aid.tls_sem & tls_sig_sem) == 0 || ++ !_gnutls_sign_is_secure2(se, system_wide_allowlisting ? ++ GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE : ++ 0)) { + continue; ++ } + priority_cache->sigalg.entry[priority_cache->sigalg.size++] = se; + } + } +@@ -2017,6 +2594,9 @@ + (*priority_cache)->min_record_version = 1; + gnutls_atomic_init(&(*priority_cache)->usage_cnt); + ++ if (system_wide_allowlisting && !priorities) { ++ priorities = "@" LEVEL_SYSTEM; ++ } + if (priorities == NULL) { + priorities = _gnutls_default_priority_string; + resolved_match = 0; +@@ -2150,7 +2730,7 @@ + _supported_groups_gost); + } else { + if ((algo = +- gnutls_group_get_id ++ _gnutls_group_get_id + (&broken_list[i][7])) != + GNUTLS_GROUP_INVALID) + fn(&(*priority_cache)-> +diff -ruN gnutls-3.7.2/Makefile.in gnutls-3.7.2-bootstrapped/Makefile.in +--- gnutls-3.7.2/Makefile.in 2021-05-29 10:11:20.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/Makefile.in 2021-06-28 09:11:37.000000000 +0200 +@@ -35,7 +35,7 @@ + # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
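Review bot: The rewritten comment says an algorithm marked insecure is skipped, but in allowlisting mode the call passes `GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE`, which by its name relaxes that check. The comment should say why the relaxed flag is correct in that mode and what still causes a skip, for example `/* allowlisting: entries marked insecure-but-revertible are accepted here because ... */`, with the reason filled in by the author. As written, a reader cannot tell from this loop whether an algorithm left out of the allowlist can still reach `sigalg.entry`. The loop's enclosing function starts and ends outside the hunk.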
+ + # aminclude_static.am generated automatically by Autoconf +-# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021 ++# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021 + VPATH = @srcdir@ + am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ +diff -ruN gnutls-3.7.2/NEWS gnutls-3.7.2-bootstrapped/NEWS +--- gnutls-3.7.2/NEWS 2021-05-29 10:08:56.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/NEWS 2021-06-28 09:09:14.000000000 +0200 +@@ -5,6 +5,23 @@ + Copyright (C) 2013-2019 Nikos Mavrogiannopoulos + See the end for copying conditions. + ++* Version 3.7.3 (unreleased) ++ ++** libgnutls: The allowlisting configuration mode has been added to the system-wide ++ settings. In this mode, all the algorithms are initially marked as insecure ++ or disabled, while the applications can re-enable them either through the ++ [overrides] section of the configuration file or the new API (#1172). ++ ++** API and ABI modifications: ++gnutls_ecc_curve_mark_disabled: Added. ++gnutls_ecc_curve_mark_enabled: Added. ++gnutls_sign_mark_insecure: Added. ++gnutls_sign_mark_secure: Added. ++gnutls_digest_mark_insecure: Added. ++gnutls_digest_mark_secure: Added. ++gnutls_protocol_mark_disabled: Added. ++gnutls_protocol_mark_enabled: Added. 
++ + * Version 3.7.2 (released 2021-05-29) + + ** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added +diff -ruN gnutls-3.7.2/po/cs.po gnutls-3.7.2-bootstrapped/po/cs.po +--- gnutls-3.7.2/po/cs.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/cs.po 2021-06-28 09:35:00.000000000 +0200 +@@ -9,7 +9,7 @@ + msgstr "" + "Project-Id-Version: gnutls 3.6.8\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2019-06-18 07:01+02:00\n" + "Last-Translator: Petr Pisar \n" + "Language-Team: Czech \n" +diff -ruN gnutls-3.7.2/po/de.po gnutls-3.7.2-bootstrapped/po/de.po +--- gnutls-3.7.2/po/de.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/de.po 2021-06-28 09:35:00.000000000 +0200 +@@ -10,7 +10,7 @@ + msgstr "" + "Project-Id-Version: gnutls 3.2.3\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2019-05-16 20:42+0200\n" + "Last-Translator: Roland Illig \n" + "Language-Team: German \n" +diff -ruN gnutls-3.7.2/po/eo.po gnutls-3.7.2-bootstrapped/po/eo.po +--- gnutls-3.7.2/po/eo.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/eo.po 2021-06-28 09:35:00.000000000 +0200 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: gnutls 3.6.8\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2019-07-15 13:25-0300\n" + "Last-Translator: Felipe Castro \n" + "Language-Team: Esperanto \n" +diff -ruN gnutls-3.7.2/po/es.po gnutls-3.7.2-bootstrapped/po/es.po +--- gnutls-3.7.2/po/es.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/es.po 2021-06-28 09:35:00.000000000 +0200 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: libgnutls 3.2.3\n" + 
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2018-05-02 19:11+0200\n" + "Last-Translator: Francisco Javier Serrador \n" + "Language-Team: Spanish \n" +diff -ruN gnutls-3.7.2/po/fi.po gnutls-3.7.2-bootstrapped/po/fi.po +--- gnutls-3.7.2/po/fi.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/fi.po 2021-06-28 09:35:00.000000000 +0200 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: libgnutls 3.2.1\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2013-06-19 17:09+0300\n" + "Last-Translator: Jorma Karvonen \n" + "Language-Team: Finnish \n" +diff -ruN gnutls-3.7.2/po/fr.po gnutls-3.7.2-bootstrapped/po/fr.po +--- gnutls-3.7.2/po/fr.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/fr.po 2021-06-28 09:35:00.000000000 +0200 +@@ -12,7 +12,7 @@ + msgstr "" + "Project-Id-Version: gnutls 3.6.8\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2019-08-12 01:03+0200\n" + "Last-Translator: Stéphane Aulery \n" + "Language-Team: French \n" +diff -ruN gnutls-3.7.2/po/gnutls.pot gnutls-3.7.2-bootstrapped/po/gnutls.pot +--- gnutls-3.7.2/po/gnutls.pot 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/gnutls.pot 2021-06-28 09:35:00.000000000 +0200 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: gnutls 3.7.2\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME \n" + "Language-Team: LANGUAGE \n" +diff -ruN gnutls-3.7.2/po/it.po gnutls-3.7.2-bootstrapped/po/it.po +--- gnutls-3.7.2/po/it.po 2021-05-29 
10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/it.po 2021-06-28 09:35:00.000000000 +0200 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: gnutls-3.6.8\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2019-08-02 11:43+0200\n" + "Last-Translator: Milo Casagrande \n" + "Language-Team: Italian \n" +Binary files gnutls-3.7.2/po/ms.gmo and gnutls-3.7.2-bootstrapped/po/ms.gmo differ +diff -ruN gnutls-3.7.2/po/ms.po gnutls-3.7.2-bootstrapped/po/ms.po +--- gnutls-3.7.2/po/ms.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/ms.po 2021-06-28 09:35:00.000000000 +0200 +@@ -7,8 +7,8 @@ + msgstr "" + "Project-Id-Version: gnutls 3.6.8\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" +-"PO-Revision-Date: 2021-04-20 16:03+0800\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" ++"PO-Revision-Date: 2021-06-14 00:17+0800\n" + "Last-Translator: Sharuzzaman Ahmat Raslan \n" + "Language-Team: Malay \n" + "Language: ms\n" +@@ -16,7 +16,7 @@ + "Content-Type: text/plain; charset=utf-8\n" + "Content-Transfer-Encoding: 8bit\n" + "X-Bugs: Report translation errors to the Language-Team address.\n" +-"X-Generator: Poedit 2.4.2\n" ++"X-Generator: Poedit 3.0\n" + + #: lib/alert.c:39 + msgid "Close notify" +@@ -139,7 +139,7 @@ + #: lib/alert.c:83 + #, fuzzy + msgid "An extension was expected but was not seen" +-msgstr "')' dijangka\n" ++msgstr "Sambungan tidak disokong telah dihantar" + + #: lib/alert.c:86 + msgid "No supported application protocol could be negotiated" +@@ -1224,20 +1224,19 @@ + msgstr "%s\t\t\tnamaLain OID: %.*s\n" + + #: lib/x509/output.c:152 +-#, fuzzy, c-format +-#| msgid "\t\t\tXMPP Address: %.*s\n" ++#, c-format + msgid "%sXMPP Address: %.*s\n" +-msgstr "\t\t\tAlamat XMPP: %.*s\n" ++msgstr "%sAlamat XMPP: %.*s\n" + + #: lib/x509/output.c:156 +-#, fuzzy, c-format ++#, c-format + 
msgid "%sKRB5Principal: %.*s\n" +-msgstr "%s: %s.\n" ++msgstr "%sKRB5Principal: %.*s\n" + + #: lib/x509/output.c:160 +-#, fuzzy, c-format ++#, c-format + msgid "%sUnknown name: " +-msgstr "Nama" ++msgstr "%sNama tidak diketahui: " + + #: lib/x509/output.c:302 + #, c-format +@@ -1266,14 +1265,14 @@ + "\t\t\tLambakan Hex: " + + #: lib/x509/output.c:347 +-#, fuzzy, c-format ++#, c-format + msgid "%s\t\t\tPermitted:\n" +-msgstr "TDB: Tulis tidak dibenarkan" ++msgstr "%s\t\t\tDibenarkan:\n" + + #: lib/x509/output.c:359 +-#, fuzzy, c-format ++#, c-format + msgid "%s\t\t\tExcluded:\n" +-msgstr "%s%s: %.*s (%s)\n" ++msgstr "%s\t\t\tDikecualikan:\n" + + #: lib/x509/output.c:399 lib/x509/output.c:401 lib/x509/output.c:403 + #, c-format +diff -ruN gnutls-3.7.2/po/nl.po gnutls-3.7.2-bootstrapped/po/nl.po +--- gnutls-3.7.2/po/nl.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/nl.po 2021-06-28 09:35:00.000000000 +0200 +@@ -10,7 +10,7 @@ + msgstr "" + "Project-Id-Version: libgnutls-3.2.1\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2013-06-13 19:56+0200\n" + "Last-Translator: Benno Schulenberg \n" + "Language-Team: Dutch \n" +diff -ruN gnutls-3.7.2/po/pl.po gnutls-3.7.2-bootstrapped/po/pl.po +--- gnutls-3.7.2/po/pl.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/pl.po 2021-06-28 09:35:00.000000000 +0200 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: gnutls-3.6.8\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2019-06-01 08:22+0200\n" + "Last-Translator: Jakub Bogusz \n" + "Language-Team: Polish \n" +diff -ruN gnutls-3.7.2/po/pt_BR.po gnutls-3.7.2-bootstrapped/po/pt_BR.po +--- gnutls-3.7.2/po/pt_BR.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/pt_BR.po 2021-06-28 
09:35:00.000000000 +0200 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: gnutls 3.6.8\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2019-06-11 03:55-0200\n" + "Last-Translator: Rafael Fontenelle \n" + "Language-Team: Brazilian Portuguese \n" + "Language-Team: Serbian <(nothing)>\n" +diff -ruN gnutls-3.7.2/po/sv.po gnutls-3.7.2-bootstrapped/po/sv.po +--- gnutls-3.7.2/po/sv.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/sv.po 2021-06-28 09:35:00.000000000 +0200 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: libgnutls 3.2.3\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2017-06-22 13:44+0200\n" + "Last-Translator: Anders Jonsson \n" + "Language-Team: Swedish \n" +diff -ruN gnutls-3.7.2/po/uk.po gnutls-3.7.2-bootstrapped/po/uk.po +--- gnutls-3.7.2/po/uk.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/uk.po 2021-06-28 09:35:00.000000000 +0200 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: gnutls 3.6.8\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2019-06-06 21:38+0300\n" + "Last-Translator: Yuri Chornoivan \n" + "Language-Team: Ukrainian \n" +diff -ruN gnutls-3.7.2/po/vi.po gnutls-3.7.2-bootstrapped/po/vi.po +--- gnutls-3.7.2/po/vi.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/vi.po 2021-06-28 09:35:00.000000000 +0200 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: libgnutls-3.2.3\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2013-08-06 07:13+0700\n" + "Last-Translator: Trần Ngọc Quân \n" + "Language-Team: 
Vietnamese \n" +diff -ruN gnutls-3.7.2/po/zh_CN.po gnutls-3.7.2-bootstrapped/po/zh_CN.po +--- gnutls-3.7.2/po/zh_CN.po 2021-05-29 10:15:00.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/po/zh_CN.po 2021-06-28 09:35:00.000000000 +0200 +@@ -10,7 +10,7 @@ + msgstr "" + "Project-Id-Version: libgnutls 3.2.3\n" + "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n" +-"POT-Creation-Date: 2021-05-29 10:15+0200\n" ++"POT-Creation-Date: 2021-06-28 09:35+0200\n" + "PO-Revision-Date: 2015-11-10 09:47-0500\n" + "Last-Translator: Mingye Wang (Arthur2e5) \n" + "Language-Team: Chinese (simplified) \n" +diff -ruN gnutls-3.7.2/src/p11tool-args.def gnutls-3.7.2-bootstrapped/src/p11tool-args.def +--- gnutls-3.7.2/src/p11tool-args.def 2021-04-19 09:28:28.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/src/p11tool-args.def 2021-06-25 17:46:01.000000000 +0200 +@@ -268,8 +268,9 @@ + flag = { + name = write; + descrip = "Writes the loaded objects to a PKCS #11 token"; +- doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with +- one of --load-privkey, --load-pubkey, --load-certificate option."; ++ doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option. ++ ++When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. 
If this behavior is undesired, write the public key to the token beforehand."; + }; + + flag = { +diff -ruN gnutls-3.7.2/tests/Makefile.am gnutls-3.7.2-bootstrapped/tests/Makefile.am +--- gnutls-3.7.2/tests/Makefile.am 2021-05-27 08:10:21.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/tests/Makefile.am 2021-06-28 09:09:42.000000000 +0200 +@@ -108,7 +108,7 @@ + libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c + libutils_la_LIBADD = ../lib/libgnutls.la + +-indirect_tests = system-override-hash system-override-sig ++indirect_tests = system-override-hash system-override-sig system-override-sig-tls + + ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \ + tls13/post-handshake-with-cert tls13/post-handshake-without-cert \ +@@ -509,7 +509,13 @@ + dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \ + system-override-versions.sh system-override-invalid.sh \ + system-override-curves.sh system-override-profiles.sh system-override-tls.sh \ +- system-override-kx.sh system-override-default-priority-string.sh ++ system-override-kx.sh system-override-default-priority-string.sh \ ++ system-override-sig-tls.sh ++ ++dist_check_SCRIPTS += system-override-sig-allowlist.sh \ ++ system-override-hash-allowlist.sh \ ++ system-override-versions-allowlist.sh \ ++ system-override-curves-allowlist.sh + endif + + dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh +@@ -605,6 +611,7 @@ + endif + + TEST_EXTENSIONS = .sh ++SH_LOG_COMPILER = $(SHELL) + LOG_COMPILER = $(VALGRIND) + + distclean-local: +diff -ruN gnutls-3.7.2/tests/Makefile.in gnutls-3.7.2-bootstrapped/tests/Makefile.in +--- gnutls-3.7.2/tests/Makefile.in 2021-05-29 10:11:25.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/tests/Makefile.in 2021-06-28 09:11:42.000000000 +0200 +@@ -191,11 +191,20 @@ + @WINDOWS_FALSE@ gnutls-cli-resume.sh profile-tests.sh \ + @WINDOWS_FALSE@ server-weak-keys.sh + @WINDOWS_FALSE@am__append_17 = dtls-stress 
+-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh system-override-hash.sh \ +-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions.sh system-override-invalid.sh \ +-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves.sh system-override-profiles.sh system-override-tls.sh \ +-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-kx.sh system-override-default-priority-string.sh +- ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-hash.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-invalid.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-profiles.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-tls.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-kx.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-default-priority-string.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-sig-tls.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-sig-allowlist.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-hash-allowlist.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions-allowlist.sh \ ++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves-allowlist.sh + @WINDOWS_FALSE@am__append_19 = gnutls-cli-self-signed.sh \ + @WINDOWS_FALSE@ gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \ + @WINDOWS_FALSE@ dh-fips-approved.sh +@@ -662,8 +671,8 @@ + @ENABLE_PKCS11_TRUE@@HAVE_PKCS11_TRUST_STORE_TRUE@@P11KIT_0_23_11_API_TRUE@@WINDOWS_FALSE@ pkcs11/list-objects$(EXEEXT) + @WINDOWS_FALSE@am__EXEEXT_18 = datefudge-check$(EXEEXT) + am__EXEEXT_19 = system-override-hash$(EXEEXT) \ +- 
system-override-sig$(EXEEXT) $(am__EXEEXT_16) $(am__EXEEXT_17) \ +- $(am__EXEEXT_18) ++ system-override-sig$(EXEEXT) system-override-sig-tls$(EXEEXT) \ ++ $(am__EXEEXT_16) $(am__EXEEXT_17) $(am__EXEEXT_18) + PROGRAMS = $(noinst_PROGRAMS) + LTLIBRARIES = $(noinst_LTLIBRARIES) + @ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock1_la_DEPENDENCIES = \ +@@ -2366,6 +2375,11 @@ + system_override_sig_LDADD = $(LDADD) + system_override_sig_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \ + $(am__DEPENDENCIES_2) ++system_override_sig_tls_SOURCES = system-override-sig-tls.c ++system_override_sig_tls_OBJECTS = system-override-sig-tls.$(OBJEXT) ++system_override_sig_tls_LDADD = $(LDADD) ++system_override_sig_tls_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \ ++ libutils.la $(am__DEPENDENCIES_2) + system_prio_file_SOURCES = system-prio-file.c + system_prio_file_OBJECTS = system-prio-file.$(OBJEXT) + system_prio_file_LDADD = $(LDADD) +@@ -2997,10 +3011,13 @@ + system-override-profiles.sh system-override-tls.sh \ + system-override-kx.sh \ + system-override-default-priority-string.sh \ +- gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \ +- gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \ +- testpkcs11.sh certtool-pkcs11.sh p11-kit-load.sh danetool.sh \ +- tpmtool_test.sh ++ system-override-sig-tls.sh system-override-sig-allowlist.sh \ ++ system-override-hash-allowlist.sh \ ++ system-override-versions-allowlist.sh \ ++ system-override-curves-allowlist.sh gnutls-cli-self-signed.sh \ ++ gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \ ++ dh-fips-approved.sh p11-kit-trust.sh testpkcs11.sh \ ++ certtool-pkcs11.sh p11-kit-load.sh danetool.sh tpmtool_test.sh + AM_V_P = $(am__v_P_@AM_V@) + am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) + am__v_P_0 = false +@@ -3216,6 +3233,7 @@ + ./$(DEPDIR)/status-request.Po ./$(DEPDIR)/str-idna.Po \ + ./$(DEPDIR)/str-unicode.Po ./$(DEPDIR)/strict-der.Po \ + ./$(DEPDIR)/system-override-hash.Po \ ++ ./$(DEPDIR)/system-override-sig-tls.Po \ + 
./$(DEPDIR)/system-override-sig.Po \ + ./$(DEPDIR)/system-prio-file.Po ./$(DEPDIR)/time.Po \ + ./$(DEPDIR)/tls-channel-binding.Po \ +@@ -3522,16 +3540,16 @@ + ssl30-server-kx-neg.c status-request.c status-request-ext.c \ + status-request-ok.c status-request-revoked.c str-idna.c \ + str-unicode.c strict-der.c system-override-hash.c \ +- system-override-sig.c system-prio-file.c time.c \ +- tls-channel-binding.c tls-client-with-seccomp.c \ +- tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \ +- tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \ +- tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \ +- tls-record-size-limit-asym.c tls-session-ext-override.c \ +- tls-session-ext-register.c tls-session-supplemental.c \ +- tls-supplemental.c tls-with-seccomp.c \ +- $(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \ +- tls10-prf.c tls10-server-kx-neg.c \ ++ system-override-sig.c system-override-sig-tls.c \ ++ system-prio-file.c time.c tls-channel-binding.c \ ++ tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \ ++ tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \ ++ tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \ ++ tls-record-size-limit.c tls-record-size-limit-asym.c \ ++ tls-session-ext-override.c tls-session-ext-register.c \ ++ tls-session-supplemental.c tls-supplemental.c \ ++ tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \ ++ tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \ + $(tls11_cert_key_exchange_SOURCES) \ + $(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \ + $(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \ +@@ -3707,16 +3725,16 @@ + ssl30-server-kx-neg.c status-request.c status-request-ext.c \ + status-request-ok.c status-request-revoked.c str-idna.c \ + str-unicode.c strict-der.c system-override-hash.c \ +- system-override-sig.c system-prio-file.c time.c \ +- tls-channel-binding.c tls-client-with-seccomp.c \ +- tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \ +- tls-ext-register.c 
tls-force-etm.c tls-neg-ext-key.c \ +- tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \ +- tls-record-size-limit-asym.c tls-session-ext-override.c \ +- tls-session-ext-register.c tls-session-supplemental.c \ +- tls-supplemental.c tls-with-seccomp.c \ +- $(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \ +- tls10-prf.c tls10-server-kx-neg.c \ ++ system-override-sig.c system-override-sig-tls.c \ ++ system-prio-file.c time.c tls-channel-binding.c \ ++ tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \ ++ tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \ ++ tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \ ++ tls-record-size-limit.c tls-record-size-limit-asym.c \ ++ tls-session-ext-override.c tls-session-ext-register.c \ ++ tls-session-supplemental.c tls-supplemental.c \ ++ tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \ ++ tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \ + $(tls11_cert_key_exchange_SOURCES) \ + $(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \ + $(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \ +@@ -5822,7 +5840,8 @@ + libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c + libutils_la_LIBADD = ../lib/libgnutls.la + indirect_tests = system-override-hash system-override-sig \ +- $(am__append_17) $(am__append_22) $(am__append_28) ++ system-override-sig-tls $(am__append_17) $(am__append_22) \ ++ $(am__append_28) + ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \ + tls13/post-handshake-with-cert \ + tls13/post-handshake-without-cert tls13/cookie tls13/key_share \ +@@ -6115,6 +6134,7 @@ + @ENABLE_CXX_TRUE@@HAVE_CMOCKA_TRUE@ -I$(top_builddir)/gl + + TEST_EXTENSIONS = .sh ++SH_LOG_COMPILER = $(SHELL) + LOG_COMPILER = $(VALGRIND) + all: all-recursive + +@@ -7590,6 +7610,10 @@ + @rm -f system-override-sig$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(system_override_sig_OBJECTS) $(system_override_sig_LDADD) $(LIBS) + ++system-override-sig-tls$(EXEEXT): $(system_override_sig_tls_OBJECTS) 
$(system_override_sig_tls_DEPENDENCIES) $(EXTRA_system_override_sig_tls_DEPENDENCIES) ++ @rm -f system-override-sig-tls$(EXEEXT) ++ $(AM_V_CCLD)$(LINK) $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_LDADD) $(LIBS) ++ + system-prio-file$(EXEEXT): $(system_prio_file_OBJECTS) $(system_prio_file_DEPENDENCIES) $(EXTRA_system_prio_file_DEPENDENCIES) + @rm -f system-prio-file$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(system_prio_file_OBJECTS) $(system_prio_file_LDADD) $(LIBS) +@@ -8396,6 +8420,7 @@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str-unicode.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strict-der.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-hash.Po@am__quote@ # am--include-marker ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig-tls.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-prio-file.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/time.Po@am__quote@ # am--include-marker +@@ -12588,6 +12613,7 @@ + -rm -f ./$(DEPDIR)/str-unicode.Po + -rm -f ./$(DEPDIR)/strict-der.Po + -rm -f ./$(DEPDIR)/system-override-hash.Po ++ -rm -f ./$(DEPDIR)/system-override-sig-tls.Po + -rm -f ./$(DEPDIR)/system-override-sig.Po + -rm -f ./$(DEPDIR)/system-prio-file.Po + -rm -f ./$(DEPDIR)/time.Po +@@ -13075,6 +13101,7 @@ + -rm -f ./$(DEPDIR)/str-unicode.Po + -rm -f ./$(DEPDIR)/strict-der.Po + -rm -f ./$(DEPDIR)/system-override-hash.Po ++ -rm -f ./$(DEPDIR)/system-override-sig-tls.Po + -rm -f ./$(DEPDIR)/system-override-sig.Po + -rm -f ./$(DEPDIR)/system-prio-file.Po + -rm -f ./$(DEPDIR)/time.Po +diff -ruN gnutls-3.7.2/tests/suite/Makefile.am gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am +--- gnutls-3.7.2/tests/suite/Makefile.am 2021-05-27 08:08:22.000000000 +0200 
++++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am 2021-06-28 09:09:42.000000000 +0200 +@@ -115,4 +115,5 @@ + prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) + + TEST_EXTENSIONS = .sh ++SH_LOG_COMPILER = $(SHELL) + LOG_COMPILER = $(VALGRIND) +diff -ruN gnutls-3.7.2/tests/suite/Makefile.in gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in +--- gnutls-3.7.2/tests/suite/Makefile.in 2021-05-29 10:11:26.000000000 +0200 ++++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in 2021-06-28 09:11:43.000000000 +0200 +@@ -2351,6 +2351,7 @@ + nodist_check_SCRIPTS = $(scripts_to_test) + prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) + TEST_EXTENSIONS = .sh ++SH_LOG_COMPILER = $(SHELL) + LOG_COMPILER = $(VALGRIND) + all: all-am + +diff -ruN gnutls-3.7.2/tests/system-override-curves-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh +--- gnutls-3.7.2/tests/system-override-curves-allowlist.sh 1970-01-01 01:00:00.000000000 +0100 ++++ gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh 2021-06-28 09:09:14.000000000 +0200 +@@ -0,0 +1,113 @@ ++#!/bin/sh ++ ++# Copyright (C) 2019 Red Hat, Inc. ++# ++# Author: Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU Lesser General Public License ++# along with this program. 
If not, see
++
++: ${srcdir=.}
++: ${SERV=../src/gnutls-serv${EXEEXT}}
++: ${CLI=../src/gnutls-cli${EXEEXT}}
++TMPFILE=config.$$.tmp
++TMPFILE2=log.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++if ! test -x "${SERV}"; then
++ exit 77
++fi
++
++if ! test -x "${CLI}"; then
++ exit 77
++fi
++
++if test "${WINDIR}" != ""; then
++ exit 77
++fi
++
++. "${srcdir}/scripts/common.sh"
++
++# This test doesn't work in FIPS mode
++if test -n "${GNUTLS_FORCE_FIPS_MODE}" && test "${GNUTLS_FORCE_FIPS_MODE}" != 0; then
++ exit 77
++fi
++
++# We intentionally add stray spaces and tabs to check our parser
++cat <<_EOF_ > ${TMPFILE}
++[global]
++override-mode = allowlist
++
++[overrides]
++enabled-curve = secp384r1
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++export GNUTLS_DEBUG_LEVEL=3
++
++"${CLI}" --list|grep ^Groups >${TMPFILE2}
++cat ${TMPFILE2}
++if grep -i "SECP256R1" ${TMPFILE2} || grep -i "SECP521R1" ${TMPFILE2};then
++ echo "Found disabled curve with --list"
++ exit 1
++fi
++
++if ! grep -i "SECP384R1" ${TMPFILE2};then
++ echo "Could not found secp384r1"
++ exit 1
++fi
++
++# Try whether a client connection with a disabled curve will succeed.
++
++KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
++CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
++
++unset GNUTLS_SYSTEM_PRIORITY_FILE
++
++eval "${GETPORT}"
++launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
++PID=$!
++wait_server ${PID}
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} /dev/null ||
++ fail "expected connection to succeed (1)"
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} /dev/null &&
++ fail "expected connection to fail (2)"
++
++kill ${PID}
++wait
++
++# Try whether a server connection with a disabled curve will succeed.
++
++KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
++CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
++
++eval "${GETPORT}"
++launch_server --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1}
++PID=$!
++wait_server ${PID}
++
++unset GNUTLS_SYSTEM_PRIORITY_FILE
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1" --insecure --logfile ${TMPFILE2} /dev/null &&
++ fail "expected connection to fail (2)"
++
++kill ${PID}
++wait
++
++exit 0
+diff -ruN gnutls-3.7.2/tests/system-override-hash-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh
+--- gnutls-3.7.2/tests/system-override-hash-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
+@@ -0,0 +1,41 @@
++#!/bin/sh
++
++# Copyright (C) 2019 Nikos Mavrogiannopoulos
++#
++# Author: Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
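Review bot: In tests/system-override-curves-allowlist.sh the two `&& fail "expected connection to fail (2)"` checks accept any client failure, so they also pass when the server is unreachable or the handshake breaks for an unrelated reason, and the allowlist is then never exercised. Matching the expected handshake error in the client output would pin the failure to the disabled curve; the exact message is not visible in this hunk and needs confirming against gnutls-cli. Both failure messages carry the label `(2)`, so the last one should read `fail "expected connection to fail (3)"`. `${TMPFILE}` and `${TMPFILE2}` are never removed, unlike in the sibling hash and sig allowlist scripts; `rm -f ${TMPFILE} ${TMPFILE2}` before `exit 0` would fix that.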
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${builddir=.}
++TMPFILE=c.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++cat <<_EOF_ > ${TMPFILE}
++[global]
++override-mode = allowlist
++
++[overrides]
++secure-hash = sha384
++secure-sig = rsa-pss-sha384
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${builddir}/system-override-hash"
++rc=$?
++rm ${TMPFILE}
++exit $rc
+diff -ruN gnutls-3.7.2/tests/system-override-sig-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh
+--- gnutls-3.7.2/tests/system-override-sig-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
+@@ -0,0 +1,43 @@
++#!/bin/sh
++
++# Copyright (C) 2019 Nikos Mavrogiannopoulos
++#
++# Author: Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${builddir=.}
++TMPFILE=c.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++cat <<_EOF_ > ${TMPFILE}
++[global]
++override-mode = allowlist
++
++[overrides]
++secure-hash = sha256
++secure-sig = rsa-sha256
++secure-hash = sha384
++secure-sig = rsa-pss-sha384
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${builddir}/system-override-sig"
++rc=$?
++rm ${TMPFILE}
++exit $rc
+diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.c gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c
+--- gnutls-3.7.2/tests/system-override-sig-tls.c 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c 2021-06-25 17:46:13.000000000 +0200
+@@ -0,0 +1,200 @@
++/*
++ * Copyright (C) 2015-2021 Red Hat, Inc.
++ *
++ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include
++#endif
++
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include "utils.h"
++
++#define SKIP16(pos, total) { \
++ uint16_t _s; \
++ if (pos+2 > total) fail("error\n"); \
++ _s = (msg->data[pos] << 8) | msg->data[pos+1]; \
++ if ((size_t)(pos+2+_s) > total) fail("error\n"); \
++ pos += 2+_s; \
++ }
++
++#define SKIP8(pos, total) { \
++ uint8_t _s; \
++ if (pos+1 > total) fail("error\n"); \
++ _s = msg->data[pos]; \
++ if ((size_t)(pos+1+_s) > total) fail("error\n"); \
++ pos += 1+_s; \
++ }
++
++#define HANDSHAKE_SESSION_ID_POS 34
++
++#include "eagain-common.h"
++#include "cert-common.h"
++
++/* This tests whether the client omits signature algorithms marked as insecure,
++ * from the signature_algorithms extension.
++ */
++
++const char *side;
++
++static void tls_log_func(int level, const char *str)
++{
++ fprintf(stderr, "%s|<%d>| %s", side, level, str);
++}
++
++#define PRIO "NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:" \
++ "+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384"
++/* rsa_pss_rsae_sha384 */
++#define SIGALGS_EXP "\x00\x02\x08\x05"
++
++static int
++ext_callback(void *ctx, unsigned tls_id,
++ const unsigned char *data, unsigned size)
++{
++ if (tls_id == 13) { /* signature algorithms */
++ if (size != sizeof(SIGALGS_EXP) - 1) {
++ fail("invalid signature_algorithms length: %u != 4\n",
++ size);
++ }
++ if (memcmp(data, SIGALGS_EXP, sizeof(SIGALGS_EXP) - 1) != 0) {
++ fail("invalid signature_algorithms\n");
++ }
++ }
++ return 0;
++}
++
++static int
++handshake_callback(gnutls_session_t session, unsigned int htype,
++ unsigned post, unsigned int incoming,
++ const gnutls_datum_t *msg)
++{
++ assert(post);
++
++ if (!incoming && htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
++ int ret;
++ unsigned pos;
++ gnutls_datum_t mmsg;
++
++ assert(msg->size >= HANDSHAKE_SESSION_ID_POS);
++ pos = HANDSHAKE_SESSION_ID_POS;
++ SKIP8(pos, msg->size);
++ SKIP16(pos, msg->size);
++ SKIP8(pos, msg->size);
++
++ mmsg.data = &msg->data[pos];
++ mmsg.size = msg->size - pos;
++ ret = gnutls_ext_raw_parse(NULL, ext_callback, &mmsg, 0);
++ assert(ret >= 0);
++ }
++ return 0;
++}
++
++void doit(void)
++{
++ int ret;
++ /* Server stuff. */
++ gnutls_certificate_credentials_t serverx509cred;
++ gnutls_session_t server;
++ int sret = GNUTLS_E_AGAIN;
++ /* Client stuff. */
++ gnutls_certificate_credentials_t clientx509cred;
++ gnutls_session_t client;
++ int cret = GNUTLS_E_AGAIN;
++
++ global_init();
++
++ /* General init.
*/
++ gnutls_global_set_log_function(tls_log_func);
++ if (debug)
++ gnutls_global_set_log_level(6);
++
++ /* Init server */
++ gnutls_certificate_allocate_credentials(&serverx509cred);
++ gnutls_certificate_set_x509_key_mem(serverx509cred,
++ &server2_cert, &server2_key,
++ GNUTLS_X509_FMT_PEM);
++
++ gnutls_init(&server, GNUTLS_SERVER);
++ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
++ serverx509cred);
++
++ gnutls_priority_set_direct(server, PRIO, NULL);
++
++ gnutls_transport_set_push_function(server, server_push);
++ gnutls_transport_set_pull_function(server, server_pull);
++ gnutls_transport_set_pull_timeout_function(server,
++ server_pull_timeout_func);
++ gnutls_transport_set_ptr(server, server);
++
++ /* Init client */
++ ret = gnutls_certificate_allocate_credentials(&clientx509cred);
++ if (ret < 0)
++ exit(1);
++
++ ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca2_cert, GNUTLS_X509_FMT_PEM);
++ if (ret < 0)
++ exit(1);
++
++ ret = gnutls_init(&client, GNUTLS_CLIENT);
++ if (ret < 0)
++ exit(1);
++
++ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
++ clientx509cred);
++ if (ret < 0)
++ exit(1);
++
++ ret = gnutls_priority_set_direct(client, PRIO, NULL);
++ if (ret < 0)
++ exit(1);
++
++ gnutls_transport_set_push_function(client, client_push);
++ gnutls_transport_set_pull_function(client, client_pull);
++ gnutls_transport_set_pull_timeout_function(client,
++ client_pull_timeout_func);
++ gnutls_transport_set_ptr(client, client);
++
++ gnutls_handshake_set_hook_function(client,
++ GNUTLS_HANDSHAKE_ANY,
++ GNUTLS_HOOK_POST,
++ handshake_callback);
++
++ HANDSHAKE(client, server);
++
++ gnutls_bye(client, GNUTLS_SHUT_RDWR);
++ gnutls_bye(server, GNUTLS_SHUT_RDWR);
++
++ gnutls_deinit(client);
++ gnutls_deinit(server);
++
++ gnutls_certificate_free_credentials(serverx509cred);
++ gnutls_certificate_free_credentials(clientx509cred);
++
++ gnutls_global_deinit();
++
++ reset_buffers();
++}
+diff -ruN
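Review bot: In tests/system-override-sig-tls.c, `ext_callback` checks the payload only when extension 13 is present, so the test passes without verifying anything if the ClientHello carries no signature_algorithms extension or the hook never reaches the parse. Record that the extension was seen, e.g. a file-scope `static unsigned sigalgs_seen;` set with `sigalgs_seen = 1;` inside the `tls_id == 13` branch, and add `if (!sigalgs_seen) fail("signature_algorithms not sent\n");` after `HANDSHAKE(client, server);`. The result of `gnutls_ext_raw_parse` is checked only through `assert(ret >= 0)`, which disappears when NDEBUG is defined; `if (ret < 0) fail("cannot parse extensions\n");` keeps the check in every build.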
gnutls-3.7.2/tests/system-override-sig-tls.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh
+--- gnutls-3.7.2/tests/system-override-sig-tls.sh 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh 2021-06-25 17:46:13.000000000 +0200
+@@ -0,0 +1,39 @@
++#!/bin/sh
++
++# Copyright (C) 2019 Nikos Mavrogiannopoulos
++# Copyright (C) 2021 Red Hat, Inc.
++#
++# Author: Nikos Mavrogiannopoulos, Daiki Ueno
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${builddir=.}
++TMPFILE=c.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++cat <<_EOF_ > ${TMPFILE}
++[overrides]
++
++insecure-sig = rsa-pss-rsae-sha256
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${builddir}/system-override-sig-tls"
++rc=$?
++rm ${TMPFILE}
++exit $rc
+diff -ruN gnutls-3.7.2/tests/system-override-versions-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh
+--- gnutls-3.7.2/tests/system-override-versions-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
+@@ -0,0 +1,109 @@
++#!/bin/sh
++
++# Copyright (C) 2019 Red Hat, Inc.
++#
++# Author: Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${srcdir=.}
++: ${SERV=../src/gnutls-serv${EXEEXT}}
++: ${CLI=../src/gnutls-cli${EXEEXT}}
++TMPFILE=config.$$.tmp
++TMPFILE2=log.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++if ! test -x "${SERV}"; then
++ exit 77
++fi
++
++if ! test -x "${CLI}"; then
++ exit 77
++fi
++
++if test "${WINDIR}" != ""; then
++ exit 77
++fi
++
++. "${srcdir}/scripts/common.sh"
++
++cat <<_EOF_ > ${TMPFILE}
++[global]
++override-mode = allowlist
++
++[overrides]
++enabled-version = tls1.1
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++export GNUTLS_DEBUG_LEVEL=3
++
++"${CLI}" --list|grep Protocols >${TMPFILE2}
++cat ${TMPFILE2}
++if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
++ echo "Found disabled protocol with --list"
++ exit 1
++fi
++
++PRIO=@SYSTEM:+CIPHER-ALL:+MAC-ALL:+GROUP-ALL
++
++"${CLI}" --priority "$PRIO" --list|grep Protocols >${TMPFILE2}
++cat ${TMPFILE2}
++if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
++ echo "Found disabled protocol with --list --priority $PRIO"
++ exit 1
++fi
++
++# Try whether a client connection with these protocols will succeed.
++
++KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
++CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
++
++unset GNUTLS_SYSTEM_PRIORITY_FILE
++
++eval "${GETPORT}"
++launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
++PID=$!
++wait_server ${PID}
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority "$PRIO" --insecure --logfile ${TMPFILE2} /dev/null &&
++ fail "expected connection to fail (1)"
++
++kill ${PID}
++wait
++
++# Try whether a server connection with these protocols will succeed.
++
++KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
++CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
++
++eval "${GETPORT}"
++launch_server --echo --priority "$PRIO" --x509keyfile ${KEY1} --x509certfile ${CERT1}
++PID=$!
++wait_server ${PID}
++
++unset GNUTLS_SYSTEM_PRIORITY_FILE
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} /dev/null &&
++ fail "expected connection to fail (2)"
++
++kill ${PID}
++wait
++
++exit 0
diff --git a/gnutls-3.7.2-key-share-ecdhx.patch b/gnutls-3.7.2-key-share-ecdhx.patch
new file mode 100644
index 0000000..21a69a5
--- /dev/null
+++ b/gnutls-3.7.2-key-share-ecdhx.patch
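Review bot: Every assertion in tests/system-override-versions-allowlist.sh is negative, so the script still passes if the allowlist configuration ends up disabling every protocol: nothing checks that TLS 1.1, the one allowlisted version, is listed or usable. The curves test in the same patch does check the positive side with `grep -i "SECP384R1"`; the equivalent here, after each `--list` check, would be `grep "VERS-TLS1.1" ${TMPFILE2} || { echo "Could not find allowlisted protocol"; exit 1; }`, assuming `--list` prints the version in that form. `${TMPFILE}` and `${TMPFILE2}` are also left behind when the script exits.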
@@ -0,0 +1,92 @@
+From c9e072236c4e1c290f38aee819ecaff8398e2a16 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Fri, 25 Jun 2021 08:39:12 +0200
+Subject: [PATCH] key_share: treat X25519 and X448 as same PK type when
+ advertising
+
+Previously, if both X25519 and X448 groups were enabled in the
+priority string, the client sent both algorithms in a key_share
+extension, while it was only capable of handling one algorithm from
+the same (Edwards curve) category. This adds an extra check so the
+client should send either X25519 or X448.
+
+Signed-off-by: Daiki Ueno
+---
+ lib/ext/key_share.c | 24 +++++++++++++++++++++---
+ tests/tls13/key_share.c | 3 +++
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index a8c4bb5cf..a4db3af95 100644
+--- a/lib/ext/key_share.c
++++ b/lib/ext/key_share.c
+@@ -656,6 +656,18 @@ key_share_recv_params(gnutls_session_t session,
+ return 0;
+ }
+
++static inline bool
++pk_type_is_ecdhx(gnutls_pk_algorithm_t pk)
++{
++ return pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448;
++}
++
++static inline bool
++pk_type_equal(gnutls_pk_algorithm_t a, gnutls_pk_algorithm_t b)
++{
++ return a == b || (pk_type_is_ecdhx(a) && pk_type_is_ecdhx(b));
++}
++
+ /* returns data_size or a negative number on failure
+ */
+ static int
+@@ -710,12 +722,18 @@ key_share_send_params(gnutls_session_t session,
+ /* generate key shares for out top-(max_groups) groups
+ * if they are of different PK type. */
+ for (i = 0; i < session->internals.priorities->groups.size; i++) {
++ unsigned int j;
++
+ group = session->internals.priorities->groups.entry[i];
+
+- if (generated == 1 && group->pk == selected_groups[0])
+- continue;
+- else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0]))
++ for (j = 0; j < generated; j++) {
++ if (pk_type_equal(group->pk, selected_groups[j])) {
++ break;
++ }
++ }
++ if (j < generated) {
+ continue;
++ }
+
+ selected_groups[generated] = group->pk;
+
+diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c
+index 7f8f6295c..816a7d9b5 100644
+--- a/tests/tls13/key_share.c
++++ b/tests/tls13/key_share.c
+@@ -124,6 +124,7 @@ unsigned int tls_id_to_group[] = {
+ [23] = GNUTLS_GROUP_SECP256R1,
+ [24] = GNUTLS_GROUP_SECP384R1,
+ [29] = GNUTLS_GROUP_X25519,
++ [30] = GNUTLS_GROUP_X448,
+ [0x100] = GNUTLS_GROUP_FFDHE2048,
+ [0x101] = GNUTLS_GROUP_FFDHE3072
+ };
+@@ -315,11 +316,13 @@ void doit(void)
+ start("two groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
+ start("two groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
+ start("two groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2);
++ start("two groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X448, 2);
+ start("two groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_FFDHE2048, 2);
+
+ start("three groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3",
GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3); + start("three groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3); + start("three groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X25519, 3); ++ start("three groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X448, 3); + start("three groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_FFDHE2048, 3); + + /* test default behavior */ +-- +2.31.1 + diff --git a/gnutls.spec b/gnutls.spec index 2d15b56..7a3fc6b 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,10 @@ # This spec file has been automatically updated Version: 3.7.2 -Release: 2%{?dist} +Release: 3%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.7.2-config-allowlisting.patch +Patch4: gnutls-3.7.2-key-share-ecdhx.patch %bcond_with bootstrap %bcond_without dane %if 0%{?rhel} @@ -162,6 +164,10 @@ rm -f lib/minitasn1/*.c lib/minitasn1/*.h echo "SYSTEM=NORMAL" >> tests/system.prio +%if !%{with bootstrap} +touch doc/stamp* doc/*.texi doc/*.info doc/*.html doc/manpages/stamp_mans +%endif + # Note that we explicitly enable SHA1, as SHA1 deprecation is handled # via the crypto policies 
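Review bot: The new `two groups: x448` and `three groups: x448` cases in tests/tls13/key_share.c only exercise X448 listed ahead of X25519, and the existing x25519 cases do not enable X448 at all, so the ordering where X25519 comes first and X448 has to be skipped is never checked. A mirrored case whose priority string contains `+GROUP-X25519:+GROUP-X448:+GROUP-SECP256R1` would cover it. In lib/ext/key_share.c, `pk_type_is_ecdhx` and `pk_type_equal` carry no comment, and the context comment above the loop still says shares are generated "if they are of different PK type" without saying that X25519 and X448 now count as one type; a line such as `/* X25519 and X448 count as the same PK type: only one of them is advertised */` above `pk_type_equal` would record that. The bodies of `key_share_send_params` and `doit` continue outside the inner hunks, so how `start()` checks the advertised groups is not visible here.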
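Review bot: The `touch doc/stamp* doc/*.texi doc/*.info doc/*.html doc/manpages/stamp_mans` line added under `%if !%{with bootstrap}` has no comment saying why the documentation timestamps are refreshed, while the context lines right after it explain the SHA1 setting. Presumably it keeps make from regenerating the docs after Patch3 rewrites bootstrapped files; if that is the reason, a line such as `# Patch3 modifies generated files; refresh doc timestamps so they are not rebuilt` above the `%if` would keep the step from being dropped later. The enclosing spec section starts outside the hunk.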
@@ -295,6 +301,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Mon Jun 28 2021 Daiki Ueno - 3.7.2-3 +- Enable allowlisting configuration mode (#1975421) + * Sat Jun 26 2021 Daiki Ueno - 3.7.2-2 - Remove %%defattr invocations which are no longer necessary - libpkcs11mock1.* is not installed anymore