diff --git a/gnutls-3.7.2-config-allowlisting.patch b/gnutls-3.7.2-config-allowlisting.patch
new file mode 100644
index 0000000..484f053
--- /dev/null
+++ b/gnutls-3.7.2-config-allowlisting.patch
@@ -0,0 +1,8352 @@
+diff -ruN gnutls-3.7.2/aminclude_static.am gnutls-3.7.2-bootstrapped/aminclude_static.am
+--- gnutls-3.7.2/aminclude_static.am	2021-05-29 10:11:18.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/aminclude_static.am	2021-06-28 09:11:35.000000000 +0200
+@@ -1,6 +1,6 @@
+ 
+ # aminclude_static.am generated automatically by Autoconf
+-# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
++# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
+ 
+ 
+ # Code coverage
+diff -ruN gnutls-3.7.2/AUTHORS gnutls-3.7.2-bootstrapped/AUTHORS
+--- gnutls-3.7.2/AUTHORS	2021-05-29 10:22:59.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/AUTHORS	2021-06-28 09:56:13.000000000 +0200
+@@ -37,8 +37,8 @@
+ Kevin Cernekee <cernekee at gmail.com>
+ Nikolay Sivov <nsivov at codeweavers.com>
+ Sahana Prasad <sahana at redhat.com>
+-Michael Catanzaro <mcatanzaro at gnome.org>
+ Alexander Sosedkin <asosedkin at redhat.com>
++Michael Catanzaro <mcatanzaro at gnome.org>
+ Daniel Lenski <dlenski at gmail.com>
+ JonasZhou <JonasZhou at zhaoxin.com>
+ Stefan Sørensen <stefan.sorensen at spectralink.com>
+diff -ruN gnutls-3.7.2/ChangeLog gnutls-3.7.2-bootstrapped/ChangeLog
+--- gnutls-3.7.2/ChangeLog	2021-05-29 10:23:25.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/ChangeLog	2021-06-28 09:56:40.000000000 +0200
+@@ -1,4 +1,63 @@
+ Author: Daiki Ueno <ueno@gnu.org>
++Date:   Mon Jun 28 07:04:55 2021 +0200
++
++    tests: set SH_LOG_COMPILER so sh tests run under $(SHELL)
++    
++    This omits the need of setting executable bits on shell script tests.
++    
++    Signed-off-by: Daiki Ueno <ueno@gnu.org>
++
++Author: Daiki Ueno <ueno@gnu.org>
++Date:   Thu May 6 12:41:40 2021 +0200
++
++    priority: support allowlisting in configuration file
++    
++    This adds a new mode of interpreting the [overrides] section.  If
++    "override-mode" is set to "allowlisting" in the [global] section, all
++    the algorithms (hashes, signature algorithms, curves, and versions)
++    are initially marked as insecure/disabled.  Then the user can enable
++    them by specifying allowlisting keywords such as "secure-hash" in the
++    [overrides] section.
++    
++    Signed-off-by: Daiki Ueno <ueno@gnu.org>
++    Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
++
++Author: Daiki Ueno <ueno@gnu.org>
++Date:   Wed May 5 16:27:55 2021 +0200
++
++    priority: refactor config file parsing
++    
++    This adds the following refactoring:
++    
++    - avoid side-effects during parsing the config file, by separating
++      application phase; the parsed configuration can be applied globally
++      with cfg_apply, after validation
++    - make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
++      name
++    
++    Signed-off-by: Daiki Ueno <ueno@gnu.org>
++
++Author: Daiki Ueno <ueno@gnu.org>
++Date:   Fri Jun 11 06:58:43 2021 +0200
++
++    priority: reflect system wide config when constructing sigalgs
++    
++    Otherwise the client would advertise signature algorithms which it
++    cannot use and cause handshake to fail.
++    
++    Reported by Philip Schaten in:
++    https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html
++    
++    Signed-off-by: Daiki Ueno <ueno@gnu.org>
++
++Author: Daiki Ueno <ueno@gnu.org>
++Date:   Wed Jun 9 14:29:11 2021 +0200
++
++    p11tool: mention how CKA_IDs of certs are calculated upon --write
++    
++    Signed-off-by: Daiki Ueno <ueno@gnu.org>
++
++Author: Daiki Ueno <ueno@gnu.org>
+ Date:   Sat May 29 07:18:17 2021 +0200
+ 
+     Release 3.7.2
+@@ -49224,3 +49283,13 @@
+ Date:   Fri Nov 7 10:22:11 2014 +0100
+ 
+     doc: corrected values for INSECURE level
++
++Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
++Date:   Fri Nov 7 08:55:40 2014 +0100
++
++    pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags
++
++Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
++Date:   Fri Nov 7 08:44:46 2014 +0100
++
++    pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
+diff -ruN gnutls-3.7.2/doc/cha-config.texi gnutls-3.7.2-bootstrapped/doc/cha-config.texi
+--- gnutls-3.7.2/doc/cha-config.texi	2021-05-10 16:34:47.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/cha-config.texi	2021-06-28 09:09:14.000000000 +0200
+@@ -74,6 +74,7 @@
+ @item @code{insecure-sig-for-cert}: to mark the signature algorithm as insecure when used in certificates.
+ @item @code{insecure-sig}: to mark the signature algorithm as insecure for any use.
+ @item @code{insecure-hash}: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
++@item @code{disabled-curve}: to disable the specified elliptic curve.
+ @item @code{disabled-version}: to disable the specified TLS versions.
+ @item @code{tls-disabled-cipher}: to disable the specified ciphers for use in the TLS or DTLS protocols.
+ @item @code{tls-disabled-mac}: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
+@@ -82,11 +83,39 @@
+ @end itemize
+ 
+ Each of the options can be repeated multiple times when multiple values need
+-to be disabled.
++to be disabled or enabled.
+ 
+ The valid values for the options above can be found in the 'Protocols', 'Digests'
+ 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of the output of @code{gnutls-cli --list}.
+ 
++Sometimes the system administrator wants to enable only specific
++algorithms, despite the library defaults. GnuTLS provides an
++alternative mode of overriding: allowlisting.
++
++In the allowlisting mode, all the algorithms are initially marked as
++insecure or disabled, and shall be explicitly turned on by the options
++in the @code{[overrides]} section. Those options are mutually
++exclusive to the above ones for the blocklisting mode (the default)
++@itemize
++@item @code{secure-sig-for-cert}: to mark the signature algorithm as secure when used in certificates.
++@item @code{secure-sig}: to mark the signature algorithm as secure for any use.
++@item @code{secure-hash}: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
++@item @code{enabled-curve}: to enable the specified elliptic curve.
++@item @code{enabled-version}: to enable the specified TLS versions.
++@item @code{tls-enabled-cipher}: to enable the specified ciphers for use in the TLS or DTLS protocols.
++@item @code{tls-enabled-mac}: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
++@item @code{tls-enabled-group}: to enable the specified group for use in the TLS or DTLS protocols.
++@item @code{tls-enabled-kx}: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
++@end itemize
++
++The allowlisting mode can be enabled by adding @code{override-mode =
++allowlist} in the @code{[global]} section.
++
++When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
++
++@showfuncD{gnutls_ecc_curve_mark_enabled,gnutls_sign_mark_secure,gnutls_digest_mark_secure,gnutls_protocol_mark_enabled}
++@showfuncD{gnutls_ecc_curve_mark_disabled,gnutls_sign_mark_insecure,gnutls_digest_mark_insecure,gnutls_protocol_mark_disabled}
++
+ @subsection Examples
+ 
+ The following example marks as insecure all digital signature algorithms
+@@ -120,6 +149,20 @@
+ tls-disabled-group = group-ffdhe8192
+ @end example
+ 
++The following example demonstrates the use of the allowlisting
++mode. It disables all the signature algorithms but
++@code{RSA-SHA256}. Note that the hash algorithm @code{SHA256} also
++needs to be explicitly enabled.
++
++@example
++[global]
++override-mode = allowlist
++
++[overrides]
++secure-hash = sha256
++secure-sig = rsa-sha256
++@end example
++
+ @node Querying for disabled algorithms and protocols
+ @section Querying for disabled algorithms and protocols
+ 
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,12 @@
++
++
++
++
++@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Mark  @code{dig} as insecure system wide. This only works if the allowlisting mode
++is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,12 @@
++
++
++
++
++@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Invalidate previous system wide setting that marked  @code{dig} as insecure. This
++only works if the allowlisting mode is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,15 @@
++
++
++
++
++@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Mark  @code{curve} as disabled system wide. This setting can be reverted with
++@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
++uses the allowlisting mode.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short	2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,15 @@
++
++
++
++
++@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Invalidate previous system wide setting that marked  @code{curve} as disabled. This
++only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()}  or
++through the allowlisting mode in the configuration file.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short	2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,10 @@
++
++
++
++
++@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Mark  @code{version} as disabled system wide. This only works if the allowlisting
++mode is used in the configuration file.
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short	2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,11 @@
++
++
++
++
++@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Invalidate previous system wide setting that marked  @code{version} as
++disabled. This only works if the allowlisting mode is used in the
++configuration file.
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short	2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,18 @@
++
++
++
++
++@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  or 0
++
++Mark  @code{sign} as insecure system wide. This only works if the
++allowlisting mode is used in the configuration file.
++
++If  @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  bit set,
++and the algorithm was previously considered secure for all purposes,
++it only marks the algorithm as insecure for the use with certificates.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short	2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure	2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,22 @@
++
++
++
++
++@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  or 0
++
++Invalidate previous system wide setting that marked  @code{sign} as
++insecure. This only works if the algorithm is marked as insecure
++with @code{gnutls_sign_mark_insecure()}  or through the allowlisting mode
++in the configuration file.
++
++If  @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  bit set,
++it marks it the algorithm as secure for all purposes.
++If the absence of this flag, it will mark it as
++"secure, but not for certificates" at most,
++but it won't restrict anything either.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short	2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+diff -ruN gnutls-3.7.2/doc/gnutls-api.texi gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi
+--- gnutls-3.7.2/doc/gnutls-api.texi	2021-05-29 10:19:28.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi	2021-06-28 09:39:50.000000000 +0200
+@@ -2706,6 +2706,28 @@
+ integers indicating the available digests.
+ @end deftypefun
+ 
++@subheading gnutls_digest_mark_insecure
++@anchor{gnutls_digest_mark_insecure}
++@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Mark  @code{dig} as insecure system wide. This only works if the allowlisting mode
++is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
++@subheading gnutls_digest_mark_secure
++@anchor{gnutls_digest_mark_secure}
++@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Invalidate previous system wide setting that marked  @code{dig} as insecure. This
++only works if the allowlisting mode is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
+ @subheading gnutls_early_cipher_get
+ @anchor{gnutls_early_cipher_get}
+ @deftypefun {gnutls_cipher_algorithm_t} {gnutls_early_cipher_get} (gnutls_session_t @var{session})
+@@ -2820,6 +2842,34 @@
+ integers indicating the available curves.
+ @end deftypefun
+ 
++@subheading gnutls_ecc_curve_mark_disabled
++@anchor{gnutls_ecc_curve_mark_disabled}
++@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Mark  @code{curve} as disabled system wide. This setting can be reverted with
++@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
++uses the allowlisting mode.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
++@subheading gnutls_ecc_curve_mark_enabled
++@anchor{gnutls_ecc_curve_mark_enabled}
++@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Invalidate previous system wide setting that marked  @code{curve} as disabled. This
++only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()}  or
++through the allowlisting mode in the configuration file.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
+ @subheading gnutls_error_is_fatal
+ @anchor{gnutls_error_is_fatal}
+ @deftypefun {int} {gnutls_error_is_fatal} (int @var{error})
+@@ -5026,6 +5076,25 @@
+ indicating the available protocols.
+ @end deftypefun
+ 
++@subheading gnutls_protocol_mark_disabled
++@anchor{gnutls_protocol_mark_disabled}
++@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Mark  @code{version} as disabled system wide. This only works if the allowlisting
++mode is used in the configuration file.
++@end deftypefun
++
++@subheading gnutls_protocol_mark_enabled
++@anchor{gnutls_protocol_mark_enabled}
++@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Invalidate previous system wide setting that marked  @code{version} as
++disabled. This only works if the allowlisting mode is used in the
++configuration file.
++@end deftypefun
++
+ @subheading gnutls_psk_allocate_client_credentials
+ @anchor{gnutls_psk_allocate_client_credentials}
+ @deftypefun {int} {gnutls_psk_allocate_client_credentials} (gnutls_psk_client_credentials_t *            @var{sc})
+@@ -7027,6 +7096,44 @@
+ integers indicating the available ciphers.
+ @end deftypefun
+ 
++@subheading gnutls_sign_mark_insecure
++@anchor{gnutls_sign_mark_insecure}
++@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  or 0
++
++Mark  @code{sign} as insecure system wide. This only works if the
++allowlisting mode is used in the configuration file.
++
++If  @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  bit set,
++and the algorithm was previously considered secure for all purposes,
++it only marks the algorithm as insecure for the use with certificates.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
++@subheading gnutls_sign_mark_secure
++@anchor{gnutls_sign_mark_secure}
++@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  or 0
++
++Invalidate previous system wide setting that marked  @code{sign} as
++insecure. This only works if the algorithm is marked as insecure
++with @code{gnutls_sign_mark_insecure()}  or through the allowlisting mode
++in the configuration file.
++
++If  @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  bit set,
++it marks it the algorithm as secure for all purposes.
++If the absence of this flag, it will mark it as
++"secure, but not for certificates" at most,
++but it won't restrict anything either.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
+ @subheading gnutls_sign_supports_pk_algorithm
+ @anchor{gnutls_sign_supports_pk_algorithm}
+ @deftypefun {unsigned} {gnutls_sign_supports_pk_algorithm} (gnutls_sign_algorithm_t @var{sign}, gnutls_pk_algorithm_t @var{pk})
+diff -ruN gnutls-3.7.2/doc/gnutls.html gnutls-3.7.2-bootstrapped/doc/gnutls.html
+--- gnutls-3.7.2/doc/gnutls.html	2021-05-29 10:23:25.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls.html	2021-06-28 09:56:40.000000000 +0200
+@@ -8018,8 +8018,9 @@
+ </p><span id="write-option_002e"></span><h4 class="subsubheading">write option.</h4>
+ <span id="p11tool-write"></span>
+ <p>This is the &ldquo;writes the loaded objects to a pkcs #11 token&rdquo; option.
+-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
+-    one of &ndash;load-privkey, &ndash;load-pubkey, &ndash;load-certificate option.
++It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of &ndash;load-privkey, &ndash;load-pubkey, &ndash;load-certificate option.
++</p>
++<p>When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
+ </p><span id="id-option_002e"></span><h4 class="subsubheading">id option.</h4>
+ <span id="p11tool-id"></span>
+ <p>This is the &ldquo;sets an id for the write operation&rdquo; option.
+@@ -16992,6 +16993,7 @@
+ <li> <code>insecure-sig-for-cert</code>: to mark the signature algorithm as insecure when used in certificates.
+ </li><li> <code>insecure-sig</code>: to mark the signature algorithm as insecure for any use.
+ </li><li> <code>insecure-hash</code>: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
++</li><li> <code>disabled-curve</code>: to disable the specified elliptic curve.
+ </li><li> <code>disabled-version</code>: to disable the specified TLS versions.
+ </li><li> <code>tls-disabled-cipher</code>: to disable the specified ciphers for use in the TLS or DTLS protocols.
+ </li><li> <code>tls-disabled-mac</code>: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
+@@ -17000,11 +17002,49 @@
+ </li></ul>
+ 
+ <p>Each of the options can be repeated multiple times when multiple values need
+-to be disabled.
++to be disabled or enabled.
+ </p>
+ <p>The valid values for the options above can be found in the &rsquo;Protocols&rsquo;, &rsquo;Digests&rsquo;
+ &rsquo;PK-signatures&rsquo;, &rsquo;Protocols&rsquo;, &rsquo;Ciphrers&rsquo;, and &rsquo;MACs&rsquo; fields of the output of <code>gnutls-cli --list</code>.
+ </p>
++<p>Sometimes the system administrator wants to enable only specific
++algorithms, despite the library defaults. GnuTLS provides an
++alternative mode of overriding: allowlisting.
++</p>
++<p>In the allowlisting mode, all the algorithms are initially marked as
++insecure or disabled, and shall be explicitly turned on by the options
++in the <code>[overrides]</code> section. Those options are mutually
++exclusive to the above ones for the blocklisting mode (the default)
++</p><ul>
++<li> <code>secure-sig-for-cert</code>: to mark the signature algorithm as secure when used in certificates.
++</li><li> <code>secure-sig</code>: to mark the signature algorithm as secure for any use.
++</li><li> <code>secure-hash</code>: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
++</li><li> <code>enabled-curve</code>: to enable the specified elliptic curve.
++</li><li> <code>enabled-version</code>: to enable the specified TLS versions.
++</li><li> <code>tls-enabled-cipher</code>: to enable the specified ciphers for use in the TLS or DTLS protocols.
++</li><li> <code>tls-enabled-mac</code>: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
++</li><li> <code>tls-enabled-group</code>: to enable the specified group for use in the TLS or DTLS protocols.
++</li><li> <code>tls-enabled-kx</code>: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
++</li></ul>
++
++<p>The allowlisting mode can be enabled by adding <code>override-mode =
++allowlist</code> in the <code>[global]</code> section.
++</p>
++<p>When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
++</p>
++<dl compact="compact">
++<dt><code><var>int</var> <a href="#gnutls_005fecc_005fcurve_005fmark_005fenabled">gnutls_ecc_curve_mark_enabled</a> (gnutls_ecc_curve_t <var>curve</var>)</code></dt>
++<dt><code><var>int</var> <a href="#gnutls_005fsign_005fmark_005fsecure">gnutls_sign_mark_secure</a> (gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</code></dt>
++<dt><code><var>int</var> <a href="#gnutls_005fdigest_005fmark_005fsecure">gnutls_digest_mark_secure</a> (gnutls_digest_algorithm_t <var>dig</var>)</code></dt>
++<dt><code><var>int</var> <a href="#gnutls_005fprotocol_005fmark_005fenabled">gnutls_protocol_mark_enabled</a> (gnutls_protocol_t <var>version</var>)</code></dt>
++</dl>
++<dl compact="compact">
++<dt><code><var>int</var> <a href="#gnutls_005fecc_005fcurve_005fmark_005fdisabled">gnutls_ecc_curve_mark_disabled</a> (gnutls_ecc_curve_t <var>curve</var>)</code></dt>
++<dt><code><var>int</var> <a href="#gnutls_005fsign_005fmark_005finsecure">gnutls_sign_mark_insecure</a> (gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</code></dt>
++<dt><code><var>int</var> <a href="#gnutls_005fdigest_005fmark_005finsecure">gnutls_digest_mark_insecure</a> (gnutls_digest_algorithm_t <var>dig</var>)</code></dt>
++<dt><code><var>int</var> <a href="#gnutls_005fprotocol_005fmark_005fdisabled">gnutls_protocol_mark_disabled</a> (gnutls_protocol_t <var>version</var>)</code></dt>
++</dl>
++
+ <span id="Examples"></span><h4 class="subsection">8.2.1 Examples</h4>
+ 
+ <p>The following example marks as insecure all digital signature algorithms
+@@ -17038,6 +17078,20 @@
+ tls-disabled-group = group-ffdhe8192
+ </pre></div>
+ 
++<p>The following example demonstrates the use of the allowlisting
++mode. It disables all the signature algorithms but
++<code>RSA-SHA256</code>. Note that the hash algorithm <code>SHA256</code> also
++needs to be explicitly enabled.
++</p>
++<div class="example">
++<pre class="example">[global]
++override-mode = allowlist
++
++[overrides]
++secure-hash = sha256
++secure-sig = rsa-sha256
++</pre></div>
++
+ <hr>
+ <span id="Querying-for-disabled-algorithms-and-protocols"></span><div class="header">
+ <p>
+@@ -23658,6 +23712,28 @@
+ integers indicating the available digests.
+ </p></dd></dl>
+ 
++<span id="gnutls_005fdigest_005fmark_005finsecure-1"></span><h4 class="subheading">gnutls_digest_mark_insecure</h4>
++<span id="gnutls_005fdigest_005fmark_005finsecure"></span><dl>
++<dt id="index-gnutls_005fdigest_005fmark_005finsecure">Function: <em>int</em> <strong>gnutls_digest_mark_insecure</strong> <em>(gnutls_digest_algorithm_t <var>dig</var>)</em></dt>
++<dd><p><var>dig</var>: is a digest algorithm
++</p>
++<p>Mark  <code>dig</code> as insecure system wide. This only works if the allowlisting mode
++is used in the configuration file.
++</p>
++<p><strong>Since:</strong> 3.7.3
++</p></dd></dl>
++
++<span id="gnutls_005fdigest_005fmark_005fsecure-1"></span><h4 class="subheading">gnutls_digest_mark_secure</h4>
++<span id="gnutls_005fdigest_005fmark_005fsecure"></span><dl>
++<dt id="index-gnutls_005fdigest_005fmark_005fsecure">Function: <em>int</em> <strong>gnutls_digest_mark_secure</strong> <em>(gnutls_digest_algorithm_t <var>dig</var>)</em></dt>
++<dd><p><var>dig</var>: is a digest algorithm
++</p>
++<p>Invalidate previous system wide setting that marked  <code>dig</code> as insecure. This
++only works if the allowlisting mode is used in the configuration file.
++</p>
++<p><strong>Since:</strong> 3.7.3
++</p></dd></dl>
++
+ <span id="gnutls_005fearly_005fcipher_005fget-1"></span><h4 class="subheading">gnutls_early_cipher_get</h4>
+ <span id="gnutls_005fearly_005fcipher_005fget"></span><dl>
+ <dt id="index-gnutls_005fearly_005fcipher_005fget">Function: <em>gnutls_cipher_algorithm_t</em> <strong>gnutls_early_cipher_get</strong> <em>(gnutls_session_t <var>session</var>)</em></dt>
+@@ -23772,6 +23848,34 @@
+ integers indicating the available curves.
+ </p></dd></dl>
+ 
++<span id="gnutls_005fecc_005fcurve_005fmark_005fdisabled-1"></span><h4 class="subheading">gnutls_ecc_curve_mark_disabled</h4>
++<span id="gnutls_005fecc_005fcurve_005fmark_005fdisabled"></span><dl>
++<dt id="index-gnutls_005fecc_005fcurve_005fmark_005fdisabled">Function: <em>int</em> <strong>gnutls_ecc_curve_mark_disabled</strong> <em>(gnutls_ecc_curve_t <var>curve</var>)</em></dt>
++<dd><p><var>curve</var>: is an ECC curve
++</p>
++<p>Mark  <code>curve</code> as disabled system wide. This setting can be reverted with
++<code>gnutls_ecc_curve_mark_enabled()</code> . This only works if the configuration file
++uses the allowlisting mode.
++</p>
++<p><strong>Returns:</strong> 0 on success or negative error code otherwise.
++</p>
++<p><strong>Since:</strong> 3.7.3
++</p></dd></dl>
++
++<span id="gnutls_005fecc_005fcurve_005fmark_005fenabled-1"></span><h4 class="subheading">gnutls_ecc_curve_mark_enabled</h4>
++<span id="gnutls_005fecc_005fcurve_005fmark_005fenabled"></span><dl>
++<dt id="index-gnutls_005fecc_005fcurve_005fmark_005fenabled">Function: <em>int</em> <strong>gnutls_ecc_curve_mark_enabled</strong> <em>(gnutls_ecc_curve_t <var>curve</var>)</em></dt>
++<dd><p><var>curve</var>: is an ECC curve
++</p>
++<p>Invalidate previous system wide setting that marked  <code>curve</code> as disabled. This
++only works if the curve is disabled with <code>gnutls_ecc_curve_mark_disabled()</code>  or
++through the allowlisting mode in the configuration file.
++</p>
++<p><strong>Returns:</strong> 0 on success or negative error code otherwise.
++</p>
++<p><strong>Since:</strong> 3.7.3
++</p></dd></dl>
++
+ <span id="gnutls_005ferror_005fis_005ffatal-1"></span><h4 class="subheading">gnutls_error_is_fatal</h4>
+ <span id="gnutls_005ferror_005fis_005ffatal"></span><dl>
+ <dt id="index-gnutls_005ferror_005fis_005ffatal-1">Function: <em>int</em> <strong>gnutls_error_is_fatal</strong> <em>(int <var>error</var>)</em></dt>
+@@ -25978,6 +26082,25 @@
+ indicating the available protocols.
+ </p></dd></dl>
+ 
++<span id="gnutls_005fprotocol_005fmark_005fdisabled-1"></span><h4 class="subheading">gnutls_protocol_mark_disabled</h4>
++<span id="gnutls_005fprotocol_005fmark_005fdisabled"></span><dl>
++<dt id="index-gnutls_005fprotocol_005fmark_005fdisabled">Function: <em>int</em> <strong>gnutls_protocol_mark_disabled</strong> <em>(gnutls_protocol_t <var>version</var>)</em></dt>
++<dd><p><var>version</var>: is a (gnutls) version number
++</p>
++<p>Mark  <code>version</code> as disabled system wide. This only works if the allowlisting
++mode is used in the configuration file.
++</p></dd></dl>
++
++<span id="gnutls_005fprotocol_005fmark_005fenabled-1"></span><h4 class="subheading">gnutls_protocol_mark_enabled</h4>
++<span id="gnutls_005fprotocol_005fmark_005fenabled"></span><dl>
++<dt id="index-gnutls_005fprotocol_005fmark_005fenabled">Function: <em>int</em> <strong>gnutls_protocol_mark_enabled</strong> <em>(gnutls_protocol_t <var>version</var>)</em></dt>
++<dd><p><var>version</var>: is a (gnutls) version number
++</p>
++<p>Invalidate previous system wide setting that marked  <code>version</code> as
++disabled. This only works if the allowlisting mode is used in the
++configuration file.
++</p></dd></dl>
++
+ <span id="gnutls_005fpsk_005fallocate_005fclient_005fcredentials-1"></span><h4 class="subheading">gnutls_psk_allocate_client_credentials</h4>
+ <span id="gnutls_005fpsk_005fallocate_005fclient_005fcredentials"></span><dl>
+ <dt id="index-gnutls_005fpsk_005fallocate_005fclient_005fcredentials">Function: <em>int</em> <strong>gnutls_psk_allocate_client_credentials</strong> <em>(gnutls_psk_client_credentials_t *            <var>sc</var>)</em></dt>
+@@ -27979,6 +28102,44 @@
+ integers indicating the available ciphers.
+ </p></dd></dl>
+ 
++<span id="gnutls_005fsign_005fmark_005finsecure-1"></span><h4 class="subheading">gnutls_sign_mark_insecure</h4>
++<span id="gnutls_005fsign_005fmark_005finsecure"></span><dl>
++<dt id="index-gnutls_005fsign_005fmark_005finsecure">Function: <em>int</em> <strong>gnutls_sign_mark_insecure</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</em></dt>
++<dd><p><var>sign</var>: the sign algorithm
++</p>
++<p><var>flags</var>: <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code>  or 0
++</p>
++<p>Mark  <code>sign</code> as insecure system wide. This only works if the
++allowlisting mode is used in the configuration file.
++</p>
++<p>If  <code>flags</code> has <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code>  bit set,
++and the algorithm was previously considered secure for all purposes,
++it only marks the algorithm as insecure for the use with certificates.
++</p>
++<p><strong>Since:</strong> 3.7.3
++</p></dd></dl>
++
++<span id="gnutls_005fsign_005fmark_005fsecure-1"></span><h4 class="subheading">gnutls_sign_mark_secure</h4>
++<span id="gnutls_005fsign_005fmark_005fsecure"></span><dl>
++<dt id="index-gnutls_005fsign_005fmark_005fsecure">Function: <em>int</em> <strong>gnutls_sign_mark_secure</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</em></dt>
++<dd><p><var>sign</var>: the sign algorithm
++</p>
++<p><var>flags</var>: <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code>  or 0
++</p>
++<p>Invalidate previous system wide setting that marked  <code>sign</code> as
++insecure. This only works if the algorithm is marked as insecure
++with <code>gnutls_sign_mark_insecure()</code>  or through the allowlisting mode
++in the configuration file.
++</p>
++<p>If  <code>flags</code> has <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code>  bit set,
++it marks it the algorithm as secure for all purposes.
++If the absence of this flag, it will mark it as
++&quot;secure, but not for certificates&quot; at most,
++but it won&rsquo;t restrict anything either.
++</p>
++<p><strong>Since:</strong> 3.7.3
++</p></dd></dl>
++
+ <span id="gnutls_005fsign_005fsupports_005fpk_005falgorithm-1"></span><h4 class="subheading">gnutls_sign_supports_pk_algorithm</h4>
+ <span id="gnutls_005fsign_005fsupports_005fpk_005falgorithm"></span><dl>
+ <dt id="index-gnutls_005fsign_005fsupports_005fpk_005falgorithm">Function: <em>unsigned</em> <strong>gnutls_sign_supports_pk_algorithm</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, gnutls_pk_algorithm_t <var>pk</var>)</em></dt>
+@@ -45743,6 +45904,8 @@
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fget_005fname"><code>gnutls_digest_get_name</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fget_005foid"><code>gnutls_digest_get_oid</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005flist"><code>gnutls_digest_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
++<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fmark_005finsecure"><code>gnutls_digest_mark_insecure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
++<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fmark_005fsecure"><code>gnutls_digest_mark_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fcookie_005fsend"><code>gnutls_dtls_cookie_send</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fcookie_005fverify"><code>gnutls_dtls_cookie_verify</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fget_005fdata_005fmtu"><code>gnutls_dtls_get_data_mtu</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
+@@ -45762,6 +45925,8 @@
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fget_005fpk"><code>gnutls_ecc_curve_get_pk</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fget_005fsize"><code>gnutls_ecc_curve_get_size</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005flist"><code>gnutls_ecc_curve_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
++<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fmark_005fdisabled"><code>gnutls_ecc_curve_mark_disabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
++<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fmark_005fenabled"><code>gnutls_ecc_curve_mark_enabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005fber_005fdigest_005finfo"><code>gnutls_encode_ber_digest_info</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005fgost_005frs_005fvalue"><code>gnutls_encode_gost_rs_value</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005frs_005fvalue"><code>gnutls_encode_rs_value</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
+@@ -46151,6 +46316,8 @@
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fget_005fname"><code>gnutls_protocol_get_name</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fget_005fversion"><code>gnutls_protocol_get_version</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005flist"><code>gnutls_protocol_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
++<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fmark_005fdisabled"><code>gnutls_protocol_mark_disabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
++<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fmark_005fenabled"><code>gnutls_protocol_mark_enabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fallocate_005fclient_005fcredentials"><code>gnutls_psk_allocate_client_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fallocate_005fserver_005fcredentials"><code>gnutls_psk_allocate_server_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fclient_005fget_005fhint"><code>gnutls_psk_client_get_hint</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+@@ -46325,6 +46492,8 @@
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fis_005fsecure"><code>gnutls_sign_is_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fis_005fsecure2"><code>gnutls_sign_is_secure2</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005flist"><code>gnutls_sign_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
++<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fmark_005finsecure"><code>gnutls_sign_mark_insecure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
++<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fmark_005fsecure"><code>gnutls_sign_mark_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fsupports_005fpk_005falgorithm"><code>gnutls_sign_supports_pk_algorithm</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fsrp_005fallocate_005fclient_005fcredentials"><code>gnutls_srp_allocate_client_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+ <tr><td></td><td valign="top"><a href="#index-gnutls_005fsrp_005fallocate_005fserver_005fcredentials"><code>gnutls_srp_allocate_server_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+diff -ruN gnutls-3.7.2/doc/gnutls.info gnutls-3.7.2-bootstrapped/doc/gnutls.info
+--- gnutls-3.7.2/doc/gnutls.info	2021-05-29 10:23:25.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls.info	2021-06-28 09:56:40.000000000 +0200
+@@ -29,12 +29,12 @@
+ 
+ Indirect:
+ gnutls.info-1: 1291
+-gnutls.info-2: 322163
+-gnutls.info-3: 605942
+-gnutls.info-4: 1147244
+-gnutls.info-5: 1463965
+-gnutls.info-6: 1515571
+-gnutls.info-7: 1896190
++gnutls.info-2: 322461
++gnutls.info-3: 606240
++gnutls.info-4: 1153831
++gnutls.info-5: 1470552
++gnutls.info-6: 1522158
++gnutls.info-7: 1903361
+ 
+ Tag Table:
+ (Indirect)
+@@ -324,1507 +324,1515 @@
+ Ref: p11tool set-id312425
+ Ref: p11tool set-label312850
+ Ref: p11tool write313198
+-Ref: p11tool id313462
+-Ref: p11tool mark-wrap313719
+-Ref: p11tool mark-trusted313966
+-Ref: p11tool mark-distrusted314330
+-Ref: p11tool mark-decrypt314784
+-Ref: p11tool mark-sign315061
+-Ref: p11tool mark-ca315338
+-Ref: p11tool mark-private315611
+-Ref: p11tool ca315909
+-Ref: p11tool private316043
+-Ref: p11tool secret-key316198
+-Ref: p11tool other-options316361
+-Ref: p11tool debug316463
+-Ref: p11tool so-login316604
+-Ref: p11tool admin-login316848
+-Ref: p11tool test-sign316989
+-Ref: p11tool sign-params317283
+-Ref: p11tool hash317623
+-Ref: p11tool generate-random317919
+-Ref: p11tool inder318093
+-Ref: p11tool inraw318318
+-Ref: p11tool outder318444
+-Ref: p11tool outraw318696
+-Ref: p11tool provider318829
+-Ref: p11tool provider-opts319038
+-Ref: p11tool batch319311
+-Ref: p11tool exit status319464
+-Ref: p11tool See Also319694
+-Ref: p11tool Examples319742
+-Node: Trusted Platform Module322163
+-Ref: Trusted Platform Module-Footnote-1323956
+-Ref: Trusted Platform Module-Footnote-2324004
+-Node: Keys in TPM324061
+-Node: Key generation325545
+-Node: Using keys327813
+-Node: tpmtool Invocation331458
+-Ref: tpmtool usage331884
+-Ref: tpmtool debug335196
+-Ref: tpmtool generate-rsa335337
+-Ref: tpmtool user335608
+-Ref: tpmtool system335967
+-Ref: tpmtool test-sign336321
+-Ref: tpmtool sec-param336604
+-Ref: tpmtool inder336930
+-Ref: tpmtool outder337231
+-Ref: tpmtool srk-well-known337450
+-Ref: tpmtool exit status337606
+-Ref: tpmtool See Also337836
+-Ref: tpmtool Examples337897
+-Node: How to use GnuTLS in applications338514
+-Node: Introduction to the library339083
+-Node: General idea339682
+-Ref: fig-gnutls-design340531
+-Ref: General idea-Footnote-1341836
+-Node: Error handling341881
+-Node: Common types344108
+-Node: Debugging and auditing345442
+-Ref: tab:environment346313
+-Node: Thread safety349180
+-Ref: Thread safety-Footnote-1351326
+-Node: Running in a sandbox351538
+-Node: Sessions and fork352932
+-Node: Callback functions353484
+-Node: Preparation354452
+-Node: Headers354871
+-Node: Initialization355160
+-Ref: Initialization-Footnote-1356154
+-Node: Version check356447
+-Node: Building the source357322
+-Node: Session initialization359433
+-Ref: gnutls_init_flags_t360910
+-Node: Associating the credentials367923
+-Ref: tab:key-exchange-cred368699
+-Node: Certificate credentials369830
+-Node: Raw public-key credentials385415
+-Node: SRP credentials386715
+-Node: PSK credentials391613
+-Node: Anonymous credentials395548
+-Node: Setting up the transport layer396394
+-Node: Asynchronous operation405947
+-Node: Reducing round-trips410248
+-Node: Zero-roundtrip mode413688
+-Node: Anti-replay protection415893
+-Node: DTLS sessions419538
+-Ref: DTLS sessions-Footnote-1421842
+-Node: DTLS and SCTP421919
+-Node: TLS handshake422939
+-Node: Data transfer and termination426857
+-Node: Buffered data transfer435999
+-Node: Handling alerts437800
+-Node: Priority Strings441182
+-Ref: tab:prio-keywords443782
+-Ref: tab:prio-algorithms450860
+-Ref: tab:prio-special1456290
+-Ref: tab:prio-special2460137
+-Ref: Priority Strings-Footnote-1466758
+-Node: Selecting cryptographic key sizes466980
+-Ref: tab:key-sizes467629
+-Node: Advanced topics472378
+-Node: Virtual hosts and credentials472876
+-Node: Session resumption476201
+-Node: Certificate verification484108
+-Ref: dane_verify_status_t493829
+-Node: TLS 1.2 re-authentication494234
+-Node: TLS 1.3 re-authentication and re-key499091
+-Node: Parameter generation500750
+-Node: Deriving keys for other applications/protocols503397
+-Node: Channel Bindings506627
+-Node: Interoperability508166
+-Node: Compatibility with the OpenSSL library509484
+-Node: GnuTLS application examples510211
+-Ref: examples510430
+-Node: Client examples510723
+-Node: Client example with X.509 certificate support511250
+-Ref: ex-verify511488
+-Node: Datagram TLS client example516532
+-Node: Client using a smart card with TLS520937
+-Ref: ex-pkcs11-client521174
+-Node: Client with Resume capability example526469
+-Ref: ex-resume-client526753
+-Node: Client example with SSH-style certificate verification531940
+-Node: Server examples536147
+-Node: Echo server with X.509 authentication536501
+-Node: DTLS echo server with X.509 authentication544225
+-Node: More advanced client and servers558636
+-Node: Client example with anonymous authentication559493
+-Node: Using a callback to select the certificate to use563417
+-Node: Obtaining session information569800
+-Node: Advanced certificate verification example574013
+-Ref: ex-verify2574289
+-Node: Client example with PSK authentication579719
+-Node: Client example with SRP authentication584085
+-Node: Legacy client example with X.509 certificate support588369
+-Ref: ex-verify-legacy588686
+-Node: Client example in C++594639
+-Node: Echo server with PSK authentication597211
+-Node: Echo server with SRP authentication605942
+-Node: Echo server with anonymous authentication612860
+-Node: Helper functions for TCP connections618188
+-Node: Helper functions for UDP connections619780
+-Node: OCSP example621685
+-Ref: Generate OCSP request621868
+-Node: Miscellaneous examples631475
+-Node: Checking for an alert631801
+-Node: X.509 certificate parsing example633250
+-Ref: ex-x509-info633507
+-Node: Listing the ciphersuites in a priority string637536
+-Node: PKCS12 structure generation example639853
+-Node: System-wide configuration of the library644058
+-Node: Application-specific priority strings645885
+-Node: Disabling algorithms and protocols647333
+-Node: Querying for disabled algorithms and protocols650217
+-Node: Overriding the parameter verification profile651339
+-Node: Overriding the default priority string652341
+-Node: Using GnuTLS as a cryptographic library652958
+-Ref: Using GnuTLS as a cryptographic library-Footnote-1653814
+-Node: Symmetric algorithms653871
+-Ref: gnutls_cipher_algorithm_t654631
+-Ref: Symmetric algorithms-Footnote-1663061
+-Node: Public key algorithms663146
+-Node: Cryptographic Message Syntax / PKCS7667868
+-Ref: gnutls_pkcs7_sign_flags671307
+-Node: Hash and MAC functions672775
+-Ref: gnutls_mac_algorithm_t673387
+-Ref: gnutls_digest_algorithm_t676759
+-Node: Random number generation677810
+-Ref: gnutls_rnd_level_t678172
+-Node: Overriding algorithms679279
+-Node: Other included programs685597
+-Node: gnutls-cli Invocation686168
+-Ref: gnutls-cli usage686730
+-Ref: gnutls-cli debug694480
+-Ref: gnutls-cli tofu694621
+-Ref: gnutls-cli strict-tofu695084
+-Ref: gnutls-cli dane695486
+-Ref: gnutls-cli local-dns695829
+-Ref: gnutls-cli ca-verification696144
+-Ref: gnutls-cli ocsp696499
+-Ref: gnutls-cli resume696741
+-Ref: gnutls-cli rehandshake696887
+-Ref: gnutls-cli sni-hostname697054
+-Ref: gnutls-cli verify-hostname697580
+-Ref: gnutls-cli starttls697813
+-Ref: gnutls-cli app-proto697997
+-Ref: gnutls-cli starttls-proto698159
+-Ref: gnutls-cli save-ocsp-multi698670
+-Ref: gnutls-cli dh-bits699127
+-Ref: gnutls-cli priority699478
+-Ref: gnutls-cli rawpkkeyfile699856
+-Ref: gnutls-cli rawpkfile700313
+-Ref: gnutls-cli ranges700854
+-Ref: gnutls-cli benchmark-ciphers701104
+-Ref: gnutls-cli benchmark-tls-ciphers701422
+-Ref: gnutls-cli list701741
+-Ref: gnutls-cli priority-list702108
+-Ref: gnutls-cli noticket702354
+-Ref: gnutls-cli alpn702515
+-Ref: gnutls-cli disable-extensions702824
+-Ref: gnutls-cli single-key-share703056
+-Ref: gnutls-cli post-handshake-auth703272
+-Ref: gnutls-cli inline-commands703469
+-Ref: gnutls-cli inline-commands-prefix703789
+-Ref: gnutls-cli provider704192
+-Ref: gnutls-cli logfile704389
+-Ref: gnutls-cli waitresumption704746
+-Ref: gnutls-cli ca-auto-retrieve705003
+-Ref: gnutls-cli exit status705407
+-Ref: gnutls-cli See Also705643
+-Ref: gnutls-cli Examples705720
+-Node: gnutls-serv Invocation709927
+-Ref: gnutls-serv usage710404
+-Ref: gnutls-serv debug715924
+-Ref: gnutls-serv sni-hostname716065
+-Ref: gnutls-serv alpn716397
+-Ref: gnutls-serv require-client-cert716684
+-Ref: gnutls-serv verify-client-cert716928
+-Ref: gnutls-serv heartbeat717157
+-Ref: gnutls-serv priority717308
+-Ref: gnutls-serv x509keyfile717677
+-Ref: gnutls-serv x509certfile718194
+-Ref: gnutls-serv x509dsakeyfile718711
+-Ref: gnutls-serv x509dsacertfile718875
+-Ref: gnutls-serv x509ecckeyfile719042
+-Ref: gnutls-serv x509ecccertfile719204
+-Ref: gnutls-serv rawpkkeyfile719371
+-Ref: gnutls-serv rawpkfile720190
+-Ref: gnutls-serv ocsp-response721045
+-Ref: gnutls-serv ignore-ocsp-response-errors721362
+-Ref: gnutls-serv list721609
+-Ref: gnutls-serv provider721847
+-Ref: gnutls-serv exit status722044
+-Ref: gnutls-serv See Also722282
+-Ref: gnutls-serv Examples722360
+-Node: gnutls-cli-debug Invocation727668
+-Ref: gnutls-cli-debug usage728490
+-Ref: gnutls-cli-debug debug730745
+-Ref: gnutls-cli-debug app-proto730886
+-Ref: gnutls-cli-debug starttls-proto731054
+-Ref: gnutls-cli-debug exit status731433
+-Ref: gnutls-cli-debug See Also731681
+-Ref: gnutls-cli-debug Examples731764
+-Node: Internal architecture of GnuTLS735261
+-Node: The TLS Protocol735867
+-Ref: fig-client-server736343
+-Node: TLS Handshake Protocol736433
+-Ref: fig-gnutls-handshake736875
+-Ref: fig-gnutls-handshake-sequence737384
+-Node: TLS Authentication Methods737482
+-Ref: TLS Authentication Methods-Footnote-1739786
+-Node: TLS Hello Extension Handling739852
+-Node: Cryptographic Backend752954
+-Ref: fig-crypto-layers753637
+-Ref: Cryptographic Backend-Footnote-1756919
+-Ref: Cryptographic Backend-Footnote-2757004
+-Node: Random Number Generators-internals757112
+-Node: FIPS140-2 mode764476
+-Ref: gnutls_fips_mode_t767112
+-Node: Upgrading from previous versions769259
+-Node: Support783253
+-Node: Getting help783501
+-Node: Commercial Support784089
+-Node: Bug Reports784360
+-Node: Contributing785724
+-Node: Certification787750
+-Node: Error codes788214
+-Node: Supported ciphersuites812847
+-Ref: ciphersuites813020
+-Node: API reference828064
+-Node: Core TLS API828474
+-Ref: gnutls_alert_get828701
+-Ref: gnutls_alert_get_name829320
+-Ref: gnutls_alert_get_strname829705
+-Ref: gnutls_alert_send830040
+-Ref: gnutls_alert_send_appropriate830918
+-Ref: gnutls_alert_set_read_function831885
+-Ref: gnutls_alpn_get_selected_protocol832269
+-Ref: gnutls_alpn_set_protocols832933
+-Ref: gnutls_anon_allocate_client_credentials833770
+-Ref: gnutls_anon_allocate_server_credentials834155
+-Ref: gnutls_anon_free_client_credentials834532
+-Ref: gnutls_anon_free_server_credentials834821
+-Ref: gnutls_anon_set_params_function835102
+-Ref: gnutls_anon_set_server_dh_params835778
+-Ref: gnutls_anon_set_server_known_dh_params836438
+-Ref: gnutls_anon_set_server_params_function837347
+-Ref: gnutls_anti_replay_deinit838010
+-Ref: gnutls_anti_replay_enable838324
+-Ref: gnutls_anti_replay_init838672
+-Ref: gnutls_anti_replay_set_add_function839200
+-Ref: gnutls_anti_replay_set_ptr840218
+-Ref: gnutls_anti_replay_set_window840553
+-Ref: gnutls_auth_client_get_type841321
+-Ref: gnutls_auth_get_type841948
+-Ref: gnutls_auth_server_get_type842760
+-Ref: gnutls_base64_decode2843389
+-Ref: gnutls_base64_encode2843945
+-Ref: gnutls_buffer_append_data844565
+-Ref: gnutls_bye844963
+-Ref: gnutls_certificate_activation_time_peers846564
+-Ref: gnutls_certificate_allocate_credentials846982
+-Ref: gnutls_certificate_client_get_request_status847379
+-Ref: gnutls_certificate_expiration_time_peers847787
+-Ref: gnutls_certificate_free_ca_names848191
+-Ref: gnutls_certificate_free_cas848860
+-Ref: gnutls_certificate_free_credentials849263
+-Ref: gnutls_certificate_free_crls849697
+-Ref: gnutls_certificate_free_keys849997
+-Ref: gnutls_certificate_get_crt_raw850431
+-Ref: gnutls_certificate_get_issuer851502
+-Ref: gnutls_certificate_get_ocsp_expiration852585
+-Ref: gnutls_certificate_get_ours853756
+-Ref: gnutls_certificate_get_peers854586
+-Ref: gnutls_certificate_get_peers_subkey_id855709
+-Ref: gnutls_certificate_get_verify_flags856065
+-Ref: gnutls_certificate_get_x509_crt856478
+-Ref: gnutls_certificate_get_x509_key858122
+-Ref: gnutls_certificate_send_x509_rdn_sequence859437
+-Ref: gnutls_certificate_server_set_request860144
+-Ref: gnutls_certificate_set_dh_params860934
+-Ref: gnutls_certificate_set_flags861753
+-Ref: gnutls_certificate_set_known_dh_params862278
+-Ref: gnutls_certificate_set_ocsp_status_request_file863206
+-Ref: gnutls_certificate_set_ocsp_status_request_file2865112
+-Ref: gnutls_certificate_set_ocsp_status_request_function866630
+-Ref: gnutls_certificate_set_ocsp_status_request_function2868118
+-Ref: gnutls_certificate_set_ocsp_status_request_mem870084
+-Ref: gnutls_certificate_set_params_function871859
+-Ref: gnutls_certificate_set_pin_function872556
+-Ref: gnutls_certificate_set_rawpk_key_file873209
+-Ref: gnutls_certificate_set_rawpk_key_mem876513
+-Ref: gnutls_certificate_set_retrieve_function879660
+-Ref: gnutls_certificate_set_verify_flags881790
+-Ref: gnutls_certificate_set_verify_function882283
+-Ref: gnutls_certificate_set_verify_limits883347
+-Ref: gnutls_certificate_set_x509_crl884028
+-Ref: gnutls_certificate_set_x509_crl_file884856
+-Ref: gnutls_certificate_set_x509_crl_mem885637
+-Ref: gnutls_certificate_set_x509_key886414
+-Ref: gnutls_certificate_set_x509_key_file888082
+-Ref: gnutls_certificate_set_x509_key_file2890318
+-Ref: gnutls_certificate_set_x509_key_mem892852
+-Ref: gnutls_certificate_set_x509_key_mem2894500
+-Ref: gnutls_certificate_set_x509_simple_pkcs12_file896313
+-Ref: gnutls_certificate_set_x509_simple_pkcs12_mem898443
+-Ref: gnutls_certificate_set_x509_system_trust900543
+-Ref: gnutls_certificate_set_x509_trust901113
+-Ref: gnutls_certificate_set_x509_trust_dir902093
+-Ref: gnutls_certificate_set_x509_trust_file902831
+-Ref: gnutls_certificate_set_x509_trust_mem904007
+-Ref: gnutls_certificate_type_get904950
+-Ref: gnutls_certificate_type_get2905797
+-Ref: gnutls_certificate_type_get_id907182
+-Ref: gnutls_certificate_type_get_name907579
+-Ref: gnutls_certificate_type_list907962
+-Ref: gnutls_certificate_verification_status_print908316
+-Ref: gnutls_certificate_verify_peers909074
+-Ref: gnutls_certificate_verify_peers2911870
+-Ref: gnutls_certificate_verify_peers3913785
+-Ref: gnutls_check_version916095
+-Ref: gnutls_cipher_get916837
+-Ref: gnutls_cipher_get_id917142
+-Ref: gnutls_cipher_get_key_size917524
+-Ref: gnutls_cipher_get_name917888
+-Ref: gnutls_cipher_list918235
+-Ref: gnutls_cipher_suite_get_name918795
+-Ref: gnutls_cipher_suite_info919663
+-Ref: gnutls_credentials_clear920846
+-Ref: gnutls_credentials_get921074
+-Ref: gnutls_credentials_set922029
+-Ref: gnutls_db_check_entry923393
+-Ref: gnutls_db_check_entry_expire_time923850
+-Ref: gnutls_db_check_entry_time924256
+-Ref: gnutls_db_get_default_cache_expiration924647
+-Ref: gnutls_db_get_ptr924842
+-Ref: gnutls_db_remove_session925154
+-Ref: gnutls_db_set_cache_expiration925691
+-Ref: gnutls_db_set_ptr926112
+-Ref: gnutls_db_set_remove_function926447
+-Ref: gnutls_db_set_retrieve_function926950
+-Ref: gnutls_db_set_store_function927636
+-Ref: gnutls_deinit928103
+-Ref: gnutls_dh_get_group928442
+-Ref: gnutls_dh_get_peers_public_bits929294
+-Ref: gnutls_dh_get_prime_bits929738
+-Ref: gnutls_dh_get_pubkey930378
+-Ref: gnutls_dh_get_secret_bits931076
+-Ref: gnutls_dh_params_cpy931508
+-Ref: gnutls_dh_params_deinit932016
+-Ref: gnutls_dh_params_export2_pkcs3932257
+-Ref: gnutls_dh_params_export_pkcs3933078
+-Ref: gnutls_dh_params_export_raw934097
+-Ref: gnutls_dh_params_generate2934850
+-Ref: gnutls_dh_params_import_dsa936104
+-Ref: gnutls_dh_params_import_pkcs3936581
+-Ref: gnutls_dh_params_import_raw937320
+-Ref: gnutls_dh_params_import_raw2937950
+-Ref: gnutls_dh_params_import_raw3938664
+-Ref: gnutls_dh_params_init939364
+-Ref: gnutls_dh_set_prime_bits939695
+-Ref: gnutls_digest_get_id940798
+-Ref: gnutls_digest_get_name941224
+-Ref: gnutls_digest_get_oid941570
+-Ref: gnutls_digest_list941961
+-Ref: gnutls_early_cipher_get942332
+-Ref: gnutls_early_prf_hash_get942705
+-Ref: gnutls_ecc_curve_get943123
+-Ref: gnutls_ecc_curve_get_id943524
+-Ref: gnutls_ecc_curve_get_name943905
+-Ref: gnutls_ecc_curve_get_oid944239
+-Ref: gnutls_ecc_curve_get_pk944584
+-Ref: gnutls_ecc_curve_get_size944888
+-Ref: gnutls_ecc_curve_list945117
+-Ref: gnutls_error_is_fatal945440
+-Ref: gnutls_error_to_alert946242
+-Ref: gnutls_est_record_overhead_size946974
+-Ref: gnutls_ext_get_current_msg947882
+-Ref: gnutls_ext_get_data948573
+-Ref: gnutls_ext_get_name949088
+-Ref: gnutls_ext_get_name2949406
+-Ref: gnutls_ext_raw_parse949916
+-Ref: gnutls_ext_register951066
+-Ref: gnutls_ext_set_data952701
+-Ref: gnutls_fingerprint953212
+-Ref: gnutls_fips140_mode_enabled954218
+-Ref: gnutls_fips140_set_mode954772
+-Ref: gnutls_get_system_config_file955825
+-Ref: gnutls_global_deinit956201
+-Ref: gnutls_global_init956651
+-Ref: gnutls_global_set_audit_log_function957926
+-Ref: gnutls_global_set_log_function958633
+-Ref: gnutls_global_set_log_level959141
+-Ref: gnutls_global_set_mutex959629
+-Ref: gnutls_global_set_time_function960731
+-Ref: gnutls_gost_paramset_get_name961168
+-Ref: gnutls_gost_paramset_get_oid961544
+-Ref: gnutls_group_get961921
+-Ref: gnutls_group_get_id962291
+-Ref: gnutls_group_get_name962638
+-Ref: gnutls_group_list962958
+-Ref: gnutls_handshake963280
+-Ref: gnutls_handshake_description_get_name965385
+-Ref: gnutls_handshake_get_last_in965773
+-Ref: gnutls_handshake_get_last_out966398
+-Ref: gnutls_handshake_set_hook_function967030
+-Ref: gnutls_handshake_set_max_packet_length968422
+-Ref: gnutls_handshake_set_post_client_hello_function969207
+-Ref: gnutls_handshake_set_private_extensions970533
+-Ref: gnutls_handshake_set_random971212
+-Ref: gnutls_handshake_set_read_function971932
+-Ref: gnutls_handshake_set_secret_function972333
+-Ref: gnutls_handshake_set_timeout972712
+-Ref: gnutls_handshake_write973402
+-Ref: gnutls_heartbeat_allowed974103
+-Ref: gnutls_heartbeat_enable974577
+-Ref: gnutls_heartbeat_get_timeout975415
+-Ref: gnutls_heartbeat_ping975954
+-Ref: gnutls_heartbeat_pong977086
+-Ref: gnutls_heartbeat_set_timeouts977493
+-Ref: gnutls_hex2bin978264
+-Ref: gnutls_hex_decode978983
+-Ref: gnutls_hex_decode2979709
+-Ref: gnutls_hex_encode980138
+-Ref: gnutls_hex_encode2980735
+-Ref: gnutls_idna_map981250
+-Ref: gnutls_idna_reverse_map982380
+-Ref: gnutls_init983145
+-Ref: gnutls_key_generate983973
+-Ref: gnutls_kx_get984390
+-Ref: gnutls_kx_get_id984976
+-Ref: gnutls_kx_get_name985320
+-Ref: gnutls_kx_list985665
+-Ref: gnutls_load_file985993
+-Ref: gnutls_mac_get986765
+-Ref: gnutls_mac_get_id987070
+-Ref: gnutls_mac_get_key_size987483
+-Ref: gnutls_mac_get_name987820
+-Ref: gnutls_mac_list988139
+-Ref: gnutls_memcmp988527
+-Ref: gnutls_memset989087
+-Ref: gnutls_ocsp_status_request_enable_client989481
+-Ref: gnutls_ocsp_status_request_get990492
+-Ref: gnutls_ocsp_status_request_get2991154
+-Ref: gnutls_ocsp_status_request_is_checked992149
+-Ref: gnutls_oid_to_digest993537
+-Ref: gnutls_oid_to_ecc_curve993946
+-Ref: gnutls_oid_to_gost_paramset994272
+-Ref: gnutls_oid_to_mac994683
+-Ref: gnutls_oid_to_pk995096
+-Ref: gnutls_oid_to_sign995468
+-Ref: gnutls_openpgp_send_cert995872
+-Ref: gnutls_packet_deinit996174
+-Ref: gnutls_packet_get996448
+-Ref: gnutls_pem_base64_decode996953
+-Ref: gnutls_pem_base64_decode2997808
+-Ref: gnutls_pem_base64_encode998803
+-Ref: gnutls_pem_base64_encode2999632
+-Ref: gnutls_perror1000568
+-Ref: gnutls_pk_algorithm_get_name1000864
+-Ref: gnutls_pk_bits_to_sec_param1001220
+-Ref: gnutls_pk_get_id1001694
+-Ref: gnutls_pk_get_name1002212
+-Ref: gnutls_pk_get_oid1002580
+-Ref: gnutls_pk_list1002979
+-Ref: gnutls_pk_to_sign1003312
+-Ref: gnutls_prf1003723
+-Ref: gnutls_prf_early1005718
+-Ref: gnutls_prf_hash_get1007373
+-Ref: gnutls_prf_raw1007905
+-Ref: gnutls_prf_rfc57051009789
+-Ref: gnutls_priority_certificate_type_list1011466
+-Ref: gnutls_priority_certificate_type_list21012162
+-Ref: gnutls_priority_cipher_list1012778
+-Ref: gnutls_priority_deinit1013165
+-Ref: gnutls_priority_ecc_curve_list1013408
+-Ref: gnutls_priority_get_cipher_suite_index1013940
+-Ref: gnutls_priority_group_list1014856
+-Ref: gnutls_priority_init1015237
+-Ref: gnutls_priority_init21016317
+-Ref: gnutls_priority_kx_list1020691
+-Ref: gnutls_priority_mac_list1021096
+-Ref: gnutls_priority_protocol_list1021501
+-Ref: gnutls_priority_set1021903
+-Ref: gnutls_priority_set_direct1022558
+-Ref: gnutls_priority_sign_list1023491
+-Ref: gnutls_priority_string_list1023907
+-Ref: gnutls_protocol_get_id1024539
+-Ref: gnutls_protocol_get_name1024855
+-Ref: gnutls_protocol_get_version1025214
+-Ref: gnutls_protocol_list1025512
+-Ref: gnutls_psk_allocate_client_credentials1025882
+-Ref: gnutls_psk_allocate_server_credentials1026302
+-Ref: gnutls_psk_client_get_hint1026698
+-Ref: gnutls_psk_free_client_credentials1027325
+-Ref: gnutls_psk_free_server_credentials1027608
+-Ref: gnutls_psk_server_get_username1027883
+-Ref: gnutls_psk_server_get_username21028590
+-Ref: gnutls_psk_set_client_credentials1029284
+-Ref: gnutls_psk_set_client_credentials21030307
+-Ref: gnutls_psk_set_client_credentials_function1031087
+-Ref: gnutls_psk_set_client_credentials_function21032090
+-Ref: gnutls_psk_set_params_function1033247
+-Ref: gnutls_psk_set_server_credentials_file1033927
+-Ref: gnutls_psk_set_server_credentials_function1034788
+-Ref: gnutls_psk_set_server_credentials_function21035742
+-Ref: gnutls_psk_set_server_credentials_hint1036865
+-Ref: gnutls_psk_set_server_dh_params1037489
+-Ref: gnutls_psk_set_server_known_dh_params1038174
+-Ref: gnutls_psk_set_server_params_function1039071
+-Ref: gnutls_random_art1039712
+-Ref: gnutls_range_split1040574
+-Ref: gnutls_reauth1041656
+-Ref: gnutls_record_can_use_length_hiding1043758
+-Ref: gnutls_record_check_corked1044509
+-Ref: gnutls_record_check_pending1044892
+-Ref: gnutls_record_cork1045303
+-Ref: gnutls_record_disable_padding1045717
+-Ref: gnutls_record_discard_queued1046325
+-Ref: gnutls_record_get_direction1046942
+-Ref: gnutls_record_get_max_early_data_size1047923
+-Ref: gnutls_record_get_max_size1048475
+-Ref: gnutls_record_get_state1048842
+-Ref: gnutls_record_overhead_size1049864
+-Ref: gnutls_record_recv1050251
+-Ref: gnutls_record_recv_early_data1051701
+-Ref: gnutls_record_recv_packet1052763
+-Ref: gnutls_record_recv_seq1053642
+-Ref: gnutls_record_send1054628
+-Ref: gnutls_record_send21056686
+-Ref: gnutls_record_send_early_data1057838
+-Ref: gnutls_record_send_range1058894
+-Ref: gnutls_record_set_max_early_data_size1060073
+-Ref: gnutls_record_set_max_recv_size1060719
+-Ref: gnutls_record_set_max_size1061423
+-Ref: gnutls_record_set_state1062602
+-Ref: gnutls_record_set_timeout1063260
+-Ref: gnutls_record_uncork1063861
+-Ref: gnutls_rehandshake1064801
+-Ref: gnutls_safe_renegotiation_status1066583
+-Ref: gnutls_sec_param_get_name1066998
+-Ref: gnutls_sec_param_to_pk_bits1067372
+-Ref: gnutls_sec_param_to_symmetric_bits1068042
+-Ref: gnutls_server_name_get1068426
+-Ref: gnutls_server_name_set1069898
+-Ref: gnutls_session_channel_binding1071056
+-Ref: gnutls_session_enable_compatibility_mode1071774
+-Ref: gnutls_session_etm_status1072481
+-Ref: gnutls_session_ext_master_secret_status1072884
+-Ref: gnutls_session_ext_register1073375
+-Ref: gnutls_session_force_valid1075637
+-Ref: gnutls_session_get_data1076058
+-Ref: gnutls_session_get_data21076718
+-Ref: gnutls_session_get_desc1078991
+-Ref: gnutls_session_get_flags1079513
+-Ref: gnutls_session_get_id1080051
+-Ref: gnutls_session_get_id21081574
+-Ref: gnutls_session_get_keylog_function1083044
+-Ref: gnutls_session_get_master_secret1083451
+-Ref: gnutls_session_get_ptr1083935
+-Ref: gnutls_session_get_random1084330
+-Ref: gnutls_session_get_verify_cert_status1084951
+-Ref: gnutls_session_is_resumed1085624
+-Ref: gnutls_session_key_update1085994
+-Ref: gnutls_session_resumption_requested1086942
+-Ref: gnutls_session_set_data1087324
+-Ref: gnutls_session_set_id1088165
+-Ref: gnutls_session_set_keylog_function1088840
+-Ref: gnutls_session_set_premaster1089239
+-Ref: gnutls_session_set_ptr1090334
+-Ref: gnutls_session_set_verify_cert1090734
+-Ref: gnutls_session_set_verify_cert21092078
+-Ref: gnutls_session_set_verify_function1093262
+-Ref: gnutls_session_supplemental_register1094374
+-Ref: gnutls_session_ticket_enable_client1095632
+-Ref: gnutls_session_ticket_enable_server1096125
+-Ref: gnutls_session_ticket_key_generate1096919
+-Ref: gnutls_session_ticket_send1097347
+-Ref: gnutls_set_default_priority1097931
+-Ref: gnutls_set_default_priority_append1099016
+-Ref: gnutls_sign_algorithm_get1100358
+-Ref: gnutls_sign_algorithm_get_client1100801
+-Ref: gnutls_sign_algorithm_get_requested1101268
+-Ref: gnutls_sign_get_hash_algorithm1102295
+-Ref: gnutls_sign_get_id1102707
+-Ref: gnutls_sign_get_name1103070
+-Ref: gnutls_sign_get_oid1103402
+-Ref: gnutls_sign_get_pk_algorithm1103788
+-Ref: gnutls_sign_is_secure1104395
+-Ref: gnutls_sign_is_secure21104665
+-Ref: gnutls_sign_list1105001
+-Ref: gnutls_sign_supports_pk_algorithm1105361
+-Ref: gnutls_srp_allocate_client_credentials1105945
+-Ref: gnutls_srp_allocate_server_credentials1106346
+-Ref: gnutls_srp_base64_decode1106719
+-Ref: gnutls_srp_base64_decode21107424
+-Ref: gnutls_srp_base64_encode1108092
+-Ref: gnutls_srp_base64_encode21108893
+-Ref: gnutls_srp_free_client_credentials1109624
+-Ref: gnutls_srp_free_server_credentials1109907
+-Ref: gnutls_srp_server_get_username1110182
+-Ref: gnutls_srp_set_client_credentials1110636
+-Ref: gnutls_srp_set_client_credentials_function1111526
+-Ref: gnutls_srp_set_prime_bits1112773
+-Ref: gnutls_srp_set_server_credentials_file1113458
+-Ref: gnutls_srp_set_server_credentials_function1114184
+-Ref: gnutls_srp_set_server_fake_salt_seed1115899
+-Ref: gnutls_srp_verifier1117402
+-Ref: gnutls_srtp_get_keys1118330
+-Ref: gnutls_srtp_get_mki1119724
+-Ref: gnutls_srtp_get_profile_id1120293
+-Ref: gnutls_srtp_get_profile_name1120751
+-Ref: gnutls_srtp_get_selected_profile1121172
+-Ref: gnutls_srtp_set_mki1121616
+-Ref: gnutls_srtp_set_profile1122065
+-Ref: gnutls_srtp_set_profile_direct1122597
+-Ref: gnutls_store_commitment1123320
+-Ref: gnutls_store_pubkey1124619
+-Ref: gnutls_strerror1126406
+-Ref: gnutls_strerror_name1126891
+-Ref: gnutls_supplemental_get_name1127360
+-Ref: gnutls_supplemental_recv1127782
+-Ref: gnutls_supplemental_register1128252
+-Ref: gnutls_supplemental_send1129364
+-Ref: gnutls_system_recv_timeout1129809
+-Ref: gnutls_tdb_deinit1130551
+-Ref: gnutls_tdb_init1130766
+-Ref: gnutls_tdb_set_store_commitment_func1131125
+-Ref: gnutls_tdb_set_store_func1131806
+-Ref: gnutls_tdb_set_verify_func1132395
+-Ref: gnutls_transport_get_int1133139
+-Ref: gnutls_transport_get_int21133547
+-Ref: gnutls_transport_get_ptr1134050
+-Ref: gnutls_transport_get_ptr21134466
+-Ref: gnutls_transport_set_errno1135000
+-Ref: gnutls_transport_set_errno_function1135987
+-Ref: gnutls_transport_set_int1136524
+-Ref: gnutls_transport_set_int21137078
+-Ref: gnutls_transport_set_ptr1137807
+-Ref: gnutls_transport_set_ptr21138220
+-Ref: gnutls_transport_set_pull_function1138864
+-Ref: gnutls_transport_set_pull_timeout_function1139644
+-Ref: gnutls_transport_set_push_function1141347
+-Ref: gnutls_transport_set_vec_push_function1142192
+-Ref: gnutls_url_is_supported1142888
+-Ref: gnutls_utf8_password_normalize1143308
+-Ref: gnutls_verify_stored_pubkey1144097
+-Node: Datagram TLS API1147244
+-Ref: gnutls_dtls_cookie_send1147520
+-Ref: gnutls_dtls_cookie_verify1148775
+-Ref: gnutls_dtls_get_data_mtu1149719
+-Ref: gnutls_dtls_get_mtu1150162
+-Ref: gnutls_dtls_get_timeout1150605
+-Ref: gnutls_dtls_prestate_set1151148
+-Ref: gnutls_dtls_set_data_mtu1151732
+-Ref: gnutls_dtls_set_mtu1152706
+-Ref: gnutls_dtls_set_timeouts1153313
+-Ref: gnutls_record_get_discarded1154317
+-Node: X509 certificate API1154591
+-Ref: gnutls_certificate_get_trust_list1154940
+-Ref: gnutls_certificate_set_trust_list1155588
+-Ref: gnutls_certificate_verification_profile_get_id1156363
+-Ref: gnutls_certificate_verification_profile_get_name1156910
+-Ref: gnutls_pkcs8_info1157293
+-Ref: gnutls_pkcs_schema_get_name1158811
+-Ref: gnutls_pkcs_schema_get_oid1159216
+-Ref: gnutls_session_set_verify_output_function1159643
+-Ref: gnutls_subject_alt_names_deinit1160800
+-Ref: gnutls_subject_alt_names_get1161079
+-Ref: gnutls_subject_alt_names_init1162089
+-Ref: gnutls_subject_alt_names_set1162469
+-Ref: gnutls_x509_aia_deinit1163288
+-Ref: gnutls_x509_aia_get1163522
+-Ref: gnutls_x509_aia_init1164681
+-Ref: gnutls_x509_aia_set1165016
+-Ref: gnutls_x509_aki_deinit1165811
+-Ref: gnutls_x509_aki_get_cert_issuer1166075
+-Ref: gnutls_x509_aki_get_id1167141
+-Ref: gnutls_x509_aki_init1167680
+-Ref: gnutls_x509_aki_set_cert_issuer1168029
+-Ref: gnutls_x509_aki_set_id1169144
+-Ref: gnutls_x509_cidr_to_rfc52801169573
+-Ref: gnutls_x509_crl_check_issuer1170471
+-Ref: gnutls_x509_crl_deinit1170919
+-Ref: gnutls_x509_crl_dist_points_deinit1171151
+-Ref: gnutls_x509_crl_dist_points_get1171446
+-Ref: gnutls_x509_crl_dist_points_init1172420
+-Ref: gnutls_x509_crl_dist_points_set1172816
+-Ref: gnutls_x509_crl_export1173519
+-Ref: gnutls_x509_crl_export21174402
+-Ref: gnutls_x509_crl_get_authority_key_gn_serial1175122
+-Ref: gnutls_x509_crl_get_authority_key_id1176436
+-Ref: gnutls_x509_crl_get_crt_count1177499
+-Ref: gnutls_x509_crl_get_crt_serial1177857
+-Ref: gnutls_x509_crl_get_dn_oid1178761
+-Ref: gnutls_x509_crl_get_extension_data1179567
+-Ref: gnutls_x509_crl_get_extension_data21180684
+-Ref: gnutls_x509_crl_get_extension_info1181563
+-Ref: gnutls_x509_crl_get_extension_oid1182827
+-Ref: gnutls_x509_crl_get_issuer_dn1183679
+-Ref: gnutls_x509_crl_get_issuer_dn21184680
+-Ref: gnutls_x509_crl_get_issuer_dn31185514
+-Ref: gnutls_x509_crl_get_issuer_dn_by_oid1186492
+-Ref: gnutls_x509_crl_get_next_update1188003
+-Ref: gnutls_x509_crl_get_number1188437
+-Ref: gnutls_x509_crl_get_raw_issuer_dn1189162
+-Ref: gnutls_x509_crl_get_signature1189616
+-Ref: gnutls_x509_crl_get_signature_algorithm1190163
+-Ref: gnutls_x509_crl_get_signature_oid1190725
+-Ref: gnutls_x509_crl_get_this_update1191386
+-Ref: gnutls_x509_crl_get_version1191711
+-Ref: gnutls_x509_crl_import1192019
+-Ref: gnutls_x509_crl_init1192643
+-Ref: gnutls_x509_crl_iter_crt_serial1193232
+-Ref: gnutls_x509_crl_iter_deinit1194378
+-Ref: gnutls_x509_crl_list_import1194623
+-Ref: gnutls_x509_crl_list_import21195625
+-Ref: gnutls_x509_crl_print1196491
+-Ref: gnutls_x509_crl_set_authority_key_id1197140
+-Ref: gnutls_x509_crl_set_crt1197793
+-Ref: gnutls_x509_crl_set_crt_serial1198366
+-Ref: gnutls_x509_crl_set_next_update1198998
+-Ref: gnutls_x509_crl_set_number1199615
+-Ref: gnutls_x509_crl_set_this_update1200192
+-Ref: gnutls_x509_crl_set_version1200596
+-Ref: gnutls_x509_crl_sign1201139
+-Ref: gnutls_x509_crl_sign21201832
+-Ref: gnutls_x509_crl_verify1203068
+-Ref: gnutls_x509_crq_deinit1204312
+-Ref: gnutls_x509_crq_export1204550
+-Ref: gnutls_x509_crq_export21205547
+-Ref: gnutls_x509_crq_get_attribute_by_oid1206321
+-Ref: gnutls_x509_crq_get_attribute_data1207346
+-Ref: gnutls_x509_crq_get_attribute_info1208458
+-Ref: gnutls_x509_crq_get_basic_constraints1209655
+-Ref: gnutls_x509_crq_get_challenge_password1210908
+-Ref: gnutls_x509_crq_get_dn1211520
+-Ref: gnutls_x509_crq_get_dn21212469
+-Ref: gnutls_x509_crq_get_dn31213326
+-Ref: gnutls_x509_crq_get_dn_by_oid1214334
+-Ref: gnutls_x509_crq_get_dn_oid1215795
+-Ref: gnutls_x509_crq_get_extension_by_oid1216582
+-Ref: gnutls_x509_crq_get_extension_by_oid21217739
+-Ref: gnutls_x509_crq_get_extension_data1218821
+-Ref: gnutls_x509_crq_get_extension_data21219951
+-Ref: gnutls_x509_crq_get_extension_info1220830
+-Ref: gnutls_x509_crq_get_key_id1222091
+-Ref: gnutls_x509_crq_get_key_purpose_oid1223158
+-Ref: gnutls_x509_crq_get_key_rsa_raw1224173
+-Ref: gnutls_x509_crq_get_key_usage1224797
+-Ref: gnutls_x509_crq_get_pk_algorithm1225883
+-Ref: gnutls_x509_crq_get_pk_oid1226604
+-Ref: gnutls_x509_crq_get_private_key_usage_period1227261
+-Ref: gnutls_x509_crq_get_signature_algorithm1227976
+-Ref: gnutls_x509_crq_get_signature_oid1228615
+-Ref: gnutls_x509_crq_get_spki1229276
+-Ref: gnutls_x509_crq_get_subject_alt_name1229836
+-Ref: gnutls_x509_crq_get_subject_alt_othername_oid1231394
+-Ref: gnutls_x509_crq_get_tlsfeatures1232874
+-Ref: gnutls_x509_crq_get_version1234003
+-Ref: gnutls_x509_crq_import1234349
+-Ref: gnutls_x509_crq_init1235031
+-Ref: gnutls_x509_crq_print1235379
+-Ref: gnutls_x509_crq_set_attribute_by_oid1236035
+-Ref: gnutls_x509_crq_set_basic_constraints1236900
+-Ref: gnutls_x509_crq_set_challenge_password1237644
+-Ref: gnutls_x509_crq_set_dn1238095
+-Ref: gnutls_x509_crq_set_dn_by_oid1238713
+-Ref: gnutls_x509_crq_set_extension_by_oid1239843
+-Ref: gnutls_x509_crq_set_key1240622
+-Ref: gnutls_x509_crq_set_key_purpose_oid1241085
+-Ref: gnutls_x509_crq_set_key_rsa_raw1241865
+-Ref: gnutls_x509_crq_set_key_usage1242441
+-Ref: gnutls_x509_crq_set_private_key_usage_period1242945
+-Ref: gnutls_x509_crq_set_spki1243450
+-Ref: gnutls_x509_crq_set_subject_alt_name1244321
+-Ref: gnutls_x509_crq_set_subject_alt_othername1245147
+-Ref: gnutls_x509_crq_set_tlsfeatures1245985
+-Ref: gnutls_x509_crq_set_version1246535
+-Ref: gnutls_x509_crq_sign1247020
+-Ref: gnutls_x509_crq_sign21247791
+-Ref: gnutls_x509_crq_verify1249123
+-Ref: gnutls_x509_crt_check_email1249716
+-Ref: gnutls_x509_crt_check_hostname1250244
+-Ref: gnutls_x509_crt_check_hostname21250956
+-Ref: gnutls_x509_crt_check_ip1252707
+-Ref: gnutls_x509_crt_check_issuer1253321
+-Ref: gnutls_x509_crt_check_key_purpose1254059
+-Ref: gnutls_x509_crt_check_revocation1254753
+-Ref: gnutls_x509_crt_cpy_crl_dist_points1255402
+-Ref: gnutls_x509_crt_deinit1255991
+-Ref: gnutls_x509_crt_equals1256209
+-Ref: gnutls_x509_crt_equals21256591
+-Ref: gnutls_x509_crt_export1257015
+-Ref: gnutls_x509_crt_export21257926
+-Ref: gnutls_x509_crt_get_activation_time1258624
+-Ref: gnutls_x509_crt_get_authority_info_access1259002
+-Ref: gnutls_x509_crt_get_authority_key_gn_serial1262476
+-Ref: gnutls_x509_crt_get_authority_key_id1263917
+-Ref: gnutls_x509_crt_get_basic_constraints1265048
+-Ref: gnutls_x509_crt_get_ca_status1266262
+-Ref: gnutls_x509_crt_get_crl_dist_points1267261
+-Ref: gnutls_x509_crt_get_dn1268586
+-Ref: gnutls_x509_crt_get_dn21269781
+-Ref: gnutls_x509_crt_get_dn31270590
+-Ref: gnutls_x509_crt_get_dn_by_oid1271550
+-Ref: gnutls_x509_crt_get_dn_oid1273319
+-Ref: gnutls_x509_crt_get_expiration_time1274347
+-Ref: gnutls_x509_crt_get_extension_by_oid1274713
+-Ref: gnutls_x509_crt_get_extension_by_oid21275840
+-Ref: gnutls_x509_crt_get_extension_data1276913
+-Ref: gnutls_x509_crt_get_extension_data21278002
+-Ref: gnutls_x509_crt_get_extension_info1278867
+-Ref: gnutls_x509_crt_get_extension_oid1280279
+-Ref: gnutls_x509_crt_get_fingerprint1281242
+-Ref: gnutls_x509_crt_get_inhibit_anypolicy1282130
+-Ref: gnutls_x509_crt_get_issuer1283099
+-Ref: gnutls_x509_crt_get_issuer_alt_name1283737
+-Ref: gnutls_x509_crt_get_issuer_alt_name21285537
+-Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1287119
+-Ref: gnutls_x509_crt_get_issuer_dn1288768
+-Ref: gnutls_x509_crt_get_issuer_dn21289889
+-Ref: gnutls_x509_crt_get_issuer_dn31290736
+-Ref: gnutls_x509_crt_get_issuer_dn_by_oid1291727
+-Ref: gnutls_x509_crt_get_issuer_dn_oid1293514
+-Ref: gnutls_x509_crt_get_issuer_unique_id1294550
+-Ref: gnutls_x509_crt_get_key_id1295645
+-Ref: gnutls_x509_crt_get_key_purpose_oid1296668
+-Ref: gnutls_x509_crt_get_key_usage1297829
+-Ref: gnutls_x509_crt_get_name_constraints1298889
+-Ref: gnutls_x509_crt_get_pk_algorithm1300297
+-Ref: gnutls_x509_crt_get_pk_dsa_raw1301086
+-Ref: gnutls_x509_crt_get_pk_ecc_raw1301754
+-Ref: gnutls_x509_crt_get_pk_gost_raw1302567
+-Ref: gnutls_x509_crt_get_pk_oid1303411
+-Ref: gnutls_x509_crt_get_pk_rsa_raw1304037
+-Ref: gnutls_x509_crt_get_policy1304615
+-Ref: gnutls_x509_crt_get_private_key_usage_period1305561
+-Ref: gnutls_x509_crt_get_proxy1306313
+-Ref: gnutls_x509_crt_get_raw_dn1307334
+-Ref: gnutls_x509_crt_get_raw_issuer_dn1307927
+-Ref: gnutls_x509_crt_get_serial1308506
+-Ref: gnutls_x509_crt_get_signature1309246
+-Ref: gnutls_x509_crt_get_signature_algorithm1309801
+-Ref: gnutls_x509_crt_get_signature_oid1310414
+-Ref: gnutls_x509_crt_get_spki1311072
+-Ref: gnutls_x509_crt_get_subject1311558
+-Ref: gnutls_x509_crt_get_subject_alt_name1312201
+-Ref: gnutls_x509_crt_get_subject_alt_name21313960
+-Ref: gnutls_x509_crt_get_subject_alt_othername_oid1315525
+-Ref: gnutls_x509_crt_get_subject_key_id1317165
+-Ref: gnutls_x509_crt_get_subject_unique_id1317997
+-Ref: gnutls_x509_crt_get_tlsfeatures1319082
+-Ref: gnutls_x509_crt_get_version1320194
+-Ref: gnutls_x509_crt_import1320521
+-Ref: gnutls_x509_crt_import_url1321222
+-Ref: gnutls_x509_crt_init1321943
+-Ref: gnutls_x509_crt_list_import1322290
+-Ref: gnutls_x509_crt_list_import21323657
+-Ref: gnutls_x509_crt_list_import_url1324729
+-Ref: gnutls_x509_crt_list_verify1325953
+-Ref: gnutls_x509_crt_print1327533
+-Ref: gnutls_x509_crt_set_activation_time1328425
+-Ref: gnutls_x509_crt_set_authority_info_access1328892
+-Ref: gnutls_x509_crt_set_authority_key_id1329787
+-Ref: gnutls_x509_crt_set_basic_constraints1330369
+-Ref: gnutls_x509_crt_set_ca_status1331068
+-Ref: gnutls_x509_crt_set_crl_dist_points1331666
+-Ref: gnutls_x509_crt_set_crl_dist_points21332318
+-Ref: gnutls_x509_crt_set_crq1333017
+-Ref: gnutls_x509_crt_set_crq_extension_by_oid1333734
+-Ref: gnutls_x509_crt_set_crq_extensions1334370
+-Ref: gnutls_x509_crt_set_dn1334836
+-Ref: gnutls_x509_crt_set_dn_by_oid1335719
+-Ref: gnutls_x509_crt_set_expiration_time1336836
+-Ref: gnutls_x509_crt_set_extension_by_oid1337381
+-Ref: gnutls_x509_crt_set_flags1338156
+-Ref: gnutls_x509_crt_set_inhibit_anypolicy1338664
+-Ref: gnutls_x509_crt_set_issuer_alt_name1339174
+-Ref: gnutls_x509_crt_set_issuer_alt_othername1340196
+-Ref: gnutls_x509_crt_set_issuer_dn1341172
+-Ref: gnutls_x509_crt_set_issuer_dn_by_oid1341811
+-Ref: gnutls_x509_crt_set_issuer_unique_id1343090
+-Ref: gnutls_x509_crt_set_key1343595
+-Ref: gnutls_x509_crt_set_key_purpose_oid1344175
+-Ref: gnutls_x509_crt_set_key_usage1344943
+-Ref: gnutls_x509_crt_set_name_constraints1345402
+-Ref: gnutls_x509_crt_set_pin_function1346024
+-Ref: gnutls_x509_crt_set_policy1346692
+-Ref: gnutls_x509_crt_set_private_key_usage_period1347545
+-Ref: gnutls_x509_crt_set_proxy1348052
+-Ref: gnutls_x509_crt_set_proxy_dn1348866
+-Ref: gnutls_x509_crt_set_serial1349885
+-Ref: gnutls_x509_crt_set_spki1350945
+-Ref: gnutls_x509_crt_set_subject_alt_name1351800
+-Ref: gnutls_x509_crt_set_subject_alt_othername1353040
+-Ref: gnutls_x509_crt_set_subject_alternative_name1354048
+-Ref: gnutls_x509_crt_set_subject_key_id1354946
+-Ref: gnutls_x509_crt_set_subject_unique_id1355466
+-Ref: gnutls_x509_crt_set_tlsfeatures1355989
+-Ref: gnutls_x509_crt_set_version1356513
+-Ref: gnutls_x509_crt_sign1357336
+-Ref: gnutls_x509_crt_sign21358031
+-Ref: gnutls_x509_crt_verify1359264
+-Ref: gnutls_x509_crt_verify_data21360313
+-Ref: gnutls_x509_dn_deinit1361317
+-Ref: gnutls_x509_dn_export1361579
+-Ref: gnutls_x509_dn_export21362473
+-Ref: gnutls_x509_dn_get_rdn_ava1363134
+-Ref: gnutls_x509_dn_get_str1364166
+-Ref: gnutls_x509_dn_get_str21364762
+-Ref: gnutls_x509_dn_import1365624
+-Ref: gnutls_x509_dn_init1366240
+-Ref: gnutls_x509_dn_oid_known1366661
+-Ref: gnutls_x509_dn_oid_name1367330
+-Ref: gnutls_x509_dn_set_str1367859
+-Ref: gnutls_x509_ext_deinit1368458
+-Ref: gnutls_x509_ext_export_aia1368702
+-Ref: gnutls_x509_ext_export_authority_key_id1369296
+-Ref: gnutls_x509_ext_export_basic_constraints1369952
+-Ref: gnutls_x509_ext_export_crl_dist_points1370649
+-Ref: gnutls_x509_ext_export_inhibit_anypolicy1371317
+-Ref: gnutls_x509_ext_export_key_purposes1371985
+-Ref: gnutls_x509_ext_export_key_usage1372604
+-Ref: gnutls_x509_ext_export_name_constraints1373220
+-Ref: gnutls_x509_ext_export_policies1373861
+-Ref: gnutls_x509_ext_export_private_key_usage_period1374524
+-Ref: gnutls_x509_ext_export_proxy1375189
+-Ref: gnutls_x509_ext_export_subject_alt_names1376175
+-Ref: gnutls_x509_ext_export_subject_key_id1376824
+-Ref: gnutls_x509_ext_export_tlsfeatures1377446
+-Ref: gnutls_x509_ext_import_aia1378064
+-Ref: gnutls_x509_ext_import_authority_key_id1378769
+-Ref: gnutls_x509_ext_import_basic_constraints1379437
+-Ref: gnutls_x509_ext_import_crl_dist_points1380063
+-Ref: gnutls_x509_ext_import_inhibit_anypolicy1380691
+-Ref: gnutls_x509_ext_import_key_purposes1381606
+-Ref: gnutls_x509_ext_import_key_usage1382240
+-Ref: gnutls_x509_ext_import_name_constraints1383256
+-Ref: gnutls_x509_ext_import_policies1384594
+-Ref: gnutls_x509_ext_import_private_key_usage_period1385201
+-Ref: gnutls_x509_ext_import_proxy1385816
+-Ref: gnutls_x509_ext_import_subject_alt_names1386902
+-Ref: gnutls_x509_ext_import_subject_key_id1387660
+-Ref: gnutls_x509_ext_import_tlsfeatures1388295
+-Ref: gnutls_x509_ext_print1389187
+-Ref: gnutls_x509_key_purpose_deinit1389898
+-Ref: gnutls_x509_key_purpose_get1390152
+-Ref: gnutls_x509_key_purpose_init1390880
+-Ref: gnutls_x509_key_purpose_set1391241
+-Ref: gnutls_x509_name_constraints_add_excluded1391696
+-Ref: gnutls_x509_name_constraints_add_permitted1392637
+-Ref: gnutls_x509_name_constraints_check1393512
+-Ref: gnutls_x509_name_constraints_check_crt1394349
+-Ref: gnutls_x509_name_constraints_deinit1395219
+-Ref: gnutls_x509_name_constraints_get_excluded1395519
+-Ref: gnutls_x509_name_constraints_get_permitted1396590
+-Ref: gnutls_x509_name_constraints_init1397644
+-Ref: gnutls_x509_othername_to_virtual1398027
+-Ref: gnutls_x509_policies_deinit1398646
+-Ref: gnutls_x509_policies_get1398926
+-Ref: gnutls_x509_policies_init1399712
+-Ref: gnutls_x509_policies_set1400077
+-Ref: gnutls_x509_policy_release1400544
+-Ref: gnutls_x509_privkey_cpy1400908
+-Ref: gnutls_x509_privkey_deinit1401378
+-Ref: gnutls_x509_privkey_export1401619
+-Ref: gnutls_x509_privkey_export21402654
+-Ref: gnutls_x509_privkey_export2_pkcs81403532
+-Ref: gnutls_x509_privkey_export_dsa_raw1404808
+-Ref: gnutls_x509_privkey_export_ecc_raw1405548
+-Ref: gnutls_x509_privkey_export_gost_raw1406431
+-Ref: gnutls_x509_privkey_export_pkcs81407516
+-Ref: gnutls_x509_privkey_export_rsa_raw1409021
+-Ref: gnutls_x509_privkey_export_rsa_raw21409882
+-Ref: gnutls_x509_privkey_fix1410868
+-Ref: gnutls_x509_privkey_generate1411253
+-Ref: gnutls_x509_privkey_generate21412778
+-Ref: gnutls_x509_privkey_get_key_id1414937
+-Ref: gnutls_x509_privkey_get_pk_algorithm1415956
+-Ref: gnutls_x509_privkey_get_pk_algorithm21416384
+-Ref: gnutls_x509_privkey_get_seed1416875
+-Ref: gnutls_x509_privkey_get_spki1417699
+-Ref: gnutls_x509_privkey_import1418234
+-Ref: gnutls_x509_privkey_import21419029
+-Ref: gnutls_x509_privkey_import_dsa_raw1420102
+-Ref: gnutls_x509_privkey_import_ecc_raw1420834
+-Ref: gnutls_x509_privkey_import_gost_raw1421650
+-Ref: gnutls_x509_privkey_import_openssl1422926
+-Ref: gnutls_x509_privkey_import_pkcs81423800
+-Ref: gnutls_x509_privkey_import_rsa_raw1425247
+-Ref: gnutls_x509_privkey_import_rsa_raw21426101
+-Ref: gnutls_x509_privkey_init1427097
+-Ref: gnutls_x509_privkey_sec_param1427442
+-Ref: gnutls_x509_privkey_set_flags1427861
+-Ref: gnutls_x509_privkey_set_pin_function1428411
+-Ref: gnutls_x509_privkey_set_spki1429029
+-Ref: gnutls_x509_privkey_sign_data1429576
+-Ref: gnutls_x509_privkey_verify_params1430797
+-Ref: gnutls_x509_privkey_verify_seed1431133
+-Ref: gnutls_x509_rdn_get1431962
+-Ref: gnutls_x509_rdn_get21432780
+-Ref: gnutls_x509_rdn_get_by_oid1433688
+-Ref: gnutls_x509_rdn_get_oid1434670
+-Ref: gnutls_x509_spki_deinit1435415
+-Ref: gnutls_x509_spki_get_rsa_pss_params1435697
+-Ref: gnutls_x509_spki_init1436258
+-Ref: gnutls_x509_spki_set_rsa_pss_params1436774
+-Ref: gnutls_x509_tlsfeatures_add1437287
+-Ref: gnutls_x509_tlsfeatures_check_crt1437743
+-Ref: gnutls_x509_tlsfeatures_deinit1438343
+-Ref: gnutls_x509_tlsfeatures_get1438621
+-Ref: gnutls_x509_tlsfeatures_init1439181
+-Ref: gnutls_x509_trust_list_add_cas1439566
+-Ref: gnutls_x509_trust_list_add_crls1440751
+-Ref: gnutls_x509_trust_list_add_named_crt1442129
+-Ref: gnutls_x509_trust_list_add_system_trust1443344
+-Ref: gnutls_x509_trust_list_add_trust_dir1444106
+-Ref: gnutls_x509_trust_list_add_trust_file1444969
+-Ref: gnutls_x509_trust_list_add_trust_mem1446116
+-Ref: gnutls_x509_trust_list_deinit1447035
+-Ref: gnutls_x509_trust_list_get_issuer1447661
+-Ref: gnutls_x509_trust_list_get_issuer_by_dn1448711
+-Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1449440
+-Ref: gnutls_x509_trust_list_get_ptr1450248
+-Ref: gnutls_x509_trust_list_init1450761
+-Ref: gnutls_x509_trust_list_iter_deinit1451266
+-Ref: gnutls_x509_trust_list_iter_get_ca1451575
+-Ref: gnutls_x509_trust_list_remove_cas1452755
+-Ref: gnutls_x509_trust_list_remove_trust_file1453610
+-Ref: gnutls_x509_trust_list_remove_trust_mem1454311
+-Ref: gnutls_x509_trust_list_set_getissuer_function1454969
+-Ref: gnutls_x509_trust_list_set_ptr1456602
+-Ref: gnutls_x509_trust_list_verify_crt1457140
+-Ref: gnutls_x509_trust_list_verify_crt21458303
+-Ref: gnutls_x509_trust_list_verify_named_crt1461237
+-Node: PKCS 7 API1463965
+-Ref: gnutls_pkcs7_add_attr1464261
+-Ref: gnutls_pkcs7_attrs_deinit1465067
+-Ref: gnutls_pkcs7_deinit1465302
+-Ref: gnutls_pkcs7_delete_crl1465507
+-Ref: gnutls_pkcs7_delete_crt1465936
+-Ref: gnutls_pkcs7_export1466382
+-Ref: gnutls_pkcs7_export21467282
+-Ref: gnutls_pkcs7_get_attr1467943
+-Ref: gnutls_pkcs7_get_crl_count1468830
+-Ref: gnutls_pkcs7_get_crl_raw1469178
+-Ref: gnutls_pkcs7_get_crl_raw21469953
+-Ref: gnutls_pkcs7_get_crt_count1470584
+-Ref: gnutls_pkcs7_get_crt_raw1470959
+-Ref: gnutls_pkcs7_get_crt_raw21471859
+-Ref: gnutls_pkcs7_get_embedded_data1472713
+-Ref: gnutls_pkcs7_get_embedded_data_oid1473713
+-Ref: gnutls_pkcs7_get_signature_count1474273
+-Ref: gnutls_pkcs7_get_signature_info1474680
+-Ref: gnutls_pkcs7_import1475353
+-Ref: gnutls_pkcs7_init1475974
+-Ref: gnutls_pkcs7_print1476398
+-Ref: gnutls_pkcs7_print_signature_info1477143
+-Ref: gnutls_pkcs7_set_crl1477948
+-Ref: gnutls_pkcs7_set_crl_raw1478349
+-Ref: gnutls_pkcs7_set_crt1478739
+-Ref: gnutls_pkcs7_set_crt_raw1479223
+-Ref: gnutls_pkcs7_sign1479636
+-Ref: gnutls_pkcs7_signature_info_deinit1481075
+-Ref: gnutls_pkcs7_verify1481428
+-Ref: gnutls_pkcs7_verify_direct1482593
+-Node: OCSP API1484053
+-Ref: gnutls_ocsp_req_add_cert1484337
+-Ref: gnutls_ocsp_req_add_cert_id1485297
+-Ref: gnutls_ocsp_req_deinit1486617
+-Ref: gnutls_ocsp_req_export1486834
+-Ref: gnutls_ocsp_req_get_cert_id1487259
+-Ref: gnutls_ocsp_req_get_extension1488851
+-Ref: gnutls_ocsp_req_get_nonce1490267
+-Ref: gnutls_ocsp_req_get_version1490921
+-Ref: gnutls_ocsp_req_import1491308
+-Ref: gnutls_ocsp_req_init1491804
+-Ref: gnutls_ocsp_req_print1492132
+-Ref: gnutls_ocsp_req_randomize_nonce1492868
+-Ref: gnutls_ocsp_req_set_extension1493301
+-Ref: gnutls_ocsp_req_set_nonce1493985
+-Ref: gnutls_ocsp_resp_check_crt1494572
+-Ref: gnutls_ocsp_resp_deinit1495156
+-Ref: gnutls_ocsp_resp_export1495380
+-Ref: gnutls_ocsp_resp_export21495806
+-Ref: gnutls_ocsp_resp_get_certs1496326
+-Ref: gnutls_ocsp_resp_get_extension1497451
+-Ref: gnutls_ocsp_resp_get_nonce1498875
+-Ref: gnutls_ocsp_resp_get_produced1499541
+-Ref: gnutls_ocsp_resp_get_responder1499888
+-Ref: gnutls_ocsp_resp_get_responder21500993
+-Ref: gnutls_ocsp_resp_get_responder_raw_id1502256
+-Ref: gnutls_ocsp_resp_get_response1503087
+-Ref: gnutls_ocsp_resp_get_signature1504313
+-Ref: gnutls_ocsp_resp_get_signature_algorithm1504802
+-Ref: gnutls_ocsp_resp_get_single1505280
+-Ref: gnutls_ocsp_resp_get_status1507222
+-Ref: gnutls_ocsp_resp_get_version1507651
+-Ref: gnutls_ocsp_resp_import1508059
+-Ref: gnutls_ocsp_resp_import21508627
+-Ref: gnutls_ocsp_resp_init1509255
+-Ref: gnutls_ocsp_resp_list_import21509604
+-Ref: gnutls_ocsp_resp_print1510795
+-Ref: gnutls_ocsp_resp_verify1511521
+-Ref: gnutls_ocsp_resp_verify_direct1513138
+-Node: PKCS 12 API1515571
+-Ref: gnutls_pkcs12_bag_decrypt1515861
+-Ref: gnutls_pkcs12_bag_deinit1516293
+-Ref: gnutls_pkcs12_bag_enc_info1516531
+-Ref: gnutls_pkcs12_bag_encrypt1517904
+-Ref: gnutls_pkcs12_bag_get_count1518409
+-Ref: gnutls_pkcs12_bag_get_data1518720
+-Ref: gnutls_pkcs12_bag_get_friendly_name1519326
+-Ref: gnutls_pkcs12_bag_get_key_id1519963
+-Ref: gnutls_pkcs12_bag_get_type1520582
+-Ref: gnutls_pkcs12_bag_init1520952
+-Ref: gnutls_pkcs12_bag_set_crl1521410
+-Ref: gnutls_pkcs12_bag_set_crt1521843
+-Ref: gnutls_pkcs12_bag_set_data1522289
+-Ref: gnutls_pkcs12_bag_set_friendly_name1522760
+-Ref: gnutls_pkcs12_bag_set_key_id1523444
+-Ref: gnutls_pkcs12_bag_set_privkey1524118
+-Ref: gnutls_pkcs12_deinit1524774
+-Ref: gnutls_pkcs12_export1524976
+-Ref: gnutls_pkcs12_export21525883
+-Ref: gnutls_pkcs12_generate_mac1526559
+-Ref: gnutls_pkcs12_generate_mac21526950
+-Ref: gnutls_pkcs12_get_bag1527394
+-Ref: gnutls_pkcs12_import1527980
+-Ref: gnutls_pkcs12_init1528701
+-Ref: gnutls_pkcs12_mac_info1529134
+-Ref: gnutls_pkcs12_set_bag1530443
+-Ref: gnutls_pkcs12_simple_parse1530849
+-Ref: gnutls_pkcs12_verify_mac1533530
+-Node: PKCS 11 API1533886
+-Ref: gnutls_pkcs11_add_provider1534215
+-Ref: gnutls_pkcs11_copy_attached_extension1534960
+-Ref: gnutls_pkcs11_copy_pubkey1535819
+-Ref: gnutls_pkcs11_copy_secret_key1536852
+-Ref: gnutls_pkcs11_copy_x509_crt1537577
+-Ref: gnutls_pkcs11_copy_x509_crt21538225
+-Ref: gnutls_pkcs11_copy_x509_privkey1539193
+-Ref: gnutls_pkcs11_copy_x509_privkey21540010
+-Ref: gnutls_pkcs11_crt_is_known1540955
+-Ref: gnutls_pkcs11_deinit1542091
+-Ref: gnutls_pkcs11_delete_url1542408
+-Ref: gnutls_pkcs11_get_pin_function1542924
+-Ref: gnutls_pkcs11_get_raw_issuer1543307
+-Ref: gnutls_pkcs11_get_raw_issuer_by_dn1544217
+-Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1545256
+-Ref: gnutls_pkcs11_init1546367
+-Ref: gnutls_pkcs11_obj_deinit1547409
+-Ref: gnutls_pkcs11_obj_export1547655
+-Ref: gnutls_pkcs11_obj_export21548500
+-Ref: gnutls_pkcs11_obj_export31549097
+-Ref: gnutls_pkcs11_obj_export_url1549770
+-Ref: gnutls_pkcs11_obj_flags_get_str1550297
+-Ref: gnutls_pkcs11_obj_get_exts1550776
+-Ref: gnutls_pkcs11_obj_get_flags1551712
+-Ref: gnutls_pkcs11_obj_get_info1552249
+-Ref: gnutls_pkcs11_obj_get_ptr1553513
+-Ref: gnutls_pkcs11_obj_get_type1554422
+-Ref: gnutls_pkcs11_obj_import_url1554772
+-Ref: gnutls_pkcs11_obj_init1555692
+-Ref: gnutls_pkcs11_obj_list_import_url31556077
+-Ref: gnutls_pkcs11_obj_list_import_url41558018
+-Ref: gnutls_pkcs11_obj_set_info1559694
+-Ref: gnutls_pkcs11_obj_set_pin_function1560473
+-Ref: gnutls_pkcs11_privkey_cpy1560984
+-Ref: gnutls_pkcs11_privkey_deinit1561485
+-Ref: gnutls_pkcs11_privkey_export_pubkey1561748
+-Ref: gnutls_pkcs11_privkey_export_url1562552
+-Ref: gnutls_pkcs11_privkey_generate1563062
+-Ref: gnutls_pkcs11_privkey_generate21563734
+-Ref: gnutls_pkcs11_privkey_generate31564964
+-Ref: gnutls_pkcs11_privkey_get_info1566474
+-Ref: gnutls_pkcs11_privkey_get_pk_algorithm1567356
+-Ref: gnutls_pkcs11_privkey_import_url1567887
+-Ref: gnutls_pkcs11_privkey_init1568588
+-Ref: gnutls_pkcs11_privkey_set_pin_function1569303
+-Ref: gnutls_pkcs11_privkey_status1569823
+-Ref: gnutls_pkcs11_reinit1570199
+-Ref: gnutls_pkcs11_set_pin_function1570759
+-Ref: gnutls_pkcs11_set_token_function1571249
+-Ref: gnutls_pkcs11_token_check_mechanism1571667
+-Ref: gnutls_pkcs11_token_get_flags1572424
+-Ref: gnutls_pkcs11_token_get_info1572966
+-Ref: gnutls_pkcs11_token_get_mechanism1573989
+-Ref: gnutls_pkcs11_token_get_ptr1574602
+-Ref: gnutls_pkcs11_token_get_random1575301
+-Ref: gnutls_pkcs11_token_get_url1575932
+-Ref: gnutls_pkcs11_token_init1576600
+-Ref: gnutls_pkcs11_token_set_pin1577238
+-Ref: gnutls_pkcs11_type_get_name1578078
+-Ref: gnutls_x509_crt_import_pkcs111578567
+-Ref: gnutls_x509_crt_list_import_pkcs111579089
+-Node: TPM API1579698
+-Ref: gnutls_tpm_get_registered1579977
+-Ref: gnutls_tpm_key_list_deinit1580370
+-Ref: gnutls_tpm_key_list_get_url1580638
+-Ref: gnutls_tpm_privkey_delete1581291
+-Ref: gnutls_tpm_privkey_generate1581729
+-Node: Abstract key API1583079
+-Ref: gnutls_certificate_set_key1583400
+-Ref: gnutls_certificate_set_retrieve_function21585536
+-Ref: gnutls_certificate_set_retrieve_function31587786
+-Ref: gnutls_pcert_deinit1590646
+-Ref: gnutls_pcert_export_openpgp1590891
+-Ref: gnutls_pcert_export_x5091591240
+-Ref: gnutls_pcert_import_openpgp1591890
+-Ref: gnutls_pcert_import_openpgp_raw1592289
+-Ref: gnutls_pcert_import_rawpk1592858
+-Ref: gnutls_pcert_import_rawpk_raw1593711
+-Ref: gnutls_pcert_import_x5091594960
+-Ref: gnutls_pcert_import_x509_list1595557
+-Ref: gnutls_pcert_import_x509_raw1596747
+-Ref: gnutls_pcert_list_import_x509_file1597453
+-Ref: gnutls_pcert_list_import_x509_raw1598885
+-Ref: gnutls_privkey_decrypt_data1600219
+-Ref: gnutls_privkey_decrypt_data21600867
+-Ref: gnutls_privkey_deinit1601692
+-Ref: gnutls_privkey_export_dsa_raw1601941
+-Ref: gnutls_privkey_export_dsa_raw21602671
+-Ref: gnutls_privkey_export_ecc_raw1603477
+-Ref: gnutls_privkey_export_ecc_raw21604339
+-Ref: gnutls_privkey_export_gost_raw21605281
+-Ref: gnutls_privkey_export_openpgp1606415
+-Ref: gnutls_privkey_export_pkcs111606767
+-Ref: gnutls_privkey_export_rsa_raw1607379
+-Ref: gnutls_privkey_export_rsa_raw21608410
+-Ref: gnutls_privkey_export_x5091609456
+-Ref: gnutls_privkey_generate1610104
+-Ref: gnutls_privkey_generate21611595
+-Ref: gnutls_privkey_get_pk_algorithm1613723
+-Ref: gnutls_privkey_get_seed1614337
+-Ref: gnutls_privkey_get_spki1615136
+-Ref: gnutls_privkey_get_type1615716
+-Ref: gnutls_privkey_import_dsa_raw1616205
+-Ref: gnutls_privkey_import_ecc_raw1616917
+-Ref: gnutls_privkey_import_ext1617730
+-Ref: gnutls_privkey_import_ext21618880
+-Ref: gnutls_privkey_import_ext31620237
+-Ref: gnutls_privkey_import_ext41621851
+-Ref: gnutls_privkey_import_gost_raw1624611
+-Ref: gnutls_privkey_import_openpgp1625819
+-Ref: gnutls_privkey_import_openpgp_raw1626228
+-Ref: gnutls_privkey_import_pkcs111626817
+-Ref: gnutls_privkey_import_pkcs11_url1627575
+-Ref: gnutls_privkey_import_rsa_raw1628024
+-Ref: gnutls_privkey_import_tpm_raw1629020
+-Ref: gnutls_privkey_import_tpm_url1629887
+-Ref: gnutls_privkey_import_url1630990
+-Ref: gnutls_privkey_import_x5091631537
+-Ref: gnutls_privkey_import_x509_raw1632285
+-Ref: gnutls_privkey_init1633064
+-Ref: gnutls_privkey_set_flags1633982
+-Ref: gnutls_privkey_set_pin_function1634507
+-Ref: gnutls_privkey_set_spki1635077
+-Ref: gnutls_privkey_sign_data1635650
+-Ref: gnutls_privkey_sign_data21636670
+-Ref: gnutls_privkey_sign_hash1637568
+-Ref: gnutls_privkey_sign_hash21639005
+-Ref: gnutls_privkey_status1640271
+-Ref: gnutls_privkey_verify_params1640815
+-Ref: gnutls_privkey_verify_seed1641177
+-Ref: gnutls_pubkey_deinit1641889
+-Ref: gnutls_pubkey_encrypt_data1642129
+-Ref: gnutls_pubkey_export1642771
+-Ref: gnutls_pubkey_export21643785
+-Ref: gnutls_pubkey_export_dsa_raw1644558
+-Ref: gnutls_pubkey_export_dsa_raw21645370
+-Ref: gnutls_pubkey_export_ecc_raw1646254
+-Ref: gnutls_pubkey_export_ecc_raw21647153
+-Ref: gnutls_pubkey_export_ecc_x9621648132
+-Ref: gnutls_pubkey_export_gost_raw21648791
+-Ref: gnutls_pubkey_export_rsa_raw1649935
+-Ref: gnutls_pubkey_export_rsa_raw21650632
+-Ref: gnutls_pubkey_get_key_id1651393
+-Ref: gnutls_pubkey_get_key_usage1652418
+-Ref: gnutls_pubkey_get_openpgp_key_id1652915
+-Ref: gnutls_pubkey_get_pk_algorithm1653554
+-Ref: gnutls_pubkey_get_preferred_hash_algorithm1654202
+-Ref: gnutls_pubkey_get_spki1655143
+-Ref: gnutls_pubkey_import1655711
+-Ref: gnutls_pubkey_import_dsa_raw1656395
+-Ref: gnutls_pubkey_import_ecc_raw1657056
+-Ref: gnutls_pubkey_import_ecc_x9621657824
+-Ref: gnutls_pubkey_import_gost_raw1658460
+-Ref: gnutls_pubkey_import_openpgp1659607
+-Ref: gnutls_pubkey_import_openpgp_raw1659999
+-Ref: gnutls_pubkey_import_pkcs111660568
+-Ref: gnutls_pubkey_import_privkey1661110
+-Ref: gnutls_pubkey_import_rsa_raw1661812
+-Ref: gnutls_pubkey_import_tpm_raw1662336
+-Ref: gnutls_pubkey_import_tpm_url1663113
+-Ref: gnutls_pubkey_import_url1664005
+-Ref: gnutls_pubkey_import_x5091664478
+-Ref: gnutls_pubkey_import_x509_crq1664978
+-Ref: gnutls_pubkey_import_x509_raw1665481
+-Ref: gnutls_pubkey_init1666058
+-Ref: gnutls_pubkey_print1666387
+-Ref: gnutls_pubkey_set_key_usage1667121
+-Ref: gnutls_pubkey_set_pin_function1667690
+-Ref: gnutls_pubkey_set_spki1668255
+-Ref: gnutls_pubkey_verify_data21668826
+-Ref: gnutls_pubkey_verify_hash21669734
+-Ref: gnutls_pubkey_verify_params1670858
+-Ref: gnutls_register_custom_url1671216
+-Ref: gnutls_system_key_add_x5091672154
+-Ref: gnutls_system_key_delete1672899
+-Ref: gnutls_system_key_iter_deinit1673323
+-Ref: gnutls_system_key_iter_get_info1673591
+-Ref: gnutls_x509_crl_privkey_sign1674865
+-Ref: gnutls_x509_crq_privkey_sign1676134
+-Ref: gnutls_x509_crq_set_pubkey1677496
+-Ref: gnutls_x509_crt_privkey_sign1678004
+-Ref: gnutls_x509_crt_set_pubkey1679247
+-Node: Socket specific API1679700
+-Ref: gnutls_transport_set_fastopen1679993
+-Node: DANE API1681539
+-Ref: dane_cert_type_name1681913
+-Ref: dane_cert_usage_name1682203
+-Ref: dane_match_type_name1682515
+-Ref: dane_query_data1682798
+-Ref: dane_query_deinit1683477
+-Ref: dane_query_entries1683682
+-Ref: dane_query_status1683924
+-Ref: dane_query_tlsa1684218
+-Ref: dane_query_to_raw_tlsa1684809
+-Ref: dane_raw_tlsa1686151
+-Ref: dane_state_deinit1687228
+-Ref: dane_state_init1687420
+-Ref: dane_state_set_dlv_file1687934
+-Ref: dane_strerror1688235
+-Ref: dane_verification_status_print1688734
+-Ref: dane_verify_crt1689328
+-Ref: dane_verify_crt_raw1691515
+-Ref: dane_verify_session_crt1692748
+-Node: Cryptographic API1694150
+-Ref: gnutls_aead_cipher_decrypt1694651
+-Ref: gnutls_aead_cipher_decryptv21696030
+-Ref: gnutls_aead_cipher_deinit1696955
+-Ref: gnutls_aead_cipher_encrypt1697283
+-Ref: gnutls_aead_cipher_encryptv1698392
+-Ref: gnutls_aead_cipher_encryptv21699540
+-Ref: gnutls_aead_cipher_init1700468
+-Ref: gnutls_cipher_add_auth1701134
+-Ref: gnutls_cipher_decrypt1701714
+-Ref: gnutls_cipher_decrypt21702338
+-Ref: gnutls_cipher_deinit1703264
+-Ref: gnutls_cipher_encrypt1703543
+-Ref: gnutls_cipher_encrypt21704003
+-Ref: gnutls_cipher_get_block_size1704780
+-Ref: gnutls_cipher_get_iv_size1705060
+-Ref: gnutls_cipher_get_tag_size1705542
+-Ref: gnutls_cipher_init1705948
+-Ref: gnutls_cipher_set_iv1706678
+-Ref: gnutls_cipher_tag1707023
+-Ref: gnutls_crypto_register_aead_cipher1707525
+-Ref: gnutls_crypto_register_cipher1709129
+-Ref: gnutls_crypto_register_digest1710910
+-Ref: gnutls_crypto_register_mac1712134
+-Ref: gnutls_decode_ber_digest_info1713562
+-Ref: gnutls_decode_gost_rs_value1714361
+-Ref: gnutls_decode_rs_value1715161
+-Ref: gnutls_encode_ber_digest_info1715946
+-Ref: gnutls_encode_gost_rs_value1716590
+-Ref: gnutls_encode_rs_value1717336
+-Ref: gnutls_hash1717956
+-Ref: gnutls_hash_copy1718387
+-Ref: gnutls_hash_deinit1718904
+-Ref: gnutls_hash_fast1719232
+-Ref: gnutls_hash_get_len1719749
+-Ref: gnutls_hash_init1720082
+-Ref: gnutls_hash_output1720618
+-Ref: gnutls_hkdf_expand1720950
+-Ref: gnutls_hkdf_extract1721653
+-Ref: gnutls_hmac1722196
+-Ref: gnutls_hmac_copy1722627
+-Ref: gnutls_hmac_deinit1723108
+-Ref: gnutls_hmac_fast1723435
+-Ref: gnutls_hmac_get_key_size1724159
+-Ref: gnutls_hmac_get_len1724620
+-Ref: gnutls_hmac_init1724950
+-Ref: gnutls_hmac_output1725733
+-Ref: gnutls_hmac_set_nonce1726068
+-Ref: gnutls_mac_get_nonce_size1726435
+-Ref: gnutls_pbkdf21726751
+-Ref: gnutls_rnd1727384
+-Ref: gnutls_rnd_refresh1728022
+-Node: Compatibility API1728308
+-Ref: gnutls_compression_get1728650
+-Ref: gnutls_compression_get_id1729002
+-Ref: gnutls_compression_get_name1729366
+-Ref: gnutls_compression_list1729748
+-Ref: gnutls_global_set_mem_functions1730080
+-Ref: gnutls_openpgp_privkey_sign_hash1731455
+-Ref: gnutls_priority_compression_list1731884
+-Ref: gnutls_x509_crt_get_preferred_hash_algorithm1732336
+-Ref: gnutls_x509_privkey_sign_hash1733217
+-Node: Copying Information1734087
+-Node: Bibliography1759264
+-Ref: CBCATT1759403
+-Ref: GPGH1759581
+-Ref: GUTPKI1759704
+-Ref: PRNGATTACKS1759879
+-Ref: KEYPIN1760079
+-Ref: NISTSP800571760254
+-Ref: RFC74131760502
+-Ref: RFC79181760669
+-Ref: RFC61251760846
+-Ref: RFC76851761187
+-Ref: RFC76131761362
+-Ref: RFC22461761610
+-Ref: RFC60831761771
+-Ref: RFC44181762008
+-Ref: RFC46801762175
+-Ref: RFC76331762333
+-Ref: RFC79191762505
+-Ref: RFC45141762709
+-Ref: RFC43461762913
+-Ref: RFC43471763063
+-Ref: RFC52461763230
+-Ref: RFC24401763381
+-Ref: RFC48801763563
+-Ref: RFC42111763757
+-Ref: RFC28171763951
+-Ref: RFC28181764104
+-Ref: RFC29451764218
+-Ref: RFC73011764368
+-Ref: RFC29861764588
+-Ref: PKIX1764777
+-Ref: RFC37491765040
+-Ref: RFC38201765206
+-Ref: RFC65201765449
+-Ref: RFC57461765688
+-Ref: RFC52801765897
+-Ref: TLSTKT1766164
+-Ref: PKCS121766396
+-Ref: PKCS111766537
+-Ref: RESCORLA1766683
+-Ref: SELKEY1766779
+-Ref: SSL31766938
+-Ref: STEVENS1767129
+-Ref: TLSEXT1767237
+-Ref: TLSPGP1767454
+-Ref: TLSSRP1767619
+-Ref: TLSPSK1767816
+-Ref: TOMSRP1767985
+-Ref: WEGER1768098
+-Ref: ECRYPT1768290
+-Ref: RFC50561768495
+-Ref: RFC57641768648
+-Ref: RFC59291768936
+-Ref: PKCS11URI1769079
+-Ref: TPMURI1769215
+-Ref: ANDERSON1769409
+-Ref: RFC48211769555
+-Ref: RFC25601769708
+-Ref: RIVESTCRL1769902
+-Node: Function and Data Index1770263
+-Node: Concept Index1896190
++Ref: p11tool id313760
++Ref: p11tool mark-wrap314017
++Ref: p11tool mark-trusted314264
++Ref: p11tool mark-distrusted314628
++Ref: p11tool mark-decrypt315082
++Ref: p11tool mark-sign315359
++Ref: p11tool mark-ca315636
++Ref: p11tool mark-private315909
++Ref: p11tool ca316207
++Ref: p11tool private316341
++Ref: p11tool secret-key316496
++Ref: p11tool other-options316659
++Ref: p11tool debug316761
++Ref: p11tool so-login316902
++Ref: p11tool admin-login317146
++Ref: p11tool test-sign317287
++Ref: p11tool sign-params317581
++Ref: p11tool hash317921
++Ref: p11tool generate-random318217
++Ref: p11tool inder318391
++Ref: p11tool inraw318616
++Ref: p11tool outder318742
++Ref: p11tool outraw318994
++Ref: p11tool provider319127
++Ref: p11tool provider-opts319336
++Ref: p11tool batch319609
++Ref: p11tool exit status319762
++Ref: p11tool See Also319992
++Ref: p11tool Examples320040
++Node: Trusted Platform Module322461
++Ref: Trusted Platform Module-Footnote-1324254
++Ref: Trusted Platform Module-Footnote-2324302
++Node: Keys in TPM324359
++Node: Key generation325843
++Node: Using keys328111
++Node: tpmtool Invocation331756
++Ref: tpmtool usage332182
++Ref: tpmtool debug335494
++Ref: tpmtool generate-rsa335635
++Ref: tpmtool user335906
++Ref: tpmtool system336265
++Ref: tpmtool test-sign336619
++Ref: tpmtool sec-param336902
++Ref: tpmtool inder337228
++Ref: tpmtool outder337529
++Ref: tpmtool srk-well-known337748
++Ref: tpmtool exit status337904
++Ref: tpmtool See Also338134
++Ref: tpmtool Examples338195
++Node: How to use GnuTLS in applications338812
++Node: Introduction to the library339381
++Node: General idea339980
++Ref: fig-gnutls-design340829
++Ref: General idea-Footnote-1342134
++Node: Error handling342179
++Node: Common types344406
++Node: Debugging and auditing345740
++Ref: tab:environment346611
++Node: Thread safety349478
++Ref: Thread safety-Footnote-1351624
++Node: Running in a sandbox351836
++Node: Sessions and fork353230
++Node: Callback functions353782
++Node: Preparation354750
++Node: Headers355169
++Node: Initialization355458
++Ref: Initialization-Footnote-1356452
++Node: Version check356745
++Node: Building the source357620
++Node: Session initialization359731
++Ref: gnutls_init_flags_t361208
++Node: Associating the credentials368221
++Ref: tab:key-exchange-cred368997
++Node: Certificate credentials370128
++Node: Raw public-key credentials385713
++Node: SRP credentials387013
++Node: PSK credentials391911
++Node: Anonymous credentials395846
++Node: Setting up the transport layer396692
++Node: Asynchronous operation406245
++Node: Reducing round-trips410546
++Node: Zero-roundtrip mode413986
++Node: Anti-replay protection416191
++Node: DTLS sessions419836
++Ref: DTLS sessions-Footnote-1422140
++Node: DTLS and SCTP422217
++Node: TLS handshake423237
++Node: Data transfer and termination427155
++Node: Buffered data transfer436297
++Node: Handling alerts438098
++Node: Priority Strings441480
++Ref: tab:prio-keywords444080
++Ref: tab:prio-algorithms451158
++Ref: tab:prio-special1456588
++Ref: tab:prio-special2460435
++Ref: Priority Strings-Footnote-1467056
++Node: Selecting cryptographic key sizes467278
++Ref: tab:key-sizes467927
++Node: Advanced topics472676
++Node: Virtual hosts and credentials473174
++Node: Session resumption476499
++Node: Certificate verification484406
++Ref: dane_verify_status_t494127
++Node: TLS 1.2 re-authentication494532
++Node: TLS 1.3 re-authentication and re-key499389
++Node: Parameter generation501048
++Node: Deriving keys for other applications/protocols503695
++Node: Channel Bindings506925
++Node: Interoperability508464
++Node: Compatibility with the OpenSSL library509782
++Node: GnuTLS application examples510509
++Ref: examples510728
++Node: Client examples511021
++Node: Client example with X.509 certificate support511548
++Ref: ex-verify511786
++Node: Datagram TLS client example516830
++Node: Client using a smart card with TLS521235
++Ref: ex-pkcs11-client521472
++Node: Client with Resume capability example526767
++Ref: ex-resume-client527051
++Node: Client example with SSH-style certificate verification532238
++Node: Server examples536445
++Node: Echo server with X.509 authentication536799
++Node: DTLS echo server with X.509 authentication544523
++Node: More advanced client and servers558934
++Node: Client example with anonymous authentication559791
++Node: Using a callback to select the certificate to use563715
++Node: Obtaining session information570098
++Node: Advanced certificate verification example574311
++Ref: ex-verify2574587
++Node: Client example with PSK authentication580017
++Node: Client example with SRP authentication584383
++Node: Legacy client example with X.509 certificate support588667
++Ref: ex-verify-legacy588984
++Node: Client example in C++594937
++Node: Echo server with PSK authentication597509
++Node: Echo server with SRP authentication606240
++Node: Echo server with anonymous authentication613158
++Node: Helper functions for TCP connections618486
++Node: Helper functions for UDP connections620078
++Node: OCSP example621983
++Ref: Generate OCSP request622166
++Node: Miscellaneous examples631773
++Node: Checking for an alert632099
++Node: X.509 certificate parsing example633548
++Ref: ex-x509-info633805
++Node: Listing the ciphersuites in a priority string637834
++Node: PKCS12 structure generation example640151
++Node: System-wide configuration of the library644356
++Node: Application-specific priority strings646183
++Node: Disabling algorithms and protocols647631
++Node: Querying for disabled algorithms and protocols653128
++Node: Overriding the parameter verification profile654250
++Node: Overriding the default priority string655252
++Node: Using GnuTLS as a cryptographic library655869
++Ref: Using GnuTLS as a cryptographic library-Footnote-1656725
++Node: Symmetric algorithms656782
++Ref: gnutls_cipher_algorithm_t657542
++Ref: Symmetric algorithms-Footnote-1665972
++Node: Public key algorithms666057
++Node: Cryptographic Message Syntax / PKCS7670779
++Ref: gnutls_pkcs7_sign_flags674218
++Node: Hash and MAC functions675686
++Ref: gnutls_mac_algorithm_t676298
++Ref: gnutls_digest_algorithm_t679670
++Node: Random number generation680721
++Ref: gnutls_rnd_level_t681083
++Node: Overriding algorithms682190
++Node: Other included programs688508
++Node: gnutls-cli Invocation689079
++Ref: gnutls-cli usage689641
++Ref: gnutls-cli debug697391
++Ref: gnutls-cli tofu697532
++Ref: gnutls-cli strict-tofu697995
++Ref: gnutls-cli dane698397
++Ref: gnutls-cli local-dns698740
++Ref: gnutls-cli ca-verification699055
++Ref: gnutls-cli ocsp699410
++Ref: gnutls-cli resume699652
++Ref: gnutls-cli rehandshake699798
++Ref: gnutls-cli sni-hostname699965
++Ref: gnutls-cli verify-hostname700491
++Ref: gnutls-cli starttls700724
++Ref: gnutls-cli app-proto700908
++Ref: gnutls-cli starttls-proto701070
++Ref: gnutls-cli save-ocsp-multi701581
++Ref: gnutls-cli dh-bits702038
++Ref: gnutls-cli priority702389
++Ref: gnutls-cli rawpkkeyfile702767
++Ref: gnutls-cli rawpkfile703224
++Ref: gnutls-cli ranges703765
++Ref: gnutls-cli benchmark-ciphers704015
++Ref: gnutls-cli benchmark-tls-ciphers704333
++Ref: gnutls-cli list704652
++Ref: gnutls-cli priority-list705019
++Ref: gnutls-cli noticket705265
++Ref: gnutls-cli alpn705426
++Ref: gnutls-cli disable-extensions705735
++Ref: gnutls-cli single-key-share705967
++Ref: gnutls-cli post-handshake-auth706183
++Ref: gnutls-cli inline-commands706380
++Ref: gnutls-cli inline-commands-prefix706700
++Ref: gnutls-cli provider707103
++Ref: gnutls-cli logfile707300
++Ref: gnutls-cli waitresumption707657
++Ref: gnutls-cli ca-auto-retrieve707914
++Ref: gnutls-cli exit status708318
++Ref: gnutls-cli See Also708554
++Ref: gnutls-cli Examples708631
++Node: gnutls-serv Invocation712838
++Ref: gnutls-serv usage713315
++Ref: gnutls-serv debug718835
++Ref: gnutls-serv sni-hostname718976
++Ref: gnutls-serv alpn719308
++Ref: gnutls-serv require-client-cert719595
++Ref: gnutls-serv verify-client-cert719839
++Ref: gnutls-serv heartbeat720068
++Ref: gnutls-serv priority720219
++Ref: gnutls-serv x509keyfile720588
++Ref: gnutls-serv x509certfile721105
++Ref: gnutls-serv x509dsakeyfile721622
++Ref: gnutls-serv x509dsacertfile721786
++Ref: gnutls-serv x509ecckeyfile721953
++Ref: gnutls-serv x509ecccertfile722115
++Ref: gnutls-serv rawpkkeyfile722282
++Ref: gnutls-serv rawpkfile723101
++Ref: gnutls-serv ocsp-response723956
++Ref: gnutls-serv ignore-ocsp-response-errors724273
++Ref: gnutls-serv list724520
++Ref: gnutls-serv provider724758
++Ref: gnutls-serv exit status724955
++Ref: gnutls-serv See Also725193
++Ref: gnutls-serv Examples725271
++Node: gnutls-cli-debug Invocation730579
++Ref: gnutls-cli-debug usage731401
++Ref: gnutls-cli-debug debug733656
++Ref: gnutls-cli-debug app-proto733797
++Ref: gnutls-cli-debug starttls-proto733965
++Ref: gnutls-cli-debug exit status734344
++Ref: gnutls-cli-debug See Also734592
++Ref: gnutls-cli-debug Examples734675
++Node: Internal architecture of GnuTLS738172
++Node: The TLS Protocol738778
++Ref: fig-client-server739254
++Node: TLS Handshake Protocol739344
++Ref: fig-gnutls-handshake739786
++Ref: fig-gnutls-handshake-sequence740295
++Node: TLS Authentication Methods740393
++Ref: TLS Authentication Methods-Footnote-1742697
++Node: TLS Hello Extension Handling742763
++Node: Cryptographic Backend755865
++Ref: fig-crypto-layers756548
++Ref: Cryptographic Backend-Footnote-1759830
++Ref: Cryptographic Backend-Footnote-2759915
++Node: Random Number Generators-internals760023
++Node: FIPS140-2 mode767387
++Ref: gnutls_fips_mode_t770023
++Node: Upgrading from previous versions772170
++Node: Support786164
++Node: Getting help786412
++Node: Commercial Support787000
++Node: Bug Reports787271
++Node: Contributing788635
++Node: Certification790661
++Node: Error codes791125
++Node: Supported ciphersuites815758
++Ref: ciphersuites815931
++Node: API reference830975
++Node: Core TLS API831385
++Ref: gnutls_alert_get831612
++Ref: gnutls_alert_get_name832231
++Ref: gnutls_alert_get_strname832616
++Ref: gnutls_alert_send832951
++Ref: gnutls_alert_send_appropriate833829
++Ref: gnutls_alert_set_read_function834796
++Ref: gnutls_alpn_get_selected_protocol835180
++Ref: gnutls_alpn_set_protocols835844
++Ref: gnutls_anon_allocate_client_credentials836681
++Ref: gnutls_anon_allocate_server_credentials837066
++Ref: gnutls_anon_free_client_credentials837443
++Ref: gnutls_anon_free_server_credentials837732
++Ref: gnutls_anon_set_params_function838013
++Ref: gnutls_anon_set_server_dh_params838689
++Ref: gnutls_anon_set_server_known_dh_params839349
++Ref: gnutls_anon_set_server_params_function840258
++Ref: gnutls_anti_replay_deinit840921
++Ref: gnutls_anti_replay_enable841235
++Ref: gnutls_anti_replay_init841583
++Ref: gnutls_anti_replay_set_add_function842111
++Ref: gnutls_anti_replay_set_ptr843129
++Ref: gnutls_anti_replay_set_window843464
++Ref: gnutls_auth_client_get_type844232
++Ref: gnutls_auth_get_type844859
++Ref: gnutls_auth_server_get_type845671
++Ref: gnutls_base64_decode2846300
++Ref: gnutls_base64_encode2846856
++Ref: gnutls_buffer_append_data847476
++Ref: gnutls_bye847874
++Ref: gnutls_certificate_activation_time_peers849475
++Ref: gnutls_certificate_allocate_credentials849893
++Ref: gnutls_certificate_client_get_request_status850290
++Ref: gnutls_certificate_expiration_time_peers850698
++Ref: gnutls_certificate_free_ca_names851102
++Ref: gnutls_certificate_free_cas851771
++Ref: gnutls_certificate_free_credentials852174
++Ref: gnutls_certificate_free_crls852608
++Ref: gnutls_certificate_free_keys852908
++Ref: gnutls_certificate_get_crt_raw853342
++Ref: gnutls_certificate_get_issuer854413
++Ref: gnutls_certificate_get_ocsp_expiration855496
++Ref: gnutls_certificate_get_ours856667
++Ref: gnutls_certificate_get_peers857497
++Ref: gnutls_certificate_get_peers_subkey_id858620
++Ref: gnutls_certificate_get_verify_flags858976
++Ref: gnutls_certificate_get_x509_crt859389
++Ref: gnutls_certificate_get_x509_key861033
++Ref: gnutls_certificate_send_x509_rdn_sequence862348
++Ref: gnutls_certificate_server_set_request863055
++Ref: gnutls_certificate_set_dh_params863845
++Ref: gnutls_certificate_set_flags864664
++Ref: gnutls_certificate_set_known_dh_params865189
++Ref: gnutls_certificate_set_ocsp_status_request_file866117
++Ref: gnutls_certificate_set_ocsp_status_request_file2868023
++Ref: gnutls_certificate_set_ocsp_status_request_function869541
++Ref: gnutls_certificate_set_ocsp_status_request_function2871029
++Ref: gnutls_certificate_set_ocsp_status_request_mem872995
++Ref: gnutls_certificate_set_params_function874770
++Ref: gnutls_certificate_set_pin_function875467
++Ref: gnutls_certificate_set_rawpk_key_file876120
++Ref: gnutls_certificate_set_rawpk_key_mem879424
++Ref: gnutls_certificate_set_retrieve_function882571
++Ref: gnutls_certificate_set_verify_flags884701
++Ref: gnutls_certificate_set_verify_function885194
++Ref: gnutls_certificate_set_verify_limits886258
++Ref: gnutls_certificate_set_x509_crl886939
++Ref: gnutls_certificate_set_x509_crl_file887767
++Ref: gnutls_certificate_set_x509_crl_mem888548
++Ref: gnutls_certificate_set_x509_key889325
++Ref: gnutls_certificate_set_x509_key_file890993
++Ref: gnutls_certificate_set_x509_key_file2893229
++Ref: gnutls_certificate_set_x509_key_mem895763
++Ref: gnutls_certificate_set_x509_key_mem2897411
++Ref: gnutls_certificate_set_x509_simple_pkcs12_file899224
++Ref: gnutls_certificate_set_x509_simple_pkcs12_mem901354
++Ref: gnutls_certificate_set_x509_system_trust903454
++Ref: gnutls_certificate_set_x509_trust904024
++Ref: gnutls_certificate_set_x509_trust_dir905004
++Ref: gnutls_certificate_set_x509_trust_file905742
++Ref: gnutls_certificate_set_x509_trust_mem906918
++Ref: gnutls_certificate_type_get907861
++Ref: gnutls_certificate_type_get2908708
++Ref: gnutls_certificate_type_get_id910093
++Ref: gnutls_certificate_type_get_name910490
++Ref: gnutls_certificate_type_list910873
++Ref: gnutls_certificate_verification_status_print911227
++Ref: gnutls_certificate_verify_peers911985
++Ref: gnutls_certificate_verify_peers2914781
++Ref: gnutls_certificate_verify_peers3916696
++Ref: gnutls_check_version919006
++Ref: gnutls_cipher_get919748
++Ref: gnutls_cipher_get_id920053
++Ref: gnutls_cipher_get_key_size920435
++Ref: gnutls_cipher_get_name920799
++Ref: gnutls_cipher_list921146
++Ref: gnutls_cipher_suite_get_name921706
++Ref: gnutls_cipher_suite_info922574
++Ref: gnutls_credentials_clear923757
++Ref: gnutls_credentials_get923985
++Ref: gnutls_credentials_set924940
++Ref: gnutls_db_check_entry926304
++Ref: gnutls_db_check_entry_expire_time926761
++Ref: gnutls_db_check_entry_time927167
++Ref: gnutls_db_get_default_cache_expiration927558
++Ref: gnutls_db_get_ptr927753
++Ref: gnutls_db_remove_session928065
++Ref: gnutls_db_set_cache_expiration928602
++Ref: gnutls_db_set_ptr929023
++Ref: gnutls_db_set_remove_function929358
++Ref: gnutls_db_set_retrieve_function929861
++Ref: gnutls_db_set_store_function930547
++Ref: gnutls_deinit931014
++Ref: gnutls_dh_get_group931353
++Ref: gnutls_dh_get_peers_public_bits932205
++Ref: gnutls_dh_get_prime_bits932649
++Ref: gnutls_dh_get_pubkey933289
++Ref: gnutls_dh_get_secret_bits933987
++Ref: gnutls_dh_params_cpy934419
++Ref: gnutls_dh_params_deinit934927
++Ref: gnutls_dh_params_export2_pkcs3935168
++Ref: gnutls_dh_params_export_pkcs3935989
++Ref: gnutls_dh_params_export_raw937008
++Ref: gnutls_dh_params_generate2937761
++Ref: gnutls_dh_params_import_dsa939015
++Ref: gnutls_dh_params_import_pkcs3939492
++Ref: gnutls_dh_params_import_raw940231
++Ref: gnutls_dh_params_import_raw2940861
++Ref: gnutls_dh_params_import_raw3941575
++Ref: gnutls_dh_params_init942275
++Ref: gnutls_dh_set_prime_bits942606
++Ref: gnutls_digest_get_id943709
++Ref: gnutls_digest_get_name944135
++Ref: gnutls_digest_get_oid944481
++Ref: gnutls_digest_list944872
++Ref: gnutls_digest_mark_insecure945251
++Ref: gnutls_digest_mark_secure945570
++Ref: gnutls_early_cipher_get945923
++Ref: gnutls_early_prf_hash_get946296
++Ref: gnutls_ecc_curve_get946714
++Ref: gnutls_ecc_curve_get_id947115
++Ref: gnutls_ecc_curve_get_name947496
++Ref: gnutls_ecc_curve_get_oid947830
++Ref: gnutls_ecc_curve_get_pk948175
++Ref: gnutls_ecc_curve_get_size948479
++Ref: gnutls_ecc_curve_list948708
++Ref: gnutls_ecc_curve_mark_disabled949049
++Ref: gnutls_ecc_curve_mark_enabled949506
++Ref: gnutls_error_is_fatal949986
++Ref: gnutls_error_to_alert950788
++Ref: gnutls_est_record_overhead_size951520
++Ref: gnutls_ext_get_current_msg952428
++Ref: gnutls_ext_get_data953119
++Ref: gnutls_ext_get_name953634
++Ref: gnutls_ext_get_name2953952
++Ref: gnutls_ext_raw_parse954462
++Ref: gnutls_ext_register955612
++Ref: gnutls_ext_set_data957247
++Ref: gnutls_fingerprint957758
++Ref: gnutls_fips140_mode_enabled958764
++Ref: gnutls_fips140_set_mode959318
++Ref: gnutls_get_system_config_file960371
++Ref: gnutls_global_deinit960747
++Ref: gnutls_global_init961197
++Ref: gnutls_global_set_audit_log_function962472
++Ref: gnutls_global_set_log_function963179
++Ref: gnutls_global_set_log_level963687
++Ref: gnutls_global_set_mutex964175
++Ref: gnutls_global_set_time_function965277
++Ref: gnutls_gost_paramset_get_name965714
++Ref: gnutls_gost_paramset_get_oid966090
++Ref: gnutls_group_get966467
++Ref: gnutls_group_get_id966837
++Ref: gnutls_group_get_name967184
++Ref: gnutls_group_list967504
++Ref: gnutls_handshake967826
++Ref: gnutls_handshake_description_get_name969931
++Ref: gnutls_handshake_get_last_in970319
++Ref: gnutls_handshake_get_last_out970944
++Ref: gnutls_handshake_set_hook_function971576
++Ref: gnutls_handshake_set_max_packet_length972968
++Ref: gnutls_handshake_set_post_client_hello_function973753
++Ref: gnutls_handshake_set_private_extensions975079
++Ref: gnutls_handshake_set_random975758
++Ref: gnutls_handshake_set_read_function976478
++Ref: gnutls_handshake_set_secret_function976879
++Ref: gnutls_handshake_set_timeout977258
++Ref: gnutls_handshake_write977948
++Ref: gnutls_heartbeat_allowed978649
++Ref: gnutls_heartbeat_enable979123
++Ref: gnutls_heartbeat_get_timeout979961
++Ref: gnutls_heartbeat_ping980500
++Ref: gnutls_heartbeat_pong981632
++Ref: gnutls_heartbeat_set_timeouts982039
++Ref: gnutls_hex2bin982810
++Ref: gnutls_hex_decode983529
++Ref: gnutls_hex_decode2984255
++Ref: gnutls_hex_encode984684
++Ref: gnutls_hex_encode2985281
++Ref: gnutls_idna_map985796
++Ref: gnutls_idna_reverse_map986926
++Ref: gnutls_init987691
++Ref: gnutls_key_generate988519
++Ref: gnutls_kx_get988936
++Ref: gnutls_kx_get_id989522
++Ref: gnutls_kx_get_name989866
++Ref: gnutls_kx_list990211
++Ref: gnutls_load_file990539
++Ref: gnutls_mac_get991311
++Ref: gnutls_mac_get_id991616
++Ref: gnutls_mac_get_key_size992029
++Ref: gnutls_mac_get_name992366
++Ref: gnutls_mac_list992685
++Ref: gnutls_memcmp993073
++Ref: gnutls_memset993633
++Ref: gnutls_ocsp_status_request_enable_client994027
++Ref: gnutls_ocsp_status_request_get995038
++Ref: gnutls_ocsp_status_request_get2995700
++Ref: gnutls_ocsp_status_request_is_checked996695
++Ref: gnutls_oid_to_digest998083
++Ref: gnutls_oid_to_ecc_curve998492
++Ref: gnutls_oid_to_gost_paramset998818
++Ref: gnutls_oid_to_mac999229
++Ref: gnutls_oid_to_pk999642
++Ref: gnutls_oid_to_sign1000014
++Ref: gnutls_openpgp_send_cert1000418
++Ref: gnutls_packet_deinit1000720
++Ref: gnutls_packet_get1000994
++Ref: gnutls_pem_base64_decode1001499
++Ref: gnutls_pem_base64_decode21002354
++Ref: gnutls_pem_base64_encode1003349
++Ref: gnutls_pem_base64_encode21004178
++Ref: gnutls_perror1005114
++Ref: gnutls_pk_algorithm_get_name1005410
++Ref: gnutls_pk_bits_to_sec_param1005766
++Ref: gnutls_pk_get_id1006240
++Ref: gnutls_pk_get_name1006758
++Ref: gnutls_pk_get_oid1007126
++Ref: gnutls_pk_list1007525
++Ref: gnutls_pk_to_sign1007858
++Ref: gnutls_prf1008269
++Ref: gnutls_prf_early1010264
++Ref: gnutls_prf_hash_get1011919
++Ref: gnutls_prf_raw1012451
++Ref: gnutls_prf_rfc57051014335
++Ref: gnutls_priority_certificate_type_list1016012
++Ref: gnutls_priority_certificate_type_list21016708
++Ref: gnutls_priority_cipher_list1017324
++Ref: gnutls_priority_deinit1017711
++Ref: gnutls_priority_ecc_curve_list1017954
++Ref: gnutls_priority_get_cipher_suite_index1018486
++Ref: gnutls_priority_group_list1019402
++Ref: gnutls_priority_init1019783
++Ref: gnutls_priority_init21020863
++Ref: gnutls_priority_kx_list1025237
++Ref: gnutls_priority_mac_list1025642
++Ref: gnutls_priority_protocol_list1026047
++Ref: gnutls_priority_set1026449
++Ref: gnutls_priority_set_direct1027104
++Ref: gnutls_priority_sign_list1028037
++Ref: gnutls_priority_string_list1028453
++Ref: gnutls_protocol_get_id1029085
++Ref: gnutls_protocol_get_name1029401
++Ref: gnutls_protocol_get_version1029760
++Ref: gnutls_protocol_list1030058
++Ref: gnutls_protocol_mark_disabled1030410
++Ref: gnutls_protocol_mark_enabled1030727
++Ref: gnutls_psk_allocate_client_credentials1031103
++Ref: gnutls_psk_allocate_server_credentials1031523
++Ref: gnutls_psk_client_get_hint1031919
++Ref: gnutls_psk_free_client_credentials1032546
++Ref: gnutls_psk_free_server_credentials1032829
++Ref: gnutls_psk_server_get_username1033104
++Ref: gnutls_psk_server_get_username21033811
++Ref: gnutls_psk_set_client_credentials1034505
++Ref: gnutls_psk_set_client_credentials21035528
++Ref: gnutls_psk_set_client_credentials_function1036308
++Ref: gnutls_psk_set_client_credentials_function21037311
++Ref: gnutls_psk_set_params_function1038468
++Ref: gnutls_psk_set_server_credentials_file1039148
++Ref: gnutls_psk_set_server_credentials_function1040009
++Ref: gnutls_psk_set_server_credentials_function21040963
++Ref: gnutls_psk_set_server_credentials_hint1042086
++Ref: gnutls_psk_set_server_dh_params1042710
++Ref: gnutls_psk_set_server_known_dh_params1043395
++Ref: gnutls_psk_set_server_params_function1044292
++Ref: gnutls_random_art1044933
++Ref: gnutls_range_split1045795
++Ref: gnutls_reauth1046877
++Ref: gnutls_record_can_use_length_hiding1048979
++Ref: gnutls_record_check_corked1049730
++Ref: gnutls_record_check_pending1050113
++Ref: gnutls_record_cork1050524
++Ref: gnutls_record_disable_padding1050938
++Ref: gnutls_record_discard_queued1051546
++Ref: gnutls_record_get_direction1052163
++Ref: gnutls_record_get_max_early_data_size1053144
++Ref: gnutls_record_get_max_size1053696
++Ref: gnutls_record_get_state1054063
++Ref: gnutls_record_overhead_size1055085
++Ref: gnutls_record_recv1055472
++Ref: gnutls_record_recv_early_data1056922
++Ref: gnutls_record_recv_packet1057984
++Ref: gnutls_record_recv_seq1058863
++Ref: gnutls_record_send1059849
++Ref: gnutls_record_send21061907
++Ref: gnutls_record_send_early_data1063059
++Ref: gnutls_record_send_range1064115
++Ref: gnutls_record_set_max_early_data_size1065294
++Ref: gnutls_record_set_max_recv_size1065940
++Ref: gnutls_record_set_max_size1066644
++Ref: gnutls_record_set_state1067823
++Ref: gnutls_record_set_timeout1068481
++Ref: gnutls_record_uncork1069082
++Ref: gnutls_rehandshake1070022
++Ref: gnutls_safe_renegotiation_status1071804
++Ref: gnutls_sec_param_get_name1072219
++Ref: gnutls_sec_param_to_pk_bits1072593
++Ref: gnutls_sec_param_to_symmetric_bits1073263
++Ref: gnutls_server_name_get1073647
++Ref: gnutls_server_name_set1075119
++Ref: gnutls_session_channel_binding1076277
++Ref: gnutls_session_enable_compatibility_mode1076995
++Ref: gnutls_session_etm_status1077702
++Ref: gnutls_session_ext_master_secret_status1078105
++Ref: gnutls_session_ext_register1078596
++Ref: gnutls_session_force_valid1080858
++Ref: gnutls_session_get_data1081279
++Ref: gnutls_session_get_data21081939
++Ref: gnutls_session_get_desc1084212
++Ref: gnutls_session_get_flags1084734
++Ref: gnutls_session_get_id1085272
++Ref: gnutls_session_get_id21086795
++Ref: gnutls_session_get_keylog_function1088265
++Ref: gnutls_session_get_master_secret1088672
++Ref: gnutls_session_get_ptr1089156
++Ref: gnutls_session_get_random1089551
++Ref: gnutls_session_get_verify_cert_status1090172
++Ref: gnutls_session_is_resumed1090845
++Ref: gnutls_session_key_update1091215
++Ref: gnutls_session_resumption_requested1092163
++Ref: gnutls_session_set_data1092545
++Ref: gnutls_session_set_id1093386
++Ref: gnutls_session_set_keylog_function1094061
++Ref: gnutls_session_set_premaster1094460
++Ref: gnutls_session_set_ptr1095555
++Ref: gnutls_session_set_verify_cert1095955
++Ref: gnutls_session_set_verify_cert21097299
++Ref: gnutls_session_set_verify_function1098483
++Ref: gnutls_session_supplemental_register1099595
++Ref: gnutls_session_ticket_enable_client1100853
++Ref: gnutls_session_ticket_enable_server1101346
++Ref: gnutls_session_ticket_key_generate1102140
++Ref: gnutls_session_ticket_send1102568
++Ref: gnutls_set_default_priority1103152
++Ref: gnutls_set_default_priority_append1104237
++Ref: gnutls_sign_algorithm_get1105579
++Ref: gnutls_sign_algorithm_get_client1106022
++Ref: gnutls_sign_algorithm_get_requested1106489
++Ref: gnutls_sign_get_hash_algorithm1107516
++Ref: gnutls_sign_get_id1107928
++Ref: gnutls_sign_get_name1108291
++Ref: gnutls_sign_get_oid1108623
++Ref: gnutls_sign_get_pk_algorithm1109009
++Ref: gnutls_sign_is_secure1109616
++Ref: gnutls_sign_is_secure21109886
++Ref: gnutls_sign_list1110222
++Ref: gnutls_sign_mark_insecure1110566
++Ref: gnutls_sign_mark_secure1111163
++Ref: gnutls_sign_supports_pk_algorithm1111948
++Ref: gnutls_srp_allocate_client_credentials1112532
++Ref: gnutls_srp_allocate_server_credentials1112933
++Ref: gnutls_srp_base64_decode1113306
++Ref: gnutls_srp_base64_decode21114011
++Ref: gnutls_srp_base64_encode1114679
++Ref: gnutls_srp_base64_encode21115480
++Ref: gnutls_srp_free_client_credentials1116211
++Ref: gnutls_srp_free_server_credentials1116494
++Ref: gnutls_srp_server_get_username1116769
++Ref: gnutls_srp_set_client_credentials1117223
++Ref: gnutls_srp_set_client_credentials_function1118113
++Ref: gnutls_srp_set_prime_bits1119360
++Ref: gnutls_srp_set_server_credentials_file1120045
++Ref: gnutls_srp_set_server_credentials_function1120771
++Ref: gnutls_srp_set_server_fake_salt_seed1122486
++Ref: gnutls_srp_verifier1123989
++Ref: gnutls_srtp_get_keys1124917
++Ref: gnutls_srtp_get_mki1126311
++Ref: gnutls_srtp_get_profile_id1126880
++Ref: gnutls_srtp_get_profile_name1127338
++Ref: gnutls_srtp_get_selected_profile1127759
++Ref: gnutls_srtp_set_mki1128203
++Ref: gnutls_srtp_set_profile1128652
++Ref: gnutls_srtp_set_profile_direct1129184
++Ref: gnutls_store_commitment1129907
++Ref: gnutls_store_pubkey1131206
++Ref: gnutls_strerror1132993
++Ref: gnutls_strerror_name1133478
++Ref: gnutls_supplemental_get_name1133947
++Ref: gnutls_supplemental_recv1134369
++Ref: gnutls_supplemental_register1134839
++Ref: gnutls_supplemental_send1135951
++Ref: gnutls_system_recv_timeout1136396
++Ref: gnutls_tdb_deinit1137138
++Ref: gnutls_tdb_init1137353
++Ref: gnutls_tdb_set_store_commitment_func1137712
++Ref: gnutls_tdb_set_store_func1138393
++Ref: gnutls_tdb_set_verify_func1138982
++Ref: gnutls_transport_get_int1139726
++Ref: gnutls_transport_get_int21140134
++Ref: gnutls_transport_get_ptr1140637
++Ref: gnutls_transport_get_ptr21141053
++Ref: gnutls_transport_set_errno1141587
++Ref: gnutls_transport_set_errno_function1142574
++Ref: gnutls_transport_set_int1143111
++Ref: gnutls_transport_set_int21143665
++Ref: gnutls_transport_set_ptr1144394
++Ref: gnutls_transport_set_ptr21144807
++Ref: gnutls_transport_set_pull_function1145451
++Ref: gnutls_transport_set_pull_timeout_function1146231
++Ref: gnutls_transport_set_push_function1147934
++Ref: gnutls_transport_set_vec_push_function1148779
++Ref: gnutls_url_is_supported1149475
++Ref: gnutls_utf8_password_normalize1149895
++Ref: gnutls_verify_stored_pubkey1150684
++Node: Datagram TLS API1153831
++Ref: gnutls_dtls_cookie_send1154107
++Ref: gnutls_dtls_cookie_verify1155362
++Ref: gnutls_dtls_get_data_mtu1156306
++Ref: gnutls_dtls_get_mtu1156749
++Ref: gnutls_dtls_get_timeout1157192
++Ref: gnutls_dtls_prestate_set1157735
++Ref: gnutls_dtls_set_data_mtu1158319
++Ref: gnutls_dtls_set_mtu1159293
++Ref: gnutls_dtls_set_timeouts1159900
++Ref: gnutls_record_get_discarded1160904
++Node: X509 certificate API1161178
++Ref: gnutls_certificate_get_trust_list1161527
++Ref: gnutls_certificate_set_trust_list1162175
++Ref: gnutls_certificate_verification_profile_get_id1162950
++Ref: gnutls_certificate_verification_profile_get_name1163497
++Ref: gnutls_pkcs8_info1163880
++Ref: gnutls_pkcs_schema_get_name1165398
++Ref: gnutls_pkcs_schema_get_oid1165803
++Ref: gnutls_session_set_verify_output_function1166230
++Ref: gnutls_subject_alt_names_deinit1167387
++Ref: gnutls_subject_alt_names_get1167666
++Ref: gnutls_subject_alt_names_init1168676
++Ref: gnutls_subject_alt_names_set1169056
++Ref: gnutls_x509_aia_deinit1169875
++Ref: gnutls_x509_aia_get1170109
++Ref: gnutls_x509_aia_init1171268
++Ref: gnutls_x509_aia_set1171603
++Ref: gnutls_x509_aki_deinit1172398
++Ref: gnutls_x509_aki_get_cert_issuer1172662
++Ref: gnutls_x509_aki_get_id1173728
++Ref: gnutls_x509_aki_init1174267
++Ref: gnutls_x509_aki_set_cert_issuer1174616
++Ref: gnutls_x509_aki_set_id1175731
++Ref: gnutls_x509_cidr_to_rfc52801176160
++Ref: gnutls_x509_crl_check_issuer1177058
++Ref: gnutls_x509_crl_deinit1177506
++Ref: gnutls_x509_crl_dist_points_deinit1177738
++Ref: gnutls_x509_crl_dist_points_get1178033
++Ref: gnutls_x509_crl_dist_points_init1179007
++Ref: gnutls_x509_crl_dist_points_set1179403
++Ref: gnutls_x509_crl_export1180106
++Ref: gnutls_x509_crl_export21180989
++Ref: gnutls_x509_crl_get_authority_key_gn_serial1181709
++Ref: gnutls_x509_crl_get_authority_key_id1183023
++Ref: gnutls_x509_crl_get_crt_count1184086
++Ref: gnutls_x509_crl_get_crt_serial1184444
++Ref: gnutls_x509_crl_get_dn_oid1185348
++Ref: gnutls_x509_crl_get_extension_data1186154
++Ref: gnutls_x509_crl_get_extension_data21187271
++Ref: gnutls_x509_crl_get_extension_info1188150
++Ref: gnutls_x509_crl_get_extension_oid1189414
++Ref: gnutls_x509_crl_get_issuer_dn1190266
++Ref: gnutls_x509_crl_get_issuer_dn21191267
++Ref: gnutls_x509_crl_get_issuer_dn31192101
++Ref: gnutls_x509_crl_get_issuer_dn_by_oid1193079
++Ref: gnutls_x509_crl_get_next_update1194590
++Ref: gnutls_x509_crl_get_number1195024
++Ref: gnutls_x509_crl_get_raw_issuer_dn1195749
++Ref: gnutls_x509_crl_get_signature1196203
++Ref: gnutls_x509_crl_get_signature_algorithm1196750
++Ref: gnutls_x509_crl_get_signature_oid1197312
++Ref: gnutls_x509_crl_get_this_update1197973
++Ref: gnutls_x509_crl_get_version1198298
++Ref: gnutls_x509_crl_import1198606
++Ref: gnutls_x509_crl_init1199230
++Ref: gnutls_x509_crl_iter_crt_serial1199819
++Ref: gnutls_x509_crl_iter_deinit1200965
++Ref: gnutls_x509_crl_list_import1201210
++Ref: gnutls_x509_crl_list_import21202212
++Ref: gnutls_x509_crl_print1203078
++Ref: gnutls_x509_crl_set_authority_key_id1203727
++Ref: gnutls_x509_crl_set_crt1204380
++Ref: gnutls_x509_crl_set_crt_serial1204953
++Ref: gnutls_x509_crl_set_next_update1205585
++Ref: gnutls_x509_crl_set_number1206202
++Ref: gnutls_x509_crl_set_this_update1206779
++Ref: gnutls_x509_crl_set_version1207183
++Ref: gnutls_x509_crl_sign1207726
++Ref: gnutls_x509_crl_sign21208419
++Ref: gnutls_x509_crl_verify1209655
++Ref: gnutls_x509_crq_deinit1210899
++Ref: gnutls_x509_crq_export1211137
++Ref: gnutls_x509_crq_export21212134
++Ref: gnutls_x509_crq_get_attribute_by_oid1212908
++Ref: gnutls_x509_crq_get_attribute_data1213933
++Ref: gnutls_x509_crq_get_attribute_info1215045
++Ref: gnutls_x509_crq_get_basic_constraints1216242
++Ref: gnutls_x509_crq_get_challenge_password1217495
++Ref: gnutls_x509_crq_get_dn1218107
++Ref: gnutls_x509_crq_get_dn21219056
++Ref: gnutls_x509_crq_get_dn31219913
++Ref: gnutls_x509_crq_get_dn_by_oid1220921
++Ref: gnutls_x509_crq_get_dn_oid1222382
++Ref: gnutls_x509_crq_get_extension_by_oid1223169
++Ref: gnutls_x509_crq_get_extension_by_oid21224326
++Ref: gnutls_x509_crq_get_extension_data1225408
++Ref: gnutls_x509_crq_get_extension_data21226538
++Ref: gnutls_x509_crq_get_extension_info1227417
++Ref: gnutls_x509_crq_get_key_id1228678
++Ref: gnutls_x509_crq_get_key_purpose_oid1229745
++Ref: gnutls_x509_crq_get_key_rsa_raw1230760
++Ref: gnutls_x509_crq_get_key_usage1231384
++Ref: gnutls_x509_crq_get_pk_algorithm1232470
++Ref: gnutls_x509_crq_get_pk_oid1233191
++Ref: gnutls_x509_crq_get_private_key_usage_period1233848
++Ref: gnutls_x509_crq_get_signature_algorithm1234563
++Ref: gnutls_x509_crq_get_signature_oid1235202
++Ref: gnutls_x509_crq_get_spki1235863
++Ref: gnutls_x509_crq_get_subject_alt_name1236423
++Ref: gnutls_x509_crq_get_subject_alt_othername_oid1237981
++Ref: gnutls_x509_crq_get_tlsfeatures1239461
++Ref: gnutls_x509_crq_get_version1240590
++Ref: gnutls_x509_crq_import1240936
++Ref: gnutls_x509_crq_init1241618
++Ref: gnutls_x509_crq_print1241966
++Ref: gnutls_x509_crq_set_attribute_by_oid1242622
++Ref: gnutls_x509_crq_set_basic_constraints1243487
++Ref: gnutls_x509_crq_set_challenge_password1244231
++Ref: gnutls_x509_crq_set_dn1244682
++Ref: gnutls_x509_crq_set_dn_by_oid1245300
++Ref: gnutls_x509_crq_set_extension_by_oid1246430
++Ref: gnutls_x509_crq_set_key1247209
++Ref: gnutls_x509_crq_set_key_purpose_oid1247672
++Ref: gnutls_x509_crq_set_key_rsa_raw1248452
++Ref: gnutls_x509_crq_set_key_usage1249028
++Ref: gnutls_x509_crq_set_private_key_usage_period1249532
++Ref: gnutls_x509_crq_set_spki1250037
++Ref: gnutls_x509_crq_set_subject_alt_name1250908
++Ref: gnutls_x509_crq_set_subject_alt_othername1251734
++Ref: gnutls_x509_crq_set_tlsfeatures1252572
++Ref: gnutls_x509_crq_set_version1253122
++Ref: gnutls_x509_crq_sign1253607
++Ref: gnutls_x509_crq_sign21254378
++Ref: gnutls_x509_crq_verify1255710
++Ref: gnutls_x509_crt_check_email1256303
++Ref: gnutls_x509_crt_check_hostname1256831
++Ref: gnutls_x509_crt_check_hostname21257543
++Ref: gnutls_x509_crt_check_ip1259294
++Ref: gnutls_x509_crt_check_issuer1259908
++Ref: gnutls_x509_crt_check_key_purpose1260646
++Ref: gnutls_x509_crt_check_revocation1261340
++Ref: gnutls_x509_crt_cpy_crl_dist_points1261989
++Ref: gnutls_x509_crt_deinit1262578
++Ref: gnutls_x509_crt_equals1262796
++Ref: gnutls_x509_crt_equals21263178
++Ref: gnutls_x509_crt_export1263602
++Ref: gnutls_x509_crt_export21264513
++Ref: gnutls_x509_crt_get_activation_time1265211
++Ref: gnutls_x509_crt_get_authority_info_access1265589
++Ref: gnutls_x509_crt_get_authority_key_gn_serial1269063
++Ref: gnutls_x509_crt_get_authority_key_id1270504
++Ref: gnutls_x509_crt_get_basic_constraints1271635
++Ref: gnutls_x509_crt_get_ca_status1272849
++Ref: gnutls_x509_crt_get_crl_dist_points1273848
++Ref: gnutls_x509_crt_get_dn1275173
++Ref: gnutls_x509_crt_get_dn21276368
++Ref: gnutls_x509_crt_get_dn31277177
++Ref: gnutls_x509_crt_get_dn_by_oid1278137
++Ref: gnutls_x509_crt_get_dn_oid1279906
++Ref: gnutls_x509_crt_get_expiration_time1280934
++Ref: gnutls_x509_crt_get_extension_by_oid1281300
++Ref: gnutls_x509_crt_get_extension_by_oid21282427
++Ref: gnutls_x509_crt_get_extension_data1283500
++Ref: gnutls_x509_crt_get_extension_data21284589
++Ref: gnutls_x509_crt_get_extension_info1285454
++Ref: gnutls_x509_crt_get_extension_oid1286866
++Ref: gnutls_x509_crt_get_fingerprint1287829
++Ref: gnutls_x509_crt_get_inhibit_anypolicy1288717
++Ref: gnutls_x509_crt_get_issuer1289686
++Ref: gnutls_x509_crt_get_issuer_alt_name1290324
++Ref: gnutls_x509_crt_get_issuer_alt_name21292124
++Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1293706
++Ref: gnutls_x509_crt_get_issuer_dn1295355
++Ref: gnutls_x509_crt_get_issuer_dn21296476
++Ref: gnutls_x509_crt_get_issuer_dn31297323
++Ref: gnutls_x509_crt_get_issuer_dn_by_oid1298314
++Ref: gnutls_x509_crt_get_issuer_dn_oid1300101
++Ref: gnutls_x509_crt_get_issuer_unique_id1301137
++Ref: gnutls_x509_crt_get_key_id1302232
++Ref: gnutls_x509_crt_get_key_purpose_oid1303255
++Ref: gnutls_x509_crt_get_key_usage1304416
++Ref: gnutls_x509_crt_get_name_constraints1305476
++Ref: gnutls_x509_crt_get_pk_algorithm1306884
++Ref: gnutls_x509_crt_get_pk_dsa_raw1307673
++Ref: gnutls_x509_crt_get_pk_ecc_raw1308341
++Ref: gnutls_x509_crt_get_pk_gost_raw1309154
++Ref: gnutls_x509_crt_get_pk_oid1309998
++Ref: gnutls_x509_crt_get_pk_rsa_raw1310624
++Ref: gnutls_x509_crt_get_policy1311202
++Ref: gnutls_x509_crt_get_private_key_usage_period1312148
++Ref: gnutls_x509_crt_get_proxy1312900
++Ref: gnutls_x509_crt_get_raw_dn1313921
++Ref: gnutls_x509_crt_get_raw_issuer_dn1314514
++Ref: gnutls_x509_crt_get_serial1315093
++Ref: gnutls_x509_crt_get_signature1315833
++Ref: gnutls_x509_crt_get_signature_algorithm1316388
++Ref: gnutls_x509_crt_get_signature_oid1317001
++Ref: gnutls_x509_crt_get_spki1317659
++Ref: gnutls_x509_crt_get_subject1318145
++Ref: gnutls_x509_crt_get_subject_alt_name1318788
++Ref: gnutls_x509_crt_get_subject_alt_name21320547
++Ref: gnutls_x509_crt_get_subject_alt_othername_oid1322112
++Ref: gnutls_x509_crt_get_subject_key_id1323752
++Ref: gnutls_x509_crt_get_subject_unique_id1324584
++Ref: gnutls_x509_crt_get_tlsfeatures1325669
++Ref: gnutls_x509_crt_get_version1326781
++Ref: gnutls_x509_crt_import1327108
++Ref: gnutls_x509_crt_import_url1327809
++Ref: gnutls_x509_crt_init1328530
++Ref: gnutls_x509_crt_list_import1328877
++Ref: gnutls_x509_crt_list_import21330244
++Ref: gnutls_x509_crt_list_import_url1331316
++Ref: gnutls_x509_crt_list_verify1332540
++Ref: gnutls_x509_crt_print1334120
++Ref: gnutls_x509_crt_set_activation_time1335012
++Ref: gnutls_x509_crt_set_authority_info_access1335479
++Ref: gnutls_x509_crt_set_authority_key_id1336374
++Ref: gnutls_x509_crt_set_basic_constraints1336956
++Ref: gnutls_x509_crt_set_ca_status1337655
++Ref: gnutls_x509_crt_set_crl_dist_points1338253
++Ref: gnutls_x509_crt_set_crl_dist_points21338905
++Ref: gnutls_x509_crt_set_crq1339604
++Ref: gnutls_x509_crt_set_crq_extension_by_oid1340321
++Ref: gnutls_x509_crt_set_crq_extensions1340957
++Ref: gnutls_x509_crt_set_dn1341423
++Ref: gnutls_x509_crt_set_dn_by_oid1342306
++Ref: gnutls_x509_crt_set_expiration_time1343423
++Ref: gnutls_x509_crt_set_extension_by_oid1343968
++Ref: gnutls_x509_crt_set_flags1344743
++Ref: gnutls_x509_crt_set_inhibit_anypolicy1345251
++Ref: gnutls_x509_crt_set_issuer_alt_name1345761
++Ref: gnutls_x509_crt_set_issuer_alt_othername1346783
++Ref: gnutls_x509_crt_set_issuer_dn1347759
++Ref: gnutls_x509_crt_set_issuer_dn_by_oid1348398
++Ref: gnutls_x509_crt_set_issuer_unique_id1349677
++Ref: gnutls_x509_crt_set_key1350182
++Ref: gnutls_x509_crt_set_key_purpose_oid1350762
++Ref: gnutls_x509_crt_set_key_usage1351530
++Ref: gnutls_x509_crt_set_name_constraints1351989
++Ref: gnutls_x509_crt_set_pin_function1352611
++Ref: gnutls_x509_crt_set_policy1353279
++Ref: gnutls_x509_crt_set_private_key_usage_period1354132
++Ref: gnutls_x509_crt_set_proxy1354639
++Ref: gnutls_x509_crt_set_proxy_dn1355453
++Ref: gnutls_x509_crt_set_serial1356472
++Ref: gnutls_x509_crt_set_spki1357532
++Ref: gnutls_x509_crt_set_subject_alt_name1358387
++Ref: gnutls_x509_crt_set_subject_alt_othername1359627
++Ref: gnutls_x509_crt_set_subject_alternative_name1360635
++Ref: gnutls_x509_crt_set_subject_key_id1361533
++Ref: gnutls_x509_crt_set_subject_unique_id1362053
++Ref: gnutls_x509_crt_set_tlsfeatures1362576
++Ref: gnutls_x509_crt_set_version1363100
++Ref: gnutls_x509_crt_sign1363923
++Ref: gnutls_x509_crt_sign21364618
++Ref: gnutls_x509_crt_verify1365851
++Ref: gnutls_x509_crt_verify_data21366900
++Ref: gnutls_x509_dn_deinit1367904
++Ref: gnutls_x509_dn_export1368166
++Ref: gnutls_x509_dn_export21369060
++Ref: gnutls_x509_dn_get_rdn_ava1369721
++Ref: gnutls_x509_dn_get_str1370753
++Ref: gnutls_x509_dn_get_str21371349
++Ref: gnutls_x509_dn_import1372211
++Ref: gnutls_x509_dn_init1372827
++Ref: gnutls_x509_dn_oid_known1373248
++Ref: gnutls_x509_dn_oid_name1373917
++Ref: gnutls_x509_dn_set_str1374446
++Ref: gnutls_x509_ext_deinit1375045
++Ref: gnutls_x509_ext_export_aia1375289
++Ref: gnutls_x509_ext_export_authority_key_id1375883
++Ref: gnutls_x509_ext_export_basic_constraints1376539
++Ref: gnutls_x509_ext_export_crl_dist_points1377236
++Ref: gnutls_x509_ext_export_inhibit_anypolicy1377904
++Ref: gnutls_x509_ext_export_key_purposes1378572
++Ref: gnutls_x509_ext_export_key_usage1379191
++Ref: gnutls_x509_ext_export_name_constraints1379807
++Ref: gnutls_x509_ext_export_policies1380448
++Ref: gnutls_x509_ext_export_private_key_usage_period1381111
++Ref: gnutls_x509_ext_export_proxy1381776
++Ref: gnutls_x509_ext_export_subject_alt_names1382762
++Ref: gnutls_x509_ext_export_subject_key_id1383411
++Ref: gnutls_x509_ext_export_tlsfeatures1384033
++Ref: gnutls_x509_ext_import_aia1384651
++Ref: gnutls_x509_ext_import_authority_key_id1385356
++Ref: gnutls_x509_ext_import_basic_constraints1386024
++Ref: gnutls_x509_ext_import_crl_dist_points1386650
++Ref: gnutls_x509_ext_import_inhibit_anypolicy1387278
++Ref: gnutls_x509_ext_import_key_purposes1388193
++Ref: gnutls_x509_ext_import_key_usage1388827
++Ref: gnutls_x509_ext_import_name_constraints1389843
++Ref: gnutls_x509_ext_import_policies1391181
++Ref: gnutls_x509_ext_import_private_key_usage_period1391788
++Ref: gnutls_x509_ext_import_proxy1392403
++Ref: gnutls_x509_ext_import_subject_alt_names1393489
++Ref: gnutls_x509_ext_import_subject_key_id1394247
++Ref: gnutls_x509_ext_import_tlsfeatures1394882
++Ref: gnutls_x509_ext_print1395774
++Ref: gnutls_x509_key_purpose_deinit1396485
++Ref: gnutls_x509_key_purpose_get1396739
++Ref: gnutls_x509_key_purpose_init1397467
++Ref: gnutls_x509_key_purpose_set1397828
++Ref: gnutls_x509_name_constraints_add_excluded1398283
++Ref: gnutls_x509_name_constraints_add_permitted1399224
++Ref: gnutls_x509_name_constraints_check1400099
++Ref: gnutls_x509_name_constraints_check_crt1400936
++Ref: gnutls_x509_name_constraints_deinit1401806
++Ref: gnutls_x509_name_constraints_get_excluded1402106
++Ref: gnutls_x509_name_constraints_get_permitted1403177
++Ref: gnutls_x509_name_constraints_init1404231
++Ref: gnutls_x509_othername_to_virtual1404614
++Ref: gnutls_x509_policies_deinit1405233
++Ref: gnutls_x509_policies_get1405513
++Ref: gnutls_x509_policies_init1406299
++Ref: gnutls_x509_policies_set1406664
++Ref: gnutls_x509_policy_release1407131
++Ref: gnutls_x509_privkey_cpy1407495
++Ref: gnutls_x509_privkey_deinit1407965
++Ref: gnutls_x509_privkey_export1408206
++Ref: gnutls_x509_privkey_export21409241
++Ref: gnutls_x509_privkey_export2_pkcs81410119
++Ref: gnutls_x509_privkey_export_dsa_raw1411395
++Ref: gnutls_x509_privkey_export_ecc_raw1412135
++Ref: gnutls_x509_privkey_export_gost_raw1413018
++Ref: gnutls_x509_privkey_export_pkcs81414103
++Ref: gnutls_x509_privkey_export_rsa_raw1415608
++Ref: gnutls_x509_privkey_export_rsa_raw21416469
++Ref: gnutls_x509_privkey_fix1417455
++Ref: gnutls_x509_privkey_generate1417840
++Ref: gnutls_x509_privkey_generate21419365
++Ref: gnutls_x509_privkey_get_key_id1421524
++Ref: gnutls_x509_privkey_get_pk_algorithm1422543
++Ref: gnutls_x509_privkey_get_pk_algorithm21422971
++Ref: gnutls_x509_privkey_get_seed1423462
++Ref: gnutls_x509_privkey_get_spki1424286
++Ref: gnutls_x509_privkey_import1424821
++Ref: gnutls_x509_privkey_import21425616
++Ref: gnutls_x509_privkey_import_dsa_raw1426689
++Ref: gnutls_x509_privkey_import_ecc_raw1427421
++Ref: gnutls_x509_privkey_import_gost_raw1428237
++Ref: gnutls_x509_privkey_import_openssl1429513
++Ref: gnutls_x509_privkey_import_pkcs81430387
++Ref: gnutls_x509_privkey_import_rsa_raw1431834
++Ref: gnutls_x509_privkey_import_rsa_raw21432688
++Ref: gnutls_x509_privkey_init1433684
++Ref: gnutls_x509_privkey_sec_param1434029
++Ref: gnutls_x509_privkey_set_flags1434448
++Ref: gnutls_x509_privkey_set_pin_function1434998
++Ref: gnutls_x509_privkey_set_spki1435616
++Ref: gnutls_x509_privkey_sign_data1436163
++Ref: gnutls_x509_privkey_verify_params1437384
++Ref: gnutls_x509_privkey_verify_seed1437720
++Ref: gnutls_x509_rdn_get1438549
++Ref: gnutls_x509_rdn_get21439367
++Ref: gnutls_x509_rdn_get_by_oid1440275
++Ref: gnutls_x509_rdn_get_oid1441257
++Ref: gnutls_x509_spki_deinit1442002
++Ref: gnutls_x509_spki_get_rsa_pss_params1442284
++Ref: gnutls_x509_spki_init1442845
++Ref: gnutls_x509_spki_set_rsa_pss_params1443361
++Ref: gnutls_x509_tlsfeatures_add1443874
++Ref: gnutls_x509_tlsfeatures_check_crt1444330
++Ref: gnutls_x509_tlsfeatures_deinit1444930
++Ref: gnutls_x509_tlsfeatures_get1445208
++Ref: gnutls_x509_tlsfeatures_init1445768
++Ref: gnutls_x509_trust_list_add_cas1446153
++Ref: gnutls_x509_trust_list_add_crls1447338
++Ref: gnutls_x509_trust_list_add_named_crt1448716
++Ref: gnutls_x509_trust_list_add_system_trust1449931
++Ref: gnutls_x509_trust_list_add_trust_dir1450693
++Ref: gnutls_x509_trust_list_add_trust_file1451556
++Ref: gnutls_x509_trust_list_add_trust_mem1452703
++Ref: gnutls_x509_trust_list_deinit1453622
++Ref: gnutls_x509_trust_list_get_issuer1454248
++Ref: gnutls_x509_trust_list_get_issuer_by_dn1455298
++Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1456027
++Ref: gnutls_x509_trust_list_get_ptr1456835
++Ref: gnutls_x509_trust_list_init1457348
++Ref: gnutls_x509_trust_list_iter_deinit1457853
++Ref: gnutls_x509_trust_list_iter_get_ca1458162
++Ref: gnutls_x509_trust_list_remove_cas1459342
++Ref: gnutls_x509_trust_list_remove_trust_file1460197
++Ref: gnutls_x509_trust_list_remove_trust_mem1460898
++Ref: gnutls_x509_trust_list_set_getissuer_function1461556
++Ref: gnutls_x509_trust_list_set_ptr1463189
++Ref: gnutls_x509_trust_list_verify_crt1463727
++Ref: gnutls_x509_trust_list_verify_crt21464890
++Ref: gnutls_x509_trust_list_verify_named_crt1467824
++Node: PKCS 7 API1470552
++Ref: gnutls_pkcs7_add_attr1470848
++Ref: gnutls_pkcs7_attrs_deinit1471654
++Ref: gnutls_pkcs7_deinit1471889
++Ref: gnutls_pkcs7_delete_crl1472094
++Ref: gnutls_pkcs7_delete_crt1472523
++Ref: gnutls_pkcs7_export1472969
++Ref: gnutls_pkcs7_export21473869
++Ref: gnutls_pkcs7_get_attr1474530
++Ref: gnutls_pkcs7_get_crl_count1475417
++Ref: gnutls_pkcs7_get_crl_raw1475765
++Ref: gnutls_pkcs7_get_crl_raw21476540
++Ref: gnutls_pkcs7_get_crt_count1477171
++Ref: gnutls_pkcs7_get_crt_raw1477546
++Ref: gnutls_pkcs7_get_crt_raw21478446
++Ref: gnutls_pkcs7_get_embedded_data1479300
++Ref: gnutls_pkcs7_get_embedded_data_oid1480300
++Ref: gnutls_pkcs7_get_signature_count1480860
++Ref: gnutls_pkcs7_get_signature_info1481267
++Ref: gnutls_pkcs7_import1481940
++Ref: gnutls_pkcs7_init1482561
++Ref: gnutls_pkcs7_print1482985
++Ref: gnutls_pkcs7_print_signature_info1483730
++Ref: gnutls_pkcs7_set_crl1484535
++Ref: gnutls_pkcs7_set_crl_raw1484936
++Ref: gnutls_pkcs7_set_crt1485326
++Ref: gnutls_pkcs7_set_crt_raw1485810
++Ref: gnutls_pkcs7_sign1486223
++Ref: gnutls_pkcs7_signature_info_deinit1487662
++Ref: gnutls_pkcs7_verify1488015
++Ref: gnutls_pkcs7_verify_direct1489180
++Node: OCSP API1490640
++Ref: gnutls_ocsp_req_add_cert1490924
++Ref: gnutls_ocsp_req_add_cert_id1491884
++Ref: gnutls_ocsp_req_deinit1493204
++Ref: gnutls_ocsp_req_export1493421
++Ref: gnutls_ocsp_req_get_cert_id1493846
++Ref: gnutls_ocsp_req_get_extension1495438
++Ref: gnutls_ocsp_req_get_nonce1496854
++Ref: gnutls_ocsp_req_get_version1497508
++Ref: gnutls_ocsp_req_import1497895
++Ref: gnutls_ocsp_req_init1498391
++Ref: gnutls_ocsp_req_print1498719
++Ref: gnutls_ocsp_req_randomize_nonce1499455
++Ref: gnutls_ocsp_req_set_extension1499888
++Ref: gnutls_ocsp_req_set_nonce1500572
++Ref: gnutls_ocsp_resp_check_crt1501159
++Ref: gnutls_ocsp_resp_deinit1501743
++Ref: gnutls_ocsp_resp_export1501967
++Ref: gnutls_ocsp_resp_export21502393
++Ref: gnutls_ocsp_resp_get_certs1502913
++Ref: gnutls_ocsp_resp_get_extension1504038
++Ref: gnutls_ocsp_resp_get_nonce1505462
++Ref: gnutls_ocsp_resp_get_produced1506128
++Ref: gnutls_ocsp_resp_get_responder1506475
++Ref: gnutls_ocsp_resp_get_responder21507580
++Ref: gnutls_ocsp_resp_get_responder_raw_id1508843
++Ref: gnutls_ocsp_resp_get_response1509674
++Ref: gnutls_ocsp_resp_get_signature1510900
++Ref: gnutls_ocsp_resp_get_signature_algorithm1511389
++Ref: gnutls_ocsp_resp_get_single1511867
++Ref: gnutls_ocsp_resp_get_status1513809
++Ref: gnutls_ocsp_resp_get_version1514238
++Ref: gnutls_ocsp_resp_import1514646
++Ref: gnutls_ocsp_resp_import21515214
++Ref: gnutls_ocsp_resp_init1515842
++Ref: gnutls_ocsp_resp_list_import21516191
++Ref: gnutls_ocsp_resp_print1517382
++Ref: gnutls_ocsp_resp_verify1518108
++Ref: gnutls_ocsp_resp_verify_direct1519725
++Node: PKCS 12 API1522158
++Ref: gnutls_pkcs12_bag_decrypt1522448
++Ref: gnutls_pkcs12_bag_deinit1522880
++Ref: gnutls_pkcs12_bag_enc_info1523118
++Ref: gnutls_pkcs12_bag_encrypt1524491
++Ref: gnutls_pkcs12_bag_get_count1524996
++Ref: gnutls_pkcs12_bag_get_data1525307
++Ref: gnutls_pkcs12_bag_get_friendly_name1525913
++Ref: gnutls_pkcs12_bag_get_key_id1526550
++Ref: gnutls_pkcs12_bag_get_type1527169
++Ref: gnutls_pkcs12_bag_init1527539
++Ref: gnutls_pkcs12_bag_set_crl1527997
++Ref: gnutls_pkcs12_bag_set_crt1528430
++Ref: gnutls_pkcs12_bag_set_data1528876
++Ref: gnutls_pkcs12_bag_set_friendly_name1529347
++Ref: gnutls_pkcs12_bag_set_key_id1530031
++Ref: gnutls_pkcs12_bag_set_privkey1530705
++Ref: gnutls_pkcs12_deinit1531361
++Ref: gnutls_pkcs12_export1531563
++Ref: gnutls_pkcs12_export21532470
++Ref: gnutls_pkcs12_generate_mac1533146
++Ref: gnutls_pkcs12_generate_mac21533537
++Ref: gnutls_pkcs12_get_bag1533981
++Ref: gnutls_pkcs12_import1534567
++Ref: gnutls_pkcs12_init1535288
++Ref: gnutls_pkcs12_mac_info1535721
++Ref: gnutls_pkcs12_set_bag1537030
++Ref: gnutls_pkcs12_simple_parse1537436
++Ref: gnutls_pkcs12_verify_mac1540117
++Node: PKCS 11 API1540473
++Ref: gnutls_pkcs11_add_provider1540802
++Ref: gnutls_pkcs11_copy_attached_extension1541547
++Ref: gnutls_pkcs11_copy_pubkey1542406
++Ref: gnutls_pkcs11_copy_secret_key1543439
++Ref: gnutls_pkcs11_copy_x509_crt1544164
++Ref: gnutls_pkcs11_copy_x509_crt21544812
++Ref: gnutls_pkcs11_copy_x509_privkey1545780
++Ref: gnutls_pkcs11_copy_x509_privkey21546597
++Ref: gnutls_pkcs11_crt_is_known1547542
++Ref: gnutls_pkcs11_deinit1548678
++Ref: gnutls_pkcs11_delete_url1548995
++Ref: gnutls_pkcs11_get_pin_function1549511
++Ref: gnutls_pkcs11_get_raw_issuer1549894
++Ref: gnutls_pkcs11_get_raw_issuer_by_dn1550804
++Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1551843
++Ref: gnutls_pkcs11_init1552954
++Ref: gnutls_pkcs11_obj_deinit1553996
++Ref: gnutls_pkcs11_obj_export1554242
++Ref: gnutls_pkcs11_obj_export21555087
++Ref: gnutls_pkcs11_obj_export31555684
++Ref: gnutls_pkcs11_obj_export_url1556357
++Ref: gnutls_pkcs11_obj_flags_get_str1556884
++Ref: gnutls_pkcs11_obj_get_exts1557363
++Ref: gnutls_pkcs11_obj_get_flags1558299
++Ref: gnutls_pkcs11_obj_get_info1558836
++Ref: gnutls_pkcs11_obj_get_ptr1560100
++Ref: gnutls_pkcs11_obj_get_type1561009
++Ref: gnutls_pkcs11_obj_import_url1561359
++Ref: gnutls_pkcs11_obj_init1562279
++Ref: gnutls_pkcs11_obj_list_import_url31562664
++Ref: gnutls_pkcs11_obj_list_import_url41564605
++Ref: gnutls_pkcs11_obj_set_info1566281
++Ref: gnutls_pkcs11_obj_set_pin_function1567060
++Ref: gnutls_pkcs11_privkey_cpy1567571
++Ref: gnutls_pkcs11_privkey_deinit1568072
++Ref: gnutls_pkcs11_privkey_export_pubkey1568335
++Ref: gnutls_pkcs11_privkey_export_url1569139
++Ref: gnutls_pkcs11_privkey_generate1569649
++Ref: gnutls_pkcs11_privkey_generate21570321
++Ref: gnutls_pkcs11_privkey_generate31571551
++Ref: gnutls_pkcs11_privkey_get_info1573061
++Ref: gnutls_pkcs11_privkey_get_pk_algorithm1573943
++Ref: gnutls_pkcs11_privkey_import_url1574474
++Ref: gnutls_pkcs11_privkey_init1575175
++Ref: gnutls_pkcs11_privkey_set_pin_function1575890
++Ref: gnutls_pkcs11_privkey_status1576410
++Ref: gnutls_pkcs11_reinit1576786
++Ref: gnutls_pkcs11_set_pin_function1577346
++Ref: gnutls_pkcs11_set_token_function1577836
++Ref: gnutls_pkcs11_token_check_mechanism1578254
++Ref: gnutls_pkcs11_token_get_flags1579011
++Ref: gnutls_pkcs11_token_get_info1579553
++Ref: gnutls_pkcs11_token_get_mechanism1580576
++Ref: gnutls_pkcs11_token_get_ptr1581189
++Ref: gnutls_pkcs11_token_get_random1581888
++Ref: gnutls_pkcs11_token_get_url1582519
++Ref: gnutls_pkcs11_token_init1583187
++Ref: gnutls_pkcs11_token_set_pin1583825
++Ref: gnutls_pkcs11_type_get_name1584665
++Ref: gnutls_x509_crt_import_pkcs111585154
++Ref: gnutls_x509_crt_list_import_pkcs111585676
++Node: TPM API1586285
++Ref: gnutls_tpm_get_registered1586564
++Ref: gnutls_tpm_key_list_deinit1586957
++Ref: gnutls_tpm_key_list_get_url1587225
++Ref: gnutls_tpm_privkey_delete1587878
++Ref: gnutls_tpm_privkey_generate1588316
++Node: Abstract key API1589666
++Ref: gnutls_certificate_set_key1589987
++Ref: gnutls_certificate_set_retrieve_function21592123
++Ref: gnutls_certificate_set_retrieve_function31594373
++Ref: gnutls_pcert_deinit1597233
++Ref: gnutls_pcert_export_openpgp1597478
++Ref: gnutls_pcert_export_x5091597827
++Ref: gnutls_pcert_import_openpgp1598477
++Ref: gnutls_pcert_import_openpgp_raw1598876
++Ref: gnutls_pcert_import_rawpk1599445
++Ref: gnutls_pcert_import_rawpk_raw1600298
++Ref: gnutls_pcert_import_x5091601547
++Ref: gnutls_pcert_import_x509_list1602144
++Ref: gnutls_pcert_import_x509_raw1603334
++Ref: gnutls_pcert_list_import_x509_file1604040
++Ref: gnutls_pcert_list_import_x509_raw1605472
++Ref: gnutls_privkey_decrypt_data1606806
++Ref: gnutls_privkey_decrypt_data21607454
++Ref: gnutls_privkey_deinit1608279
++Ref: gnutls_privkey_export_dsa_raw1608528
++Ref: gnutls_privkey_export_dsa_raw21609258
++Ref: gnutls_privkey_export_ecc_raw1610064
++Ref: gnutls_privkey_export_ecc_raw21610926
++Ref: gnutls_privkey_export_gost_raw21611868
++Ref: gnutls_privkey_export_openpgp1613002
++Ref: gnutls_privkey_export_pkcs111613354
++Ref: gnutls_privkey_export_rsa_raw1613966
++Ref: gnutls_privkey_export_rsa_raw21614997
++Ref: gnutls_privkey_export_x5091616043
++Ref: gnutls_privkey_generate1616691
++Ref: gnutls_privkey_generate21618182
++Ref: gnutls_privkey_get_pk_algorithm1620310
++Ref: gnutls_privkey_get_seed1620924
++Ref: gnutls_privkey_get_spki1621723
++Ref: gnutls_privkey_get_type1622303
++Ref: gnutls_privkey_import_dsa_raw1622792
++Ref: gnutls_privkey_import_ecc_raw1623504
++Ref: gnutls_privkey_import_ext1624317
++Ref: gnutls_privkey_import_ext21625467
++Ref: gnutls_privkey_import_ext31626824
++Ref: gnutls_privkey_import_ext41628438
++Ref: gnutls_privkey_import_gost_raw1631198
++Ref: gnutls_privkey_import_openpgp1632406
++Ref: gnutls_privkey_import_openpgp_raw1632815
++Ref: gnutls_privkey_import_pkcs111633404
++Ref: gnutls_privkey_import_pkcs11_url1634162
++Ref: gnutls_privkey_import_rsa_raw1634611
++Ref: gnutls_privkey_import_tpm_raw1635607
++Ref: gnutls_privkey_import_tpm_url1636474
++Ref: gnutls_privkey_import_url1637577
++Ref: gnutls_privkey_import_x5091638124
++Ref: gnutls_privkey_import_x509_raw1638872
++Ref: gnutls_privkey_init1639651
++Ref: gnutls_privkey_set_flags1640569
++Ref: gnutls_privkey_set_pin_function1641094
++Ref: gnutls_privkey_set_spki1641664
++Ref: gnutls_privkey_sign_data1642237
++Ref: gnutls_privkey_sign_data21643257
++Ref: gnutls_privkey_sign_hash1644155
++Ref: gnutls_privkey_sign_hash21645592
++Ref: gnutls_privkey_status1646858
++Ref: gnutls_privkey_verify_params1647402
++Ref: gnutls_privkey_verify_seed1647764
++Ref: gnutls_pubkey_deinit1648476
++Ref: gnutls_pubkey_encrypt_data1648716
++Ref: gnutls_pubkey_export1649358
++Ref: gnutls_pubkey_export21650372
++Ref: gnutls_pubkey_export_dsa_raw1651145
++Ref: gnutls_pubkey_export_dsa_raw21651957
++Ref: gnutls_pubkey_export_ecc_raw1652841
++Ref: gnutls_pubkey_export_ecc_raw21653740
++Ref: gnutls_pubkey_export_ecc_x9621654719
++Ref: gnutls_pubkey_export_gost_raw21655378
++Ref: gnutls_pubkey_export_rsa_raw1656522
++Ref: gnutls_pubkey_export_rsa_raw21657219
++Ref: gnutls_pubkey_get_key_id1657980
++Ref: gnutls_pubkey_get_key_usage1659005
++Ref: gnutls_pubkey_get_openpgp_key_id1659502
++Ref: gnutls_pubkey_get_pk_algorithm1660141
++Ref: gnutls_pubkey_get_preferred_hash_algorithm1660789
++Ref: gnutls_pubkey_get_spki1661730
++Ref: gnutls_pubkey_import1662298
++Ref: gnutls_pubkey_import_dsa_raw1662982
++Ref: gnutls_pubkey_import_ecc_raw1663643
++Ref: gnutls_pubkey_import_ecc_x9621664411
++Ref: gnutls_pubkey_import_gost_raw1665047
++Ref: gnutls_pubkey_import_openpgp1666194
++Ref: gnutls_pubkey_import_openpgp_raw1666586
++Ref: gnutls_pubkey_import_pkcs111667155
++Ref: gnutls_pubkey_import_privkey1667697
++Ref: gnutls_pubkey_import_rsa_raw1668399
++Ref: gnutls_pubkey_import_tpm_raw1668923
++Ref: gnutls_pubkey_import_tpm_url1669700
++Ref: gnutls_pubkey_import_url1670592
++Ref: gnutls_pubkey_import_x5091671065
++Ref: gnutls_pubkey_import_x509_crq1671565
++Ref: gnutls_pubkey_import_x509_raw1672068
++Ref: gnutls_pubkey_init1672645
++Ref: gnutls_pubkey_print1672974
++Ref: gnutls_pubkey_set_key_usage1673708
++Ref: gnutls_pubkey_set_pin_function1674277
++Ref: gnutls_pubkey_set_spki1674842
++Ref: gnutls_pubkey_verify_data21675413
++Ref: gnutls_pubkey_verify_hash21676321
++Ref: gnutls_pubkey_verify_params1677445
++Ref: gnutls_register_custom_url1677803
++Ref: gnutls_system_key_add_x5091678741
++Ref: gnutls_system_key_delete1679486
++Ref: gnutls_system_key_iter_deinit1679910
++Ref: gnutls_system_key_iter_get_info1680178
++Ref: gnutls_x509_crl_privkey_sign1681452
++Ref: gnutls_x509_crq_privkey_sign1682721
++Ref: gnutls_x509_crq_set_pubkey1684083
++Ref: gnutls_x509_crt_privkey_sign1684591
++Ref: gnutls_x509_crt_set_pubkey1685834
++Node: Socket specific API1686287
++Ref: gnutls_transport_set_fastopen1686580
++Node: DANE API1688126
++Ref: dane_cert_type_name1688500
++Ref: dane_cert_usage_name1688790
++Ref: dane_match_type_name1689102
++Ref: dane_query_data1689385
++Ref: dane_query_deinit1690064
++Ref: dane_query_entries1690269
++Ref: dane_query_status1690511
++Ref: dane_query_tlsa1690805
++Ref: dane_query_to_raw_tlsa1691396
++Ref: dane_raw_tlsa1692738
++Ref: dane_state_deinit1693815
++Ref: dane_state_init1694007
++Ref: dane_state_set_dlv_file1694521
++Ref: dane_strerror1694822
++Ref: dane_verification_status_print1695321
++Ref: dane_verify_crt1695915
++Ref: dane_verify_crt_raw1698102
++Ref: dane_verify_session_crt1699335
++Node: Cryptographic API1700737
++Ref: gnutls_aead_cipher_decrypt1701238
++Ref: gnutls_aead_cipher_decryptv21702617
++Ref: gnutls_aead_cipher_deinit1703542
++Ref: gnutls_aead_cipher_encrypt1703870
++Ref: gnutls_aead_cipher_encryptv1704979
++Ref: gnutls_aead_cipher_encryptv21706127
++Ref: gnutls_aead_cipher_init1707055
++Ref: gnutls_cipher_add_auth1707721
++Ref: gnutls_cipher_decrypt1708301
++Ref: gnutls_cipher_decrypt21708925
++Ref: gnutls_cipher_deinit1709851
++Ref: gnutls_cipher_encrypt1710130
++Ref: gnutls_cipher_encrypt21710590
++Ref: gnutls_cipher_get_block_size1711367
++Ref: gnutls_cipher_get_iv_size1711647
++Ref: gnutls_cipher_get_tag_size1712129
++Ref: gnutls_cipher_init1712535
++Ref: gnutls_cipher_set_iv1713265
++Ref: gnutls_cipher_tag1713610
++Ref: gnutls_crypto_register_aead_cipher1714112
++Ref: gnutls_crypto_register_cipher1715716
++Ref: gnutls_crypto_register_digest1717497
++Ref: gnutls_crypto_register_mac1718721
++Ref: gnutls_decode_ber_digest_info1720149
++Ref: gnutls_decode_gost_rs_value1720948
++Ref: gnutls_decode_rs_value1721748
++Ref: gnutls_encode_ber_digest_info1722533
++Ref: gnutls_encode_gost_rs_value1723177
++Ref: gnutls_encode_rs_value1723923
++Ref: gnutls_hash1724543
++Ref: gnutls_hash_copy1724974
++Ref: gnutls_hash_deinit1725491
++Ref: gnutls_hash_fast1725819
++Ref: gnutls_hash_get_len1726336
++Ref: gnutls_hash_init1726669
++Ref: gnutls_hash_output1727205
++Ref: gnutls_hkdf_expand1727537
++Ref: gnutls_hkdf_extract1728240
++Ref: gnutls_hmac1728783
++Ref: gnutls_hmac_copy1729214
++Ref: gnutls_hmac_deinit1729695
++Ref: gnutls_hmac_fast1730022
++Ref: gnutls_hmac_get_key_size1730746
++Ref: gnutls_hmac_get_len1731207
++Ref: gnutls_hmac_init1731537
++Ref: gnutls_hmac_output1732320
++Ref: gnutls_hmac_set_nonce1732655
++Ref: gnutls_mac_get_nonce_size1733022
++Ref: gnutls_pbkdf21733338
++Ref: gnutls_rnd1733971
++Ref: gnutls_rnd_refresh1734609
++Node: Compatibility API1734895
++Ref: gnutls_compression_get1735237
++Ref: gnutls_compression_get_id1735589
++Ref: gnutls_compression_get_name1735953
++Ref: gnutls_compression_list1736335
++Ref: gnutls_global_set_mem_functions1736667
++Ref: gnutls_openpgp_privkey_sign_hash1738042
++Ref: gnutls_priority_compression_list1738471
++Ref: gnutls_x509_crt_get_preferred_hash_algorithm1738923
++Ref: gnutls_x509_privkey_sign_hash1739804
++Node: Copying Information1740674
++Node: Bibliography1765851
++Ref: CBCATT1765990
++Ref: GPGH1766168
++Ref: GUTPKI1766291
++Ref: PRNGATTACKS1766466
++Ref: KEYPIN1766666
++Ref: NISTSP800571766841
++Ref: RFC74131767089
++Ref: RFC79181767256
++Ref: RFC61251767433
++Ref: RFC76851767774
++Ref: RFC76131767949
++Ref: RFC22461768197
++Ref: RFC60831768358
++Ref: RFC44181768595
++Ref: RFC46801768762
++Ref: RFC76331768920
++Ref: RFC79191769092
++Ref: RFC45141769296
++Ref: RFC43461769500
++Ref: RFC43471769650
++Ref: RFC52461769817
++Ref: RFC24401769968
++Ref: RFC48801770150
++Ref: RFC42111770344
++Ref: RFC28171770538
++Ref: RFC28181770691
++Ref: RFC29451770805
++Ref: RFC73011770955
++Ref: RFC29861771175
++Ref: PKIX1771364
++Ref: RFC37491771627
++Ref: RFC38201771793
++Ref: RFC65201772036
++Ref: RFC57461772275
++Ref: RFC52801772484
++Ref: TLSTKT1772751
++Ref: PKCS121772983
++Ref: PKCS111773124
++Ref: RESCORLA1773270
++Ref: SELKEY1773366
++Ref: SSL31773525
++Ref: STEVENS1773716
++Ref: TLSEXT1773824
++Ref: TLSPGP1774041
++Ref: TLSSRP1774206
++Ref: TLSPSK1774403
++Ref: TOMSRP1774572
++Ref: WEGER1774685
++Ref: ECRYPT1774877
++Ref: RFC50561775082
++Ref: RFC57641775235
++Ref: RFC59291775523
++Ref: PKCS11URI1775666
++Ref: TPMURI1775802
++Ref: ANDERSON1775996
++Ref: RFC48211776142
++Ref: RFC25601776295
++Ref: RIVESTCRL1776489
++Node: Function and Data Index1776850
++Node: Concept Index1903361
+ 
+ End Tag Table
+ 
+diff -ruN gnutls-3.7.2/doc/gnutls.info-1 gnutls-3.7.2-bootstrapped/doc/gnutls.info-1
+--- gnutls-3.7.2/doc/gnutls.info-1	2021-05-29 10:19:34.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-1	2021-06-28 09:39:56.000000000 +0200
+@@ -7426,6 +7426,12 @@
+ to a token.  Must be combined with one of -load-privkey, -load-pubkey,
+ -load-certificate option.
+ 
++When writing a certificate object, its CKA_ID is set to the same CKA_ID
++of the corresponding public key, if it exists on the token; otherwise it
++will be derived from the X.509 Subject Key Identifier of the
++certificate.  If this behavior is undesired, write the public key to the
++token beforehand.
++
+ id option.
+ ..........
+ 
+diff -ruN gnutls-3.7.2/doc/gnutls.info-3 gnutls-3.7.2-bootstrapped/doc/gnutls.info-3
+--- gnutls-3.7.2/doc/gnutls.info-3	2021-05-29 10:19:36.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-3	2021-06-28 09:39:58.000000000 +0200
+@@ -1350,6 +1350,7 @@
+    * 'insecure-hash': to mark the hash algorithm as insecure for digital
+      signature use (provides a more generic way to disable digital
+      signatures for broken hash algorithms).
++   * 'disabled-curve': to disable the specified elliptic curve.
+    * 'disabled-version': to disable the specified TLS versions.
+    * 'tls-disabled-cipher': to disable the specified ciphers for use in
+      the TLS or DTLS protocols.
+@@ -1362,12 +1363,54 @@
+      earlier).
+ 
+ Each of the options can be repeated multiple times when multiple values
+-need to be disabled.
++need to be disabled or enabled.
+ 
+ The valid values for the options above can be found in the 'Protocols',
+ 'Digests' 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of
+ the output of 'gnutls-cli --list'.
+ 
++Sometimes the system administrator wants to enable only specific
++algorithms, despite the library defaults.  GnuTLS provides an
++alternative mode of overriding: allowlisting.
++
++In the allowlisting mode, all the algorithms are initially marked as
++insecure or disabled, and shall be explicitly turned on by the options
++in the '[overrides]' section.  Those options are mutually exclusive to
++the above ones for the blocklisting mode (the default)
++   * 'secure-sig-for-cert': to mark the signature algorithm as secure
++     when used in certificates.
++   * 'secure-sig': to mark the signature algorithm as secure for any
++     use.
++   * 'secure-hash': to mark the hash algorithm as secure for digital
++     signature use (provides a more generic way to enable digital
++     signatures for broken hash algorithms).
++   * 'enabled-curve': to enable the specified elliptic curve.
++   * 'enabled-version': to enable the specified TLS versions.
++   * 'tls-enabled-cipher': to enable the specified ciphers for use in
++     the TLS or DTLS protocols.
++   * 'tls-enabled-mac': to enable the specified MAC algorithms for use
++     in the TLS or DTLS protocols.
++   * 'tls-enabled-group': to enable the specified group for use in the
++     TLS or DTLS protocols.
++   * 'tls-enabled-kx': to enable the specified key exchange algorithms
++     for use in the TLS or DTLS protocols (applies to TLS1.2 or
++     earlier).
++
++The allowlisting mode can be enabled by adding 'override-mode =
++allowlist' in the '[global]' section.
++
++When the allowlisting mode is in effect, it is also possible for the
++applications to modify the setting through the API.
++
++'INT *note gnutls_ecc_curve_mark_enabled:: (gnutls_ecc_curve_t CURVE)'
++'INT *note gnutls_sign_mark_secure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)'
++'INT *note gnutls_digest_mark_secure:: (gnutls_digest_algorithm_t DIG)'
++'INT *note gnutls_protocol_mark_enabled:: (gnutls_protocol_t VERSION)'
++'INT *note gnutls_ecc_curve_mark_disabled:: (gnutls_ecc_curve_t CURVE)'
++'INT *note gnutls_sign_mark_insecure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)'
++'INT *note gnutls_digest_mark_insecure:: (gnutls_digest_algorithm_t DIG)'
++'INT *note gnutls_protocol_mark_disabled:: (gnutls_protocol_t VERSION)'
++
+ 8.2.1 Examples
+ --------------
+ 
+@@ -1396,6 +1439,17 @@
+      tls-disabled-mac = sha1
+      tls-disabled-group = group-ffdhe8192
+ 
++The following example demonstrates the use of the allowlisting mode.  It
++disables all the signature algorithms but 'RSA-SHA256'.  Note that the
++hash algorithm 'SHA256' also needs to be explicitly enabled.
++
++     [global]
++     override-mode = allowlist
++
++     [overrides]
++     secure-hash = sha256
++     secure-sig = rsa-sha256
++
+ 
+ File: gnutls.info,  Node: Querying for disabled algorithms and protocols,  Next: Overriding the parameter verification profile,  Prev: Disabling algorithms and protocols,  Up: System-wide configuration of the library
+ 
+@@ -8538,6 +8592,31 @@
+      'gnutls_digest_algorithm_t' integers indicating the available
+      digests.
+ 
++gnutls_digest_mark_insecure
++---------------------------
++
++ -- Function: int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t
++          DIG)
++     DIG: is a digest algorithm
++
++     Mark 'dig' as insecure system wide.  This only works if the
++     allowlisting mode is used in the configuration file.
++
++     *Since:* 3.7.3
++
++gnutls_digest_mark_secure
++-------------------------
++
++ -- Function: int gnutls_digest_mark_secure (gnutls_digest_algorithm_t
++          DIG)
++     DIG: is a digest algorithm
++
++     Invalidate previous system wide setting that marked 'dig' as
++     insecure.  This only works if the allowlisting mode is used in the
++     configuration file.
++
++     *Since:* 3.7.3
++
+ gnutls_early_cipher_get
+ -----------------------
+ 
+@@ -8657,6 +8736,37 @@
+      *Returns:* Return a (0)-terminated list of 'gnutls_ecc_curve_t'
+      integers indicating the available curves.
+ 
++gnutls_ecc_curve_mark_disabled
++------------------------------
++
++ -- Function: int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t
++          CURVE)
++     CURVE: is an ECC curve
++
++     Mark 'curve' as disabled system wide.  This setting can be reverted
++     with 'gnutls_ecc_curve_mark_enabled()' .  This only works if the
++     configuration file uses the allowlisting mode.
++
++     *Returns:* 0 on success or negative error code otherwise.
++
++     *Since:* 3.7.3
++
++gnutls_ecc_curve_mark_enabled
++-----------------------------
++
++ -- Function: int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t
++          CURVE)
++     CURVE: is an ECC curve
++
++     Invalidate previous system wide setting that marked 'curve' as
++     disabled.  This only works if the curve is disabled with
++     'gnutls_ecc_curve_mark_disabled()' or through the allowlisting mode
++     in the configuration file.
++
++     *Returns:* 0 on success or negative error code otherwise.
++
++     *Since:* 3.7.3
++
+ gnutls_error_is_fatal
+ ---------------------
+ 
+@@ -11047,6 +11157,27 @@
+      *Returns:* a (0)-terminated list of 'gnutls_protocol_t' integers
+      indicating the available protocols.
+ 
++gnutls_protocol_mark_disabled
++-----------------------------
++
++ -- Function: int gnutls_protocol_mark_disabled (gnutls_protocol_t
++          VERSION)
++     VERSION: is a (gnutls) version number
++
++     Mark 'version' as disabled system wide.  This only works if the
++     allowlisting mode is used in the configuration file.
++
++gnutls_protocol_mark_enabled
++----------------------------
++
++ -- Function: int gnutls_protocol_mark_enabled (gnutls_protocol_t
++          VERSION)
++     VERSION: is a (gnutls) version number
++
++     Invalidate previous system wide setting that marked 'version' as
++     disabled.  This only works if the allowlisting mode is used in the
++     configuration file.
++
+ gnutls_psk_allocate_client_credentials
+ --------------------------------------
+ 
+@@ -13235,6 +13366,45 @@
+      *Returns:* a (0)-terminated list of 'gnutls_sign_algorithm_t'
+      integers indicating the available ciphers.
+ 
++gnutls_sign_mark_insecure
++-------------------------
++
++ -- Function: int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t
++          SIGN, unsigned FLAGS)
++     SIGN: the sign algorithm
++
++     FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0
++
++     Mark 'sign' as insecure system wide.  This only works if the
++     allowlisting mode is used in the configuration file.
++
++     If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, and the
++     algorithm was previously considered secure for all purposes, it
++     only marks the algorithm as insecure for the use with certificates.
++
++     *Since:* 3.7.3
++
++gnutls_sign_mark_secure
++-----------------------
++
++ -- Function: int gnutls_sign_mark_secure (gnutls_sign_algorithm_t SIGN,
++          unsigned FLAGS)
++     SIGN: the sign algorithm
++
++     FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0
++
++     Invalidate previous system wide setting that marked 'sign' as
++     insecure.  This only works if the algorithm is marked as insecure
++     with 'gnutls_sign_mark_insecure()' or through the allowlisting mode
++     in the configuration file.
++
++     If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, it
++     marks it the algorithm as secure for all purposes.  If the absence
++     of this flag, it will mark it as "secure, but not for certificates"
++     at most, but it won't restrict anything either.
++
++     *Since:* 3.7.3
++
+ gnutls_sign_supports_pk_algorithm
+ ---------------------------------
+ 
+diff -ruN gnutls-3.7.2/doc/gnutls.info-6 gnutls-3.7.2-bootstrapped/doc/gnutls.info-6
+--- gnutls-3.7.2/doc/gnutls.info-6	2021-05-29 10:19:38.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-6	2021-06-28 09:40:00.000000000 +0200
+@@ -7847,6 +7847,8 @@
+ * gnutls_digest_get_name:                Core TLS API.       (line 3005)
+ * gnutls_digest_get_oid:                 Core TLS API.       (line 3017)
+ * gnutls_digest_list:                    Core TLS API.       (line 3032)
++* gnutls_digest_mark_insecure:           Core TLS API.       (line 3046)
++* gnutls_digest_mark_secure:             Core TLS API.       (line 3058)
+ * gnutls_dtls_cookie_send:               Datagram TLS API.   (line   11)
+ * gnutls_dtls_cookie_verify:             Datagram TLS API.   (line   45)
+ * gnutls_dtls_get_data_mtu:              Datagram TLS API.   (line   74)
+@@ -7858,71 +7860,73 @@
+ * gnutls_dtls_set_data_mtu:              Datagram TLS API.   (line  139)
+ * gnutls_dtls_set_mtu:                   Datagram TLS API.   (line  165)
+ * gnutls_dtls_set_timeouts:              Datagram TLS API.   (line  182)
+-* gnutls_early_cipher_get:               Core TLS API.       (line 3046)
+-* gnutls_early_prf_hash_get:             Core TLS API.       (line 3060)
+-* gnutls_ecc_curve_get:                  Core TLS API.       (line 3075)
+-* gnutls_ecc_curve_get_id:               Core TLS API.       (line 3089)
+-* gnutls_ecc_curve_get_name:             Core TLS API.       (line 3103)
+-* gnutls_ecc_curve_get_oid:              Core TLS API.       (line 3117)
+-* gnutls_ecc_curve_get_pk:               Core TLS API.       (line 3131)
+-* gnutls_ecc_curve_get_size:             Core TLS API.       (line 3143)
+-* gnutls_ecc_curve_list:                 Core TLS API.       (line 3153)
++* gnutls_early_cipher_get:               Core TLS API.       (line 3071)
++* gnutls_early_prf_hash_get:             Core TLS API.       (line 3085)
++* gnutls_ecc_curve_get:                  Core TLS API.       (line 3100)
++* gnutls_ecc_curve_get_id:               Core TLS API.       (line 3114)
++* gnutls_ecc_curve_get_name:             Core TLS API.       (line 3128)
++* gnutls_ecc_curve_get_oid:              Core TLS API.       (line 3142)
++* gnutls_ecc_curve_get_pk:               Core TLS API.       (line 3156)
++* gnutls_ecc_curve_get_size:             Core TLS API.       (line 3168)
++* gnutls_ecc_curve_list:                 Core TLS API.       (line 3178)
++* gnutls_ecc_curve_mark_disabled:        Core TLS API.       (line 3190)
++* gnutls_ecc_curve_mark_enabled:         Core TLS API.       (line 3205)
+ * gnutls_encode_ber_digest_info:         Cryptographic API.  (line  689)
+ * gnutls_encode_gost_rs_value:           Cryptographic API.  (line  709)
+ * gnutls_encode_rs_value:                Cryptographic API.  (line  732)
+ * gnutls_error_is_fatal:                 Data transfer and termination.
+                                                              (line   82)
+-* gnutls_error_is_fatal <1>:             Core TLS API.       (line 3165)
++* gnutls_error_is_fatal <1>:             Core TLS API.       (line 3221)
+ * gnutls_error_to_alert:                 Handling alerts.    (line   66)
+-* gnutls_error_to_alert <1>:             Core TLS API.       (line 3185)
+-* gnutls_est_record_overhead_size:       Core TLS API.       (line 3204)
+-* gnutls_ext_get_current_msg:            Core TLS API.       (line 3231)
+-* gnutls_ext_get_data:                   Core TLS API.       (line 3249)
+-* gnutls_ext_get_name:                   Core TLS API.       (line 3268)
+-* gnutls_ext_get_name2:                  Core TLS API.       (line 3279)
+-* gnutls_ext_raw_parse:                  Core TLS API.       (line 3296)
+-* gnutls_ext_register:                   Core TLS API.       (line 3327)
+-* gnutls_ext_set_data:                   Core TLS API.       (line 3374)
+-* gnutls_fingerprint:                    Core TLS API.       (line 3391)
+-* gnutls_fips140_mode_enabled:           Core TLS API.       (line 3418)
+-* gnutls_fips140_set_mode:               Core TLS API.       (line 3436)
++* gnutls_error_to_alert <1>:             Core TLS API.       (line 3241)
++* gnutls_est_record_overhead_size:       Core TLS API.       (line 3260)
++* gnutls_ext_get_current_msg:            Core TLS API.       (line 3287)
++* gnutls_ext_get_data:                   Core TLS API.       (line 3305)
++* gnutls_ext_get_name:                   Core TLS API.       (line 3324)
++* gnutls_ext_get_name2:                  Core TLS API.       (line 3335)
++* gnutls_ext_raw_parse:                  Core TLS API.       (line 3352)
++* gnutls_ext_register:                   Core TLS API.       (line 3383)
++* gnutls_ext_set_data:                   Core TLS API.       (line 3430)
++* gnutls_fingerprint:                    Core TLS API.       (line 3447)
++* gnutls_fips140_mode_enabled:           Core TLS API.       (line 3474)
++* gnutls_fips140_set_mode:               Core TLS API.       (line 3492)
+ * gnutls_get_system_config_file:         System-wide configuration of the library.
+                                                              (line   24)
+-* gnutls_get_system_config_file <1>:     Core TLS API.       (line 3462)
+-* gnutls_global_deinit:                  Core TLS API.       (line 3476)
+-* gnutls_global_init:                    Core TLS API.       (line 3489)
++* gnutls_get_system_config_file <1>:     Core TLS API.       (line 3518)
++* gnutls_global_deinit:                  Core TLS API.       (line 3532)
++* gnutls_global_init:                    Core TLS API.       (line 3545)
+ * gnutls_global_set_audit_log_function:  Debugging and auditing.
+                                                              (line   64)
+-* gnutls_global_set_audit_log_function <1>: Core TLS API.    (line 3518)
+-* gnutls_global_set_log_function:        Core TLS API.       (line 3537)
+-* gnutls_global_set_log_level:           Core TLS API.       (line 3552)
++* gnutls_global_set_audit_log_function <1>: Core TLS API.    (line 3574)
++* gnutls_global_set_log_function:        Core TLS API.       (line 3593)
++* gnutls_global_set_log_level:           Core TLS API.       (line 3608)
+ * gnutls_global_set_mem_functions:       Compatibility API.  (line   60)
+-* gnutls_global_set_mutex:               Core TLS API.       (line 3565)
+-* gnutls_global_set_time_function:       Core TLS API.       (line 3594)
+-* gnutls_gost_paramset_get_name:         Core TLS API.       (line 3608)
+-* gnutls_gost_paramset_get_oid:          Core TLS API.       (line 3622)
+-* gnutls_group_get:                      Core TLS API.       (line 3636)
+-* gnutls_group_get_id:                   Core TLS API.       (line 3649)
+-* gnutls_group_get_name:                 Core TLS API.       (line 3662)
+-* gnutls_group_list:                     Core TLS API.       (line 3675)
++* gnutls_global_set_mutex:               Core TLS API.       (line 3621)
++* gnutls_global_set_time_function:       Core TLS API.       (line 3650)
++* gnutls_gost_paramset_get_name:         Core TLS API.       (line 3664)
++* gnutls_gost_paramset_get_oid:          Core TLS API.       (line 3678)
++* gnutls_group_get:                      Core TLS API.       (line 3692)
++* gnutls_group_get_id:                   Core TLS API.       (line 3705)
++* gnutls_group_get_name:                 Core TLS API.       (line 3718)
++* gnutls_group_list:                     Core TLS API.       (line 3731)
+ * gnutls_handshake:                      TLS handshake.      (line   10)
+-* gnutls_handshake <1>:                  Core TLS API.       (line 3689)
+-* gnutls_handshake_description_get_name: Core TLS API.       (line 3732)
+-* gnutls_handshake_get_last_in:          Core TLS API.       (line 3744)
+-* gnutls_handshake_get_last_out:         Core TLS API.       (line 3761)
++* gnutls_handshake <1>:                  Core TLS API.       (line 3745)
++* gnutls_handshake_description_get_name: Core TLS API.       (line 3788)
++* gnutls_handshake_get_last_in:          Core TLS API.       (line 3800)
++* gnutls_handshake_get_last_out:         Core TLS API.       (line 3817)
+ * gnutls_handshake_set_hook_function:    Virtual hosts and credentials.
+                                                              (line   56)
+-* gnutls_handshake_set_hook_function <1>: Core TLS API.      (line 3778)
+-* gnutls_handshake_set_max_packet_length: Core TLS API.      (line 3815)
++* gnutls_handshake_set_hook_function <1>: Core TLS API.      (line 3834)
++* gnutls_handshake_set_max_packet_length: Core TLS API.      (line 3871)
+ * gnutls_handshake_set_post_client_hello_function: Core TLS API.
+-                                                             (line 3836)
+-* gnutls_handshake_set_private_extensions: Core TLS API.     (line 3867)
+-* gnutls_handshake_set_random:           Core TLS API.       (line 3886)
+-* gnutls_handshake_set_read_function:    Core TLS API.       (line 3908)
+-* gnutls_handshake_set_secret_function:  Core TLS API.       (line 3922)
++                                                             (line 3892)
++* gnutls_handshake_set_private_extensions: Core TLS API.     (line 3923)
++* gnutls_handshake_set_random:           Core TLS API.       (line 3942)
++* gnutls_handshake_set_read_function:    Core TLS API.       (line 3964)
++* gnutls_handshake_set_secret_function:  Core TLS API.       (line 3978)
+ * gnutls_handshake_set_timeout:          TLS handshake.      (line   50)
+-* gnutls_handshake_set_timeout <1>:      Core TLS API.       (line 3936)
+-* gnutls_handshake_write:                Core TLS API.       (line 3956)
++* gnutls_handshake_set_timeout <1>:      Core TLS API.       (line 3992)
++* gnutls_handshake_write:                Core TLS API.       (line 4012)
+ * gnutls_hash:                           Cryptographic API.  (line  753)
+ * gnutls_hash_copy:                      Cryptographic API.  (line  771)
+ * gnutls_hash_deinit:                    Cryptographic API.  (line  787)
+@@ -7930,17 +7934,17 @@
+ * gnutls_hash_get_len:                   Cryptographic API.  (line  821)
+ * gnutls_hash_init:                      Cryptographic API.  (line  835)
+ * gnutls_hash_output:                    Cryptographic API.  (line  853)
+-* gnutls_heartbeat_allowed:              Core TLS API.       (line 3977)
+-* gnutls_heartbeat_enable:               Core TLS API.       (line 3994)
+-* gnutls_heartbeat_get_timeout:          Core TLS API.       (line 4018)
+-* gnutls_heartbeat_ping:                 Core TLS API.       (line 4034)
+-* gnutls_heartbeat_pong:                 Core TLS API.       (line 4066)
+-* gnutls_heartbeat_set_timeouts:         Core TLS API.       (line 4082)
+-* gnutls_hex2bin:                        Core TLS API.       (line 4104)
+-* gnutls_hex_decode:                     Core TLS API.       (line 4127)
+-* gnutls_hex_decode2:                    Core TLS API.       (line 4149)
+-* gnutls_hex_encode:                     Core TLS API.       (line 4164)
+-* gnutls_hex_encode2:                    Core TLS API.       (line 4183)
++* gnutls_heartbeat_allowed:              Core TLS API.       (line 4033)
++* gnutls_heartbeat_enable:               Core TLS API.       (line 4050)
++* gnutls_heartbeat_get_timeout:          Core TLS API.       (line 4074)
++* gnutls_heartbeat_ping:                 Core TLS API.       (line 4090)
++* gnutls_heartbeat_pong:                 Core TLS API.       (line 4122)
++* gnutls_heartbeat_set_timeouts:         Core TLS API.       (line 4138)
++* gnutls_hex2bin:                        Core TLS API.       (line 4160)
++* gnutls_hex_decode:                     Core TLS API.       (line 4183)
++* gnutls_hex_decode2:                    Core TLS API.       (line 4205)
++* gnutls_hex_encode:                     Core TLS API.       (line 4220)
++* gnutls_hex_encode2:                    Core TLS API.       (line 4239)
+ * gnutls_hkdf_expand:                    Cryptographic API.  (line  867)
+ * gnutls_hkdf_extract:                   Cryptographic API.  (line  891)
+ * gnutls_hmac:                           Cryptographic API.  (line  912)
+@@ -7952,25 +7956,25 @@
+ * gnutls_hmac_init:                      Cryptographic API.  (line 1015)
+ * gnutls_hmac_output:                    Cryptographic API.  (line 1041)
+ * gnutls_hmac_set_nonce:                 Cryptographic API.  (line 1055)
+-* gnutls_idna_map:                       Core TLS API.       (line 4201)
+-* gnutls_idna_reverse_map:               Core TLS API.       (line 4232)
++* gnutls_idna_map:                       Core TLS API.       (line 4257)
++* gnutls_idna_reverse_map:               Core TLS API.       (line 4288)
+ * gnutls_init:                           Session initialization.
+                                                              (line   14)
+-* gnutls_init <1>:                       Core TLS API.       (line 4258)
+-* gnutls_key_generate:                   Core TLS API.       (line 4281)
+-* gnutls_kx_get:                         Core TLS API.       (line 4298)
+-* gnutls_kx_get_id:                      Core TLS API.       (line 4315)
+-* gnutls_kx_get_name:                    Core TLS API.       (line 4327)
+-* gnutls_kx_list:                        Core TLS API.       (line 4339)
+-* gnutls_load_file:                      Core TLS API.       (line 4351)
+-* gnutls_mac_get:                        Core TLS API.       (line 4374)
+-* gnutls_mac_get_id:                     Core TLS API.       (line 4386)
+-* gnutls_mac_get_key_size:               Core TLS API.       (line 4399)
+-* gnutls_mac_get_name:                   Core TLS API.       (line 4411)
++* gnutls_init <1>:                       Core TLS API.       (line 4314)
++* gnutls_key_generate:                   Core TLS API.       (line 4337)
++* gnutls_kx_get:                         Core TLS API.       (line 4354)
++* gnutls_kx_get_id:                      Core TLS API.       (line 4371)
++* gnutls_kx_get_name:                    Core TLS API.       (line 4383)
++* gnutls_kx_list:                        Core TLS API.       (line 4395)
++* gnutls_load_file:                      Core TLS API.       (line 4407)
++* gnutls_mac_get:                        Core TLS API.       (line 4430)
++* gnutls_mac_get_id:                     Core TLS API.       (line 4442)
++* gnutls_mac_get_key_size:               Core TLS API.       (line 4455)
++* gnutls_mac_get_name:                   Core TLS API.       (line 4467)
+ * gnutls_mac_get_nonce_size:             Cryptographic API.  (line 1070)
+-* gnutls_mac_list:                       Core TLS API.       (line 4423)
+-* gnutls_memcmp:                         Core TLS API.       (line 4435)
+-* gnutls_memset:                         Core TLS API.       (line 4456)
++* gnutls_mac_list:                       Core TLS API.       (line 4479)
++* gnutls_memcmp:                         Core TLS API.       (line 4491)
++* gnutls_memset:                         Core TLS API.       (line 4512)
+ * gnutls_ocsp_req_add_cert:              OCSP API.           (line   12)
+ * gnutls_ocsp_req_add_cert_id:           OCSP API.           (line   36)
+ * gnutls_ocsp_req_deinit:                OCSP API.           (line   69)
+@@ -8011,20 +8015,20 @@
+ * gnutls_ocsp_resp_print:                OCSP API.           (line  757)
+ * gnutls_ocsp_resp_verify:               OCSP API.           (line  780)
+ * gnutls_ocsp_resp_verify_direct:        OCSP API.           (line  818)
+-* gnutls_ocsp_status_request_enable_client: Core TLS API.    (line 4471)
+-* gnutls_ocsp_status_request_get:        Core TLS API.       (line 4499)
+-* gnutls_ocsp_status_request_get2:       Core TLS API.       (line 4518)
+-* gnutls_ocsp_status_request_is_checked: Core TLS API.       (line 4544)
+-* gnutls_oid_to_digest:                  Core TLS API.       (line 4578)
+-* gnutls_oid_to_ecc_curve:               Core TLS API.       (line 4593)
+-* gnutls_oid_to_gost_paramset:           Core TLS API.       (line 4605)
+-* gnutls_oid_to_mac:                     Core TLS API.       (line 4620)
+-* gnutls_oid_to_pk:                      Core TLS API.       (line 4635)
+-* gnutls_oid_to_sign:                    Core TLS API.       (line 4649)
++* gnutls_ocsp_status_request_enable_client: Core TLS API.    (line 4527)
++* gnutls_ocsp_status_request_get:        Core TLS API.       (line 4555)
++* gnutls_ocsp_status_request_get2:       Core TLS API.       (line 4574)
++* gnutls_ocsp_status_request_is_checked: Core TLS API.       (line 4600)
++* gnutls_oid_to_digest:                  Core TLS API.       (line 4634)
++* gnutls_oid_to_ecc_curve:               Core TLS API.       (line 4649)
++* gnutls_oid_to_gost_paramset:           Core TLS API.       (line 4661)
++* gnutls_oid_to_mac:                     Core TLS API.       (line 4676)
++* gnutls_oid_to_pk:                      Core TLS API.       (line 4691)
++* gnutls_oid_to_sign:                    Core TLS API.       (line 4705)
+ * gnutls_openpgp_privkey_sign_hash:      Compatibility API.  (line   95)
+-* gnutls_openpgp_send_cert:              Core TLS API.       (line 4664)
+-* gnutls_packet_deinit:                  Core TLS API.       (line 4677)
+-* gnutls_packet_get:                     Core TLS API.       (line 4688)
++* gnutls_openpgp_send_cert:              Core TLS API.       (line 4720)
++* gnutls_packet_deinit:                  Core TLS API.       (line 4733)
++* gnutls_packet_get:                     Core TLS API.       (line 4744)
+ * gnutls_pbkdf2:                         Cryptographic API.  (line 1083)
+ * gnutls_pcert_deinit:                   Abstract key API.   (line  176)
+ * gnutls_pcert_export_openpgp:           Abstract key API.   (line  186)
+@@ -8038,11 +8042,11 @@
+ * gnutls_pcert_import_x509_raw:          Abstract key API.   (line  370)
+ * gnutls_pcert_list_import_x509_file:    Abstract key API.   (line  393)
+ * gnutls_pcert_list_import_x509_raw:     Abstract key API.   (line  430)
+-* gnutls_pem_base64_decode:              Core TLS API.       (line 4706)
+-* gnutls_pem_base64_decode2:             Core TLS API.       (line 4730)
+-* gnutls_pem_base64_encode:              Core TLS API.       (line 4758)
+-* gnutls_pem_base64_encode2:             Core TLS API.       (line 4781)
+-* gnutls_perror:                         Core TLS API.       (line 4809)
++* gnutls_pem_base64_decode:              Core TLS API.       (line 4762)
++* gnutls_pem_base64_decode2:             Core TLS API.       (line 4786)
++* gnutls_pem_base64_encode:              Core TLS API.       (line 4814)
++* gnutls_pem_base64_encode2:             Core TLS API.       (line 4837)
++* gnutls_perror:                         Core TLS API.       (line 4865)
+ * gnutls_pkcs11_add_provider:            PKCS11 Manual Initialization.
+                                                              (line   13)
+ * gnutls_pkcs11_add_provider <1>:        PKCS 11 API.        (line   12)
+@@ -8183,39 +8187,39 @@
+                                                              (line  122)
+ * gnutls_pkcs_schema_get_oid:            X509 certificate API.
+                                                              (line  137)
+-* gnutls_pk_algorithm_get_name:          Core TLS API.       (line 4818)
++* gnutls_pk_algorithm_get_name:          Core TLS API.       (line 4874)
+ * gnutls_pk_bits_to_sec_param:           Selecting cryptographic key sizes.
+                                                              (line   91)
+-* gnutls_pk_bits_to_sec_param <1>:       Core TLS API.       (line 4830)
+-* gnutls_pk_get_id:                      Core TLS API.       (line 4847)
+-* gnutls_pk_get_name:                    Core TLS API.       (line 4862)
+-* gnutls_pk_get_oid:                     Core TLS API.       (line 4876)
+-* gnutls_pk_list:                        Core TLS API.       (line 4891)
+-* gnutls_pk_to_sign:                     Core TLS API.       (line 4905)
+-* gnutls_prf:                            Core TLS API.       (line 4920)
+-* gnutls_prf_early:                      Core TLS API.       (line 4970)
+-* gnutls_prf_hash_get:                   Core TLS API.       (line 5015)
+-* gnutls_prf_raw:                        Core TLS API.       (line 5032)
++* gnutls_pk_bits_to_sec_param <1>:       Core TLS API.       (line 4886)
++* gnutls_pk_get_id:                      Core TLS API.       (line 4903)
++* gnutls_pk_get_name:                    Core TLS API.       (line 4918)
++* gnutls_pk_get_oid:                     Core TLS API.       (line 4932)
++* gnutls_pk_list:                        Core TLS API.       (line 4947)
++* gnutls_pk_to_sign:                     Core TLS API.       (line 4961)
++* gnutls_prf:                            Core TLS API.       (line 4976)
++* gnutls_prf_early:                      Core TLS API.       (line 5026)
++* gnutls_prf_hash_get:                   Core TLS API.       (line 5071)
++* gnutls_prf_raw:                        Core TLS API.       (line 5088)
+ * gnutls_prf_rfc5705:                    Deriving keys for other applications/protocols.
+                                                              (line   16)
+-* gnutls_prf_rfc5705 <1>:                Core TLS API.       (line 5077)
+-* gnutls_priority_certificate_type_list: Core TLS API.       (line 5124)
+-* gnutls_priority_certificate_type_list2: Core TLS API.      (line 5145)
+-* gnutls_priority_cipher_list:           Core TLS API.       (line 5165)
++* gnutls_prf_rfc5705 <1>:                Core TLS API.       (line 5133)
++* gnutls_priority_certificate_type_list: Core TLS API.       (line 5180)
++* gnutls_priority_certificate_type_list2: Core TLS API.      (line 5201)
++* gnutls_priority_cipher_list:           Core TLS API.       (line 5221)
+ * gnutls_priority_compression_list:      Compatibility API.  (line  111)
+-* gnutls_priority_deinit:                Core TLS API.       (line 5180)
+-* gnutls_priority_ecc_curve_list:        Core TLS API.       (line 5189)
+-* gnutls_priority_get_cipher_suite_index: Core TLS API.      (line 5207)
+-* gnutls_priority_group_list:            Core TLS API.       (line 5232)
+-* gnutls_priority_init:                  Core TLS API.       (line 5247)
+-* gnutls_priority_init2:                 Core TLS API.       (line 5275)
+-* gnutls_priority_kx_list:               Core TLS API.       (line 5383)
+-* gnutls_priority_mac_list:              Core TLS API.       (line 5399)
+-* gnutls_priority_protocol_list:         Core TLS API.       (line 5414)
+-* gnutls_priority_set:                   Core TLS API.       (line 5430)
+-* gnutls_priority_set_direct:            Core TLS API.       (line 5448)
+-* gnutls_priority_sign_list:             Core TLS API.       (line 5472)
+-* gnutls_priority_string_list:           Core TLS API.       (line 5488)
++* gnutls_priority_deinit:                Core TLS API.       (line 5236)
++* gnutls_priority_ecc_curve_list:        Core TLS API.       (line 5245)
++* gnutls_priority_get_cipher_suite_index: Core TLS API.      (line 5263)
++* gnutls_priority_group_list:            Core TLS API.       (line 5288)
++* gnutls_priority_init:                  Core TLS API.       (line 5303)
++* gnutls_priority_init2:                 Core TLS API.       (line 5331)
++* gnutls_priority_kx_list:               Core TLS API.       (line 5439)
++* gnutls_priority_mac_list:              Core TLS API.       (line 5455)
++* gnutls_priority_protocol_list:         Core TLS API.       (line 5470)
++* gnutls_priority_set:                   Core TLS API.       (line 5486)
++* gnutls_priority_set_direct:            Core TLS API.       (line 5504)
++* gnutls_priority_sign_list:             Core TLS API.       (line 5528)
++* gnutls_priority_string_list:           Core TLS API.       (line 5544)
+ * gnutls_privkey_decrypt_data:           Operations.         (line  144)
+ * gnutls_privkey_decrypt_data <1>:       Abstract key API.   (line  465)
+ * gnutls_privkey_decrypt_data2:          Abstract key API.   (line  488)
+@@ -8275,33 +8279,35 @@
+ * gnutls_privkey_status:                 Abstract key API.   (line 1705)
+ * gnutls_privkey_verify_params:          Abstract key API.   (line 1721)
+ * gnutls_privkey_verify_seed:            Abstract key API.   (line 1734)
+-* gnutls_protocol_get_id:                Core TLS API.       (line 5508)
+-* gnutls_protocol_get_name:              Core TLS API.       (line 5520)
+-* gnutls_protocol_get_version:           Core TLS API.       (line 5532)
+-* gnutls_protocol_list:                  Core TLS API.       (line 5543)
+-* gnutls_psk_allocate_client_credentials: Core TLS API.      (line 5555)
+-* gnutls_psk_allocate_server_credentials: Core TLS API.      (line 5567)
+-* gnutls_psk_client_get_hint:            Core TLS API.       (line 5579)
+-* gnutls_psk_free_client_credentials:    Core TLS API.       (line 5598)
+-* gnutls_psk_free_server_credentials:    Core TLS API.       (line 5607)
+-* gnutls_psk_server_get_username:        Core TLS API.       (line 5616)
+-* gnutls_psk_server_get_username2:       Core TLS API.       (line 5636)
+-* gnutls_psk_set_client_credentials:     Core TLS API.       (line 5657)
+-* gnutls_psk_set_client_credentials2:    Core TLS API.       (line 5683)
++* gnutls_protocol_get_id:                Core TLS API.       (line 5564)
++* gnutls_protocol_get_name:              Core TLS API.       (line 5576)
++* gnutls_protocol_get_version:           Core TLS API.       (line 5588)
++* gnutls_protocol_list:                  Core TLS API.       (line 5599)
++* gnutls_protocol_mark_disabled:         Core TLS API.       (line 5611)
++* gnutls_protocol_mark_enabled:          Core TLS API.       (line 5621)
++* gnutls_psk_allocate_client_credentials: Core TLS API.      (line 5632)
++* gnutls_psk_allocate_server_credentials: Core TLS API.      (line 5644)
++* gnutls_psk_client_get_hint:            Core TLS API.       (line 5656)
++* gnutls_psk_free_client_credentials:    Core TLS API.       (line 5675)
++* gnutls_psk_free_server_credentials:    Core TLS API.       (line 5684)
++* gnutls_psk_server_get_username:        Core TLS API.       (line 5693)
++* gnutls_psk_server_get_username2:       Core TLS API.       (line 5713)
++* gnutls_psk_set_client_credentials:     Core TLS API.       (line 5734)
++* gnutls_psk_set_client_credentials2:    Core TLS API.       (line 5760)
+ * gnutls_psk_set_client_credentials_function: PSK credentials.
+                                                              (line   22)
+ * gnutls_psk_set_client_credentials_function <1>: Core TLS API.
+-                                                             (line 5706)
+-* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5731)
+-* gnutls_psk_set_params_function:        Core TLS API.       (line 5760)
++                                                             (line 5783)
++* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5808)
++* gnutls_psk_set_params_function:        Core TLS API.       (line 5837)
+ * gnutls_psk_set_server_credentials_file: PSK credentials.   (line   59)
+-* gnutls_psk_set_server_credentials_file <1>: Core TLS API.  (line 5778)
+-* gnutls_psk_set_server_credentials_function: Core TLS API.  (line 5800)
+-* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5825)
+-* gnutls_psk_set_server_credentials_hint: Core TLS API.      (line 5854)
+-* gnutls_psk_set_server_dh_params:       Core TLS API.       (line 5873)
+-* gnutls_psk_set_server_known_dh_params: Core TLS API.       (line 5891)
+-* gnutls_psk_set_server_params_function: Core TLS API.       (line 5915)
++* gnutls_psk_set_server_credentials_file <1>: Core TLS API.  (line 5855)
++* gnutls_psk_set_server_credentials_function: Core TLS API.  (line 5877)
++* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5902)
++* gnutls_psk_set_server_credentials_hint: Core TLS API.      (line 5931)
++* gnutls_psk_set_server_dh_params:       Core TLS API.       (line 5950)
++* gnutls_psk_set_server_known_dh_params: Core TLS API.       (line 5968)
++* gnutls_psk_set_server_params_function: Core TLS API.       (line 5992)
+ * gnutls_pubkey_deinit:                  Abstract key API.   (line 1758)
+ * gnutls_pubkey_encrypt_data:            Operations.         (line   60)
+ * gnutls_pubkey_encrypt_data <1>:        Abstract key API.   (line 1768)
+@@ -8351,169 +8357,171 @@
+ * gnutls_pubkey_verify_hash2:            Operations.         (line   33)
+ * gnutls_pubkey_verify_hash2 <1>:        Abstract key API.   (line 2681)
+ * gnutls_pubkey_verify_params:           Abstract key API.   (line 2711)
+-* gnutls_random_art:                     Core TLS API.       (line 5933)
+-* gnutls_range_split:                    Core TLS API.       (line 5960)
+-* gnutls_reauth:                         Core TLS API.       (line 5986)
+-* gnutls_record_can_use_length_hiding:   Core TLS API.       (line 6032)
+-* gnutls_record_check_corked:            Core TLS API.       (line 6050)
++* gnutls_random_art:                     Core TLS API.       (line 6010)
++* gnutls_range_split:                    Core TLS API.       (line 6037)
++* gnutls_reauth:                         Core TLS API.       (line 6063)
++* gnutls_record_can_use_length_hiding:   Core TLS API.       (line 6109)
++* gnutls_record_check_corked:            Core TLS API.       (line 6127)
+ * gnutls_record_check_pending:           Data transfer and termination.
+                                                              (line  138)
+-* gnutls_record_check_pending <1>:       Core TLS API.       (line 6064)
++* gnutls_record_check_pending <1>:       Core TLS API.       (line 6141)
+ * gnutls_record_cork:                    Buffered data transfer.
+                                                              (line   12)
+-* gnutls_record_cork <1>:                Core TLS API.       (line 6077)
+-* gnutls_record_disable_padding:         Core TLS API.       (line 6091)
+-* gnutls_record_discard_queued:          Core TLS API.       (line 6106)
++* gnutls_record_cork <1>:                Core TLS API.       (line 6154)
++* gnutls_record_disable_padding:         Core TLS API.       (line 6168)
++* gnutls_record_discard_queued:          Core TLS API.       (line 6183)
+ * gnutls_record_get_direction:           Asynchronous operation.
+                                                              (line   65)
+-* gnutls_record_get_direction <1>:       Core TLS API.       (line 6125)
++* gnutls_record_get_direction <1>:       Core TLS API.       (line 6202)
+ * gnutls_record_get_discarded:           Datagram TLS API.   (line  209)
+-* gnutls_record_get_max_early_data_size: Core TLS API.       (line 6148)
+-* gnutls_record_get_max_size:            Core TLS API.       (line 6164)
+-* gnutls_record_get_state:               Core TLS API.       (line 6176)
+-* gnutls_record_overhead_size:           Core TLS API.       (line 6207)
++* gnutls_record_get_max_early_data_size: Core TLS API.       (line 6225)
++* gnutls_record_get_max_size:            Core TLS API.       (line 6241)
++* gnutls_record_get_state:               Core TLS API.       (line 6253)
++* gnutls_record_overhead_size:           Core TLS API.       (line 6284)
+ * gnutls_record_recv:                    Data transfer and termination.
+                                                              (line   53)
+-* gnutls_record_recv <1>:                Core TLS API.       (line 6220)
+-* gnutls_record_recv_early_data:         Core TLS API.       (line 6252)
+-* gnutls_record_recv_packet:             Core TLS API.       (line 6280)
++* gnutls_record_recv <1>:                Core TLS API.       (line 6297)
++* gnutls_record_recv_early_data:         Core TLS API.       (line 6329)
++* gnutls_record_recv_packet:             Core TLS API.       (line 6357)
+ * gnutls_record_recv_seq:                Data transfer and termination.
+                                                              (line  108)
+-* gnutls_record_recv_seq <1>:            Core TLS API.       (line 6304)
++* gnutls_record_recv_seq <1>:            Core TLS API.       (line 6381)
+ * gnutls_record_send:                    Data transfer and termination.
+                                                              (line   12)
+-* gnutls_record_send <1>:                Core TLS API.       (line 6331)
++* gnutls_record_send <1>:                Core TLS API.       (line 6408)
+ * gnutls_record_send2:                   On Record Padding.  (line   23)
+-* gnutls_record_send2 <1>:               Core TLS API.       (line 6375)
+-* gnutls_record_send_early_data:         Core TLS API.       (line 6408)
+-* gnutls_record_send_range:              Core TLS API.       (line 6436)
+-* gnutls_record_set_max_early_data_size: Core TLS API.       (line 6465)
+-* gnutls_record_set_max_recv_size:       Core TLS API.       (line 6484)
+-* gnutls_record_set_max_size:            Core TLS API.       (line 6506)
+-* gnutls_record_set_state:               Core TLS API.       (line 6535)
+-* gnutls_record_set_timeout:             Core TLS API.       (line 6556)
++* gnutls_record_send2 <1>:               Core TLS API.       (line 6452)
++* gnutls_record_send_early_data:         Core TLS API.       (line 6485)
++* gnutls_record_send_range:              Core TLS API.       (line 6513)
++* gnutls_record_set_max_early_data_size: Core TLS API.       (line 6542)
++* gnutls_record_set_max_recv_size:       Core TLS API.       (line 6561)
++* gnutls_record_set_max_size:            Core TLS API.       (line 6583)
++* gnutls_record_set_state:               Core TLS API.       (line 6612)
++* gnutls_record_set_timeout:             Core TLS API.       (line 6633)
+ * gnutls_record_uncork:                  Buffered data transfer.
+                                                              (line   23)
+-* gnutls_record_uncork <1>:              Core TLS API.       (line 6575)
++* gnutls_record_uncork <1>:              Core TLS API.       (line 6652)
+ * gnutls_register_custom_url:            Application-specific keys.
+                                                              (line   69)
+ * gnutls_register_custom_url <1>:        Abstract key API.   (line 2724)
+ * gnutls_rehandshake:                    TLS 1.2 re-authentication.
+                                                              (line   70)
+-* gnutls_rehandshake <1>:                Core TLS API.       (line 6600)
++* gnutls_rehandshake <1>:                Core TLS API.       (line 6677)
+ * gnutls_rnd:                            Random number generation.
+                                                              (line   21)
+ * gnutls_rnd <1>:                        Cryptographic API.  (line 1108)
+ * gnutls_rnd_refresh:                    Cryptographic API.  (line 1130)
+ * gnutls_safe_renegotiation_status:      TLS 1.2 re-authentication.
+                                                              (line   44)
+-* gnutls_safe_renegotiation_status <1>:  Core TLS API.       (line 6640)
+-* gnutls_sec_param_get_name:             Core TLS API.       (line 6655)
++* gnutls_safe_renegotiation_status <1>:  Core TLS API.       (line 6717)
++* gnutls_sec_param_get_name:             Core TLS API.       (line 6732)
+ * gnutls_sec_param_to_pk_bits:           Selecting cryptographic key sizes.
+                                                              (line   75)
+-* gnutls_sec_param_to_pk_bits <1>:       Core TLS API.       (line 6669)
+-* gnutls_sec_param_to_symmetric_bits:    Core TLS API.       (line 6688)
+-* gnutls_server_name_get:                Core TLS API.       (line 6702)
+-* gnutls_server_name_set:                Core TLS API.       (line 6741)
+-* gnutls_session_channel_binding:        Core TLS API.       (line 6772)
+-* gnutls_session_enable_compatibility_mode: Core TLS API.    (line 6793)
+-* gnutls_session_etm_status:             Core TLS API.       (line 6813)
+-* gnutls_session_ext_master_secret_status: Core TLS API.     (line 6826)
+-* gnutls_session_ext_register:           Core TLS API.       (line 6840)
+-* gnutls_session_force_valid:            Core TLS API.       (line 6896)
+-* gnutls_session_get_data:               Core TLS API.       (line 6907)
+-* gnutls_session_get_data2:              Core TLS API.       (line 6927)
+-* gnutls_session_get_desc:               Core TLS API.       (line 6975)
+-* gnutls_session_get_flags:              Core TLS API.       (line 6992)
+-* gnutls_session_get_id:                 Core TLS API.       (line 7011)
++* gnutls_sec_param_to_pk_bits <1>:       Core TLS API.       (line 6746)
++* gnutls_sec_param_to_symmetric_bits:    Core TLS API.       (line 6765)
++* gnutls_server_name_get:                Core TLS API.       (line 6779)
++* gnutls_server_name_set:                Core TLS API.       (line 6818)
++* gnutls_session_channel_binding:        Core TLS API.       (line 6849)
++* gnutls_session_enable_compatibility_mode: Core TLS API.    (line 6870)
++* gnutls_session_etm_status:             Core TLS API.       (line 6890)
++* gnutls_session_ext_master_secret_status: Core TLS API.     (line 6903)
++* gnutls_session_ext_register:           Core TLS API.       (line 6917)
++* gnutls_session_force_valid:            Core TLS API.       (line 6973)
++* gnutls_session_get_data:               Core TLS API.       (line 6984)
++* gnutls_session_get_data2:              Core TLS API.       (line 7004)
++* gnutls_session_get_desc:               Core TLS API.       (line 7052)
++* gnutls_session_get_flags:              Core TLS API.       (line 7069)
++* gnutls_session_get_id:                 Core TLS API.       (line 7088)
+ * gnutls_session_get_id2:                Session resumption. (line   49)
+-* gnutls_session_get_id2 <1>:            Core TLS API.       (line 7045)
+-* gnutls_session_get_keylog_function:    Core TLS API.       (line 7078)
+-* gnutls_session_get_master_secret:      Core TLS API.       (line 7092)
+-* gnutls_session_get_ptr:                Core TLS API.       (line 7108)
+-* gnutls_session_get_random:             Core TLS API.       (line 7120)
+-* gnutls_session_get_verify_cert_status: Core TLS API.       (line 7140)
++* gnutls_session_get_id2 <1>:            Core TLS API.       (line 7122)
++* gnutls_session_get_keylog_function:    Core TLS API.       (line 7155)
++* gnutls_session_get_master_secret:      Core TLS API.       (line 7169)
++* gnutls_session_get_ptr:                Core TLS API.       (line 7185)
++* gnutls_session_get_random:             Core TLS API.       (line 7197)
++* gnutls_session_get_verify_cert_status: Core TLS API.       (line 7217)
+ * gnutls_session_is_resumed:             Session resumption. (line   40)
+-* gnutls_session_is_resumed <1>:         Core TLS API.       (line 7160)
+-* gnutls_session_key_update:             Core TLS API.       (line 7172)
++* gnutls_session_is_resumed <1>:         Core TLS API.       (line 7237)
++* gnutls_session_key_update:             Core TLS API.       (line 7249)
+ * gnutls_session_resumption_requested:   Session resumption. (line  150)
+-* gnutls_session_resumption_requested <1>: Core TLS API.     (line 7199)
+-* gnutls_session_set_data:               Core TLS API.       (line 7212)
+-* gnutls_session_set_id:                 Core TLS API.       (line 7235)
+-* gnutls_session_set_keylog_function:    Core TLS API.       (line 7256)
+-* gnutls_session_set_premaster:          Core TLS API.       (line 7270)
+-* gnutls_session_set_ptr:                Core TLS API.       (line 7305)
++* gnutls_session_resumption_requested <1>: Core TLS API.     (line 7276)
++* gnutls_session_set_data:               Core TLS API.       (line 7289)
++* gnutls_session_set_id:                 Core TLS API.       (line 7312)
++* gnutls_session_set_keylog_function:    Core TLS API.       (line 7333)
++* gnutls_session_set_premaster:          Core TLS API.       (line 7347)
++* gnutls_session_set_ptr:                Core TLS API.       (line 7382)
+ * gnutls_session_set_verify_cert:        Certificate credentials.
+                                                              (line  267)
+-* gnutls_session_set_verify_cert <1>:    Core TLS API.       (line 7318)
+-* gnutls_session_set_verify_cert2:       Core TLS API.       (line 7351)
+-* gnutls_session_set_verify_function:    Core TLS API.       (line 7383)
++* gnutls_session_set_verify_cert <1>:    Core TLS API.       (line 7395)
++* gnutls_session_set_verify_cert2:       Core TLS API.       (line 7428)
++* gnutls_session_set_verify_function:    Core TLS API.       (line 7460)
+ * gnutls_session_set_verify_output_function: X509 certificate API.
+                                                              (line  152)
+-* gnutls_session_supplemental_register:  Core TLS API.       (line 7412)
+-* gnutls_session_ticket_enable_client:   Core TLS API.       (line 7448)
++* gnutls_session_supplemental_register:  Core TLS API.       (line 7489)
++* gnutls_session_ticket_enable_client:   Core TLS API.       (line 7525)
+ * gnutls_session_ticket_enable_server:   Session resumption. (line  117)
+-* gnutls_session_ticket_enable_server <1>: Core TLS API.     (line 7464)
++* gnutls_session_ticket_enable_server <1>: Core TLS API.     (line 7541)
+ * gnutls_session_ticket_key_generate:    Session resumption. (line  137)
+-* gnutls_session_ticket_key_generate <1>: Core TLS API.      (line 7487)
++* gnutls_session_ticket_key_generate <1>: Core TLS API.      (line 7564)
+ * gnutls_session_ticket_send:            Session resumption. (line  170)
+-* gnutls_session_ticket_send <1>:        Core TLS API.       (line 7503)
+-* gnutls_set_default_priority:           Core TLS API.       (line 7521)
+-* gnutls_set_default_priority_append:    Core TLS API.       (line 7547)
+-* gnutls_sign_algorithm_get:             Core TLS API.       (line 7583)
+-* gnutls_sign_algorithm_get_client:      Core TLS API.       (line 7597)
+-* gnutls_sign_algorithm_get_requested:   Core TLS API.       (line 7612)
+-* gnutls_sign_get_hash_algorithm:        Core TLS API.       (line 7639)
+-* gnutls_sign_get_id:                    Core TLS API.       (line 7654)
+-* gnutls_sign_get_name:                  Core TLS API.       (line 7666)
+-* gnutls_sign_get_oid:                   Core TLS API.       (line 7678)
+-* gnutls_sign_get_pk_algorithm:          Core TLS API.       (line 7692)
+-* gnutls_sign_is_secure:                 Core TLS API.       (line 7710)
+-* gnutls_sign_is_secure2:                Core TLS API.       (line 7720)
+-* gnutls_sign_list:                      Core TLS API.       (line 7732)
+-* gnutls_sign_supports_pk_algorithm:     Core TLS API.       (line 7743)
+-* gnutls_srp_allocate_client_credentials: Core TLS API.      (line 7761)
+-* gnutls_srp_allocate_server_credentials: Core TLS API.      (line 7773)
+-* gnutls_srp_base64_decode:              Core TLS API.       (line 7785)
+-* gnutls_srp_base64_decode2:             Core TLS API.       (line 7807)
+-* gnutls_srp_base64_encode:              Core TLS API.       (line 7827)
+-* gnutls_srp_base64_encode2:             Core TLS API.       (line 7849)
+-* gnutls_srp_free_client_credentials:    Core TLS API.       (line 7870)
+-* gnutls_srp_free_server_credentials:    Core TLS API.       (line 7879)
+-* gnutls_srp_server_get_username:        Core TLS API.       (line 7888)
+-* gnutls_srp_set_client_credentials:     Core TLS API.       (line 7901)
++* gnutls_session_ticket_send <1>:        Core TLS API.       (line 7580)
++* gnutls_set_default_priority:           Core TLS API.       (line 7598)
++* gnutls_set_default_priority_append:    Core TLS API.       (line 7624)
++* gnutls_sign_algorithm_get:             Core TLS API.       (line 7660)
++* gnutls_sign_algorithm_get_client:      Core TLS API.       (line 7674)
++* gnutls_sign_algorithm_get_requested:   Core TLS API.       (line 7689)
++* gnutls_sign_get_hash_algorithm:        Core TLS API.       (line 7716)
++* gnutls_sign_get_id:                    Core TLS API.       (line 7731)
++* gnutls_sign_get_name:                  Core TLS API.       (line 7743)
++* gnutls_sign_get_oid:                   Core TLS API.       (line 7755)
++* gnutls_sign_get_pk_algorithm:          Core TLS API.       (line 7769)
++* gnutls_sign_is_secure:                 Core TLS API.       (line 7787)
++* gnutls_sign_is_secure2:                Core TLS API.       (line 7797)
++* gnutls_sign_list:                      Core TLS API.       (line 7809)
++* gnutls_sign_mark_insecure:             Core TLS API.       (line 7820)
++* gnutls_sign_mark_secure:               Core TLS API.       (line 7838)
++* gnutls_sign_supports_pk_algorithm:     Core TLS API.       (line 7859)
++* gnutls_srp_allocate_client_credentials: Core TLS API.      (line 7877)
++* gnutls_srp_allocate_server_credentials: Core TLS API.      (line 7889)
++* gnutls_srp_base64_decode:              Core TLS API.       (line 7901)
++* gnutls_srp_base64_decode2:             Core TLS API.       (line 7923)
++* gnutls_srp_base64_encode:              Core TLS API.       (line 7943)
++* gnutls_srp_base64_encode2:             Core TLS API.       (line 7965)
++* gnutls_srp_free_client_credentials:    Core TLS API.       (line 7986)
++* gnutls_srp_free_server_credentials:    Core TLS API.       (line 7995)
++* gnutls_srp_server_get_username:        Core TLS API.       (line 8004)
++* gnutls_srp_set_client_credentials:     Core TLS API.       (line 8017)
+ * gnutls_srp_set_client_credentials_function: SRP credentials.
+                                                              (line   19)
+ * gnutls_srp_set_client_credentials_function <1>: Core TLS API.
+-                                                             (line 7924)
+-* gnutls_srp_set_prime_bits:             Core TLS API.       (line 7957)
++                                                             (line 8040)
++* gnutls_srp_set_prime_bits:             Core TLS API.       (line 8073)
+ * gnutls_srp_set_server_credentials_file: SRP credentials.   (line   56)
+-* gnutls_srp_set_server_credentials_file <1>: Core TLS API.  (line 7978)
++* gnutls_srp_set_server_credentials_file <1>: Core TLS API.  (line 8094)
+ * gnutls_srp_set_server_credentials_function: SRP credentials.
+                                                              (line   72)
+ * gnutls_srp_set_server_credentials_function <1>: Core TLS API.
+-                                                             (line 7997)
+-* gnutls_srp_set_server_fake_salt_seed:  Core TLS API.       (line 8035)
++                                                             (line 8113)
++* gnutls_srp_set_server_fake_salt_seed:  Core TLS API.       (line 8151)
+ * gnutls_srp_verifier:                   Authentication using SRP.
+                                                              (line   45)
+-* gnutls_srp_verifier <1>:               Core TLS API.       (line 8072)
++* gnutls_srp_verifier <1>:               Core TLS API.       (line 8188)
+ * gnutls_srtp_get_keys:                  SRTP.               (line   31)
+-* gnutls_srtp_get_keys <1>:              Core TLS API.       (line 8101)
+-* gnutls_srtp_get_mki:                   Core TLS API.       (line 8139)
+-* gnutls_srtp_get_profile_id:            Core TLS API.       (line 8157)
+-* gnutls_srtp_get_profile_name:          Core TLS API.       (line 8173)
+-* gnutls_srtp_get_selected_profile:      Core TLS API.       (line 8188)
+-* gnutls_srtp_set_mki:                   Core TLS API.       (line 8204)
+-* gnutls_srtp_set_profile:               Core TLS API.       (line 8221)
+-* gnutls_srtp_set_profile_direct:        Core TLS API.       (line 8238)
++* gnutls_srtp_get_keys <1>:              Core TLS API.       (line 8217)
++* gnutls_srtp_get_mki:                   Core TLS API.       (line 8255)
++* gnutls_srtp_get_profile_id:            Core TLS API.       (line 8273)
++* gnutls_srtp_get_profile_name:          Core TLS API.       (line 8289)
++* gnutls_srtp_get_selected_profile:      Core TLS API.       (line 8304)
++* gnutls_srtp_set_mki:                   Core TLS API.       (line 8320)
++* gnutls_srtp_set_profile:               Core TLS API.       (line 8337)
++* gnutls_srtp_set_profile_direct:        Core TLS API.       (line 8354)
+ * gnutls_store_commitment:               Certificate verification.
+                                                              (line  115)
+-* gnutls_store_commitment <1>:           Core TLS API.       (line 8259)
++* gnutls_store_commitment <1>:           Core TLS API.       (line 8375)
+ * gnutls_store_pubkey:                   Certificate verification.
+                                                              (line   64)
+-* gnutls_store_pubkey <1>:               Core TLS API.       (line 8299)
+-* gnutls_strerror:                       Core TLS API.       (line 8348)
+-* gnutls_strerror_name:                  Core TLS API.       (line 8362)
++* gnutls_store_pubkey <1>:               Core TLS API.       (line 8415)
++* gnutls_strerror:                       Core TLS API.       (line 8464)
++* gnutls_strerror_name:                  Core TLS API.       (line 8478)
+ * gnutls_subject_alt_names_deinit:       X509 certificate API.
+                                                              (line  181)
+ * gnutls_subject_alt_names_get:          X509 certificate API.
+@@ -8522,22 +8530,22 @@
+                                                              (line  221)
+ * gnutls_subject_alt_names_set:          X509 certificate API.
+                                                              (line  235)
+-* gnutls_supplemental_get_name:          Core TLS API.       (line 8377)
+-* gnutls_supplemental_recv:              Core TLS API.       (line 8390)
+-* gnutls_supplemental_register:          Core TLS API.       (line 8405)
+-* gnutls_supplemental_send:              Core TLS API.       (line 8436)
++* gnutls_supplemental_get_name:          Core TLS API.       (line 8493)
++* gnutls_supplemental_recv:              Core TLS API.       (line 8506)
++* gnutls_supplemental_register:          Core TLS API.       (line 8521)
++* gnutls_supplemental_send:              Core TLS API.       (line 8552)
+ * gnutls_system_key_add_x509:            Abstract key API.   (line 2750)
+ * gnutls_system_key_delete:              Abstract key API.   (line 2776)
+ * gnutls_system_key_iter_deinit:         Abstract key API.   (line 2792)
+ * gnutls_system_key_iter_get_info:       Application-specific keys.
+                                                              (line   20)
+ * gnutls_system_key_iter_get_info <1>:   Abstract key API.   (line 2803)
+-* gnutls_system_recv_timeout:            Core TLS API.       (line 8450)
+-* gnutls_tdb_deinit:                     Core TLS API.       (line 8473)
+-* gnutls_tdb_init:                       Core TLS API.       (line 8482)
+-* gnutls_tdb_set_store_commitment_func:  Core TLS API.       (line 8493)
+-* gnutls_tdb_set_store_func:             Core TLS API.       (line 8513)
+-* gnutls_tdb_set_verify_func:            Core TLS API.       (line 8532)
++* gnutls_system_recv_timeout:            Core TLS API.       (line 8566)
++* gnutls_tdb_deinit:                     Core TLS API.       (line 8589)
++* gnutls_tdb_init:                       Core TLS API.       (line 8598)
++* gnutls_tdb_set_store_commitment_func:  Core TLS API.       (line 8609)
++* gnutls_tdb_set_store_func:             Core TLS API.       (line 8629)
++* gnutls_tdb_set_verify_func:            Core TLS API.       (line 8648)
+ * gnutls_tpm_get_registered:             TPM API.            (line   12)
+ * gnutls_tpm_key_list_deinit:            TPM API.            (line   27)
+ * gnutls_tpm_key_list_get_url:           TPM API.            (line   38)
+@@ -8546,44 +8554,44 @@
+ * gnutls_tpm_privkey_delete <2>:         TPM API.            (line   60)
+ * gnutls_tpm_privkey_generate:           Key generation.     (line    9)
+ * gnutls_tpm_privkey_generate <1>:       TPM API.            (line   76)
+-* gnutls_transport_get_int:              Core TLS API.       (line 8554)
+-* gnutls_transport_get_int2:             Core TLS API.       (line 8568)
+-* gnutls_transport_get_ptr:              Core TLS API.       (line 8585)
+-* gnutls_transport_get_ptr2:             Core TLS API.       (line 8598)
++* gnutls_transport_get_int:              Core TLS API.       (line 8670)
++* gnutls_transport_get_int2:             Core TLS API.       (line 8684)
++* gnutls_transport_get_ptr:              Core TLS API.       (line 8701)
++* gnutls_transport_get_ptr2:             Core TLS API.       (line 8714)
+ * gnutls_transport_set_errno:            Setting up the transport layer.
+                                                              (line  116)
+-* gnutls_transport_set_errno <1>:        Core TLS API.       (line 8614)
+-* gnutls_transport_set_errno_function:   Core TLS API.       (line 8637)
++* gnutls_transport_set_errno <1>:        Core TLS API.       (line 8730)
++* gnutls_transport_set_errno_function:   Core TLS API.       (line 8753)
+ * gnutls_transport_set_fastopen:         Reducing round-trips.
+                                                              (line   22)
+ * gnutls_transport_set_fastopen <1>:     Socket specific API.
+                                                              (line   11)
+-* gnutls_transport_set_int:              Core TLS API.       (line 8655)
+-* gnutls_transport_set_int2:             Core TLS API.       (line 8673)
+-* gnutls_transport_set_ptr:              Core TLS API.       (line 8695)
+-* gnutls_transport_set_ptr2:             Core TLS API.       (line 8708)
++* gnutls_transport_set_int:              Core TLS API.       (line 8771)
++* gnutls_transport_set_int2:             Core TLS API.       (line 8789)
++* gnutls_transport_set_ptr:              Core TLS API.       (line 8811)
++* gnutls_transport_set_ptr2:             Core TLS API.       (line 8824)
+ * gnutls_transport_set_pull_function:    Setting up the transport layer.
+                                                              (line   56)
+-* gnutls_transport_set_pull_function <1>: Core TLS API.      (line 8725)
++* gnutls_transport_set_pull_function <1>: Core TLS API.      (line 8841)
+ * gnutls_transport_set_pull_timeout_function: Setting up the transport layer.
+                                                              (line   71)
+ * gnutls_transport_set_pull_timeout_function <1>: Setting up the transport layer.
+                                                              (line  156)
+ * gnutls_transport_set_pull_timeout_function <2>: Core TLS API.
+-                                                             (line 8743)
++                                                             (line 8859)
+ * gnutls_transport_set_push_function:    Setting up the transport layer.
+                                                              (line   23)
+-* gnutls_transport_set_push_function <1>: Core TLS API.      (line 8783)
++* gnutls_transport_set_push_function <1>: Core TLS API.      (line 8899)
+ * gnutls_transport_set_vec_push_function: Setting up the transport layer.
+                                                              (line   40)
+-* gnutls_transport_set_vec_push_function <1>: Core TLS API.  (line 8803)
++* gnutls_transport_set_vec_push_function <1>: Core TLS API.  (line 8919)
+ * gnutls_url_is_supported:               Abstract public keys.
+                                                              (line   57)
+-* gnutls_url_is_supported <1>:           Core TLS API.       (line 8822)
+-* gnutls_utf8_password_normalize:        Core TLS API.       (line 8836)
++* gnutls_url_is_supported <1>:           Core TLS API.       (line 8938)
++* gnutls_utf8_password_normalize:        Core TLS API.       (line 8952)
+ * gnutls_verify_stored_pubkey:           Certificate verification.
+                                                              (line   18)
+-* gnutls_verify_stored_pubkey <1>:       Core TLS API.       (line 8861)
++* gnutls_verify_stored_pubkey <1>:       Core TLS API.       (line 8977)
+ * gnutls_x509_aia_deinit:                X509 certificate API.
+                                                              (line  262)
+ * gnutls_x509_aia_get:                   X509 certificate API.
+diff -ruN gnutls-3.7.2/doc/invoke-p11tool.texi gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi
+--- gnutls-3.7.2/doc/invoke-p11tool.texi	2021-05-29 10:19:05.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi	2021-06-28 09:39:25.000000000 +0200
+@@ -403,8 +403,9 @@
+ @anchor{p11tool write}
+ 
+ This is the ``writes the loaded objects to a pkcs #11 token'' option.
+-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
+-    one of --load-privkey, --load-pubkey, --load-certificate option.
++It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.
++
++When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
+ @subsubheading id option.
+ @anchor{p11tool id}
+ 
+diff -ruN gnutls-3.7.2/doc/Makefile.am gnutls-3.7.2-bootstrapped/doc/Makefile.am
+--- gnutls-3.7.2/doc/Makefile.am	2021-05-27 08:08:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/Makefile.am	2021-06-28 09:09:14.000000000 +0200
+@@ -974,6 +974,10 @@
+ FUNCS += functions/gnutls_digest_get_oid.short
+ FUNCS += functions/gnutls_digest_list
+ FUNCS += functions/gnutls_digest_list.short
++FUNCS += functions/gnutls_digest_mark_insecure
++FUNCS += functions/gnutls_digest_mark_insecure.short
++FUNCS += functions/gnutls_digest_mark_secure
++FUNCS += functions/gnutls_digest_mark_secure.short
+ FUNCS += functions/gnutls_dtls_cookie_send
+ FUNCS += functions/gnutls_dtls_cookie_send.short
+ FUNCS += functions/gnutls_dtls_cookie_verify
+@@ -1010,6 +1014,10 @@
+ FUNCS += functions/gnutls_ecc_curve_get_size.short
+ FUNCS += functions/gnutls_ecc_curve_list
+ FUNCS += functions/gnutls_ecc_curve_list.short
++FUNCS += functions/gnutls_ecc_curve_mark_disabled
++FUNCS += functions/gnutls_ecc_curve_mark_disabled.short
++FUNCS += functions/gnutls_ecc_curve_mark_enabled
++FUNCS += functions/gnutls_ecc_curve_mark_enabled.short
+ FUNCS += functions/gnutls_encode_ber_digest_info
+ FUNCS += functions/gnutls_encode_ber_digest_info.short
+ FUNCS += functions/gnutls_encode_gost_rs_value
+@@ -1730,6 +1738,10 @@
+ FUNCS += functions/gnutls_protocol_get_version.short
+ FUNCS += functions/gnutls_protocol_list
+ FUNCS += functions/gnutls_protocol_list.short
++FUNCS += functions/gnutls_protocol_mark_disabled
++FUNCS += functions/gnutls_protocol_mark_disabled.short
++FUNCS += functions/gnutls_protocol_mark_enabled
++FUNCS += functions/gnutls_protocol_mark_enabled.short
+ FUNCS += functions/gnutls_psk_allocate_client_credentials
+ FUNCS += functions/gnutls_psk_allocate_client_credentials.short
+ FUNCS += functions/gnutls_psk_allocate_server_credentials
+@@ -2024,6 +2036,10 @@
+ FUNCS += functions/gnutls_sign_is_secure2.short
+ FUNCS += functions/gnutls_sign_list
+ FUNCS += functions/gnutls_sign_list.short
++FUNCS += functions/gnutls_sign_mark_insecure
++FUNCS += functions/gnutls_sign_mark_insecure.short
++FUNCS += functions/gnutls_sign_mark_secure
++FUNCS += functions/gnutls_sign_mark_secure.short
+ FUNCS += functions/gnutls_sign_supports_pk_algorithm
+ FUNCS += functions/gnutls_sign_supports_pk_algorithm.short
+ FUNCS += functions/gnutls_srp_allocate_client_credentials
+diff -ruN gnutls-3.7.2/doc/Makefile.in gnutls-3.7.2-bootstrapped/doc/Makefile.in
+--- gnutls-3.7.2/doc/Makefile.in	2021-05-29 10:11:20.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/Makefile.in	2021-06-28 09:11:37.000000000 +0200
+@@ -2697,6 +2697,10 @@
+ 	functions/gnutls_digest_get_oid.short \
+ 	functions/gnutls_digest_list \
+ 	functions/gnutls_digest_list.short \
++	functions/gnutls_digest_mark_insecure \
++	functions/gnutls_digest_mark_insecure.short \
++	functions/gnutls_digest_mark_secure \
++	functions/gnutls_digest_mark_secure.short \
+ 	functions/gnutls_dtls_cookie_send \
+ 	functions/gnutls_dtls_cookie_send.short \
+ 	functions/gnutls_dtls_cookie_verify \
+@@ -2733,6 +2737,10 @@
+ 	functions/gnutls_ecc_curve_get_size.short \
+ 	functions/gnutls_ecc_curve_list \
+ 	functions/gnutls_ecc_curve_list.short \
++	functions/gnutls_ecc_curve_mark_disabled \
++	functions/gnutls_ecc_curve_mark_disabled.short \
++	functions/gnutls_ecc_curve_mark_enabled \
++	functions/gnutls_ecc_curve_mark_enabled.short \
+ 	functions/gnutls_encode_ber_digest_info \
+ 	functions/gnutls_encode_ber_digest_info.short \
+ 	functions/gnutls_encode_gost_rs_value \
+@@ -3403,6 +3411,10 @@
+ 	functions/gnutls_protocol_get_version.short \
+ 	functions/gnutls_protocol_list \
+ 	functions/gnutls_protocol_list.short \
++	functions/gnutls_protocol_mark_disabled \
++	functions/gnutls_protocol_mark_disabled.short \
++	functions/gnutls_protocol_mark_enabled \
++	functions/gnutls_protocol_mark_enabled.short \
+ 	functions/gnutls_psk_allocate_client_credentials \
+ 	functions/gnutls_psk_allocate_client_credentials.short \
+ 	functions/gnutls_psk_allocate_server_credentials \
+@@ -3692,6 +3704,10 @@
+ 	functions/gnutls_sign_is_secure2 \
+ 	functions/gnutls_sign_is_secure2.short \
+ 	functions/gnutls_sign_list functions/gnutls_sign_list.short \
++	functions/gnutls_sign_mark_insecure \
++	functions/gnutls_sign_mark_insecure.short \
++	functions/gnutls_sign_mark_secure \
++	functions/gnutls_sign_mark_secure.short \
+ 	functions/gnutls_sign_supports_pk_algorithm \
+ 	functions/gnutls_sign_supports_pk_algorithm.short \
+ 	functions/gnutls_srp_allocate_client_credentials \
+diff -ruN gnutls-3.7.2/doc/manpages/certtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1
+--- gnutls-3.7.2/doc/manpages/certtool.1	2021-05-29 10:15:21.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1	2021-06-28 09:35:22.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH certtool 1 "29 May 2021" "3.7.2" "User Commands"
++.TH certtool 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+diff -ruN gnutls-3.7.2/doc/manpages/danetool.1 gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1
+--- gnutls-3.7.2/doc/manpages/danetool.1	2021-05-29 10:15:24.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1	2021-06-28 09:35:24.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH danetool 1 "29 May 2021" "3.7.2" "User Commands"
++.TH danetool 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1
+--- gnutls-3.7.2/doc/manpages/gnutls-cli.1	2021-05-29 10:15:21.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1	2021-06-28 09:35:22.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH gnutls-cli 1 "29 May 2021" "3.7.2" "User Commands"
++.TH gnutls-cli 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1
+--- gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1	2021-05-29 10:15:21.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1	2021-06-28 09:35:22.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH gnutls-cli-debug 1 "29 May 2021" "3.7.2" "User Commands"
++.TH gnutls-cli-debug 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3
+--- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3	2021-06-28 09:35:39.000000000 +0200
+@@ -0,0 +1,36 @@
++.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
++.TH "gnutls_digest_mark_insecure" 3 "3.7.2" "gnutls" "gnutls"
++.SH NAME
++gnutls_digest_mark_insecure \- API function
++.SH SYNOPSIS
++.B #include <gnutls/gnutls.h>
++.sp
++.BI "int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t " dig ");"
++.SH ARGUMENTS
++.IP "gnutls_digest_algorithm_t dig" 12
++is a digest algorithm
++.SH "DESCRIPTION"
++Mark  \fIdig\fP as insecure system wide. This only works if the allowlisting mode
++is used in the configuration file.
++.SH "SINCE"
++3.7.3
++.SH "REPORTING BUGS"
++Report bugs to <bugs@gnutls.org>.
++.br
++Home page: https://www.gnutls.org
++
++.SH COPYRIGHT
++Copyright \(co 2001- Free Software Foundation, Inc., and others.
++.br
++Copying and distribution of this file, with or without modification,
++are permitted in any medium without royalty provided the copyright
++notice and this notice are preserved.
++.SH "SEE ALSO"
++The full documentation for
++.B gnutls
++is maintained as a Texinfo manual.
++If the /usr/share/doc/gnutls/
++directory does not contain the HTML form visit
++.B
++.IP https://www.gnutls.org/manual/
++.PP
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3
+--- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3	2021-06-28 09:35:39.000000000 +0200
+@@ -0,0 +1,36 @@
++.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
++.TH "gnutls_digest_mark_secure" 3 "3.7.2" "gnutls" "gnutls"
++.SH NAME
++gnutls_digest_mark_secure \- API function
++.SH SYNOPSIS
++.B #include <gnutls/gnutls.h>
++.sp
++.BI "int gnutls_digest_mark_secure(gnutls_digest_algorithm_t " dig ");"
++.SH ARGUMENTS
++.IP "gnutls_digest_algorithm_t dig" 12
++is a digest algorithm
++.SH "DESCRIPTION"
++Invalidate previous system wide setting that marked  \fIdig\fP as insecure. This
++only works if the allowlisting mode is used in the configuration file.
++.SH "SINCE"
++3.7.3
++.SH "REPORTING BUGS"
++Report bugs to <bugs@gnutls.org>.
++.br
++Home page: https://www.gnutls.org
++
++.SH COPYRIGHT
++Copyright \(co 2001- Free Software Foundation, Inc., and others.
++.br
++Copying and distribution of this file, with or without modification,
++are permitted in any medium without royalty provided the copyright
++notice and this notice are preserved.
++.SH "SEE ALSO"
++The full documentation for
++.B gnutls
++is maintained as a Texinfo manual.
++If the /usr/share/doc/gnutls/
++directory does not contain the HTML form visit
++.B
++.IP https://www.gnutls.org/manual/
++.PP
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3
+--- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3	2021-06-28 09:35:38.000000000 +0200
+@@ -0,0 +1,39 @@
++.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
++.TH "gnutls_ecc_curve_mark_disabled" 3 "3.7.2" "gnutls" "gnutls"
++.SH NAME
++gnutls_ecc_curve_mark_disabled \- API function
++.SH SYNOPSIS
++.B #include <gnutls/gnutls.h>
++.sp
++.BI "int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t " curve ");"
++.SH ARGUMENTS
++.IP "gnutls_ecc_curve_t curve" 12
++is an ECC curve
++.SH "DESCRIPTION"
++Mark  \fIcurve\fP as disabled system wide. This setting can be reverted with
++\fBgnutls_ecc_curve_mark_enabled()\fP. This only works if the configuration file
++uses the allowlisting mode.
++.SH "RETURNS"
++0 on success or negative error code otherwise.
++.SH "SINCE"
++3.7.3
++.SH "REPORTING BUGS"
++Report bugs to <bugs@gnutls.org>.
++.br
++Home page: https://www.gnutls.org
++
++.SH COPYRIGHT
++Copyright \(co 2001- Free Software Foundation, Inc., and others.
++.br
++Copying and distribution of this file, with or without modification,
++are permitted in any medium without royalty provided the copyright
++notice and this notice are preserved.
++.SH "SEE ALSO"
++The full documentation for
++.B gnutls
++is maintained as a Texinfo manual.
++If the /usr/share/doc/gnutls/
++directory does not contain the HTML form visit
++.B
++.IP https://www.gnutls.org/manual/
++.PP
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3
+--- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3	2021-06-28 09:35:39.000000000 +0200
+@@ -0,0 +1,39 @@
++.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
++.TH "gnutls_ecc_curve_mark_enabled" 3 "3.7.2" "gnutls" "gnutls"
++.SH NAME
++gnutls_ecc_curve_mark_enabled \- API function
++.SH SYNOPSIS
++.B #include <gnutls/gnutls.h>
++.sp
++.BI "int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t " curve ");"
++.SH ARGUMENTS
++.IP "gnutls_ecc_curve_t curve" 12
++is an ECC curve
++.SH "DESCRIPTION"
++Invalidate previous system wide setting that marked  \fIcurve\fP as disabled. This
++only works if the curve is disabled with \fBgnutls_ecc_curve_mark_disabled()\fP or
++through the allowlisting mode in the configuration file.
++.SH "RETURNS"
++0 on success or negative error code otherwise.
++.SH "SINCE"
++3.7.3
++.SH "REPORTING BUGS"
++Report bugs to <bugs@gnutls.org>.
++.br
++Home page: https://www.gnutls.org
++
++.SH COPYRIGHT
++Copyright \(co 2001- Free Software Foundation, Inc., and others.
++.br
++Copying and distribution of this file, with or without modification,
++are permitted in any medium without royalty provided the copyright
++notice and this notice are preserved.
++.SH "SEE ALSO"
++The full documentation for
++.B gnutls
++is maintained as a Texinfo manual.
++If the /usr/share/doc/gnutls/
++directory does not contain the HTML form visit
++.B
++.IP https://www.gnutls.org/manual/
++.PP
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3
+--- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3	2021-06-28 09:35:39.000000000 +0200
+@@ -0,0 +1,34 @@
++.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
++.TH "gnutls_protocol_mark_disabled" 3 "3.7.2" "gnutls" "gnutls"
++.SH NAME
++gnutls_protocol_mark_disabled \- API function
++.SH SYNOPSIS
++.B #include <gnutls/gnutls.h>
++.sp
++.BI "int gnutls_protocol_mark_disabled(gnutls_protocol_t " version ");"
++.SH ARGUMENTS
++.IP "gnutls_protocol_t version" 12
++is a (gnutls) version number
++.SH "DESCRIPTION"
++Mark  \fIversion\fP as disabled system wide. This only works if the allowlisting
++mode is used in the configuration file.
++.SH "REPORTING BUGS"
++Report bugs to <bugs@gnutls.org>.
++.br
++Home page: https://www.gnutls.org
++
++.SH COPYRIGHT
++Copyright \(co 2001- Free Software Foundation, Inc., and others.
++.br
++Copying and distribution of this file, with or without modification,
++are permitted in any medium without royalty provided the copyright
++notice and this notice are preserved.
++.SH "SEE ALSO"
++The full documentation for
++.B gnutls
++is maintained as a Texinfo manual.
++If the /usr/share/doc/gnutls/
++directory does not contain the HTML form visit
++.B
++.IP https://www.gnutls.org/manual/
++.PP
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3
+--- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3	2021-06-28 09:35:40.000000000 +0200
+@@ -0,0 +1,35 @@
++.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
++.TH "gnutls_protocol_mark_enabled" 3 "3.7.2" "gnutls" "gnutls"
++.SH NAME
++gnutls_protocol_mark_enabled \- API function
++.SH SYNOPSIS
++.B #include <gnutls/gnutls.h>
++.sp
++.BI "int gnutls_protocol_mark_enabled(gnutls_protocol_t " version ");"
++.SH ARGUMENTS
++.IP "gnutls_protocol_t version" 12
++is a (gnutls) version number
++.SH "DESCRIPTION"
++Invalidate previous system wide setting that marked  \fIversion\fP as
++disabled. This only works if the allowlisting mode is used in the
++configuration file.
++.SH "REPORTING BUGS"
++Report bugs to <bugs@gnutls.org>.
++.br
++Home page: https://www.gnutls.org
++
++.SH COPYRIGHT
++Copyright \(co 2001- Free Software Foundation, Inc., and others.
++.br
++Copying and distribution of this file, with or without modification,
++are permitted in any medium without royalty provided the copyright
++notice and this notice are preserved.
++.SH "SEE ALSO"
++The full documentation for
++.B gnutls
++is maintained as a Texinfo manual.
++If the /usr/share/doc/gnutls/
++directory does not contain the HTML form visit
++.B
++.IP https://www.gnutls.org/manual/
++.PP
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls-serv.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1
+--- gnutls-3.7.2/doc/manpages/gnutls-serv.1	2021-05-29 10:15:21.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1	2021-06-28 09:35:22.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH gnutls-serv 1 "29 May 2021" "3.7.2" "User Commands"
++.TH gnutls-serv 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3
+--- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3	2021-06-28 09:35:39.000000000 +0200
+@@ -0,0 +1,42 @@
++.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
++.TH "gnutls_sign_mark_insecure" 3 "3.7.2" "gnutls" "gnutls"
++.SH NAME
++gnutls_sign_mark_insecure \- API function
++.SH SYNOPSIS
++.B #include <gnutls/gnutls.h>
++.sp
++.BI "int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");"
++.SH ARGUMENTS
++.IP "gnutls_sign_algorithm_t sign" 12
++the sign algorithm
++.IP "unsigned flags" 12
++\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0
++.SH "DESCRIPTION"
++Mark  \fIsign\fP as insecure system wide. This only works if the
++allowlisting mode is used in the configuration file.
++
++If  \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set,
++and the algorithm was previously considered secure for all purposes,
++it only marks the algorithm as insecure for the use with certificates.
++.SH "SINCE"
++3.7.3
++.SH "REPORTING BUGS"
++Report bugs to <bugs@gnutls.org>.
++.br
++Home page: https://www.gnutls.org
++
++.SH COPYRIGHT
++Copyright \(co 2001- Free Software Foundation, Inc., and others.
++.br
++Copying and distribution of this file, with or without modification,
++are permitted in any medium without royalty provided the copyright
++notice and this notice are preserved.
++.SH "SEE ALSO"
++The full documentation for
++.B gnutls
++is maintained as a Texinfo manual.
++If the /usr/share/doc/gnutls/
++directory does not contain the HTML form visit
++.B
++.IP https://www.gnutls.org/manual/
++.PP
+diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3
+--- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3	2021-06-28 09:35:39.000000000 +0200
+@@ -0,0 +1,46 @@
++.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
++.TH "gnutls_sign_mark_secure" 3 "3.7.2" "gnutls" "gnutls"
++.SH NAME
++gnutls_sign_mark_secure \- API function
++.SH SYNOPSIS
++.B #include <gnutls/gnutls.h>
++.sp
++.BI "int gnutls_sign_mark_secure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");"
++.SH ARGUMENTS
++.IP "gnutls_sign_algorithm_t sign" 12
++the sign algorithm
++.IP "unsigned flags" 12
++\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0
++.SH "DESCRIPTION"
++Invalidate previous system wide setting that marked  \fIsign\fP as
++insecure. This only works if the algorithm is marked as insecure
++with \fBgnutls_sign_mark_insecure()\fP or through the allowlisting mode
++in the configuration file.
++
++If  \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set,
++it marks it the algorithm as secure for all purposes.
++If the absence of this flag, it will mark it as
++"secure, but not for certificates" at most,
++but it won't restrict anything either.
++.SH "SINCE"
++3.7.3
++.SH "REPORTING BUGS"
++Report bugs to <bugs@gnutls.org>.
++.br
++Home page: https://www.gnutls.org
++
++.SH COPYRIGHT
++Copyright \(co 2001- Free Software Foundation, Inc., and others.
++.br
++Copying and distribution of this file, with or without modification,
++are permitted in any medium without royalty provided the copyright
++notice and this notice are preserved.
++.SH "SEE ALSO"
++The full documentation for
++.B gnutls
++is maintained as a Texinfo manual.
++If the /usr/share/doc/gnutls/
++directory does not contain the HTML form visit
++.B
++.IP https://www.gnutls.org/manual/
++.PP
+diff -ruN gnutls-3.7.2/doc/manpages/Makefile.am gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am
+--- gnutls-3.7.2/doc/manpages/Makefile.am	2021-05-27 08:08:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am	2021-06-28 09:09:14.000000000 +0200
+@@ -289,6 +289,8 @@
+ APIMANS += gnutls_digest_get_name.3
+ APIMANS += gnutls_digest_get_oid.3
+ APIMANS += gnutls_digest_list.3
++APIMANS += gnutls_digest_mark_insecure.3
++APIMANS += gnutls_digest_mark_secure.3
+ APIMANS += gnutls_dtls_cookie_send.3
+ APIMANS += gnutls_dtls_cookie_verify.3
+ APIMANS += gnutls_dtls_get_data_mtu.3
+@@ -307,6 +309,8 @@
+ APIMANS += gnutls_ecc_curve_get_pk.3
+ APIMANS += gnutls_ecc_curve_get_size.3
+ APIMANS += gnutls_ecc_curve_list.3
++APIMANS += gnutls_ecc_curve_mark_disabled.3
++APIMANS += gnutls_ecc_curve_mark_enabled.3
+ APIMANS += gnutls_encode_ber_digest_info.3
+ APIMANS += gnutls_encode_gost_rs_value.3
+ APIMANS += gnutls_encode_rs_value.3
+@@ -667,6 +671,8 @@
+ APIMANS += gnutls_protocol_get_name.3
+ APIMANS += gnutls_protocol_get_version.3
+ APIMANS += gnutls_protocol_list.3
++APIMANS += gnutls_protocol_mark_disabled.3
++APIMANS += gnutls_protocol_mark_enabled.3
+ APIMANS += gnutls_psk_allocate_client_credentials.3
+ APIMANS += gnutls_psk_allocate_server_credentials.3
+ APIMANS += gnutls_psk_client_get_hint.3
+@@ -814,6 +820,8 @@
+ APIMANS += gnutls_sign_is_secure.3
+ APIMANS += gnutls_sign_is_secure2.3
+ APIMANS += gnutls_sign_list.3
++APIMANS += gnutls_sign_mark_insecure.3
++APIMANS += gnutls_sign_mark_secure.3
+ APIMANS += gnutls_sign_supports_pk_algorithm.3
+ APIMANS += gnutls_srp_allocate_client_credentials.3
+ APIMANS += gnutls_srp_allocate_server_credentials.3
+diff -ruN gnutls-3.7.2/doc/manpages/Makefile.in gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in
+--- gnutls-3.7.2/doc/manpages/Makefile.in	2021-05-29 10:11:21.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in	2021-06-28 09:11:38.000000000 +0200
+@@ -2185,6 +2185,7 @@
+ 	gnutls_dh_params_init.3 gnutls_dh_set_prime_bits.3 \
+ 	gnutls_digest_get_id.3 gnutls_digest_get_name.3 \
+ 	gnutls_digest_get_oid.3 gnutls_digest_list.3 \
++	gnutls_digest_mark_insecure.3 gnutls_digest_mark_secure.3 \
+ 	gnutls_dtls_cookie_send.3 gnutls_dtls_cookie_verify.3 \
+ 	gnutls_dtls_get_data_mtu.3 gnutls_dtls_get_mtu.3 \
+ 	gnutls_dtls_get_timeout.3 gnutls_dtls_prestate_set.3 \
+@@ -2194,6 +2195,8 @@
+ 	gnutls_ecc_curve_get_id.3 gnutls_ecc_curve_get_name.3 \
+ 	gnutls_ecc_curve_get_oid.3 gnutls_ecc_curve_get_pk.3 \
+ 	gnutls_ecc_curve_get_size.3 gnutls_ecc_curve_list.3 \
++	gnutls_ecc_curve_mark_disabled.3 \
++	gnutls_ecc_curve_mark_enabled.3 \
+ 	gnutls_encode_ber_digest_info.3 gnutls_encode_gost_rs_value.3 \
+ 	gnutls_encode_rs_value.3 gnutls_error_is_fatal.3 \
+ 	gnutls_error_to_alert.3 gnutls_est_record_overhead_size.3 \
+@@ -2399,7 +2402,8 @@
+ 	gnutls_privkey_status.3 gnutls_privkey_verify_params.3 \
+ 	gnutls_privkey_verify_seed.3 gnutls_protocol_get_id.3 \
+ 	gnutls_protocol_get_name.3 gnutls_protocol_get_version.3 \
+-	gnutls_protocol_list.3 \
++	gnutls_protocol_list.3 gnutls_protocol_mark_disabled.3 \
++	gnutls_protocol_mark_enabled.3 \
+ 	gnutls_psk_allocate_client_credentials.3 \
+ 	gnutls_psk_allocate_server_credentials.3 \
+ 	gnutls_psk_client_get_hint.3 \
+@@ -2498,6 +2502,7 @@
+ 	gnutls_sign_get_name.3 gnutls_sign_get_oid.3 \
+ 	gnutls_sign_get_pk_algorithm.3 gnutls_sign_is_secure.3 \
+ 	gnutls_sign_is_secure2.3 gnutls_sign_list.3 \
++	gnutls_sign_mark_insecure.3 gnutls_sign_mark_secure.3 \
+ 	gnutls_sign_supports_pk_algorithm.3 \
+ 	gnutls_srp_allocate_client_credentials.3 \
+ 	gnutls_srp_allocate_server_credentials.3 \
+diff -ruN gnutls-3.7.2/doc/manpages/ocsptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1
+--- gnutls-3.7.2/doc/manpages/ocsptool.1	2021-05-29 10:15:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1	2021-06-28 09:35:23.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH ocsptool 1 "29 May 2021" "3.7.2" "User Commands"
++.TH ocsptool 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+diff -ruN gnutls-3.7.2/doc/manpages/p11tool.1 gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1
+--- gnutls-3.7.2/doc/manpages/p11tool.1	2021-05-29 10:15:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1	2021-06-28 09:35:23.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH p11tool 1 "29 May 2021" "3.7.2" "User Commands"
++.TH p11tool 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+@@ -230,8 +230,9 @@
+ .NOP \f\*[B-Font]\-\-write\f[]
+ Writes the loaded objects to a PKCS #11 token.
+ .sp
+-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
+-    one of \--load-privkey, \--load-pubkey, \--load-certificate option.
++It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of \--load-privkey, \--load-pubkey, \--load-certificate option.
++.sp
++When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
+ .TP
+ .NOP \f\*[B-Font]\-\-delete\f[]
+ Deletes the objects matching the given PKCS #11 URL.
+diff -ruN gnutls-3.7.2/doc/manpages/psktool.1 gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1
+--- gnutls-3.7.2/doc/manpages/psktool.1	2021-05-29 10:15:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1	2021-06-28 09:35:23.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH psktool 1 "29 May 2021" "3.7.2" "User Commands"
++.TH psktool 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+diff -ruN gnutls-3.7.2/doc/manpages/srptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1
+--- gnutls-3.7.2/doc/manpages/srptool.1	2021-05-29 10:15:24.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1	2021-06-28 09:35:24.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH srptool 1 "29 May 2021" "3.7.2" "User Commands"
++.TH srptool 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+diff -ruN gnutls-3.7.2/doc/manpages/tpmtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1
+--- gnutls-3.7.2/doc/manpages/tpmtool.1	2021-05-29 10:15:23.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1	2021-06-28 09:35:23.000000000 +0200
+@@ -10,7 +10,7 @@
+ .ds B-Font B
+ .ds I-Font I
+ .ds R-Font R
+-.TH tpmtool 1 "29 May 2021" "3.7.2" "User Commands"
++.TH tpmtool 1 "28 Jun 2021" "3.7.2" "User Commands"
+ .\"
+ .\" DO NOT EDIT THIS FILE (in-mem file)
+ .\"
+diff -ruN gnutls-3.7.2/doc/reference/gnutls-sections.txt gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt
+--- gnutls-3.7.2/doc/reference/gnutls-sections.txt	2021-05-29 10:23:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt	2021-06-28 09:56:37.000000000 +0200
+@@ -267,6 +267,8 @@
+ encipher_type
+ GNUTLS_SIGN_FLAG_TLS13_OK
+ GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE
++GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE
++GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE
+ gnutls_sign_entry_st
+ gnutls_ecc_curve_entry_st
+ MAX_ECC_CURVE_SIZE
+@@ -1486,6 +1488,14 @@
+ gnutls_sign_algorithm_get_requested
+ gnutls_cipher_get_name
+ gnutls_oid_to_digest
++gnutls_ecc_curve_mark_disabled
++gnutls_ecc_curve_mark_enabled
++gnutls_sign_mark_insecure
++gnutls_sign_mark_secure
++gnutls_digest_mark_insecure
++gnutls_digest_mark_secure
++gnutls_protocol_mark_disabled
++gnutls_protocol_mark_enabled
+ gnutls_error_is_fatal
+ gnutls_perror
+ gnutls_strerror
+@@ -2268,6 +2278,8 @@
+ gnutls_group_entry_st
+ GNUTLS_MAC_FLAG_PREIMAGE_INSECURE
+ GNUTLS_MAC_FLAG_CONTINUOUS_MAC
++GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE
++GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE
+ mac_entry_st
+ version_entry_st
+ sign_algorithm_st
+diff -ruN gnutls-3.7.2/lib/algorithms/ecc.c gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c
+--- gnutls-3.7.2/lib/algorithms/ecc.c	2021-05-10 16:34:47.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c	2021-06-28 09:09:14.000000000 +0200
+@@ -351,13 +351,83 @@
+ 	return ret;
+ }
+ 
+-int _gnutls_ecc_curve_mark_disabled(const char *name)
++/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
++int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve)
+ {
+ 	gnutls_ecc_curve_entry_st *p;
+ 
+ 	for(p = ecc_curves; p->name != NULL; p++) {
+-		if (c_strcasecmp(p->name, name) == 0) {
+-			p->supported = 0;
++		if (p->id == curve) {
++			p->supported = false;
++			return 0;
++		}
++	}
++
++	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++}
++
++/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
++void _gnutls_ecc_curve_mark_disabled_all(void)
++{
++	gnutls_ecc_curve_entry_st *p;
++
++	for(p = ecc_curves; p->name != NULL; p++) {
++		p->supported = false;
++		p->supported_revertible = true;
++	}
++}
++
++/**
++ * gnutls_ecc_curve_mark_enabled:
++ * @curve: is an ECC curve
++ *
++ * Mark @curve as disabled system wide. This setting can be reverted with
++ * gnutls_ecc_curve_mark_enabled(). This only works if the configuration file
++ * uses the allowlisting mode.
++ *
++ * Returns: 0 on success or negative error code otherwise.
++ *
++ * Since: 3.7.3
++ */
++int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve)
++{
++	gnutls_ecc_curve_entry_st *p;
++
++	for(p = ecc_curves; p->name != NULL; p++) {
++		if (p->id == curve) {
++			if (!p->supported_revertible) {
++				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++			}
++			p->supported = false;
++			return 0;
++		}
++	}
++
++	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++}
++
++/**
++ * gnutls_ecc_curve_mark_enabled:
++ * @curve: is an ECC curve
++ *
++ * Invalidate previous system wide setting that marked @curve as disabled. This
++ * only works if the curve is disabled with gnutls_ecc_curve_mark_disabled() or
++ * through the allowlisting mode in the configuration file.
++ *
++ * Returns: 0 on success or negative error code otherwise.
++ *
++ * Since: 3.7.3
++ */
++int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve)
++{
++	gnutls_ecc_curve_entry_st *p;
++
++	for(p = ecc_curves; p->name != NULL; p++) {
++		if (p->id == curve) {
++			if (!p->supported_revertible) {
++				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++			}
++			p->supported = true;
+ 			return 0;
+ 		}
+ 	}
+diff -ruN gnutls-3.7.2/lib/algorithms/groups.c gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c
+--- gnutls-3.7.2/lib/algorithms/groups.c	2021-04-19 09:28:28.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c	2021-06-28 09:09:14.000000000 +0200
+@@ -276,6 +276,24 @@
+ 	return ret;
+ }
+ 
++
++/* Similar to gnutls_group_get_id, except that it does not check if
++ * the curve is supported.
++ */
++gnutls_group_t _gnutls_group_get_id(const char *name)
++{
++	gnutls_group_t ret = GNUTLS_GROUP_INVALID;
++
++	GNUTLS_GROUP_LOOP(
++		if (c_strcasecmp(p->name, name) == 0) {
++			ret = p->id;
++			break;
++		}
++	);
++
++	return ret;
++}
++
+ /**
+  * gnutls_group_get_name:
+  * @group: is an element from %gnutls_group_t
+diff -ruN gnutls-3.7.2/lib/algorithms/mac.c gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c
+--- gnutls-3.7.2/lib/algorithms/mac.c	2021-05-27 08:08:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c	2021-06-28 09:09:14.000000000 +0200
+@@ -291,13 +291,56 @@
+ 	return ret;
+ }
+ 
+-int _gnutls_digest_mark_insecure(const char *name)
++/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
++int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig)
+ {
+ #ifndef DISABLE_SYSTEM_CONFIG
+ 	mac_entry_st *p;
+ 
+ 	for(p = hash_algorithms; p->name != NULL; p++) {
+-		if (p->oid != NULL && c_strcasecmp(p->name, name) == 0) {
++		if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
++			p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
++			return 0;
++		}
++	}
++
++#endif
++	return GNUTLS_E_INVALID_REQUEST;
++}
++
++/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
++void _gnutls_digest_mark_insecure_all(void)
++{
++#ifndef DISABLE_SYSTEM_CONFIG
++	mac_entry_st *p;
++
++	for(p = hash_algorithms; p->name != NULL; p++) {
++		p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE |
++			GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
++	}
++
++#endif
++}
++
++/**
++ * gnutls_digest_mark_insecure:
++ * @dig: is a digest algorithm
++ *
++ * Mark @dig as insecure system wide. This only works if the allowlisting mode
++ * is used in the configuration file.
++ *
++ * Since: 3.7.3
++ */
++int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig)
++{
++#ifndef DISABLE_SYSTEM_CONFIG
++	mac_entry_st *p;
++
++	for(p = hash_algorithms; p->name != NULL; p++) {
++		if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
++			if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
++				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++			}
+ 			p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
+ 			return 0;
+ 		}
+@@ -307,6 +350,34 @@
+ 	return GNUTLS_E_INVALID_REQUEST;
+ }
+ 
++/**
++ * gnutls_digest_mark_secure:
++ * @dig: is a digest algorithm
++ *
++ * Invalidate previous system wide setting that marked @dig as insecure. This
++ * only works if the allowlisting mode is used in the configuration file.
++ *
++ * Since: 3.7.3
++ */
++int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig)
++{
++#ifndef DISABLE_SYSTEM_CONFIG
++	mac_entry_st *p;
++
++	for(p = hash_algorithms; p->name != NULL; p++) {
++		if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
++			if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
++				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++			}
++			p->flags &= ~GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
++			return 0;
++		}
++	}
++
++#endif
++	return GNUTLS_E_INVALID_REQUEST;
++}
++
+ unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig)
+ {
+ 	const mac_entry_st *p;
+@@ -320,6 +391,21 @@
+ 	return 1;
+ }
+ 
++bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig,	unsigned flags)
++{
++	const mac_entry_st *p;
++
++	for(p = hash_algorithms; p->name != NULL; p++) {
++		if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
++			return (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE &&
++				!(flags & GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE &&
++				  p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE));
++		}
++	}
++
++	return true;
++}
++
+ /**
+  * gnutls_mac_get_id:
+  * @name: is a MAC algorithm name
+diff -ruN gnutls-3.7.2/lib/algorithms/protocols.c gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c
+--- gnutls-3.7.2/lib/algorithms/protocols.c	2021-05-10 16:34:47.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c	2021-06-28 09:09:14.000000000 +0200
+@@ -198,14 +198,82 @@
+ 	return 0;
+ }
+ 
+-int _gnutls_version_mark_disabled(const char *name)
++/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
++int _gnutls_version_mark_disabled(gnutls_protocol_t version)
+ {
+ #ifndef DISABLE_SYSTEM_CONFIG
+ 	version_entry_st *p;
+ 
+ 	for (p = sup_versions; p->name != NULL; p++)
+-		if (c_strcasecmp(p->name, name) == 0) {
+-			p->supported = 0;
++		if (p->id == version) {
++			p->supported = false;
++			return 0;
++		}
++
++#endif
++	return GNUTLS_E_INVALID_REQUEST;
++}
++
++/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
++void _gnutls_version_mark_disabled_all(void)
++{
++#ifndef DISABLE_SYSTEM_CONFIG
++	version_entry_st *p;
++
++	for (p = sup_versions; p->name != NULL; p++) {
++		p->supported = false;
++		p->supported_revertible = true;
++	}
++
++#endif
++}
++
++/**
++ * gnutls_protocol_mark_disabled:
++ * @version: is a (gnutls) version number
++ *
++ * Mark @version as disabled system wide. This only works if the allowlisting
++ * mode is used in the configuration file.
++ *
++ */
++int gnutls_protocol_mark_disabled(gnutls_protocol_t version)
++{
++#ifndef DISABLE_SYSTEM_CONFIG
++	version_entry_st *p;
++
++	for (p = sup_versions; p->name != NULL; p++)
++		if (p->id == version) {
++			if (!p->supported_revertible) {
++				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++			}
++			p->supported = false;
++			return 0;
++		}
++
++#endif
++	return GNUTLS_E_INVALID_REQUEST;
++}
++
++/**
++ * gnutls_protocol_mark_enabled:
++ * @version: is a (gnutls) version number
++ *
++ * Invalidate previous system wide setting that marked @version as
++ * disabled. This only works if the allowlisting mode is used in the
++ * configuration file.
++ *
++ */
++int gnutls_protocol_mark_enabled(gnutls_protocol_t version)
++{
++#ifndef DISABLE_SYSTEM_CONFIG
++	version_entry_st *p;
++
++	for (p = sup_versions; p->name != NULL; p++)
++		if (p->id == version) {
++			if (!p->supported_revertible) {
++				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++			}
++			p->supported = true;
+ 			return 0;
+ 		}
+ 
+@@ -469,6 +537,25 @@
+ 	return supported_protocols;
+ }
+ 
++/* Return all versions, including non-supported ones.
++ */
++const gnutls_protocol_t *_gnutls_protocol_list(void)
++{
++	const version_entry_st *p;
++	static gnutls_protocol_t protocols[MAX_ALGOS] = { 0 };
++
++	if (protocols[0] == 0) {
++		int i = 0;
++
++		for (p = sup_versions; p->name != NULL; p++) {
++			protocols[i++] = p->id;
++		}
++		protocols[i++] = 0;
++	}
++
++	return protocols;
++}
++
+ /* Returns a version number given the major and minor numbers.
+  */
+ gnutls_protocol_t _gnutls_version_get(uint8_t major, uint8_t minor)
+diff -ruN gnutls-3.7.2/lib/algorithms/sign.c gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c
+--- gnutls-3.7.2/lib/algorithms/sign.c	2021-05-10 16:34:47.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c	2021-06-28 09:09:14.000000000 +0200
+@@ -453,16 +453,23 @@
+ 
+ bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags)
+ {
+-	if (se->hash != GNUTLS_DIG_UNKNOWN && _gnutls_digest_is_insecure(se->hash))
+-		return gnutls_assert_val(0);
++	if (se->hash != GNUTLS_DIG_UNKNOWN &&
++	    _gnutls_digest_is_insecure2(se->hash,
++					flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE ?
++					GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE :
++					0)) {
++		return gnutls_assert_val(false);
++	}
+ 
+-	if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS)
+-		return (se->slevel==_SECURE)?1:0;
+-	else
+-		return (se->slevel==_SECURE || se->slevel == _INSECURE_FOR_CERTS)?1:0;
++	return (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS ?
++		se->slevel == _SECURE :
++		(se->slevel == _SECURE || se->slevel == _INSECURE_FOR_CERTS)) ||
++		(flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE &&
++		 se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE);
+ }
+ 
+-int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t level)
++/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
++int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, hash_security_level_t level)
+ {
+ #ifndef DISABLE_SYSTEM_CONFIG
+ 	gnutls_sign_entry_st *p;
+@@ -471,11 +478,106 @@
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+ 	for(p = sign_algorithms; p->name != NULL; p++) {
+-		if (c_strcasecmp(p->name, name) == 0) {
++		if (p->id && p->id == sign) {
++			if (p->slevel < level)
+ 				p->slevel = level;
+ 			return 0;
+ 		}
+ 	}
++#endif
++	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++}
++
++/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
++void _gnutls_sign_mark_insecure_all(hash_security_level_t level)
++{
++#ifndef DISABLE_SYSTEM_CONFIG
++	gnutls_sign_entry_st *p;
++
++	for(p = sign_algorithms; p->name != NULL; p++) {
++		if (p->slevel < level)
++			p->slevel = level;
++		p->flags |= GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE;
++	}
++#endif
++}
++
++/**
++ * gnutls_sign_mark_insecure:
++ * @sign: the sign algorithm
++ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0
++ *
++ * Mark @sign as insecure system wide. This only works if the
++ * allowlisting mode is used in the configuration file.
++ *
++ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set,
++ * and the algorithm was previously considered secure for all purposes,
++ * it only marks the algorithm as insecure for the use with certificates.
++ *
++ * Since: 3.7.3
++ */
++int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags)
++{
++#ifndef DISABLE_SYSTEM_CONFIG
++	gnutls_sign_entry_st *p;
++
++	for(p = sign_algorithms; p->name != NULL; p++) {
++		if (p->id && p->id == sign) {
++			if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) {
++				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++			}
++			if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) {
++				if (p->slevel < _INSECURE_FOR_CERTS)
++					p->slevel = _INSECURE_FOR_CERTS;
++			} else {
++				p->slevel = _INSECURE;
++			}
++			return 0;
++		}
++	}
++#endif
++	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++}
++// TODO: really not sure about the intuitiveness of the interface of this one,
++//       the flag naming isn't ideal here
++
++/**
++ * gnutls_sign_mark_secure:
++ * @sign: the sign algorithm
++ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0
++ *
++ * Invalidate previous system wide setting that marked @sign as
++ * insecure. This only works if the algorithm is marked as insecure
++ * with gnutls_sign_mark_insecure() or through the allowlisting mode
++ * in the configuration file.
++ *
++ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set,
++ * it marks it the algorithm as secure for all purposes.
++ * If the absence of this flag, it will mark it as
++ * "secure, but not for certificates" at most,
++ * but it won't restrict anything either.
++ *
++ * Since: 3.7.3
++ */
++int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags)
++{
++#ifndef DISABLE_SYSTEM_CONFIG
++	gnutls_sign_entry_st *p;
++
++	for(p = sign_algorithms; p->name != NULL; p++) {
++		if (p->id && p->id == sign) {
++			if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) {
++				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++			}
++			if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) {
++				p->slevel = _SECURE;
++			} else {
++				if (p->slevel > _INSECURE_FOR_CERTS)
++					p->slevel = _INSECURE_FOR_CERTS;
++			}
++			return 0;
++		}
++	}
+ #endif
+ 	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+diff -ruN gnutls-3.7.2/lib/algorithms.h gnutls-3.7.2-bootstrapped/lib/algorithms.h
+--- gnutls-3.7.2/lib/algorithms.h	2021-05-10 16:34:47.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/algorithms.h	2021-06-28 09:09:14.000000000 +0200
+@@ -345,15 +345,27 @@
+ 	_INSECURE
+ } hash_security_level_t;
+ 
+-int _gnutls_ecc_curve_mark_disabled(const char *name);
+-int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t);
+-int _gnutls_digest_mark_insecure(const char *name);
++int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve);
++int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t, hash_security_level_t);
++int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig);
+ unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig);
+-int _gnutls_version_mark_disabled(const char *name);
++bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig,	unsigned flags);
++const gnutls_protocol_t *_gnutls_protocol_list(void);
++int _gnutls_version_mark_disabled(gnutls_protocol_t version);
+ gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name);
+ 
++/* these functions are for revertible settings, meaning that algorithms marked
++ * as disabled/insecure with mark_*_all functions can be re-enabled with
++ * mark_{enabled,secure} functions */
++void _gnutls_ecc_curve_mark_disabled_all(void);
++void _gnutls_sign_mark_insecure_all(hash_security_level_t level);
++void _gnutls_digest_mark_insecure_all(void);
++void _gnutls_version_mark_disabled_all(void);
++
+ #define GNUTLS_SIGN_FLAG_TLS13_OK	1 /* if it is ok to use under TLS1.3 */
+ #define GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE (1 << 1) /* reverse order of bytes in CrtVrfy signature */
++#define GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE (1 << 2)
++#define GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3)
+ struct gnutls_sign_entry_st {
+ 	const char *name;
+ 	const char *oid;
+@@ -448,6 +460,7 @@
+ 	unsigned sig_size;	/* the size of curve signatures in bytes (EdDSA) */
+ 	unsigned gost_curve;
+ 	bool supported;
++	bool supported_revertible;
+ 	gnutls_group_t group;
+ } gnutls_ecc_curve_entry_st;
+ 
+@@ -459,6 +472,7 @@
+ gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t);
+ const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num);
+ const gnutls_group_entry_st * _gnutls_id_to_group(unsigned id);
++gnutls_group_t _gnutls_group_get_id(const char *name);
+ 
+ gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk, int bits);
+ #define MAX_ECC_CURVE_SIZE 66
+diff -ruN gnutls-3.7.2/lib/gnutls_int.h gnutls-3.7.2-bootstrapped/lib/gnutls_int.h
+--- gnutls-3.7.2/lib/gnutls_int.h	2021-05-27 08:08:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/gnutls_int.h	2021-06-28 09:09:14.000000000 +0200
+@@ -662,6 +662,8 @@
+ 
+ #define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE	1  /* if this algorithm should not be trusted for pre-image attacks */
+ #define GNUTLS_MAC_FLAG_CONTINUOUS_MAC		(1 << 1) /* if this MAC should be used in a 'continuous' way in TLS */
++#define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE	(1 << 2)  /* if this algorithm should not be trusted for pre-image attacks, but can be enabled through API */
++#define GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE	(1 << 3)  /* when checking with _gnutls_digest_is_insecure2, don't treat revertible setting as fatal */
+ /* This structure is used both for MACs and digests
+  */
+ typedef struct mac_entry_st {
+@@ -685,6 +687,7 @@
+ 	uint8_t minor;		/* defined by the protocol */
+ 	transport_t transport;	/* Type of transport, stream or datagram */
+ 	bool supported;	/* 0 not supported, > 0 is supported */
++	bool supported_revertible;
+ 	bool explicit_iv;
+ 	bool extensions;	/* whether it supports extensions */
+ 	bool selectable_sighash;	/* whether signatures can be selected */
+diff -ruN gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in
+--- gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in	2021-05-27 08:08:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in	2021-06-28 09:09:14.000000000 +0200
+@@ -1438,6 +1438,16 @@
+ 				 gnutls_mac_algorithm_t * mac,
+ 				 gnutls_protocol_t * min_version);
+ 
++  /* functions for run-time enablement of algorithms */
++int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve);
++int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve);
++int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags);
++int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags);
++int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig);
++int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig);
++int gnutls_protocol_mark_disabled(gnutls_protocol_t version);
++int gnutls_protocol_mark_enabled(gnutls_protocol_t version);
++
+   /* error functions */
+ int gnutls_error_is_fatal(int error) __GNUTLS_CONST__;
+ int gnutls_error_to_alert(int err, int *level);
+diff -ruN gnutls-3.7.2/lib/libgnutls.map gnutls-3.7.2-bootstrapped/lib/libgnutls.map
+--- gnutls-3.7.2/lib/libgnutls.map	2021-05-29 07:16:27.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/libgnutls.map	2021-06-28 09:09:14.000000000 +0200
+@@ -1355,6 +1355,21 @@
+ 	*;
+ } GNUTLS_3_7_0;
+ 
++GNUTLS_3_7_3
++{
++ global:
++	gnutls_ecc_curve_mark_disabled;
++	gnutls_ecc_curve_mark_enabled;
++	gnutls_sign_mark_insecure;
++	gnutls_sign_mark_secure;
++	gnutls_digest_mark_insecure;
++	gnutls_digest_mark_secure;
++	gnutls_protocol_mark_disabled;
++	gnutls_protocol_mark_enabled;
++ local:
++	*;
++} GNUTLS_3_7_2;
++
+ GNUTLS_FIPS140_3_4 {
+   global:
+ 	gnutls_cipher_self_test;
+diff -ruN gnutls-3.7.2/lib/priority.c gnutls-3.7.2-bootstrapped/lib/priority.c
+--- gnutls-3.7.2/lib/priority.c	2021-05-27 08:08:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/lib/priority.c	2021-06-28 09:09:14.000000000 +0200
+@@ -700,6 +700,7 @@
+ #define LEVEL_SUITEB128 "SUITEB128"
+ #define LEVEL_SUITEB192 "SUITEB192"
+ #define LEVEL_LEGACY "LEGACY"
++#define LEVEL_SYSTEM "SYSTEM"
+ 
+ struct priority_groups_st {
+ 	const char *name;
+@@ -1001,17 +1002,22 @@
+ 
+ static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN;
+ static name_val_array_t system_wide_priority_strings = NULL;
++static char *system_wide_priority_string = NULL;
+ static unsigned system_wide_priority_strings_init = 0;
+ static unsigned system_wide_default_priority_string = 0;
+ static unsigned fail_on_invalid_config = 0;
+-static unsigned system_wide_disabled_ciphers[MAX_ALGOS+1] = {0};
+-static unsigned system_wide_disabled_macs[MAX_ALGOS+1] = {0};
+-static unsigned system_wide_disabled_groups[MAX_ALGOS+1] = {0};
+-static unsigned system_wide_disabled_kxs[MAX_ALGOS+1] = {0};
++static bool system_wide_allowlisting;
++static unsigned system_wide_tls_ciphers[MAX_ALGOS+1] = {0};
++static unsigned system_wide_tls_macs[MAX_ALGOS+1] = {0};
++static unsigned system_wide_tls_groups[MAX_ALGOS+1] = {0};
++static unsigned system_wide_tls_kxs[MAX_ALGOS+1] = {0};
++static unsigned system_wide_tls_sigs[MAX_ALGOS+1] = {0};
++static unsigned system_wide_tls_vers[MAX_ALGOS+1] = {0};
+ 
+ static const char *system_priority_file = SYSTEM_PRIORITY_FILE;
+ static time_t system_priority_last_mod = 0;
+ 
++#define GLOBAL_SECTION "global"
+ #define CUSTOM_PRIORITY_SECTION "priorities"
+ #define OVERRIDES_SECTION "overrides"
+ #define MAX_ALGO_NAME 2048
+@@ -1051,108 +1057,479 @@
+ 	return out;
+ }
+ 
+-/* This function parses a gnutls configuration file and updates internal
+- * settings accordingly.
++struct cfg {
++	bool allowlisting;
++
++	name_val_array_t priority_strings;
++	bool priority_strings_init;
++	char *default_priority_string;
++	gnutls_certificate_verification_profiles_t verification_profile;
++
++	gnutls_cipher_algorithm_t ciphers[MAX_ALGOS+1];
++	gnutls_mac_algorithm_t macs[MAX_ALGOS+1];
++	gnutls_group_t groups[MAX_ALGOS+1];
++	gnutls_kx_algorithm_t kxs[MAX_ALGOS+1];
++
++	gnutls_digest_algorithm_t *hashes;
++	size_t hashes_size;
++	gnutls_sign_algorithm_t *sigs;
++	size_t sigs_size;
++	gnutls_sign_algorithm_t *sigs_for_cert;
++	size_t sigs_for_cert_size;
++	gnutls_protocol_t *versions;
++	size_t versions_size;
++	gnutls_ecc_curve_t *curves;
++	size_t curves_size;
++};
++
++static inline void
++cfg_deinit(struct cfg *cfg)
++{
++	if (cfg->priority_strings) {
++		_name_val_array_clear(&cfg->priority_strings);
++	}
++	cfg->priority_strings_init = false;
++	gnutls_free(cfg->default_priority_string);
++	gnutls_free(cfg->hashes);
++	gnutls_free(cfg->sigs);
++	gnutls_free(cfg->sigs_for_cert);
++	gnutls_free(cfg->versions);
++	gnutls_free(cfg->curves);
++}
++
++static inline int
++cfg_apply(struct cfg *cfg)
++{
++	size_t i;
++
++	system_wide_verification_profile = cfg->verification_profile;
++
++	if (cfg->priority_strings_init) {
++		system_wide_priority_strings = cfg->priority_strings;
++		cfg->priority_strings = NULL;
++		cfg->priority_strings_init = false;
++		system_wide_priority_strings_init = 1;
++	}
++
++	if (cfg->default_priority_string) {
++		_clear_default_system_priority();
++		_gnutls_default_priority_string = cfg->default_priority_string;
++		cfg->default_priority_string = NULL;
++		system_wide_default_priority_string = 1;
++	}
++
++	system_wide_allowlisting = cfg->allowlisting;
++	memcpy(system_wide_tls_ciphers, cfg->ciphers, sizeof(cfg->ciphers));
++	memcpy(system_wide_tls_macs, cfg->macs, sizeof(cfg->macs));
++	memcpy(system_wide_tls_groups, cfg->groups, sizeof(cfg->groups));
++	memcpy(system_wide_tls_kxs, cfg->kxs, sizeof(cfg->kxs));
++
++	if (cfg->allowlisting) {
++		unsigned tls_sig_sem = 0;
++		size_t j;
++
++		_gnutls_digest_mark_insecure_all();
++		for (i = 0; i < cfg->hashes_size; i++) {
++			int ret = gnutls_digest_mark_secure(cfg->hashes[i]);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++		}
++		_gnutls_sign_mark_insecure_all(_INSECURE);
++		for (i = 0; i < cfg->sigs_size; i++) {
++			int ret = gnutls_sign_mark_secure(cfg->sigs[i], 0);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++		}
++		for (i = 0; i < cfg->sigs_for_cert_size; i++) {
++			int ret = gnutls_sign_mark_secure(cfg->sigs_for_cert[i],
++							  GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++		}
++		_gnutls_version_mark_disabled_all();
++		for (i = 0, j = 0; i < cfg->versions_size; i++) {
++			const version_entry_st *vers;
++			int ret = gnutls_protocol_mark_enabled(cfg->versions[i]);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++			vers = version_to_entry(cfg->versions[i]);
++			if (vers && vers->supported) {
++				tls_sig_sem |= vers->tls_sig_sem;
++				system_wide_tls_vers[j++] = vers->id;
++			}
++		}
++		_gnutls_ecc_curve_mark_disabled_all();
++		for (i = 0; i < cfg->curves_size; i++) {
++			int ret = gnutls_ecc_curve_mark_enabled(cfg->curves[i]);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++		}
++		for (i = 0, j = 0; i < cfg->sigs_size; i++) {
++			const gnutls_sign_entry_st *se;
++
++			se = _gnutls_sign_to_entry(cfg->sigs[i]);
++			if (se != NULL && se->aid.tls_sem & tls_sig_sem &&
++			    _gnutls_sign_is_secure2(se, 0)) {
++				system_wide_tls_sigs[j++] = se->id;
++			}
++		}
++	} else {
++		for (i = 0; i < cfg->hashes_size; i++) {
++			int ret = _gnutls_digest_mark_insecure(cfg->hashes[i]);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++		}
++		for (i = 0; i < cfg->sigs_size; i++) {
++			int ret = _gnutls_sign_mark_insecure(cfg->sigs[i], _INSECURE);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++		}
++		for (i = 0; i < cfg->sigs_for_cert_size; i++) {
++			int ret = _gnutls_sign_mark_insecure(cfg->sigs_for_cert[i], _INSECURE_FOR_CERTS);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++		}
++		for (i = 0; i < cfg->versions_size; i++) {
++			int ret = _gnutls_version_mark_disabled(cfg->versions[i]);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++		}
++		for (i = 0; i < cfg->curves_size; i++) {
++			int ret = _gnutls_ecc_curve_mark_disabled(cfg->curves[i]);
++			if (unlikely(ret < 0)) {
++				return ret;
++			}
++		}
++	}
++
++	return 0;
++}
++
++/* This function parse the global section of the configuration file.
++ */
++static int global_ini_handler(void *ctx, const char *section, const char *name, const char *value)
++{
++	char *p;
++	char str[MAX_ALGO_NAME];
++	struct cfg *cfg = ctx;
++
++	if (section != NULL && c_strcasecmp(section, GLOBAL_SECTION) == 0) {
++		if (c_strcasecmp(name, "override-mode") == 0) {
++			p = clear_spaces(value, str);
++			if (c_strcasecmp(value, "allowlist") == 0) {
++				cfg->allowlisting = true;
++			} else if (c_strcasecmp(value, "blocklist") == 0) {
++				cfg->allowlisting = false;
++			} else {
++				_gnutls_debug_log("cfg: unknown override mode %s\n",
++					p);
++				if (fail_on_invalid_config)
++					return 0;
++			}
++		} else {
++			_gnutls_debug_log("unknown parameter %s\n", name);
++			if (fail_on_invalid_config)
++				return 0;
++		}
++	}
++
++	return 1;
++}
++
++static bool
++override_allowed(struct cfg *cfg, const char *name)
++{
++	static const struct {
++		const char *allowlist_name;
++		const char *blocklist_name;
++	} names[] = {
++		{ "secure-hash", "insecure-hash" },
++		{ "secure-sig", "insecure-sig" },
++		{ "secure-sig-for-cert", "insecure-sig-for-cert" },
++		{ "enabled-version", "disabled-version" },
++		{ "enabled-curve", "disabled-curve" },
++		{ "tls-enabled-cipher", "tls-disabled-cipher" },
++		{ "tls-enabled-group", "tls-disabled-group" },
++		{ "tls-enabled-kx", "tls-disabled-kx" },
++		{ "tls-enabled-mac", "tls-disabled-mac" }
++	};
++	size_t i;
++
++	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
++		if (c_strcasecmp(name,
++				 cfg->allowlisting ?
++				 names[i].blocklist_name :
++				 names[i].allowlist_name) == 0)
++			return false;
++	}
++
++	return true;
++}
++
++/* This function parses a gnutls configuration file.  Updating internal settings
++ * according to the parsed configuration is done by cfg_apply.
+  */
+-static int cfg_ini_handler(void *_ctx, const char *section, const char *name, const char *value)
++static int cfg_ini_handler(void *ctx, const char *section, const char *name, const char *value)
+ {
+ 	char *p;
+-	int ret, type;
++	int ret;
+ 	unsigned i;
+ 	char str[MAX_ALGO_NAME];
++	struct cfg *cfg = ctx;
+ 
+ 	/* Note that we intentionally overwrite the value above; inih does
+ 	 * not use that value after we handle it. */
+ 
+ 	/* Parse sections */
+ 	if (section == NULL || section[0] == 0 || c_strcasecmp(section, CUSTOM_PRIORITY_SECTION)==0) {
+-		if (system_wide_priority_strings_init == 0) {
+-			_name_val_array_init(&system_wide_priority_strings);
+-			system_wide_priority_strings_init = 1;
++		if (!cfg->priority_strings_init) {
++			_name_val_array_init(&cfg->priority_strings);
++			cfg->priority_strings_init = true;
+ 		}
+ 
+ 		_gnutls_debug_log("cfg: adding priority: %s -> %s\n", name, value);
+ 
+-		ret = _name_val_array_append(&system_wide_priority_strings, name, value);
++		ret = _name_val_array_append(&cfg->priority_strings, name, value);
+ 		if (ret < 0)
+ 			return 0;
+ 	} else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) {
+-		if (c_strcasecmp(name, "default-priority-string")==0) {
+-			_clear_default_system_priority();
++		if (!override_allowed(cfg, name)) {
++			_gnutls_debug_log("cfg: %s is not allowed in this mode\n",
++					  name);
++			if (fail_on_invalid_config)
++				return 0;
++		} else if (c_strcasecmp(name, "default-priority-string")==0) {
++			if (cfg->default_priority_string) {
++				gnutls_free(cfg->default_priority_string);
++				cfg->default_priority_string = NULL;
++			}
+ 			p = clear_spaces(value, str);
+ 			_gnutls_debug_log("cfg: setting default-priority-string to %s\n", p);
+ 			if (strlen(p) > 0) {
+-				_gnutls_default_priority_string = gnutls_strdup(p);
+-				if (!_gnutls_default_priority_string) {
+-					_gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
++				cfg->default_priority_string = gnutls_strdup(p);
++				if (!cfg->default_priority_string) {
+ 					_gnutls_debug_log("cfg: failed setting default-priority-string\n");
+ 					return 0;
+ 				}
+-				system_wide_default_priority_string = 1;
+ 			} else {
+ 				_gnutls_debug_log("cfg: empty default-priority-string, using default\n");
+ 				if (fail_on_invalid_config)
+ 					return 0;
+ 			}
+-		} else if (c_strcasecmp(name, "insecure-hash")==0) {
++		} else if (c_strcasecmp(name, "insecure-hash") == 0 ||
++			   c_strcasecmp(name, "secure-hash") == 0) {
++			gnutls_digest_algorithm_t dig, *tmp;
++
+ 			p = clear_spaces(value, str);
+ 
+-			_gnutls_debug_log("cfg: marking hash %s as insecure\n",
+-					  p);
++			if (cfg->allowlisting) {
++				_gnutls_debug_log("cfg: marking hash %s as secure\n",
++						  p);
++			} else {
++				_gnutls_debug_log("cfg: marking hash %s as insecure\n",
++						  p);
++			}
+ 
+-			ret = _gnutls_digest_mark_insecure(p);
+-			if (ret < 0) {
++			dig = gnutls_digest_get_id(p);
++			if (dig == GNUTLS_DIG_UNKNOWN) {
+ 				_gnutls_debug_log("cfg: found unknown hash %s in %s\n",
+ 						  p, name);
+ 				if (fail_on_invalid_config)
+ 					return 0;
++				goto exit;
++			}
++			tmp = _gnutls_reallocarray(cfg->hashes,
++						   cfg->hashes_size + 1,
++						   sizeof(gnutls_digest_algorithm_t));
++			if (!tmp) {
++				if (cfg->allowlisting) {
++					_gnutls_debug_log("cfg: failed marking hash %s as secure\n",
++							  p);
++				} else {
++					_gnutls_debug_log("cfg: failed marking hash %s as insecure\n",
++							  p);
++				}
++				if (fail_on_invalid_config)
++					return 0;
++				goto exit;
+ 			}
+-		} else if (c_strcasecmp(name, "insecure-sig")==0 || c_strcasecmp(name, "insecure-sig-for-cert")==0) {
++
++			cfg->hashes = tmp;
++			cfg->hashes[cfg->hashes_size] = dig;
++			cfg->hashes_size++;
++		} else if (c_strcasecmp(name, "insecure-sig") == 0 ||
++			   c_strcasecmp(name, "secure-sig") == 0) {
++			gnutls_sign_algorithm_t sig, *tmp;
++
+ 			p = clear_spaces(value, str);
+ 
+-			if (c_strcasecmp(name, "insecure-sig")==0) {
+-				type = _INSECURE;
++			if (cfg->allowlisting) {
++				_gnutls_debug_log("cfg: marking signature %s as secure\n",
++						  p);
++			} else {
+ 				_gnutls_debug_log("cfg: marking signature %s as insecure\n",
+ 						  p);
++			}
++
++			sig = gnutls_sign_get_id(p);
++			if (sig == GNUTLS_SIGN_UNKNOWN) {
++				_gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n",
++						  p, name);
++				if (fail_on_invalid_config)
++					return 0;
++				goto exit;
++			}
++			tmp = _gnutls_reallocarray(cfg->sigs,
++						   cfg->sigs_size + 1,
++						   sizeof(gnutls_sign_algorithm_t));
++			if (!tmp) {
++				if (cfg->allowlisting) {
++					_gnutls_debug_log("cfg: failed marking signature %s as secure\n",
++							  p);
++				} else {
++					_gnutls_debug_log("cfg: failed marking signature %s as insecure\n",
++							  p);
++				}
++				if (fail_on_invalid_config)
++					return 0;
++				goto exit;
++			}
++
++			cfg->sigs = tmp;
++			cfg->sigs[cfg->sigs_size] = sig;
++			cfg->sigs_size++;
++		} else if (c_strcasecmp(name, "insecure-sig-for-cert") == 0 ||
++			   c_strcasecmp(name, "secure-sig-for-cert") == 0) {
++			gnutls_sign_algorithm_t sig, *tmp;
++
++			p = clear_spaces(value, str);
++
++			if (cfg->allowlisting) {
++				_gnutls_debug_log("cfg: marking signature %s as secure for certs\n",
++						  p);
+ 			} else {
+ 				_gnutls_debug_log("cfg: marking signature %s as insecure for certs\n",
+ 						  p);
+-				type = _INSECURE_FOR_CERTS;
+ 			}
+ 
+-			ret = _gnutls_sign_mark_insecure(p, type);
+-			if (ret < 0) {
++			sig = gnutls_sign_get_id(p);
++			if (sig == GNUTLS_SIGN_UNKNOWN) {
+ 				_gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n",
+ 						  p, name);
+ 				if (fail_on_invalid_config)
+ 					return 0;
++				goto exit;
++			}
++			tmp = _gnutls_reallocarray(cfg->sigs_for_cert,
++						   cfg->sigs_for_cert_size + 1,
++						   sizeof(gnutls_sign_algorithm_t));
++			if (!tmp) {
++				if (cfg->allowlisting) {
++					_gnutls_debug_log("cfg: failed marking signature %s as secure for certs\n",
++							  p);
++				} else {
++					_gnutls_debug_log("cfg: failed marking signature %s as insecure for certs\n",
++							  p);
++				}
++				if (fail_on_invalid_config)
++					return 0;
++				goto exit;
+ 			}
+-		} else if (c_strcasecmp(name, "disabled-version")==0) {
++
++			cfg->sigs_for_cert = tmp;
++			cfg->sigs_for_cert[cfg->sigs_for_cert_size] = sig;
++			cfg->sigs_for_cert_size++;
++		} else if (c_strcasecmp(name, "disabled-version") == 0 ||
++			   c_strcasecmp(name, "enabled-version") == 0) {
++			gnutls_protocol_t prot, *tmp;
++
+ 			p = clear_spaces(value, str);
+ 
+-			_gnutls_debug_log("cfg: disabling version %s\n",
+-					  p);
++			if (cfg->allowlisting) {
++				_gnutls_debug_log("cfg: enabling version %s\n",
++						  p);
++			} else {
++				_gnutls_debug_log("cfg: disabling version %s\n",
++						  p);
++			}
+ 
+-			ret = _gnutls_version_mark_disabled(p);
+-			if (ret < 0) {
++			prot = gnutls_protocol_get_id(p);
++			if (prot == GNUTLS_VERSION_UNKNOWN) {
+ 				_gnutls_debug_log("cfg: found unknown version %s in %s\n",
+ 						  p, name);
+ 				if (fail_on_invalid_config)
+ 					return 0;
++				goto exit;
+ 			}
+-		} else if (c_strcasecmp(name, "disabled-curve")==0) {
++			tmp = _gnutls_reallocarray(cfg->versions,
++						   cfg->versions_size + 1,
++						   sizeof(gnutls_protocol_t));
++			if (!tmp) {
++				if (cfg->allowlisting) {
++					_gnutls_debug_log("cfg: failed enabling version %s\n",
++							  p);
++				} else {
++					_gnutls_debug_log("cfg: failed disabling version %s\n",
++							  p);
++				}
++				if (fail_on_invalid_config)
++					return 0;
++				goto exit;
++			}
++
++			cfg->versions = tmp;
++			cfg->versions[cfg->versions_size] = prot;
++			cfg->versions_size++;
++		} else if (c_strcasecmp(name, "disabled-curve") == 0 ||
++			   c_strcasecmp(name, "enabled-curve") == 0) {
++			gnutls_ecc_curve_t curve, *tmp;
++
+ 			p = clear_spaces(value, str);
+ 
+-			_gnutls_debug_log("cfg: disabling curve %s\n",
+-					  p);
++			if (cfg->allowlisting) {
++				_gnutls_debug_log("cfg: enabling curve %s\n",
++						  p);
++			} else {
++				_gnutls_debug_log("cfg: disabling curve %s\n",
++						  p);
++			}
+ 
+-			ret = _gnutls_ecc_curve_mark_disabled(p);
+-			if (ret < 0) {
++			curve = gnutls_ecc_curve_get_id(p);
++			if (curve == GNUTLS_ECC_CURVE_INVALID) {
+ 				_gnutls_debug_log("cfg: found unknown curve %s in %s\n",
+ 						  p, name);
+ 				if (fail_on_invalid_config)
+ 					return 0;
++				goto exit;
++			}
++			tmp = _gnutls_reallocarray(cfg->curves,
++						   cfg->curves_size + 1,
++						   sizeof(gnutls_ecc_curve_t));
++			if (!tmp) {
++				if (cfg->allowlisting) {
++					_gnutls_debug_log("cfg: failed enabling curve %s\n",
++							  p);
++				} else {
++					_gnutls_debug_log("cfg: failed disabling curve %s\n",
++							  p);
++				}
++				if (fail_on_invalid_config)
++					return 0;
++				goto exit;
+ 			}
++
++			cfg->curves = tmp;
++			cfg->curves[cfg->curves_size] = curve;
++			cfg->curves_size++;
+ 		} else if (c_strcasecmp(name, "min-verification-profile")==0) {
+ 			gnutls_certificate_verification_profiles_t profile;
+ 			profile = gnutls_certificate_verification_profile_get_id(value);
+@@ -1162,47 +1539,65 @@
+ 						  value, name);
+ 				if (fail_on_invalid_config)
+ 					return 0;
++				goto exit;
+ 			}
+ 
+-			system_wide_verification_profile = profile;
+-		} else if (c_strcasecmp(name, "tls-disabled-cipher")==0) {
+-			unsigned algo;
++			cfg->verification_profile = profile;
++		} else if (c_strcasecmp(name, "tls-disabled-cipher") == 0 ||
++			   c_strcasecmp(name, "tls-enabled-cipher") == 0) {
++			gnutls_cipher_algorithm_t algo;
+ 
+ 			p = clear_spaces(value, str);
+ 
+-			_gnutls_debug_log("cfg: disabling cipher %s for TLS\n",
+-					  p);
+-
++			if (cfg->allowlisting) {
++				_gnutls_debug_log("cfg: enabling cipher %s for TLS\n",
++						  p);
++			} else {
++				_gnutls_debug_log("cfg: disabling cipher %s for TLS\n",
++						  p);
++			}
+ 
+ 			algo = gnutls_cipher_get_id(p);
+-			if (algo == 0) {
++			if (algo == GNUTLS_CIPHER_UNKNOWN) {
+ 				_gnutls_debug_log("cfg: unknown algorithm %s listed at %s\n",
+ 						  p, name);
+ 				if (fail_on_invalid_config)
+ 					return 0;
++				goto exit;
+ 			}
+ 
+ 			i = 0;
+-			while (system_wide_disabled_ciphers[i] != 0)
++			while (cfg->ciphers[i] != 0)
+ 				i++;
+ 
+ 			if (i > MAX_ALGOS-1) {
+-				_gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n",
+-						  i, name);
++				if (cfg->allowlisting) {
++					_gnutls_debug_log("cfg: too many (%d) enabled ciphers from %s\n",
++							  i, name);
++				} else {
++					_gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n",
++							  i, name);
++				}
+ 				if (fail_on_invalid_config)
+ 					return 0;
+ 				goto exit;
+ 			}
+-			system_wide_disabled_ciphers[i] = algo;
+-			system_wide_disabled_ciphers[i+1] = 0;
++			cfg->ciphers[i] = algo;
++			cfg->ciphers[i+1] = 0;
+ 
+-		} else if (c_strcasecmp(name, "tls-disabled-mac")==0) {
+-			unsigned algo;
++		} else if (c_strcasecmp(name, "tls-disabled-mac") == 0 ||
++			   c_strcasecmp(name, "tls-enabled-mac") == 0) {
++			gnutls_mac_algorithm_t algo;
+ 
+ 			p = clear_spaces(value, str);
+ 
+-			_gnutls_debug_log("cfg: disabling MAC %s for TLS\n",
+-					  p);
++			if (cfg->allowlisting) {
++				_gnutls_debug_log("cfg: enabling MAC %s for TLS\n",
++						  p);
++			} else {
++				_gnutls_debug_log("cfg: disabling MAC %s for TLS\n",
++						  p);
++			}
+ 
+ 			algo = gnutls_mac_get_id(p);
+ 			if (algo == 0) {
+@@ -1214,30 +1609,41 @@
+ 			}
+ 
+ 			i = 0;
+-			while (system_wide_disabled_macs[i] != 0)
++			while (cfg->macs[i] != 0)
+ 				i++;
+ 
+ 			if (i > MAX_ALGOS-1) {
+-				_gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n",
+-						  i, name);
++				if (cfg->allowlisting) {
++					_gnutls_debug_log("cfg: too many (%d) enabled MACs from %s\n",
++							  i, name);
++				} else {
++					_gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n",
++							  i, name);
++				}
+ 				if (fail_on_invalid_config)
+ 					return 0;
+ 				goto exit;
+ 			}
+-			system_wide_disabled_macs[i] = algo;
+-			system_wide_disabled_macs[i+1] = 0;
+-		} else if (c_strcasecmp(name, "tls-disabled-group")==0) {
+-			unsigned algo;
++			cfg->macs[i] = algo;
++			cfg->macs[i+1] = 0;
++		} else if (c_strcasecmp(name, "tls-disabled-group") == 0 ||
++			   c_strcasecmp(name, "tls-enabled-group") == 0) {
++			gnutls_group_t algo;
+ 
+ 			p = clear_spaces(value, str);
+ 
+-			if (strlen(p) > 6)
+-				p += 6; // skip GROUP-
++			if (c_strncasecmp(p, "GROUP-", 6) == 0)
++				p += 6;
+ 
+-			_gnutls_debug_log("cfg: disabling group %s for TLS\n",
+-					  p);
++			if (cfg->allowlisting) {
++				_gnutls_debug_log("cfg: enabling group %s for TLS\n",
++						  p);
++			} else {
++				_gnutls_debug_log("cfg: disabling group %s for TLS\n",
++						  p);
++			}
+ 
+-			algo = gnutls_group_get_id(p);
++			algo = _gnutls_group_get_id(p);
+ 			if (algo == 0) {
+ 				_gnutls_debug_log("cfg: unknown group %s listed at %s\n",
+ 						  p, name);
+@@ -1247,25 +1653,36 @@
+ 			}
+ 
+ 			i = 0;
+-			while (system_wide_disabled_groups[i] != 0)
++			while (cfg->groups[i] != 0)
+ 				i++;
+ 
+ 			if (i > MAX_ALGOS-1) {
+-				_gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n",
+-						  i, name);
++				if (cfg->allowlisting) {
++					_gnutls_debug_log("cfg: too many (%d) enabled groups from %s\n",
++							  i, name);
++				} else {
++					_gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n",
++							  i, name);
++				}
+ 				if (fail_on_invalid_config)
+ 					return 0;
+ 				goto exit;
+ 			}
+-			system_wide_disabled_groups[i] = algo;
+-			system_wide_disabled_groups[i+1] = 0;
+-		} else if (c_strcasecmp(name, "tls-disabled-kx")==0) {
++			cfg->groups[i] = algo;
++			cfg->groups[i+1] = 0;
++		} else if (c_strcasecmp(name, "tls-disabled-kx") == 0 ||
++			   c_strcasecmp(name, "tls-enabled-kx") == 0) {
+ 			unsigned algo;
+ 
+ 			p = clear_spaces(value, str);
+ 
+-			_gnutls_debug_log("cfg: disabling key exchange %s for TLS\n",
+-					  p);
++			if (cfg->allowlisting) {
++				_gnutls_debug_log("cfg: enabling key exchange %s for TLS\n",
++						  p);
++			} else {
++				_gnutls_debug_log("cfg: disabling key exchange %s for TLS\n",
++						  p);
++			}
+ 
+ 			algo = gnutls_kx_get_id(p);
+ 			if (algo == 0) {
+@@ -1277,24 +1694,29 @@
+ 			}
+ 
+ 			i = 0;
+-			while (system_wide_disabled_kxs[i] != 0)
++			while (cfg->kxs[i] != 0)
+ 				i++;
+ 
+ 			if (i > MAX_ALGOS-1) {
+-				_gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n",
+-						  i, name);
++				if (cfg->allowlisting) {
++					_gnutls_debug_log("cfg: too many (%d) enabled key exchanges from %s\n",
++							  i, name);
++				} else {
++					_gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n",
++							  i, name);
++				}
+ 				if (fail_on_invalid_config)
+ 					return 0;
+ 				goto exit;
+ 			}
+-			system_wide_disabled_kxs[i] = algo;
+-			system_wide_disabled_kxs[i+1] = 0;
++			cfg->kxs[i] = algo;
++			cfg->kxs[i+1] = 0;
+ 		} else {
+ 			_gnutls_debug_log("unknown parameter %s\n", name);
+ 			if (fail_on_invalid_config)
+ 				return 0;
+ 		}
+-	} else {
++	} else if (c_strcasecmp(section, GLOBAL_SECTION) != 0) {
+ 		_gnutls_debug_log("cfg: unknown section %s\n",
+ 				  section);
+ 		if (fail_on_invalid_config)
+@@ -1310,6 +1732,7 @@
+ 	int ret;
+ 	struct stat sb;
+ 	FILE *fp;
++	struct cfg cfg;
+ 
+ 	if (stat(system_priority_file, &sb) < 0) {
+ 		_gnutls_debug_log("cfg: unable to access: %s: %d\n",
+@@ -1327,21 +1750,41 @@
+ 	if (system_wide_priority_strings_init != 0)
+ 		_name_val_array_clear(&system_wide_priority_strings);
+ 
++	gnutls_free(system_wide_priority_string);
++	system_wide_priority_string = NULL;
++
+ 	fp = fopen(system_priority_file, "re");
+ 	if (fp == NULL) {
+ 		_gnutls_debug_log("cfg: unable to open: %s: %d\n",
+ 				  system_priority_file, errno);
+ 		return;
+ 	}
+-	ret = ini_parse_file(fp, cfg_ini_handler, NULL);
++	/* Parsing the configuration file needs to be done in 2 phases: first
++	 * parsing the [global] section and then the other sections, because the
++	 * [global] section modifies the parsing behavior.
++	 */
++	memset(&cfg, 0, sizeof(cfg));
++	ret = ini_parse_file(fp, global_ini_handler, &cfg);
++	if (ret == 0) {
++		if (fseek(fp, 0L, SEEK_SET) < 0) {
++			_gnutls_debug_log("cfg: unable to rewind: %s: %d\n",
++					  system_priority_file, ret);
++			if (fail_on_invalid_config)
++				exit(1);
++		}
++		ret = ini_parse_file(fp, cfg_ini_handler, &cfg);
++	}
+ 	fclose(fp);
+ 	if (ret != 0) {
++		cfg_deinit(&cfg);
+ 		_gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+ 				  system_priority_file, ret);
+ 		if (fail_on_invalid_config)
+ 			exit(1);
+ 		return;
+ 	}
++	cfg_apply(&cfg);
++	cfg_deinit(&cfg);
+ 
+ 	_gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n",
+ 			  system_priority_file,
+@@ -1368,6 +1811,7 @@
+ void _gnutls_unload_system_priorities(void)
+ {
+ 	_name_val_array_clear(&system_wide_priority_strings);
++	gnutls_free(system_wide_priority_string);
+ 	_clear_default_system_priority();
+ 	system_priority_last_mod = 0;
+ }
+@@ -1391,6 +1835,124 @@
+ 		return NULL;
+ }
+ 
++static const char *
++resolve_priorities_from_system_wide_allowlisting(void)
++{
++	gnutls_buffer_st buf;
++	int ret;
++	size_t i;
++
++	if (system_wide_priority_string) {
++		return system_wide_priority_string;
++	}
++
++	assert(system_wide_allowlisting);
++
++	_gnutls_buffer_init(&buf);
++
++	ret = _gnutls_buffer_append_str(&buf, "NONE");
++	if (ret < 0) {
++		_gnutls_buffer_clear(&buf);
++		return NULL;
++	}
++
++	for (i = 0; system_wide_tls_kxs[i] != 0; i++) {
++		ret = _gnutls_buffer_append_str(&buf, ":+");
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++
++		ret = _gnutls_buffer_append_str(&buf,
++						gnutls_kx_get_name(system_wide_tls_kxs[i]));
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++	}
++
++	for (i = 0; system_wide_tls_groups[i] != 0; i++) {
++		ret = _gnutls_buffer_append_str(&buf, ":+GROUP-");
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++
++		ret = _gnutls_buffer_append_str(&buf,
++						gnutls_group_get_name(system_wide_tls_groups[i]));
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++	}
++
++	for (i = 0; system_wide_tls_ciphers[i] != 0; i++) {
++		ret = _gnutls_buffer_append_str(&buf, ":+");
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++
++		ret = _gnutls_buffer_append_str(&buf,
++						gnutls_cipher_get_name(system_wide_tls_ciphers[i]));
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++	}
++
++	for (i = 0; system_wide_tls_macs[i] != 0; i++) {
++		ret = _gnutls_buffer_append_str(&buf, ":+");
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++
++		ret = _gnutls_buffer_append_str(&buf,
++						gnutls_mac_get_name(system_wide_tls_macs[i]));
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++	}
++
++	for (i = 0; system_wide_tls_sigs[i] != 0; i++) {
++		ret = _gnutls_buffer_append_str(&buf, ":+SIGN-");
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++
++		ret = _gnutls_buffer_append_str(&buf,
++						gnutls_sign_get_name(system_wide_tls_sigs[i]));
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++	}
++
++	for (i = 0; system_wide_tls_vers[i] != 0; i++) {
++		ret = _gnutls_buffer_append_str(&buf, ":+VERS-");
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++
++		ret = _gnutls_buffer_append_str(&buf,
++						gnutls_protocol_get_name(system_wide_tls_vers[i]));
++		if (ret < 0) {
++			_gnutls_buffer_clear(&buf);
++			return NULL;
++		}
++	}
++
++	gnutls_free(system_wide_priority_string);
++	system_wide_priority_string = gnutls_strdup((char *)buf.data);
++	_gnutls_buffer_clear(&buf);
++
++	return system_wide_priority_string;
++}
++
+ #define S(str) ((str!=NULL)?str:"")
+ 
+ /* Returns the new priorities if a priority string prefixed
+@@ -1445,7 +2007,13 @@
+ 			 */
+ 			_gnutls_update_system_priorities();
+ 
+-			p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
++			if (system_wide_allowlisting &&
++			    ss_len == sizeof(LEVEL_SYSTEM) - 1 &&
++			    strncmp(LEVEL_SYSTEM, ss, ss_len) == 0) {
++				p = resolve_priorities_from_system_wide_allowlisting();
++			} else {
++				p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
++			}
+ 
+ 			_gnutls_debug_log("resolved '%.*s' to '%s', next '%.*s'\n",
+ 					  ss_len, ss, S(p), ss_next_len, S(ss_next));
+@@ -1548,48 +2116,52 @@
+ 	priority_cache->groups.size = 0;
+ 	priority_cache->groups.have_ffdhe = 0;
+ 
+-	/* disable key exchanges which are globally disabled */
+-	z = 0;
+-	while (system_wide_disabled_kxs[z] != 0) {
+-		for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) {
+-			if (priority_cache->_kx.priorities[i] != system_wide_disabled_kxs[z])
+-				priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i];
+-		}
+-		priority_cache->_kx.num_priorities = j;
+-		z++;
+-	}
+-
+-	/* disable groups which are globally disabled */
+-	z = 0;
+-	while (system_wide_disabled_groups[z] != 0) {
+-		for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
+-			if (priority_cache->_supported_ecc.priorities[i] != system_wide_disabled_groups[z])
+-				priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i];
+-		}
+-		priority_cache->_supported_ecc.num_priorities = j;
+-		z++;
+-	}
+-
+-	/* disable ciphers which are globally disabled */
+-	z = 0;
+-	while (system_wide_disabled_ciphers[z] != 0) {
+-		for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) {
+-			if (priority_cache->_cipher.priorities[i] != system_wide_disabled_ciphers[z])
+-				priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i];
+-		}
+-		priority_cache->_cipher.num_priorities = j;
+-		z++;
+-	}
+-
+-	/* disable MACs which are globally disabled */
+-	z = 0;
+-	while (system_wide_disabled_macs[z] != 0) {
+-		for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) {
+-			if (priority_cache->_mac.priorities[i] != system_wide_disabled_macs[z])
+-				priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i];
++	/* in blocklisting mode, apply system wide disablement of key exchanges,
++	 * groups, MACs, and ciphers. */
++	if (!system_wide_allowlisting) {
++		/* disable key exchanges which are globally disabled */
++		z = 0;
++		while (system_wide_tls_kxs[z] != 0) {
++			for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) {
++				if (priority_cache->_kx.priorities[i] != system_wide_tls_kxs[z])
++					priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i];
++			}
++			priority_cache->_kx.num_priorities = j;
++			z++;
++		}
++
++		/* disable groups which are globally disabled */
++		z = 0;
++		while (system_wide_tls_groups[z] != 0) {
++			for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
++				if (priority_cache->_supported_ecc.priorities[i] != system_wide_tls_groups[z])
++					priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i];
++			}
++			priority_cache->_supported_ecc.num_priorities = j;
++			z++;
++		}
++
++		/* disable ciphers which are globally disabled */
++		z = 0;
++		while (system_wide_tls_ciphers[z] != 0) {
++			for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) {
++				if (priority_cache->_cipher.priorities[i] != system_wide_tls_ciphers[z])
++					priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i];
++			}
++			priority_cache->_cipher.num_priorities = j;
++			z++;
++		}
++
++		/* disable MACs which are globally disabled */
++		z = 0;
++		while (system_wide_tls_macs[z] != 0) {
++			for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) {
++				if (priority_cache->_mac.priorities[i] != system_wide_tls_macs[z])
++					priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i];
++			}
++			priority_cache->_mac.num_priorities = j;
++			z++;
+ 		}
+-		priority_cache->_mac.num_priorities = j;
+-		z++;
+ 	}
+ 
+ 	for (j=0;j<priority_cache->_cipher.num_priorities;j++) {
+@@ -1737,10 +2309,15 @@
+ 	for (i = 0; i < priority_cache->_sign_algo.num_priorities; i++) {
+ 		se = _gnutls_sign_to_entry(priority_cache->_sign_algo.priorities[i]);
+ 		if (se != NULL && priority_cache->sigalg.size < sizeof(priority_cache->sigalg.entry)/sizeof(priority_cache->sigalg.entry[0])) {
+-			/* if the signature algorithm semantics are not compatible with
+-			 * the protocol's, then skip. */
+-			if ((se->aid.tls_sem & tls_sig_sem) == 0)
++			/* if the signature algorithm semantics is not
++			 * compatible with the protocol's, or the algorithm is
++			 * marked as insecure, then skip. */
++			if ((se->aid.tls_sem & tls_sig_sem) == 0 ||
++			    !_gnutls_sign_is_secure2(se, system_wide_allowlisting ?
++						     GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE :
++						     0)) {
+ 				continue;
++			}
+ 			priority_cache->sigalg.entry[priority_cache->sigalg.size++] = se;
+ 		}
+ 	}
+@@ -2017,6 +2594,9 @@
+ 	(*priority_cache)->min_record_version = 1;
+ 	gnutls_atomic_init(&(*priority_cache)->usage_cnt);
+ 
++	if (system_wide_allowlisting && !priorities) {
++		priorities = "@" LEVEL_SYSTEM;
++	}
+ 	if (priorities == NULL) {
+ 		priorities = _gnutls_default_priority_string;
+ 		resolved_match = 0;
+@@ -2150,7 +2730,7 @@
+ 						_supported_groups_gost);
+ 				} else {
+ 					if ((algo =
+-					     gnutls_group_get_id
++					     _gnutls_group_get_id
+ 					     (&broken_list[i][7])) !=
+ 					    GNUTLS_GROUP_INVALID)
+ 						fn(&(*priority_cache)->
+diff -ruN gnutls-3.7.2/Makefile.in gnutls-3.7.2-bootstrapped/Makefile.in
+--- gnutls-3.7.2/Makefile.in	2021-05-29 10:11:20.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/Makefile.in	2021-06-28 09:11:37.000000000 +0200
+@@ -35,7 +35,7 @@
+ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ 
+ # aminclude_static.am generated automatically by Autoconf
+-# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
++# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
+ VPATH = @srcdir@
+ am__is_gnu_make = { \
+   if test -z '$(MAKELEVEL)'; then \
+diff -ruN gnutls-3.7.2/NEWS gnutls-3.7.2-bootstrapped/NEWS
+--- gnutls-3.7.2/NEWS	2021-05-29 10:08:56.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/NEWS	2021-06-28 09:09:14.000000000 +0200
+@@ -5,6 +5,23 @@
+ Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
+ See the end for copying conditions.
+ 
++* Version 3.7.3 (unreleased)
++
++** libgnutls: The allowlisting configuration mode has been added to the system-wide
++   settings. In this mode, all the algorithms are initially marked as insecure
++   or disabled, while the applications can re-enable them either through the
++   [overrides] section of the configuration file or the new API (#1172).
++
++** API and ABI modifications:
++gnutls_ecc_curve_mark_disabled: Added.
++gnutls_ecc_curve_mark_enabled: Added.
++gnutls_sign_mark_insecure: Added.
++gnutls_sign_mark_secure: Added.
++gnutls_digest_mark_insecure: Added.
++gnutls_digest_mark_secure: Added.
++gnutls_protocol_mark_disabled: Added.
++gnutls_protocol_mark_enabled: Added.
++
+ * Version 3.7.2 (released 2021-05-29)
+ 
+ ** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
+diff -ruN gnutls-3.7.2/po/cs.po gnutls-3.7.2-bootstrapped/po/cs.po
+--- gnutls-3.7.2/po/cs.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/cs.po	2021-06-28 09:35:00.000000000 +0200
+@@ -9,7 +9,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls 3.6.8\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2019-06-18 07:01+02:00\n"
+ "Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
+ "Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n"
+diff -ruN gnutls-3.7.2/po/de.po gnutls-3.7.2-bootstrapped/po/de.po
+--- gnutls-3.7.2/po/de.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/de.po	2021-06-28 09:35:00.000000000 +0200
+@@ -10,7 +10,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls 3.2.3\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2019-05-16 20:42+0200\n"
+ "Last-Translator: Roland Illig <roland.illig@gmx.de>\n"
+ "Language-Team: German <translation-team-de@lists.sourceforge.net>\n"
+diff -ruN gnutls-3.7.2/po/eo.po gnutls-3.7.2-bootstrapped/po/eo.po
+--- gnutls-3.7.2/po/eo.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/eo.po	2021-06-28 09:35:00.000000000 +0200
+@@ -7,7 +7,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls 3.6.8\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2019-07-15 13:25-0300\n"
+ "Last-Translator: Felipe Castro <fefcas@gmail.com>\n"
+ "Language-Team: Esperanto <translation-team-eo@lists.sourceforge.net>\n"
+diff -ruN gnutls-3.7.2/po/es.po gnutls-3.7.2-bootstrapped/po/es.po
+--- gnutls-3.7.2/po/es.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/es.po	2021-06-28 09:35:00.000000000 +0200
+@@ -7,7 +7,7 @@
+ msgstr ""
+ "Project-Id-Version: libgnutls 3.2.3\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2018-05-02 19:11+0200\n"
+ "Last-Translator: Francisco Javier Serrador <fserrador@gmail.com>\n"
+ "Language-Team: Spanish <es@tp.org.es>\n"
+diff -ruN gnutls-3.7.2/po/fi.po gnutls-3.7.2-bootstrapped/po/fi.po
+--- gnutls-3.7.2/po/fi.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/fi.po	2021-06-28 09:35:00.000000000 +0200
+@@ -7,7 +7,7 @@
+ msgstr ""
+ "Project-Id-Version: libgnutls 3.2.1\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2013-06-19 17:09+0300\n"
+ "Last-Translator: Jorma Karvonen <karvonen.jorma@gmail.com>\n"
+ "Language-Team: Finnish <translation-team-fi@lists.sourceforge.net>\n"
+diff -ruN gnutls-3.7.2/po/fr.po gnutls-3.7.2-bootstrapped/po/fr.po
+--- gnutls-3.7.2/po/fr.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/fr.po	2021-06-28 09:35:00.000000000 +0200
+@@ -12,7 +12,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls 3.6.8\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2019-08-12 01:03+0200\n"
+ "Last-Translator: Stéphane Aulery <lkppo@free.fr>\n"
+ "Language-Team: French <traduc@traduc.org>\n"
+diff -ruN gnutls-3.7.2/po/gnutls.pot gnutls-3.7.2-bootstrapped/po/gnutls.pot
+--- gnutls-3.7.2/po/gnutls.pot	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/gnutls.pot	2021-06-28 09:35:00.000000000 +0200
+@@ -8,7 +8,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls 3.7.2\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+ "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+ "Language-Team: LANGUAGE <LL@li.org>\n"
+diff -ruN gnutls-3.7.2/po/it.po gnutls-3.7.2-bootstrapped/po/it.po
+--- gnutls-3.7.2/po/it.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/it.po	2021-06-28 09:35:00.000000000 +0200
+@@ -8,7 +8,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls-3.6.8\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2019-08-02 11:43+0200\n"
+ "Last-Translator: Milo Casagrande <milo@milo.name>\n"
+ "Language-Team: Italian <tp@lists.linux.it>\n"
+Binary files gnutls-3.7.2/po/ms.gmo and gnutls-3.7.2-bootstrapped/po/ms.gmo differ
+diff -ruN gnutls-3.7.2/po/ms.po gnutls-3.7.2-bootstrapped/po/ms.po
+--- gnutls-3.7.2/po/ms.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/ms.po	2021-06-28 09:35:00.000000000 +0200
+@@ -7,8 +7,8 @@
+ msgstr ""
+ "Project-Id-Version: gnutls 3.6.8\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+-"PO-Revision-Date: 2021-04-20 16:03+0800\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
++"PO-Revision-Date: 2021-06-14 00:17+0800\n"
+ "Last-Translator: Sharuzzaman Ahmat Raslan <sharuzzaman@gmail.com>\n"
+ "Language-Team: Malay <translation-team-ms@lists.sourceforge.net>\n"
+ "Language: ms\n"
+@@ -16,7 +16,7 @@
+ "Content-Type: text/plain; charset=utf-8\n"
+ "Content-Transfer-Encoding: 8bit\n"
+ "X-Bugs: Report translation errors to the Language-Team address.\n"
+-"X-Generator: Poedit 2.4.2\n"
++"X-Generator: Poedit 3.0\n"
+ 
+ #: lib/alert.c:39
+ msgid "Close notify"
+@@ -139,7 +139,7 @@
+ #: lib/alert.c:83
+ #, fuzzy
+ msgid "An extension was expected but was not seen"
+-msgstr "')' dijangka\n"
++msgstr "Sambungan tidak disokong telah dihantar"
+ 
+ #: lib/alert.c:86
+ msgid "No supported application protocol could be negotiated"
+@@ -1224,20 +1224,19 @@
+ msgstr "%s\t\t\tnamaLain OID: %.*s\n"
+ 
+ #: lib/x509/output.c:152
+-#, fuzzy, c-format
+-#| msgid "\t\t\tXMPP Address: %.*s\n"
++#, c-format
+ msgid "%sXMPP Address: %.*s\n"
+-msgstr "\t\t\tAlamat XMPP: %.*s\n"
++msgstr "%sAlamat XMPP: %.*s\n"
+ 
+ #: lib/x509/output.c:156
+-#, fuzzy, c-format
++#, c-format
+ msgid "%sKRB5Principal: %.*s\n"
+-msgstr "%s: %s.\n"
++msgstr "%sKRB5Principal: %.*s\n"
+ 
+ #: lib/x509/output.c:160
+-#, fuzzy, c-format
++#, c-format
+ msgid "%sUnknown name: "
+-msgstr "Nama"
++msgstr "%sNama tidak diketahui: "
+ 
+ #: lib/x509/output.c:302
+ #, c-format
+@@ -1266,14 +1265,14 @@
+ "\t\t\tLambakan Hex: "
+ 
+ #: lib/x509/output.c:347
+-#, fuzzy, c-format
++#, c-format
+ msgid "%s\t\t\tPermitted:\n"
+-msgstr "TDB: Tulis tidak dibenarkan"
++msgstr "%s\t\t\tDibenarkan:\n"
+ 
+ #: lib/x509/output.c:359
+-#, fuzzy, c-format
++#, c-format
+ msgid "%s\t\t\tExcluded:\n"
+-msgstr "%s%s: %.*s (%s)\n"
++msgstr "%s\t\t\tDikecualikan:\n"
+ 
+ #: lib/x509/output.c:399 lib/x509/output.c:401 lib/x509/output.c:403
+ #, c-format
+diff -ruN gnutls-3.7.2/po/nl.po gnutls-3.7.2-bootstrapped/po/nl.po
+--- gnutls-3.7.2/po/nl.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/nl.po	2021-06-28 09:35:00.000000000 +0200
+@@ -10,7 +10,7 @@
+ msgstr ""
+ "Project-Id-Version: libgnutls-3.2.1\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2013-06-13 19:56+0200\n"
+ "Last-Translator: Benno Schulenberg <benno@vertaalt.nl>\n"
+ "Language-Team: Dutch <vertaling@vrijschrift.org>\n"
+diff -ruN gnutls-3.7.2/po/pl.po gnutls-3.7.2-bootstrapped/po/pl.po
+--- gnutls-3.7.2/po/pl.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/pl.po	2021-06-28 09:35:00.000000000 +0200
+@@ -7,7 +7,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls-3.6.8\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2019-06-01 08:22+0200\n"
+ "Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
+ "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
+diff -ruN gnutls-3.7.2/po/pt_BR.po gnutls-3.7.2-bootstrapped/po/pt_BR.po
+--- gnutls-3.7.2/po/pt_BR.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/pt_BR.po	2021-06-28 09:35:00.000000000 +0200
+@@ -7,7 +7,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls 3.6.8\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2019-06-11 03:55-0200\n"
+ "Last-Translator: Rafael Fontenelle <rafaelff@gnome.org>\n"
+ "Language-Team: Brazilian Portuguese <ldpbr-translation@lists.sourceforge."
+diff -ruN gnutls-3.7.2/po/sr.po gnutls-3.7.2-bootstrapped/po/sr.po
+--- gnutls-3.7.2/po/sr.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/sr.po	2021-06-28 09:35:00.000000000 +0200
+@@ -6,7 +6,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls-3.6.8\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2020-08-04 15:21+0200\n"
+ "Last-Translator: Мирослав Николић <miroslavnikolic@rocketmail.com>\n"
+ "Language-Team: Serbian <(nothing)>\n"
+diff -ruN gnutls-3.7.2/po/sv.po gnutls-3.7.2-bootstrapped/po/sv.po
+--- gnutls-3.7.2/po/sv.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/sv.po	2021-06-28 09:35:00.000000000 +0200
+@@ -8,7 +8,7 @@
+ msgstr ""
+ "Project-Id-Version: libgnutls 3.2.3\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2017-06-22 13:44+0200\n"
+ "Last-Translator: Anders Jonsson <anders.jonsson@norsjovallen.se>\n"
+ "Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n"
+diff -ruN gnutls-3.7.2/po/uk.po gnutls-3.7.2-bootstrapped/po/uk.po
+--- gnutls-3.7.2/po/uk.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/uk.po	2021-06-28 09:35:00.000000000 +0200
+@@ -8,7 +8,7 @@
+ msgstr ""
+ "Project-Id-Version: gnutls 3.6.8\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2019-06-06 21:38+0300\n"
+ "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
+ "Language-Team: Ukrainian <trans-uk@lists.fedoraproject.org>\n"
+diff -ruN gnutls-3.7.2/po/vi.po gnutls-3.7.2-bootstrapped/po/vi.po
+--- gnutls-3.7.2/po/vi.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/vi.po	2021-06-28 09:35:00.000000000 +0200
+@@ -8,7 +8,7 @@
+ msgstr ""
+ "Project-Id-Version: libgnutls-3.2.3\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2013-08-06 07:13+0700\n"
+ "Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n"
+ "Language-Team: Vietnamese <translation-team-vi@lists.sourceforge.net>\n"
+diff -ruN gnutls-3.7.2/po/zh_CN.po gnutls-3.7.2-bootstrapped/po/zh_CN.po
+--- gnutls-3.7.2/po/zh_CN.po	2021-05-29 10:15:00.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/po/zh_CN.po	2021-06-28 09:35:00.000000000 +0200
+@@ -10,7 +10,7 @@
+ msgstr ""
+ "Project-Id-Version: libgnutls 3.2.3\n"
+ "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
+-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
++"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+ "PO-Revision-Date: 2015-11-10 09:47-0500\n"
+ "Last-Translator: Mingye Wang (Arthur2e5) <arthur200126@gmail.com>\n"
+ "Language-Team: Chinese (simplified) <i18n-zh@googlegroups.com>\n"
+diff -ruN gnutls-3.7.2/src/p11tool-args.def gnutls-3.7.2-bootstrapped/src/p11tool-args.def
+--- gnutls-3.7.2/src/p11tool-args.def	2021-04-19 09:28:28.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/src/p11tool-args.def	2021-06-25 17:46:01.000000000 +0200
+@@ -268,8 +268,9 @@
+ flag = {
+     name      = write;
+     descrip   = "Writes the loaded objects to a PKCS #11 token";
+-    doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
+-    one of --load-privkey, --load-pubkey, --load-certificate option.";
++    doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.
++
++When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.";
+ };
+ 
+ flag = {
+diff -ruN gnutls-3.7.2/tests/Makefile.am gnutls-3.7.2-bootstrapped/tests/Makefile.am
+--- gnutls-3.7.2/tests/Makefile.am	2021-05-27 08:10:21.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/tests/Makefile.am	2021-06-28 09:09:42.000000000 +0200
+@@ -108,7 +108,7 @@
+ libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c
+ libutils_la_LIBADD = ../lib/libgnutls.la
+ 
+-indirect_tests = system-override-hash system-override-sig
++indirect_tests = system-override-hash system-override-sig system-override-sig-tls
+ 
+ ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
+ 	tls13/post-handshake-with-cert tls13/post-handshake-without-cert \
+@@ -509,7 +509,13 @@
+ dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
+ 	system-override-versions.sh system-override-invalid.sh \
+ 	system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
+-	system-override-kx.sh system-override-default-priority-string.sh
++	system-override-kx.sh system-override-default-priority-string.sh \
++	system-override-sig-tls.sh
++
++dist_check_SCRIPTS += system-override-sig-allowlist.sh \
++	system-override-hash-allowlist.sh \
++	system-override-versions-allowlist.sh \
++	system-override-curves-allowlist.sh
+ endif
+ 
+ dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh
+@@ -605,6 +611,7 @@
+ endif
+ 
+ TEST_EXTENSIONS = .sh
++SH_LOG_COMPILER = $(SHELL)
+ LOG_COMPILER = $(VALGRIND)
+ 
+ distclean-local:
+diff -ruN gnutls-3.7.2/tests/Makefile.in gnutls-3.7.2-bootstrapped/tests/Makefile.in
+--- gnutls-3.7.2/tests/Makefile.in	2021-05-29 10:11:25.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/tests/Makefile.in	2021-06-28 09:11:42.000000000 +0200
+@@ -191,11 +191,20 @@
+ @WINDOWS_FALSE@	gnutls-cli-resume.sh profile-tests.sh \
+ @WINDOWS_FALSE@	server-weak-keys.sh
+ @WINDOWS_FALSE@am__append_17 = dtls-stress
+-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh system-override-hash.sh \
+-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-versions.sh system-override-invalid.sh \
+-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
+-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-kx.sh system-override-default-priority-string.sh
+-
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-hash.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-versions.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-invalid.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-curves.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-profiles.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-tls.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-kx.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-default-priority-string.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-sig-tls.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-sig-allowlist.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-hash-allowlist.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-versions-allowlist.sh \
++@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-curves-allowlist.sh
+ @WINDOWS_FALSE@am__append_19 = gnutls-cli-self-signed.sh \
+ @WINDOWS_FALSE@	gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \
+ @WINDOWS_FALSE@	dh-fips-approved.sh
+@@ -662,8 +671,8 @@
+ @ENABLE_PKCS11_TRUE@@HAVE_PKCS11_TRUST_STORE_TRUE@@P11KIT_0_23_11_API_TRUE@@WINDOWS_FALSE@	pkcs11/list-objects$(EXEEXT)
+ @WINDOWS_FALSE@am__EXEEXT_18 = datefudge-check$(EXEEXT)
+ am__EXEEXT_19 = system-override-hash$(EXEEXT) \
+-	system-override-sig$(EXEEXT) $(am__EXEEXT_16) $(am__EXEEXT_17) \
+-	$(am__EXEEXT_18)
++	system-override-sig$(EXEEXT) system-override-sig-tls$(EXEEXT) \
++	$(am__EXEEXT_16) $(am__EXEEXT_17) $(am__EXEEXT_18)
+ PROGRAMS = $(noinst_PROGRAMS)
+ LTLIBRARIES = $(noinst_LTLIBRARIES)
+ @ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock1_la_DEPENDENCIES =  \
+@@ -2366,6 +2375,11 @@
+ system_override_sig_LDADD = $(LDADD)
+ system_override_sig_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \
+ 	$(am__DEPENDENCIES_2)
++system_override_sig_tls_SOURCES = system-override-sig-tls.c
++system_override_sig_tls_OBJECTS = system-override-sig-tls.$(OBJEXT)
++system_override_sig_tls_LDADD = $(LDADD)
++system_override_sig_tls_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \
++	libutils.la $(am__DEPENDENCIES_2)
+ system_prio_file_SOURCES = system-prio-file.c
+ system_prio_file_OBJECTS = system-prio-file.$(OBJEXT)
+ system_prio_file_LDADD = $(LDADD)
+@@ -2997,10 +3011,13 @@
+ 	system-override-profiles.sh system-override-tls.sh \
+ 	system-override-kx.sh \
+ 	system-override-default-priority-string.sh \
+-	gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \
+-	gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \
+-	testpkcs11.sh certtool-pkcs11.sh p11-kit-load.sh danetool.sh \
+-	tpmtool_test.sh
++	system-override-sig-tls.sh system-override-sig-allowlist.sh \
++	system-override-hash-allowlist.sh \
++	system-override-versions-allowlist.sh \
++	system-override-curves-allowlist.sh gnutls-cli-self-signed.sh \
++	gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \
++	dh-fips-approved.sh p11-kit-trust.sh testpkcs11.sh \
++	certtool-pkcs11.sh p11-kit-load.sh danetool.sh tpmtool_test.sh
+ AM_V_P = $(am__v_P_@AM_V@)
+ am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+ am__v_P_0 = false
+@@ -3216,6 +3233,7 @@
+ 	./$(DEPDIR)/status-request.Po ./$(DEPDIR)/str-idna.Po \
+ 	./$(DEPDIR)/str-unicode.Po ./$(DEPDIR)/strict-der.Po \
+ 	./$(DEPDIR)/system-override-hash.Po \
++	./$(DEPDIR)/system-override-sig-tls.Po \
+ 	./$(DEPDIR)/system-override-sig.Po \
+ 	./$(DEPDIR)/system-prio-file.Po ./$(DEPDIR)/time.Po \
+ 	./$(DEPDIR)/tls-channel-binding.Po \
+@@ -3522,16 +3540,16 @@
+ 	ssl30-server-kx-neg.c status-request.c status-request-ext.c \
+ 	status-request-ok.c status-request-revoked.c str-idna.c \
+ 	str-unicode.c strict-der.c system-override-hash.c \
+-	system-override-sig.c system-prio-file.c time.c \
+-	tls-channel-binding.c tls-client-with-seccomp.c \
+-	tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \
+-	tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \
+-	tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \
+-	tls-record-size-limit-asym.c tls-session-ext-override.c \
+-	tls-session-ext-register.c tls-session-supplemental.c \
+-	tls-supplemental.c tls-with-seccomp.c \
+-	$(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \
+-	tls10-prf.c tls10-server-kx-neg.c \
++	system-override-sig.c system-override-sig-tls.c \
++	system-prio-file.c time.c tls-channel-binding.c \
++	tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \
++	tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \
++	tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \
++	tls-record-size-limit.c tls-record-size-limit-asym.c \
++	tls-session-ext-override.c tls-session-ext-register.c \
++	tls-session-supplemental.c tls-supplemental.c \
++	tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \
++	tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \
+ 	$(tls11_cert_key_exchange_SOURCES) \
+ 	$(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \
+ 	$(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \
+@@ -3707,16 +3725,16 @@
+ 	ssl30-server-kx-neg.c status-request.c status-request-ext.c \
+ 	status-request-ok.c status-request-revoked.c str-idna.c \
+ 	str-unicode.c strict-der.c system-override-hash.c \
+-	system-override-sig.c system-prio-file.c time.c \
+-	tls-channel-binding.c tls-client-with-seccomp.c \
+-	tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \
+-	tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \
+-	tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \
+-	tls-record-size-limit-asym.c tls-session-ext-override.c \
+-	tls-session-ext-register.c tls-session-supplemental.c \
+-	tls-supplemental.c tls-with-seccomp.c \
+-	$(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \
+-	tls10-prf.c tls10-server-kx-neg.c \
++	system-override-sig.c system-override-sig-tls.c \
++	system-prio-file.c time.c tls-channel-binding.c \
++	tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \
++	tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \
++	tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \
++	tls-record-size-limit.c tls-record-size-limit-asym.c \
++	tls-session-ext-override.c tls-session-ext-register.c \
++	tls-session-supplemental.c tls-supplemental.c \
++	tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \
++	tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \
+ 	$(tls11_cert_key_exchange_SOURCES) \
+ 	$(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \
+ 	$(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \
+@@ -5822,7 +5840,8 @@
+ libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c
+ libutils_la_LIBADD = ../lib/libgnutls.la
+ indirect_tests = system-override-hash system-override-sig \
+-	$(am__append_17) $(am__append_22) $(am__append_28)
++	system-override-sig-tls $(am__append_17) $(am__append_22) \
++	$(am__append_28)
+ ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
+ 	tls13/post-handshake-with-cert \
+ 	tls13/post-handshake-without-cert tls13/cookie tls13/key_share \
+@@ -6115,6 +6134,7 @@
+ @ENABLE_CXX_TRUE@@HAVE_CMOCKA_TRUE@	-I$(top_builddir)/gl
+ 
+ TEST_EXTENSIONS = .sh
++SH_LOG_COMPILER = $(SHELL)
+ LOG_COMPILER = $(VALGRIND)
+ all: all-recursive
+ 
+@@ -7590,6 +7610,10 @@
+ 	@rm -f system-override-sig$(EXEEXT)
+ 	$(AM_V_CCLD)$(LINK) $(system_override_sig_OBJECTS) $(system_override_sig_LDADD) $(LIBS)
+ 
++system-override-sig-tls$(EXEEXT): $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_DEPENDENCIES) $(EXTRA_system_override_sig_tls_DEPENDENCIES) 
++	@rm -f system-override-sig-tls$(EXEEXT)
++	$(AM_V_CCLD)$(LINK) $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_LDADD) $(LIBS)
++
+ system-prio-file$(EXEEXT): $(system_prio_file_OBJECTS) $(system_prio_file_DEPENDENCIES) $(EXTRA_system_prio_file_DEPENDENCIES) 
+ 	@rm -f system-prio-file$(EXEEXT)
+ 	$(AM_V_CCLD)$(LINK) $(system_prio_file_OBJECTS) $(system_prio_file_LDADD) $(LIBS)
+@@ -8396,6 +8420,7 @@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str-unicode.Po@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strict-der.Po@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-hash.Po@am__quote@ # am--include-marker
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig-tls.Po@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig.Po@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-prio-file.Po@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/time.Po@am__quote@ # am--include-marker
+@@ -12588,6 +12613,7 @@
+ 	-rm -f ./$(DEPDIR)/str-unicode.Po
+ 	-rm -f ./$(DEPDIR)/strict-der.Po
+ 	-rm -f ./$(DEPDIR)/system-override-hash.Po
++	-rm -f ./$(DEPDIR)/system-override-sig-tls.Po
+ 	-rm -f ./$(DEPDIR)/system-override-sig.Po
+ 	-rm -f ./$(DEPDIR)/system-prio-file.Po
+ 	-rm -f ./$(DEPDIR)/time.Po
+@@ -13075,6 +13101,7 @@
+ 	-rm -f ./$(DEPDIR)/str-unicode.Po
+ 	-rm -f ./$(DEPDIR)/strict-der.Po
+ 	-rm -f ./$(DEPDIR)/system-override-hash.Po
++	-rm -f ./$(DEPDIR)/system-override-sig-tls.Po
+ 	-rm -f ./$(DEPDIR)/system-override-sig.Po
+ 	-rm -f ./$(DEPDIR)/system-prio-file.Po
+ 	-rm -f ./$(DEPDIR)/time.Po
+diff -ruN gnutls-3.7.2/tests/suite/Makefile.am gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am
+--- gnutls-3.7.2/tests/suite/Makefile.am	2021-05-27 08:08:22.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am	2021-06-28 09:09:42.000000000 +0200
+@@ -115,4 +115,5 @@
+ prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
+ 
+ TEST_EXTENSIONS = .sh
++SH_LOG_COMPILER = $(SHELL)
+ LOG_COMPILER = $(VALGRIND)
+diff -ruN gnutls-3.7.2/tests/suite/Makefile.in gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in
+--- gnutls-3.7.2/tests/suite/Makefile.in	2021-05-29 10:11:26.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in	2021-06-28 09:11:43.000000000 +0200
+@@ -2351,6 +2351,7 @@
+ nodist_check_SCRIPTS = $(scripts_to_test)
+ prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
+ TEST_EXTENSIONS = .sh
++SH_LOG_COMPILER = $(SHELL)
+ LOG_COMPILER = $(VALGRIND)
+ all: all-am
+ 
+diff -ruN gnutls-3.7.2/tests/system-override-curves-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh
+--- gnutls-3.7.2/tests/system-override-curves-allowlist.sh	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh	2021-06-28 09:09:14.000000000 +0200
+@@ -0,0 +1,113 @@
++#!/bin/sh
++
++# Copyright (C) 2019 Red Hat, Inc.
++#
++# Author: Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with this program.  If not, see <https://www.gnu.org/licenses/>
++
++: ${srcdir=.}
++: ${SERV=../src/gnutls-serv${EXEEXT}}
++: ${CLI=../src/gnutls-cli${EXEEXT}}
++TMPFILE=config.$$.tmp
++TMPFILE2=log.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++if ! test -x "${SERV}"; then
++	exit 77
++fi
++
++if ! test -x "${CLI}"; then
++	exit 77
++fi
++
++if test "${WINDIR}" != ""; then
++	exit 77
++fi
++
++. "${srcdir}/scripts/common.sh"
++
++# This test doesn't work in FIPS mode
++if test -n "${GNUTLS_FORCE_FIPS_MODE}" && test "${GNUTLS_FORCE_FIPS_MODE}" != 0; then
++	exit 77
++fi
++
++# We intentionally add stray spaces and tabs to check our parser
++cat <<_EOF_ > ${TMPFILE}
++[global]
++override-mode = allowlist
++
++[overrides]
++enabled-curve = secp384r1
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++export GNUTLS_DEBUG_LEVEL=3
++
++"${CLI}" --list|grep ^Groups >${TMPFILE2}
++cat ${TMPFILE2}
++if grep -i "SECP256R1" ${TMPFILE2} || grep -i "SECP521R1" ${TMPFILE2};then
++	echo "Found disabled curve with --list"
++	exit 1
++fi
++
++if ! grep -i "SECP384R1" ${TMPFILE2};then
++	echo "Could not found secp384r1"
++	exit 1
++fi
++
++# Try whether a client connection with a disabled curve will succeed.
++
++KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
++CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
++
++unset GNUTLS_SYSTEM_PRIORITY_FILE
++
++eval "${GETPORT}"
++launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
++PID=$!
++wait_server ${PID}
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
++	fail "expected connection to succeed (1)"
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
++	fail "expected connection to fail (2)"
++
++kill ${PID}
++wait
++
++# Try whether a server connection with a disabled curve will succeed.
++
++KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
++CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
++
++eval "${GETPORT}"
++launch_server --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1}
++PID=$!
++wait_server ${PID}
++
++unset GNUTLS_SYSTEM_PRIORITY_FILE
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
++	fail "expected connection to fail (2)"
++
++kill ${PID}
++wait
++
++exit 0
+diff -ruN gnutls-3.7.2/tests/system-override-hash-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh
+--- gnutls-3.7.2/tests/system-override-hash-allowlist.sh	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh	2021-06-28 09:09:14.000000000 +0200
+@@ -0,0 +1,41 @@
++#!/bin/sh
++
++# Copyright (C) 2019 Nikos Mavrogiannopoulos
++#
++# Author: Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${builddir=.}
++TMPFILE=c.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++cat <<_EOF_ > ${TMPFILE}
++[global]
++override-mode = allowlist
++
++[overrides]
++secure-hash = sha384
++secure-sig = rsa-pss-sha384
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${builddir}/system-override-hash"
++rc=$?
++rm ${TMPFILE}
++exit $rc
+diff -ruN gnutls-3.7.2/tests/system-override-sig-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh
+--- gnutls-3.7.2/tests/system-override-sig-allowlist.sh	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh	2021-06-28 09:09:14.000000000 +0200
+@@ -0,0 +1,43 @@
++#!/bin/sh
++
++# Copyright (C) 2019 Nikos Mavrogiannopoulos
++#
++# Author: Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${builddir=.}
++TMPFILE=c.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++cat <<_EOF_ > ${TMPFILE}
++[global]
++override-mode = allowlist
++
++[overrides]
++secure-hash = sha256
++secure-sig = rsa-sha256
++secure-hash = sha384
++secure-sig = rsa-pss-sha384
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${builddir}/system-override-sig"
++rc=$?
++rm ${TMPFILE}
++exit $rc
+diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.c gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c
+--- gnutls-3.7.2/tests/system-override-sig-tls.c	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c	2021-06-25 17:46:13.000000000 +0200
+@@ -0,0 +1,200 @@
++/*
++ * Copyright (C) 2015-2021 Red Hat, Inc.
++ *
++ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <assert.h>
++#include <stdbool.h>
++#include <stdint.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <gnutls/gnutls.h>
++#include "utils.h"
++
++#define SKIP16(pos, total) { \
++	uint16_t _s; \
++	if (pos+2 > total) fail("error\n"); \
++	_s = (msg->data[pos] << 8) | msg->data[pos+1]; \
++	if ((size_t)(pos+2+_s) > total) fail("error\n"); \
++	pos += 2+_s; \
++	}
++
++#define SKIP8(pos, total) { \
++	uint8_t _s; \
++	if (pos+1 > total) fail("error\n"); \
++	_s = msg->data[pos]; \
++	if ((size_t)(pos+1+_s) > total) fail("error\n"); \
++	pos += 1+_s; \
++	}
++
++#define HANDSHAKE_SESSION_ID_POS 34
++
++#include "eagain-common.h"
++#include "cert-common.h"
++
++/* This tests whether the client omits signature algorithms marked as insecure,
++ * from the signature_algorithms extension.
++ */
++
++const char *side;
++
++static void tls_log_func(int level, const char *str)
++{
++	fprintf(stderr, "%s|<%d>| %s", side, level, str);
++}
++
++#define PRIO "NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:" \
++	"+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384"
++/* rsa_pss_rsae_sha384 */
++#define SIGALGS_EXP "\x00\x02\x08\x05"
++
++static int
++ext_callback(void *ctx, unsigned tls_id,
++	     const unsigned char *data, unsigned size)
++{
++	if (tls_id == 13) {	/* signature algorithms */
++		if (size != sizeof(SIGALGS_EXP) - 1) {
++			fail("invalid signature_algorithms length: %u != 4\n",
++			     size);
++		}
++		if (memcmp(data, SIGALGS_EXP, sizeof(SIGALGS_EXP) - 1) != 0) {
++			fail("invalid signature_algorithms\n");
++		}
++	}
++	return 0;
++}
++
++static int
++handshake_callback(gnutls_session_t session, unsigned int htype,
++		   unsigned post, unsigned int incoming,
++		   const gnutls_datum_t *msg)
++{
++	assert(post);
++
++	if (!incoming && htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
++		int ret;
++		unsigned pos;
++		gnutls_datum_t mmsg;
++
++		assert(msg->size >= HANDSHAKE_SESSION_ID_POS);
++		pos = HANDSHAKE_SESSION_ID_POS;
++		SKIP8(pos, msg->size);
++		SKIP16(pos, msg->size);
++		SKIP8(pos, msg->size);
++
++		mmsg.data = &msg->data[pos];
++		mmsg.size = msg->size - pos;
++		ret = gnutls_ext_raw_parse(NULL, ext_callback, &mmsg, 0);
++		assert(ret >= 0);
++	}
++	return 0;
++}
++
++void doit(void)
++{
++	int ret;
++	/* Server stuff. */
++	gnutls_certificate_credentials_t serverx509cred;
++	gnutls_session_t server;
++	int sret = GNUTLS_E_AGAIN;
++	/* Client stuff. */
++	gnutls_certificate_credentials_t clientx509cred;
++	gnutls_session_t client;
++	int cret = GNUTLS_E_AGAIN;
++
++	global_init();
++
++	/* General init. */
++	gnutls_global_set_log_function(tls_log_func);
++	if (debug)
++		gnutls_global_set_log_level(6);
++
++	/* Init server */
++	gnutls_certificate_allocate_credentials(&serverx509cred);
++	gnutls_certificate_set_x509_key_mem(serverx509cred,
++					    &server2_cert, &server2_key,
++					    GNUTLS_X509_FMT_PEM);
++
++	gnutls_init(&server, GNUTLS_SERVER);
++	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
++				serverx509cred);
++
++	gnutls_priority_set_direct(server, PRIO, NULL);
++
++	gnutls_transport_set_push_function(server, server_push);
++	gnutls_transport_set_pull_function(server, server_pull);
++	gnutls_transport_set_pull_timeout_function(server,
++						   server_pull_timeout_func);
++	gnutls_transport_set_ptr(server, server);
++
++	/* Init client */
++	ret = gnutls_certificate_allocate_credentials(&clientx509cred);
++	if (ret < 0)
++		exit(1);
++
++	ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca2_cert, GNUTLS_X509_FMT_PEM);
++	if (ret < 0)
++		exit(1);
++
++	ret = gnutls_init(&client, GNUTLS_CLIENT);
++	if (ret < 0)
++		exit(1);
++
++	ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
++				clientx509cred);
++	if (ret < 0)
++		exit(1);
++
++	ret = gnutls_priority_set_direct(client, PRIO, NULL);
++	if (ret < 0)
++		exit(1);
++
++	gnutls_transport_set_push_function(client, client_push);
++	gnutls_transport_set_pull_function(client, client_pull);
++	gnutls_transport_set_pull_timeout_function(client,
++						   client_pull_timeout_func);
++	gnutls_transport_set_ptr(client, client);
++
++	gnutls_handshake_set_hook_function(client,
++					   GNUTLS_HANDSHAKE_ANY,
++					   GNUTLS_HOOK_POST,
++					   handshake_callback);
++
++	HANDSHAKE(client, server);
++
++	gnutls_bye(client, GNUTLS_SHUT_RDWR);
++	gnutls_bye(server, GNUTLS_SHUT_RDWR);
++
++	gnutls_deinit(client);
++	gnutls_deinit(server);
++
++	gnutls_certificate_free_credentials(serverx509cred);
++	gnutls_certificate_free_credentials(clientx509cred);
++
++	gnutls_global_deinit();
++
++	reset_buffers();
++}
+diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh
+--- gnutls-3.7.2/tests/system-override-sig-tls.sh	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh	2021-06-25 17:46:13.000000000 +0200
+@@ -0,0 +1,39 @@
++#!/bin/sh
++
++# Copyright (C) 2019 Nikos Mavrogiannopoulos
++# Copyright (C) 2021 Red Hat, Inc.
++#
++# Author: Nikos Mavrogiannopoulos, Daiki Ueno
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${builddir=.}
++TMPFILE=c.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++cat <<_EOF_ > ${TMPFILE}
++[overrides]
++
++insecure-sig = rsa-pss-rsae-sha256
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${builddir}/system-override-sig-tls"
++rc=$?
++rm ${TMPFILE}
++exit $rc
+diff -ruN gnutls-3.7.2/tests/system-override-versions-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh
+--- gnutls-3.7.2/tests/system-override-versions-allowlist.sh	1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh	2021-06-28 09:09:14.000000000 +0200
+@@ -0,0 +1,109 @@
++#!/bin/sh
++
++# Copyright (C) 2019 Red Hat, Inc.
++#
++# Author: Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${srcdir=.}
++: ${SERV=../src/gnutls-serv${EXEEXT}}
++: ${CLI=../src/gnutls-cli${EXEEXT}}
++TMPFILE=config.$$.tmp
++TMPFILE2=log.$$.tmp
++export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
++
++if ! test -x "${SERV}"; then
++	exit 77
++fi
++
++if ! test -x "${CLI}"; then
++	exit 77
++fi
++
++if test "${WINDIR}" != ""; then
++	exit 77
++fi
++
++. "${srcdir}/scripts/common.sh"
++
++cat <<_EOF_ > ${TMPFILE}
++[global]
++override-mode = allowlist
++
++[overrides]
++enabled-version = tls1.1
++_EOF_
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++export GNUTLS_DEBUG_LEVEL=3
++
++"${CLI}" --list|grep Protocols >${TMPFILE2}
++cat ${TMPFILE2}
++if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
++	echo "Found disabled protocol with --list"
++	exit 1
++fi
++
++PRIO=@SYSTEM:+CIPHER-ALL:+MAC-ALL:+GROUP-ALL
++
++"${CLI}" --priority "$PRIO" --list|grep Protocols >${TMPFILE2}
++cat ${TMPFILE2}
++if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
++	echo "Found disabled protocol with --list --priority $PRIO"
++	exit 1
++fi
++
++# Try whether a client connection with these protocols will succeed.
++
++KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
++CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
++
++unset GNUTLS_SYSTEM_PRIORITY_FILE
++
++eval "${GETPORT}"
++launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
++PID=$!
++wait_server ${PID}
++
++export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority "$PRIO" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
++	fail "expected connection to fail (1)"
++
++kill ${PID}
++wait
++
++# Try whether a server connection with these protocols will succeed.
++
++KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
++CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
++
++eval "${GETPORT}"
++launch_server --echo --priority "$PRIO" --x509keyfile ${KEY1} --x509certfile ${CERT1}
++PID=$!
++wait_server ${PID}
++
++unset GNUTLS_SYSTEM_PRIORITY_FILE
++
++"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
++	fail "expected connection to fail (2)"
++
++kill ${PID}
++wait
++
++exit 0
diff --git a/gnutls-3.7.2-key-share-ecdhx.patch b/gnutls-3.7.2-key-share-ecdhx.patch
new file mode 100644
index 0000000..21a69a5
--- /dev/null
+++ b/gnutls-3.7.2-key-share-ecdhx.patch
@@ -0,0 +1,92 @@
+From c9e072236c4e1c290f38aee819ecaff8398e2a16 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 25 Jun 2021 08:39:12 +0200
+Subject: [PATCH] key_share: treat X25519 and X448 as same PK type when
+ advertising
+
+Previously, if both X25519 and X448 groups were enabled in the
+priority string, the client sent both algorithms in a key_share
+extension, while it was only capable of handling one algorithm from
+the same (Edwards curve) category.  This adds an extra check so the
+client should send either X25519 or X448.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/ext/key_share.c     | 24 +++++++++++++++++++++---
+ tests/tls13/key_share.c |  3 +++
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index a8c4bb5cf..a4db3af95 100644
+--- a/lib/ext/key_share.c
++++ b/lib/ext/key_share.c
+@@ -656,6 +656,18 @@ key_share_recv_params(gnutls_session_t session,
+ 	return 0;
+ }
+ 
++static inline bool
++pk_type_is_ecdhx(gnutls_pk_algorithm_t pk)
++{
++	return pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448;
++}
++
++static inline bool
++pk_type_equal(gnutls_pk_algorithm_t a, gnutls_pk_algorithm_t b)
++{
++	return a == b || (pk_type_is_ecdhx(a) && pk_type_is_ecdhx(b));
++}
++
+ /* returns data_size or a negative number on failure
+  */
+ static int
+@@ -710,12 +722,18 @@ key_share_send_params(gnutls_session_t session,
+ 			/* generate key shares for out top-(max_groups) groups
+ 			 * if they are of different PK type. */
+ 			for (i = 0; i < session->internals.priorities->groups.size; i++) {
++				unsigned int j;
++
+ 				group = session->internals.priorities->groups.entry[i];
+ 
+-				if (generated == 1 && group->pk == selected_groups[0])
+-					continue;
+-				else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0]))
++				for (j = 0; j < generated; j++) {
++					if (pk_type_equal(group->pk, selected_groups[j])) {
++						break;
++					}
++				}
++				if (j < generated) {
+ 					continue;
++				}
+ 
+ 				selected_groups[generated] = group->pk;
+ 
+diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c
+index 7f8f6295c..816a7d9b5 100644
+--- a/tests/tls13/key_share.c
++++ b/tests/tls13/key_share.c
+@@ -124,6 +124,7 @@ unsigned int tls_id_to_group[] = {
+ 	[23] = GNUTLS_GROUP_SECP256R1,
+ 	[24] = GNUTLS_GROUP_SECP384R1,
+ 	[29] = GNUTLS_GROUP_X25519,
++	[30] = GNUTLS_GROUP_X448,
+ 	[0x100] = GNUTLS_GROUP_FFDHE2048,
+ 	[0x101] = GNUTLS_GROUP_FFDHE3072
+ };
+@@ -315,11 +316,13 @@ void doit(void)
+ 	start("two groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
+ 	start("two groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
+ 	start("two groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2);
++	start("two groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X448, 2);
+ 	start("two groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_FFDHE2048, 2);
+ 
+ 	start("three groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
+ 	start("three groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
+ 	start("three groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X25519, 3);
++	start("three groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X448, 3);
+ 	start("three groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_FFDHE2048, 3);
+ 
+ 	/* test default behavior */
+-- 
+2.31.1
+
diff --git a/gnutls.spec b/gnutls.spec
index 2d15b56..7a3fc6b 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,8 +1,10 @@
 # This spec file has been automatically updated
 Version:	3.7.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
+Patch3:	gnutls-3.7.2-config-allowlisting.patch
+Patch4:	gnutls-3.7.2-key-share-ecdhx.patch
 %bcond_with bootstrap
 %bcond_without dane
 %if 0%{?rhel}
@@ -162,6 +164,10 @@ rm -f lib/minitasn1/*.c lib/minitasn1/*.h
 
 echo "SYSTEM=NORMAL" >> tests/system.prio
 
+%if !%{with bootstrap}
+touch doc/stamp* doc/*.texi doc/*.info doc/*.html doc/manpages/stamp_mans
+%endif
+
 # Note that we explicitly enable SHA1, as SHA1 deprecation is handled
 # via the crypto policies
 
@@ -295,6 +301,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Mon Jun 28 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-3
+- Enable allowlisting configuration mode (#1975421)
+
 * Sat Jun 26 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-2
 - Remove %%defattr invocations which are no longer necessary
 - libpkcs11mock1.* is not installed anymore