diff --git a/gnutls-3.7.2-config-allowlisting.patch b/gnutls-3.7.2-config-allowlisting.patch
new file mode 100644
index 0000000..484f053
--- /dev/null
+++ b/gnutls-3.7.2-config-allowlisting.patch
@@ -0,0 +1,8352 @@
+diff -ruN gnutls-3.7.2/aminclude_static.am gnutls-3.7.2-bootstrapped/aminclude_static.am
+--- gnutls-3.7.2/aminclude_static.am 2021-05-29 10:11:18.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/aminclude_static.am 2021-06-28 09:11:35.000000000 +0200
+@@ -1,6 +1,6 @@
+
+ # aminclude_static.am generated automatically by Autoconf
+-# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
++# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
+
+
+ # Code coverage
+diff -ruN gnutls-3.7.2/AUTHORS gnutls-3.7.2-bootstrapped/AUTHORS
+--- gnutls-3.7.2/AUTHORS 2021-05-29 10:22:59.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/AUTHORS 2021-06-28 09:56:13.000000000 +0200
+@@ -37,8 +37,8 @@
+ Kevin Cernekee
+ Nikolay Sivov
+ Sahana Prasad
+-Michael Catanzaro
+ Alexander Sosedkin
++Michael Catanzaro
+ Daniel Lenski
+ JonasZhou
+ Stefan Sørensen
+diff -ruN gnutls-3.7.2/ChangeLog gnutls-3.7.2-bootstrapped/ChangeLog
+--- gnutls-3.7.2/ChangeLog 2021-05-29 10:23:25.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/ChangeLog 2021-06-28 09:56:40.000000000 +0200
+@@ -1,4 +1,63 @@
+ Author: Daiki Ueno
++Date: Mon Jun 28 07:04:55 2021 +0200
++
++ tests: set SH_LOG_COMPILER so sh tests run under $(SHELL)
++
++ This omits the need of setting executable bits on shell script tests.
++
++ Signed-off-by: Daiki Ueno
++
++Author: Daiki Ueno
++Date: Thu May 6 12:41:40 2021 +0200
++
++ priority: support allowlisting in configuration file
++
++ This adds a new mode of interpreting the [overrides] section. If
++ "override-mode" is set to "allowlisting" in the [global] section, all
++ the algorithms (hashes, signature algorithms, curves, and versions)
++ are initially marked as insecure/disabled. Then the user can enable
++ them by specifying allowlisting keywords such as "secure-hash" in the
++ [overrides] section.
++
++ Signed-off-by: Daiki Ueno
++ Co-authored-by: Alexander Sosedkin
++
++Author: Daiki Ueno
++Date: Wed May 5 16:27:55 2021 +0200
++
++ priority: refactor config file parsing
++
++ This adds the following refactoring:
++
++ - avoid side-effects during parsing the config file, by separating
++ application phase; the parsed configuration can be applied globally
++ with cfg_apply, after validation
++ - make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
++ name
++
++ Signed-off-by: Daiki Ueno
++
++Author: Daiki Ueno
++Date: Fri Jun 11 06:58:43 2021 +0200
++
++ priority: reflect system wide config when constructing sigalgs
++
++ Otherwise the client would advertise signature algorithms which it
++ cannot use and cause handshake to fail.
++
++ Reported by Philip Schaten in:
++ https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html
++
++ Signed-off-by: Daiki Ueno
++
++Author: Daiki Ueno
++Date: Wed Jun 9 14:29:11 2021 +0200
++
++ p11tool: mention how CKA_IDs of certs are calculated upon --write
++
++ Signed-off-by: Daiki Ueno
++
++Author: Daiki Ueno
+ Date: Sat May 29 07:18:17 2021 +0200
+
+ Release 3.7.2
+@@ -49224,3 +49283,13 @@
+ Date: Fri Nov 7 10:22:11 2014 +0100
+
+ doc: corrected values for INSECURE level
++
++Author: Nikos Mavrogiannopoulos
++Date: Fri Nov 7 08:55:40 2014 +0100
++
++ pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags
++
++Author: Nikos Mavrogiannopoulos
++Date: Fri Nov 7 08:44:46 2014 +0100
++
++ pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
+diff -ruN gnutls-3.7.2/doc/cha-config.texi gnutls-3.7.2-bootstrapped/doc/cha-config.texi
+--- gnutls-3.7.2/doc/cha-config.texi 2021-05-10 16:34:47.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/cha-config.texi 2021-06-28 09:09:14.000000000 +0200
+@@ -74,6 +74,7 @@
+ @item @code{insecure-sig-for-cert}: to mark the signature algorithm as insecure when used in certificates.
+ @item @code{insecure-sig}: to mark the signature algorithm as insecure for any use.
+ @item @code{insecure-hash}: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
++@item @code{disabled-curve}: to disable the specified elliptic curve.
+ @item @code{disabled-version}: to disable the specified TLS versions.
+ @item @code{tls-disabled-cipher}: to disable the specified ciphers for use in the TLS or DTLS protocols.
+ @item @code{tls-disabled-mac}: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
+@@ -82,11 +83,39 @@
+ @end itemize
+
+ Each of the options can be repeated multiple times when multiple values need
+-to be disabled.
++to be disabled or enabled.
+
+ The valid values for the options above can be found in the 'Protocols', 'Digests'
+ 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of the output of @code{gnutls-cli --list}.
+
++Sometimes the system administrator wants to enable only specific
++algorithms, despite the library defaults. GnuTLS provides an
++alternative mode of overriding: allowlisting.
++
++In the allowlisting mode, all the algorithms are initially marked as
++insecure or disabled, and shall be explicitly turned on by the options
++in the @code{[overrides]} section. Those options are mutually
++exclusive to the above ones for the blocklisting mode (the default)
++@itemize
++@item @code{secure-sig-for-cert}: to mark the signature algorithm as secure when used in certificates.
++@item @code{secure-sig}: to mark the signature algorithm as secure for any use.
++@item @code{secure-hash}: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
++@item @code{enabled-curve}: to enable the specified elliptic curve.
++@item @code{enabled-version}: to enable the specified TLS versions.
++@item @code{tls-enabled-cipher}: to enable the specified ciphers for use in the TLS or DTLS protocols.
++@item @code{tls-enabled-mac}: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
++@item @code{tls-enabled-group}: to enable the specified group for use in the TLS or DTLS protocols.
++@item @code{tls-enabled-kx}: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
++@end itemize
++
++The allowlisting mode can be enabled by adding @code{override-mode =
++allowlist} in the @code{[global]} section.
++
++When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
++
++@showfuncD{gnutls_ecc_curve_mark_enabled,gnutls_sign_mark_secure,gnutls_digest_mark_secure,gnutls_protocol_mark_enabled}
++@showfuncD{gnutls_ecc_curve_mark_disabled,gnutls_sign_mark_insecure,gnutls_digest_mark_insecure,gnutls_protocol_mark_disabled}
++
+ @subsection Examples
+
+ The following example marks as insecure all digital signature algorithms
+@@ -120,6 +149,20 @@
+ tls-disabled-group = group-ffdhe8192
+ @end example
+
++The following example demonstrates the use of the allowlisting
++mode. It disables all the signature algorithms but
++@code{RSA-SHA256}. Note that the hash algorithm @code{SHA256} also
++needs to be explicitly enabled.
++
++@example
++[global]
++override-mode = allowlist
++
++[overrides]
++secure-hash = sha256
++secure-sig = rsa-sha256
++@end example
++
+ @node Querying for disabled algorithms and protocols
+ @section Querying for disabled algorithms and protocols
+
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,12 @@
++
++
++
++
++@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Mark @code{dig} as insecure system wide. This only works if the allowlisting mode
++is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,12 @@
++
++
++
++
++@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Invalidate previous system wide setting that marked @code{dig} as insecure. This
++only works if the allowlisting mode is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short
+--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,15 @@
++
++
++
++
++@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Mark @code{curve} as disabled system wide. This setting can be reverted with
++@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
++uses the allowlisting mode.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,15 @@
++
++
++
++
++@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Invalidate previous system wide setting that marked @code{curve} as disabled. This
++only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or
++through the allowlisting mode in the configuration file.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,10 @@
++
++
++
++
++@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Mark @code{version} as disabled system wide. This only works if the allowlisting
++mode is used in the configuration file.
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,11 @@
++
++
++
++
++@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Invalidate previous system wide setting that marked @code{version} as
++disabled. This only works if the allowlisting mode is used in the
++configuration file.
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short
+--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,18 @@
++
++
++
++
++@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
++
++Mark @code{sign} as insecure system wide. This only works if the
++allowlisting mode is used in the configuration file.
++
++If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
++and the algorithm was previously considered secure for all purposes,
++it only marks the algorithm as insecure for the use with certificates.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure 2021-06-28 09:39:50.000000000 +0200
+@@ -0,0 +1,22 @@
++
++
++
++
++@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
++
++Invalidate previous system wide setting that marked @code{sign} as
++insecure. This only works if the algorithm is marked as insecure
++with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode
++in the configuration file.
++
++If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
++it marks it the algorithm as secure for all purposes.
++If the absence of this flag, it will mark it as
++"secure, but not for certificates" at most,
++but it won't restrict anything either.
++
++@strong{Since:} 3.7.3
++@end deftypefun
+diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short
+--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short 1970-01-01 01:00:00.000000000 +0100
++++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short 2021-06-28 09:39:51.000000000 +0200
+@@ -0,0 +1 @@
++@item @var{int} @ref{gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+diff -ruN gnutls-3.7.2/doc/gnutls-api.texi gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi
+--- gnutls-3.7.2/doc/gnutls-api.texi 2021-05-29 10:19:28.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi 2021-06-28 09:39:50.000000000 +0200
+@@ -2706,6 +2706,28 @@
+ integers indicating the available digests.
+ @end deftypefun
+
++@subheading gnutls_digest_mark_insecure
++@anchor{gnutls_digest_mark_insecure}
++@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Mark @code{dig} as insecure system wide. This only works if the allowlisting mode
++is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
++@subheading gnutls_digest_mark_secure
++@anchor{gnutls_digest_mark_secure}
++@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
++@var{dig}: is a digest algorithm
++
++Invalidate previous system wide setting that marked @code{dig} as insecure. This
++only works if the allowlisting mode is used in the configuration file.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
+ @subheading gnutls_early_cipher_get
+ @anchor{gnutls_early_cipher_get}
+ @deftypefun {gnutls_cipher_algorithm_t} {gnutls_early_cipher_get} (gnutls_session_t @var{session})
+@@ -2820,6 +2842,34 @@
+ integers indicating the available curves.
+ @end deftypefun
+
++@subheading gnutls_ecc_curve_mark_disabled
++@anchor{gnutls_ecc_curve_mark_disabled}
++@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Mark @code{curve} as disabled system wide. This setting can be reverted with
++@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
++uses the allowlisting mode.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
++@subheading gnutls_ecc_curve_mark_enabled
++@anchor{gnutls_ecc_curve_mark_enabled}
++@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
++@var{curve}: is an ECC curve
++
++Invalidate previous system wide setting that marked @code{curve} as disabled. This
++only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or
++through the allowlisting mode in the configuration file.
++
++@strong{Returns:} 0 on success or negative error code otherwise.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
+ @subheading gnutls_error_is_fatal
+ @anchor{gnutls_error_is_fatal}
+ @deftypefun {int} {gnutls_error_is_fatal} (int @var{error})
+@@ -5026,6 +5076,25 @@
+ indicating the available protocols.
+ @end deftypefun
+
++@subheading gnutls_protocol_mark_disabled
++@anchor{gnutls_protocol_mark_disabled}
++@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Mark @code{version} as disabled system wide. This only works if the allowlisting
++mode is used in the configuration file.
++@end deftypefun
++
++@subheading gnutls_protocol_mark_enabled
++@anchor{gnutls_protocol_mark_enabled}
++@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
++@var{version}: is a (gnutls) version number
++
++Invalidate previous system wide setting that marked @code{version} as
++disabled. This only works if the allowlisting mode is used in the
++configuration file.
++@end deftypefun
++
+ @subheading gnutls_psk_allocate_client_credentials
+ @anchor{gnutls_psk_allocate_client_credentials}
+ @deftypefun {int} {gnutls_psk_allocate_client_credentials} (gnutls_psk_client_credentials_t * @var{sc})
+@@ -7027,6 +7096,44 @@
+ integers indicating the available ciphers.
+ @end deftypefun
+
++@subheading gnutls_sign_mark_insecure
++@anchor{gnutls_sign_mark_insecure}
++@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
++
++Mark @code{sign} as insecure system wide. This only works if the
++allowlisting mode is used in the configuration file.
++
++If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
++and the algorithm was previously considered secure for all purposes,
++it only marks the algorithm as insecure for the use with certificates.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
++@subheading gnutls_sign_mark_secure
++@anchor{gnutls_sign_mark_secure}
++@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
++@var{sign}: the sign algorithm
++
++@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
++
++Invalidate previous system wide setting that marked @code{sign} as
++insecure. This only works if the algorithm is marked as insecure
++with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode
++in the configuration file.
++
++If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
++it marks it the algorithm as secure for all purposes.
++If the absence of this flag, it will mark it as
++"secure, but not for certificates" at most,
++but it won't restrict anything either.
++
++@strong{Since:} 3.7.3
++@end deftypefun
++
+ @subheading gnutls_sign_supports_pk_algorithm
+ @anchor{gnutls_sign_supports_pk_algorithm}
+ @deftypefun {unsigned} {gnutls_sign_supports_pk_algorithm} (gnutls_sign_algorithm_t @var{sign}, gnutls_pk_algorithm_t @var{pk})
+diff -ruN gnutls-3.7.2/doc/gnutls.html gnutls-3.7.2-bootstrapped/doc/gnutls.html
+--- gnutls-3.7.2/doc/gnutls.html 2021-05-29 10:23:25.000000000 +0200
++++ gnutls-3.7.2-bootstrapped/doc/gnutls.html 2021-06-28 09:56:40.000000000 +0200
+@@ -8018,8 +8018,9 @@
+
write option.
+
+ This is the “writes the loaded objects to a pkcs #11 token” option.
+-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
+- one of –load-privkey, –load-pubkey, –load-certificate option.
++It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of –load-privkey, –load-pubkey, –load-certificate option.
++
++When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
+
id option.
+
+ This is the “sets an id for the write operation” option.
+@@ -16992,6 +16993,7 @@
+
insecure-sig-for-cert
: to mark the signature algorithm as insecure when used in certificates.
+ insecure-sig
: to mark the signature algorithm as insecure for any use.
+ insecure-hash
: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
++ disabled-curve
: to disable the specified elliptic curve.
+ disabled-version
: to disable the specified TLS versions.
+ tls-disabled-cipher
: to disable the specified ciphers for use in the TLS or DTLS protocols.
+ tls-disabled-mac
: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
+@@ -17000,11 +17002,49 @@
+
+
+ Each of the options can be repeated multiple times when multiple values need
+-to be disabled.
++to be disabled or enabled.
+
+ The valid values for the options above can be found in the ’Protocols’, ’Digests’
+ ’PK-signatures’, ’Protocols’, ’Ciphrers’, and ’MACs’ fields of the output of gnutls-cli --list
.
+
++Sometimes the system administrator wants to enable only specific
++algorithms, despite the library defaults. GnuTLS provides an
++alternative mode of overriding: allowlisting.
++
++In the allowlisting mode, all the algorithms are initially marked as
++insecure or disabled, and shall be explicitly turned on by the options
++in the [overrides]
section. Those options are mutually
++exclusive to the above ones for the blocklisting mode (the default)
++
++-
secure-sig-for-cert
: to mark the signature algorithm as secure when used in certificates.
++ -
secure-sig
: to mark the signature algorithm as secure for any use.
++ -
secure-hash
: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
++ -
enabled-curve
: to enable the specified elliptic curve.
++ -
enabled-version
: to enable the specified TLS versions.
++ -
tls-enabled-cipher
: to enable the specified ciphers for use in the TLS or DTLS protocols.
++ -
tls-enabled-mac
: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
++ -
tls-enabled-group
: to enable the specified group for use in the TLS or DTLS protocols.
++ -
tls-enabled-kx
: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
++
++
++The allowlisting mode can be enabled by adding override-mode =
++allowlist
in the [global]
section.
++
++When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
++
++
++int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t curve)
++int gnutls_sign_mark_secure (gnutls_sign_algorithm_t sign, unsigned flags)
++int gnutls_digest_mark_secure (gnutls_digest_algorithm_t dig)
++int gnutls_protocol_mark_enabled (gnutls_protocol_t version)
++
++
++int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t curve)
++int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t sign, unsigned flags)
++int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t dig)
++int gnutls_protocol_mark_disabled (gnutls_protocol_t version)
++
++
+ 8.2.1 Examples
+
+ The following example marks as insecure all digital signature algorithms
+@@ -17038,6 +17078,20 @@
+ tls-disabled-group = group-ffdhe8192
+
+
++
The following example demonstrates the use of the allowlisting
++mode. It disables all the signature algorithms but
++RSA-SHA256
. Note that the hash algorithm SHA256
also
++needs to be explicitly enabled.
++
++
++
[global]
++override-mode = allowlist
++
++[overrides]
++secure-hash = sha256
++secure-sig = rsa-sha256
++
++
+
+