gnutls/gnutls-3.7.2-config-allowlisting.patch
Daiki Ueno 4d8e88418f Enable allowlisting configuration mode
Resolves: #1975421
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2021-06-28 10:05:45 +02:00



diff -ruN gnutls-3.7.2/aminclude_static.am gnutls-3.7.2-bootstrapped/aminclude_static.am
--- gnutls-3.7.2/aminclude_static.am 2021-05-29 10:11:18.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/aminclude_static.am 2021-06-28 09:11:35.000000000 +0200
@@ -1,6 +1,6 @@
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
+# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
# Code coverage
diff -ruN gnutls-3.7.2/AUTHORS gnutls-3.7.2-bootstrapped/AUTHORS
--- gnutls-3.7.2/AUTHORS 2021-05-29 10:22:59.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/AUTHORS 2021-06-28 09:56:13.000000000 +0200
@@ -37,8 +37,8 @@
Kevin Cernekee <cernekee at gmail.com>
Nikolay Sivov <nsivov at codeweavers.com>
Sahana Prasad <sahana at redhat.com>
-Michael Catanzaro <mcatanzaro at gnome.org>
Alexander Sosedkin <asosedkin at redhat.com>
+Michael Catanzaro <mcatanzaro at gnome.org>
Daniel Lenski <dlenski at gmail.com>
JonasZhou <JonasZhou at zhaoxin.com>
Stefan Sørensen <stefan.sorensen at spectralink.com>
diff -ruN gnutls-3.7.2/ChangeLog gnutls-3.7.2-bootstrapped/ChangeLog
--- gnutls-3.7.2/ChangeLog 2021-05-29 10:23:25.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/ChangeLog 2021-06-28 09:56:40.000000000 +0200
@@ -1,4 +1,63 @@
Author: Daiki Ueno <ueno@gnu.org>
+Date: Mon Jun 28 07:04:55 2021 +0200
+
+ tests: set SH_LOG_COMPILER so sh tests run under $(SHELL)
+
+ This omits the need of setting executable bits on shell script tests.
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Author: Daiki Ueno <ueno@gnu.org>
+Date: Thu May 6 12:41:40 2021 +0200
+
+ priority: support allowlisting in configuration file
+
+ This adds a new mode of interpreting the [overrides] section. If
+ "override-mode" is set to "allowlisting" in the [global] section, all
+ the algorithms (hashes, signature algorithms, curves, and versions)
+ are initially marked as insecure/disabled. Then the user can enable
+ them by specifying allowlisting keywords such as "secure-hash" in the
+ [overrides] section.
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+ Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Author: Daiki Ueno <ueno@gnu.org>
+Date: Wed May 5 16:27:55 2021 +0200
+
+ priority: refactor config file parsing
+
+ This adds the following refactoring:
+
+ - avoid side-effects during parsing the config file, by separating
+ application phase; the parsed configuration can be applied globally
+ with cfg_apply, after validation
+ - make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
+ name
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Author: Daiki Ueno <ueno@gnu.org>
+Date: Fri Jun 11 06:58:43 2021 +0200
+
+ priority: reflect system wide config when constructing sigalgs
+
+ Otherwise the client would advertise signature algorithms which it
+ cannot use and cause handshake to fail.
+
+ Reported by Philip Schaten in:
+ https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Author: Daiki Ueno <ueno@gnu.org>
+Date: Wed Jun 9 14:29:11 2021 +0200
+
+ p11tool: mention how CKA_IDs of certs are calculated upon --write
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Author: Daiki Ueno <ueno@gnu.org>
Date: Sat May 29 07:18:17 2021 +0200
Release 3.7.2
@@ -49224,3 +49283,13 @@
Date: Fri Nov 7 10:22:11 2014 +0100
doc: corrected values for INSECURE level
+
+Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Fri Nov 7 08:55:40 2014 +0100
+
+ pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags
+
+Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Fri Nov 7 08:44:46 2014 +0100
+
+ pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
diff -ruN gnutls-3.7.2/doc/cha-config.texi gnutls-3.7.2-bootstrapped/doc/cha-config.texi
--- gnutls-3.7.2/doc/cha-config.texi 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/cha-config.texi 2021-06-28 09:09:14.000000000 +0200
@@ -74,6 +74,7 @@
@item @code{insecure-sig-for-cert}: to mark the signature algorithm as insecure when used in certificates.
@item @code{insecure-sig}: to mark the signature algorithm as insecure for any use.
@item @code{insecure-hash}: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
+@item @code{disabled-curve}: to disable the specified elliptic curve.
@item @code{disabled-version}: to disable the specified TLS versions.
@item @code{tls-disabled-cipher}: to disable the specified ciphers for use in the TLS or DTLS protocols.
@item @code{tls-disabled-mac}: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
@@ -82,11 +83,39 @@
@end itemize
Each of the options can be repeated multiple times when multiple values need
-to be disabled.
+to be disabled or enabled.
The valid values for the options above can be found in the 'Protocols', 'Digests'
'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of the output of @code{gnutls-cli --list}.
+Sometimes the system administrator wants to enable only specific
+algorithms, despite the library defaults. GnuTLS provides an
+alternative mode of overriding: allowlisting.
+
+In the allowlisting mode, all the algorithms are initially marked as
+insecure or disabled, and shall be explicitly turned on by the options
+in the @code{[overrides]} section. Those options are mutually
+exclusive to the above ones for the blocklisting mode (the default)
+@itemize
+@item @code{secure-sig-for-cert}: to mark the signature algorithm as secure when used in certificates.
+@item @code{secure-sig}: to mark the signature algorithm as secure for any use.
+@item @code{secure-hash}: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
+@item @code{enabled-curve}: to enable the specified elliptic curve.
+@item @code{enabled-version}: to enable the specified TLS versions.
+@item @code{tls-enabled-cipher}: to enable the specified ciphers for use in the TLS or DTLS protocols.
+@item @code{tls-enabled-mac}: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
+@item @code{tls-enabled-group}: to enable the specified group for use in the TLS or DTLS protocols.
+@item @code{tls-enabled-kx}: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
+@end itemize
+
+The allowlisting mode can be enabled by adding @code{override-mode =
+allowlist} in the @code{[global]} section.
+
+When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
+
+@showfuncD{gnutls_ecc_curve_mark_enabled,gnutls_sign_mark_secure,gnutls_digest_mark_secure,gnutls_protocol_mark_enabled}
+@showfuncD{gnutls_ecc_curve_mark_disabled,gnutls_sign_mark_insecure,gnutls_digest_mark_insecure,gnutls_protocol_mark_disabled}
+
@subsection Examples
The following example marks as insecure all digital signature algorithms
@@ -120,6 +149,20 @@
tls-disabled-group = group-ffdhe8192
@end example
+The following example demonstrates the use of the allowlisting
+mode. It disables all the signature algorithms but
+@code{RSA-SHA256}. Note that the hash algorithm @code{SHA256} also
+needs to be explicitly enabled.
+
+@example
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha256
+secure-sig = rsa-sha256
+@end example
+
@node Querying for disabled algorithms and protocols
@section Querying for disabled algorithms and protocols
diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure
--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,12 @@
+
+
+
+
+@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
+@var{dig}: is a digest algorithm
+
+Mark @code{dig} as insecure system wide. This only works if the allowlisting mode
+is used in the configuration file.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short
--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure
--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,12 @@
+
+
+
+
+@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
+@var{dig}: is a digest algorithm
+
+Invalidate previous system wide setting that marked @code{dig} as insecure. This
+only works if the allowlisting mode is used in the configuration file.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short
--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled
--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,15 @@
+
+
+
+
+@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
+@var{curve}: is an ECC curve
+
+Mark @code{curve} as disabled system wide. This setting can be reverted with
+@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
+uses the allowlisting mode.
+
+@strong{Returns:} 0 on success or negative error code otherwise.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short
--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled
--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,15 @@
+
+
+
+
+@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
+@var{curve}: is an ECC curve
+
+Invalidate previous system wide setting that marked @code{curve} as disabled. This
+only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or
+through the allowlisting mode in the configuration file.
+
+@strong{Returns:} 0 on success or negative error code otherwise.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short
--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled
--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,10 @@
+
+
+
+
+@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
+@var{version}: is a (gnutls) version number
+
+Mark @code{version} as disabled system wide. This only works if the allowlisting
+mode is used in the configuration file.
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short
--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled
--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,11 @@
+
+
+
+
+@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
+@var{version}: is a (gnutls) version number
+
+Invalidate previous system wide setting that marked @code{version} as
+disabled. This only works if the allowlisting mode is used in the
+configuration file.
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short
--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure
--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,18 @@
+
+
+
+
+@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+@var{sign}: the sign algorithm
+
+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
+
+Mark @code{sign} as insecure system wide. This only works if the
+allowlisting mode is used in the configuration file.
+
+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
+and the algorithm was previously considered secure for all purposes,
+it only marks the algorithm as insecure for the use with certificates.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short
--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure
--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,22 @@
+
+
+
+
+@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+@var{sign}: the sign algorithm
+
+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
+
+Invalidate previous system wide setting that marked @code{sign} as
+insecure. This only works if the algorithm is marked as insecure
+with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode
+in the configuration file.
+
+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
+it marks it the algorithm as secure for all purposes.
+If the absence of this flag, it will mark it as
+"secure, but not for certificates" at most,
+but it won't restrict anything either.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short
--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
diff -ruN gnutls-3.7.2/doc/gnutls-api.texi gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi
--- gnutls-3.7.2/doc/gnutls-api.texi 2021-05-29 10:19:28.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi 2021-06-28 09:39:50.000000000 +0200
@@ -2706,6 +2706,28 @@
integers indicating the available digests.
@end deftypefun
+@subheading gnutls_digest_mark_insecure
+@anchor{gnutls_digest_mark_insecure}
+@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
+@var{dig}: is a digest algorithm
+
+Mark @code{dig} as insecure system wide. This only works if the allowlisting mode
+is used in the configuration file.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
+@subheading gnutls_digest_mark_secure
+@anchor{gnutls_digest_mark_secure}
+@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
+@var{dig}: is a digest algorithm
+
+Invalidate previous system wide setting that marked @code{dig} as insecure. This
+only works if the allowlisting mode is used in the configuration file.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
@subheading gnutls_early_cipher_get
@anchor{gnutls_early_cipher_get}
@deftypefun {gnutls_cipher_algorithm_t} {gnutls_early_cipher_get} (gnutls_session_t @var{session})
@@ -2820,6 +2842,34 @@
integers indicating the available curves.
@end deftypefun
+@subheading gnutls_ecc_curve_mark_disabled
+@anchor{gnutls_ecc_curve_mark_disabled}
+@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
+@var{curve}: is an ECC curve
+
+Mark @code{curve} as disabled system wide. This setting can be reverted with
+@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
+uses the allowlisting mode.
+
+@strong{Returns:} 0 on success or negative error code otherwise.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
+@subheading gnutls_ecc_curve_mark_enabled
+@anchor{gnutls_ecc_curve_mark_enabled}
+@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
+@var{curve}: is an ECC curve
+
+Invalidate previous system wide setting that marked @code{curve} as disabled. This
+only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or
+through the allowlisting mode in the configuration file.
+
+@strong{Returns:} 0 on success or negative error code otherwise.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
@subheading gnutls_error_is_fatal
@anchor{gnutls_error_is_fatal}
@deftypefun {int} {gnutls_error_is_fatal} (int @var{error})
@@ -5026,6 +5076,25 @@
indicating the available protocols.
@end deftypefun
+@subheading gnutls_protocol_mark_disabled
+@anchor{gnutls_protocol_mark_disabled}
+@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
+@var{version}: is a (gnutls) version number
+
+Mark @code{version} as disabled system wide. This only works if the allowlisting
+mode is used in the configuration file.
+@end deftypefun
+
+@subheading gnutls_protocol_mark_enabled
+@anchor{gnutls_protocol_mark_enabled}
+@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
+@var{version}: is a (gnutls) version number
+
+Invalidate previous system wide setting that marked @code{version} as
+disabled. This only works if the allowlisting mode is used in the
+configuration file.
+@end deftypefun
+
@subheading gnutls_psk_allocate_client_credentials
@anchor{gnutls_psk_allocate_client_credentials}
@deftypefun {int} {gnutls_psk_allocate_client_credentials} (gnutls_psk_client_credentials_t * @var{sc})
@@ -7027,6 +7096,44 @@
integers indicating the available ciphers.
@end deftypefun
+@subheading gnutls_sign_mark_insecure
+@anchor{gnutls_sign_mark_insecure}
+@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+@var{sign}: the sign algorithm
+
+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
+
+Mark @code{sign} as insecure system wide. This only works if the
+allowlisting mode is used in the configuration file.
+
+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
+and the algorithm was previously considered secure for all purposes,
+it only marks the algorithm as insecure for the use with certificates.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
+@subheading gnutls_sign_mark_secure
+@anchor{gnutls_sign_mark_secure}
+@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+@var{sign}: the sign algorithm
+
+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
+
+Invalidate previous system wide setting that marked @code{sign} as
+insecure. This only works if the algorithm is marked as insecure
+with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode
+in the configuration file.
+
+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
+it marks it the algorithm as secure for all purposes.
+If the absence of this flag, it will mark it as
+"secure, but not for certificates" at most,
+but it won't restrict anything either.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
@subheading gnutls_sign_supports_pk_algorithm
@anchor{gnutls_sign_supports_pk_algorithm}
@deftypefun {unsigned} {gnutls_sign_supports_pk_algorithm} (gnutls_sign_algorithm_t @var{sign}, gnutls_pk_algorithm_t @var{pk})
diff -ruN gnutls-3.7.2/doc/gnutls.html gnutls-3.7.2-bootstrapped/doc/gnutls.html
--- gnutls-3.7.2/doc/gnutls.html 2021-05-29 10:23:25.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.html 2021-06-28 09:56:40.000000000 +0200
@@ -8018,8 +8018,9 @@
</p><span id="write-option_002e"></span><h4 class="subsubheading">write option.</h4>
<span id="p11tool-write"></span>
<p>This is the &ldquo;writes the loaded objects to a pkcs #11 token&rdquo; option.
-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
- one of &ndash;load-privkey, &ndash;load-pubkey, &ndash;load-certificate option.
+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of &ndash;load-privkey, &ndash;load-pubkey, &ndash;load-certificate option.
+</p>
+<p>When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
</p><span id="id-option_002e"></span><h4 class="subsubheading">id option.</h4>
<span id="p11tool-id"></span>
<p>This is the &ldquo;sets an id for the write operation&rdquo; option.
@@ -16992,6 +16993,7 @@
<li> <code>insecure-sig-for-cert</code>: to mark the signature algorithm as insecure when used in certificates.
</li><li> <code>insecure-sig</code>: to mark the signature algorithm as insecure for any use.
</li><li> <code>insecure-hash</code>: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
+</li><li> <code>disabled-curve</code>: to disable the specified elliptic curve.
</li><li> <code>disabled-version</code>: to disable the specified TLS versions.
</li><li> <code>tls-disabled-cipher</code>: to disable the specified ciphers for use in the TLS or DTLS protocols.
</li><li> <code>tls-disabled-mac</code>: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
@@ -17000,11 +17002,49 @@
</li></ul>
<p>Each of the options can be repeated multiple times when multiple values need
-to be disabled.
+to be disabled or enabled.
</p>
<p>The valid values for the options above can be found in the &rsquo;Protocols&rsquo;, &rsquo;Digests&rsquo;
&rsquo;PK-signatures&rsquo;, &rsquo;Protocols&rsquo;, &rsquo;Ciphrers&rsquo;, and &rsquo;MACs&rsquo; fields of the output of <code>gnutls-cli --list</code>.
</p>
+<p>Sometimes the system administrator wants to enable only specific
+algorithms, despite the library defaults. GnuTLS provides an
+alternative mode of overriding: allowlisting.
+</p>
+<p>In the allowlisting mode, all the algorithms are initially marked as
+insecure or disabled, and shall be explicitly turned on by the options
+in the <code>[overrides]</code> section. Those options are mutually
+exclusive to the above ones for the blocklisting mode (the default)
+</p><ul>
+<li> <code>secure-sig-for-cert</code>: to mark the signature algorithm as secure when used in certificates.
+</li><li> <code>secure-sig</code>: to mark the signature algorithm as secure for any use.
+</li><li> <code>secure-hash</code>: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
+</li><li> <code>enabled-curve</code>: to enable the specified elliptic curve.
+</li><li> <code>enabled-version</code>: to enable the specified TLS versions.
+</li><li> <code>tls-enabled-cipher</code>: to enable the specified ciphers for use in the TLS or DTLS protocols.
+</li><li> <code>tls-enabled-mac</code>: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
+</li><li> <code>tls-enabled-group</code>: to enable the specified group for use in the TLS or DTLS protocols.
+</li><li> <code>tls-enabled-kx</code>: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
+</li></ul>
+
+<p>The allowlisting mode can be enabled by adding <code>override-mode =
+allowlist</code> in the <code>[global]</code> section.
+</p>
+<p>When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
+</p>
+<dl compact="compact">
+<dt><code><var>int</var> <a href="#gnutls_005fecc_005fcurve_005fmark_005fenabled">gnutls_ecc_curve_mark_enabled</a> (gnutls_ecc_curve_t <var>curve</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fsign_005fmark_005fsecure">gnutls_sign_mark_secure</a> (gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fdigest_005fmark_005fsecure">gnutls_digest_mark_secure</a> (gnutls_digest_algorithm_t <var>dig</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fprotocol_005fmark_005fenabled">gnutls_protocol_mark_enabled</a> (gnutls_protocol_t <var>version</var>)</code></dt>
+</dl>
+<dl compact="compact">
+<dt><code><var>int</var> <a href="#gnutls_005fecc_005fcurve_005fmark_005fdisabled">gnutls_ecc_curve_mark_disabled</a> (gnutls_ecc_curve_t <var>curve</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fsign_005fmark_005finsecure">gnutls_sign_mark_insecure</a> (gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fdigest_005fmark_005finsecure">gnutls_digest_mark_insecure</a> (gnutls_digest_algorithm_t <var>dig</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fprotocol_005fmark_005fdisabled">gnutls_protocol_mark_disabled</a> (gnutls_protocol_t <var>version</var>)</code></dt>
+</dl>
+
<span id="Examples"></span><h4 class="subsection">8.2.1 Examples</h4>
<p>The following example marks as insecure all digital signature algorithms
@@ -17038,6 +17078,20 @@
tls-disabled-group = group-ffdhe8192
</pre></div>
+<p>The following example demonstrates the use of the allowlisting
+mode. It disables all the signature algorithms but
+<code>RSA-SHA256</code>. Note that the hash algorithm <code>SHA256</code> also
+needs to be explicitly enabled.
+</p>
+<div class="example">
+<pre class="example">[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha256
+secure-sig = rsa-sha256
+</pre></div>
+
<hr>
<span id="Querying-for-disabled-algorithms-and-protocols"></span><div class="header">
<p>
@@ -23658,6 +23712,28 @@
integers indicating the available digests.
</p></dd></dl>
+<span id="gnutls_005fdigest_005fmark_005finsecure-1"></span><h4 class="subheading">gnutls_digest_mark_insecure</h4>
+<span id="gnutls_005fdigest_005fmark_005finsecure"></span><dl>
+<dt id="index-gnutls_005fdigest_005fmark_005finsecure">Function: <em>int</em> <strong>gnutls_digest_mark_insecure</strong> <em>(gnutls_digest_algorithm_t <var>dig</var>)</em></dt>
+<dd><p><var>dig</var>: is a digest algorithm
+</p>
+<p>Mark <code>dig</code> as insecure system wide. This only works if the allowlisting mode
+is used in the configuration file.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
+<span id="gnutls_005fdigest_005fmark_005fsecure-1"></span><h4 class="subheading">gnutls_digest_mark_secure</h4>
+<span id="gnutls_005fdigest_005fmark_005fsecure"></span><dl>
+<dt id="index-gnutls_005fdigest_005fmark_005fsecure">Function: <em>int</em> <strong>gnutls_digest_mark_secure</strong> <em>(gnutls_digest_algorithm_t <var>dig</var>)</em></dt>
+<dd><p><var>dig</var>: is a digest algorithm
+</p>
+<p>Invalidate previous system wide setting that marked <code>dig</code> as insecure. This
+only works if the allowlisting mode is used in the configuration file.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
<span id="gnutls_005fearly_005fcipher_005fget-1"></span><h4 class="subheading">gnutls_early_cipher_get</h4>
<span id="gnutls_005fearly_005fcipher_005fget"></span><dl>
<dt id="index-gnutls_005fearly_005fcipher_005fget">Function: <em>gnutls_cipher_algorithm_t</em> <strong>gnutls_early_cipher_get</strong> <em>(gnutls_session_t <var>session</var>)</em></dt>
@@ -23772,6 +23848,34 @@
integers indicating the available curves.
</p></dd></dl>
+<span id="gnutls_005fecc_005fcurve_005fmark_005fdisabled-1"></span><h4 class="subheading">gnutls_ecc_curve_mark_disabled</h4>
+<span id="gnutls_005fecc_005fcurve_005fmark_005fdisabled"></span><dl>
+<dt id="index-gnutls_005fecc_005fcurve_005fmark_005fdisabled">Function: <em>int</em> <strong>gnutls_ecc_curve_mark_disabled</strong> <em>(gnutls_ecc_curve_t <var>curve</var>)</em></dt>
+<dd><p><var>curve</var>: is an ECC curve
+</p>
+<p>Mark <code>curve</code> as disabled system wide. This setting can be reverted with
+<code>gnutls_ecc_curve_mark_enabled()</code> . This only works if the configuration file
+uses the allowlisting mode.
+</p>
+<p><strong>Returns:</strong> 0 on success or negative error code otherwise.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
+<span id="gnutls_005fecc_005fcurve_005fmark_005fenabled-1"></span><h4 class="subheading">gnutls_ecc_curve_mark_enabled</h4>
+<span id="gnutls_005fecc_005fcurve_005fmark_005fenabled"></span><dl>
+<dt id="index-gnutls_005fecc_005fcurve_005fmark_005fenabled">Function: <em>int</em> <strong>gnutls_ecc_curve_mark_enabled</strong> <em>(gnutls_ecc_curve_t <var>curve</var>)</em></dt>
+<dd><p><var>curve</var>: is an ECC curve
+</p>
+<p>Invalidate previous system wide setting that marked <code>curve</code> as disabled. This
+only works if the curve is disabled with <code>gnutls_ecc_curve_mark_disabled()</code> or
+through the allowlisting mode in the configuration file.
+</p>
+<p><strong>Returns:</strong> 0 on success or negative error code otherwise.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
<span id="gnutls_005ferror_005fis_005ffatal-1"></span><h4 class="subheading">gnutls_error_is_fatal</h4>
<span id="gnutls_005ferror_005fis_005ffatal"></span><dl>
<dt id="index-gnutls_005ferror_005fis_005ffatal-1">Function: <em>int</em> <strong>gnutls_error_is_fatal</strong> <em>(int <var>error</var>)</em></dt>
@@ -25978,6 +26082,25 @@
indicating the available protocols.
</p></dd></dl>
+<span id="gnutls_005fprotocol_005fmark_005fdisabled-1"></span><h4 class="subheading">gnutls_protocol_mark_disabled</h4>
+<span id="gnutls_005fprotocol_005fmark_005fdisabled"></span><dl>
+<dt id="index-gnutls_005fprotocol_005fmark_005fdisabled">Function: <em>int</em> <strong>gnutls_protocol_mark_disabled</strong> <em>(gnutls_protocol_t <var>version</var>)</em></dt>
+<dd><p><var>version</var>: is a (gnutls) version number
+</p>
+<p>Mark <code>version</code> as disabled system wide. This only works if the allowlisting
+mode is used in the configuration file.
+</p></dd></dl>
+
+<span id="gnutls_005fprotocol_005fmark_005fenabled-1"></span><h4 class="subheading">gnutls_protocol_mark_enabled</h4>
+<span id="gnutls_005fprotocol_005fmark_005fenabled"></span><dl>
+<dt id="index-gnutls_005fprotocol_005fmark_005fenabled">Function: <em>int</em> <strong>gnutls_protocol_mark_enabled</strong> <em>(gnutls_protocol_t <var>version</var>)</em></dt>
+<dd><p><var>version</var>: is a (gnutls) version number
+</p>
+<p>Invalidate previous system wide setting that marked <code>version</code> as
+disabled. This only works if the allowlisting mode is used in the
+configuration file.
+</p></dd></dl>
+
<span id="gnutls_005fpsk_005fallocate_005fclient_005fcredentials-1"></span><h4 class="subheading">gnutls_psk_allocate_client_credentials</h4>
<span id="gnutls_005fpsk_005fallocate_005fclient_005fcredentials"></span><dl>
<dt id="index-gnutls_005fpsk_005fallocate_005fclient_005fcredentials">Function: <em>int</em> <strong>gnutls_psk_allocate_client_credentials</strong> <em>(gnutls_psk_client_credentials_t * <var>sc</var>)</em></dt>
@@ -27979,6 +28102,44 @@
integers indicating the available ciphers.
</p></dd></dl>
+<span id="gnutls_005fsign_005fmark_005finsecure-1"></span><h4 class="subheading">gnutls_sign_mark_insecure</h4>
+<span id="gnutls_005fsign_005fmark_005finsecure"></span><dl>
+<dt id="index-gnutls_005fsign_005fmark_005finsecure">Function: <em>int</em> <strong>gnutls_sign_mark_insecure</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</em></dt>
+<dd><p><var>sign</var>: the sign algorithm
+</p>
+<p><var>flags</var>: <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code> or 0
+</p>
+<p>Mark <code>sign</code> as insecure system wide. This only works if the
+allowlisting mode is used in the configuration file.
+</p>
+<p>If <code>flags</code> has <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code> bit set,
+and the algorithm was previously considered secure for all purposes,
+it only marks the algorithm as insecure for the use with certificates.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
+<span id="gnutls_005fsign_005fmark_005fsecure-1"></span><h4 class="subheading">gnutls_sign_mark_secure</h4>
+<span id="gnutls_005fsign_005fmark_005fsecure"></span><dl>
+<dt id="index-gnutls_005fsign_005fmark_005fsecure">Function: <em>int</em> <strong>gnutls_sign_mark_secure</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</em></dt>
+<dd><p><var>sign</var>: the sign algorithm
+</p>
+<p><var>flags</var>: <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code> or 0
+</p>
+<p>Invalidate previous system wide setting that marked <code>sign</code> as
+insecure. This only works if the algorithm is marked as insecure
+with <code>gnutls_sign_mark_insecure()</code> or through the allowlisting mode
+in the configuration file.
+</p>
+<p>If <code>flags</code> has <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code> bit set,
+it marks it the algorithm as secure for all purposes.
+If the absence of this flag, it will mark it as
+&quot;secure, but not for certificates&quot; at most,
+but it won&rsquo;t restrict anything either.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
<span id="gnutls_005fsign_005fsupports_005fpk_005falgorithm-1"></span><h4 class="subheading">gnutls_sign_supports_pk_algorithm</h4>
<span id="gnutls_005fsign_005fsupports_005fpk_005falgorithm"></span><dl>
<dt id="index-gnutls_005fsign_005fsupports_005fpk_005falgorithm">Function: <em>unsigned</em> <strong>gnutls_sign_supports_pk_algorithm</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, gnutls_pk_algorithm_t <var>pk</var>)</em></dt>
@@ -45743,6 +45904,8 @@
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fget_005fname"><code>gnutls_digest_get_name</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fget_005foid"><code>gnutls_digest_get_oid</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005flist"><code>gnutls_digest_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fmark_005finsecure"><code>gnutls_digest_mark_insecure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fmark_005fsecure"><code>gnutls_digest_mark_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fcookie_005fsend"><code>gnutls_dtls_cookie_send</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fcookie_005fverify"><code>gnutls_dtls_cookie_verify</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fget_005fdata_005fmtu"><code>gnutls_dtls_get_data_mtu</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
@@ -45762,6 +45925,8 @@
<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fget_005fpk"><code>gnutls_ecc_curve_get_pk</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fget_005fsize"><code>gnutls_ecc_curve_get_size</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005flist"><code>gnutls_ecc_curve_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fmark_005fdisabled"><code>gnutls_ecc_curve_mark_disabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fmark_005fenabled"><code>gnutls_ecc_curve_mark_enabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005fber_005fdigest_005finfo"><code>gnutls_encode_ber_digest_info</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005fgost_005frs_005fvalue"><code>gnutls_encode_gost_rs_value</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005frs_005fvalue"><code>gnutls_encode_rs_value</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
@@ -46151,6 +46316,8 @@
<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fget_005fname"><code>gnutls_protocol_get_name</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fget_005fversion"><code>gnutls_protocol_get_version</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005flist"><code>gnutls_protocol_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fmark_005fdisabled"><code>gnutls_protocol_mark_disabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fmark_005fenabled"><code>gnutls_protocol_mark_enabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fallocate_005fclient_005fcredentials"><code>gnutls_psk_allocate_client_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fallocate_005fserver_005fcredentials"><code>gnutls_psk_allocate_server_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fclient_005fget_005fhint"><code>gnutls_psk_client_get_hint</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
@@ -46325,6 +46492,8 @@
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fis_005fsecure"><code>gnutls_sign_is_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fis_005fsecure2"><code>gnutls_sign_is_secure2</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005flist"><code>gnutls_sign_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fmark_005finsecure"><code>gnutls_sign_mark_insecure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fmark_005fsecure"><code>gnutls_sign_mark_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fsupports_005fpk_005falgorithm"><code>gnutls_sign_supports_pk_algorithm</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsrp_005fallocate_005fclient_005fcredentials"><code>gnutls_srp_allocate_client_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsrp_005fallocate_005fserver_005fcredentials"><code>gnutls_srp_allocate_server_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
diff -ruN gnutls-3.7.2/doc/gnutls.info gnutls-3.7.2-bootstrapped/doc/gnutls.info
--- gnutls-3.7.2/doc/gnutls.info 2021-05-29 10:23:25.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info 2021-06-28 09:56:40.000000000 +0200
@@ -29,12 +29,12 @@

Indirect:
gnutls.info-1: 1291
-gnutls.info-2: 322163
-gnutls.info-3: 605942
-gnutls.info-4: 1147244
-gnutls.info-5: 1463965
-gnutls.info-6: 1515571
-gnutls.info-7: 1896190
+gnutls.info-2: 322461
+gnutls.info-3: 606240
+gnutls.info-4: 1153831
+gnutls.info-5: 1470552
+gnutls.info-6: 1522158
+gnutls.info-7: 1903361

Tag Table:
(Indirect)
@@ -324,1507 +324,1515 @@
Ref: p11tool set-id312425
Ref: p11tool set-label312850
Ref: p11tool write313198
-Ref: p11tool id313462
-Ref: p11tool mark-wrap313719
-Ref: p11tool mark-trusted313966
-Ref: p11tool mark-distrusted314330
-Ref: p11tool mark-decrypt314784
-Ref: p11tool mark-sign315061
-Ref: p11tool mark-ca315338
-Ref: p11tool mark-private315611
-Ref: p11tool ca315909
-Ref: p11tool private316043
-Ref: p11tool secret-key316198
-Ref: p11tool other-options316361
-Ref: p11tool debug316463
-Ref: p11tool so-login316604
-Ref: p11tool admin-login316848
-Ref: p11tool test-sign316989
-Ref: p11tool sign-params317283
-Ref: p11tool hash317623
-Ref: p11tool generate-random317919
-Ref: p11tool inder318093
-Ref: p11tool inraw318318
-Ref: p11tool outder318444
-Ref: p11tool outraw318696
-Ref: p11tool provider318829
-Ref: p11tool provider-opts319038
-Ref: p11tool batch319311
-Ref: p11tool exit status319464
-Ref: p11tool See Also319694
-Ref: p11tool Examples319742
-Node: Trusted Platform Module322163
-Ref: Trusted Platform Module-Footnote-1323956
-Ref: Trusted Platform Module-Footnote-2324004
-Node: Keys in TPM324061
-Node: Key generation325545
-Node: Using keys327813
-Node: tpmtool Invocation331458
-Ref: tpmtool usage331884
-Ref: tpmtool debug335196
-Ref: tpmtool generate-rsa335337
-Ref: tpmtool user335608
-Ref: tpmtool system335967
-Ref: tpmtool test-sign336321
-Ref: tpmtool sec-param336604
-Ref: tpmtool inder336930
-Ref: tpmtool outder337231
-Ref: tpmtool srk-well-known337450
-Ref: tpmtool exit status337606
-Ref: tpmtool See Also337836
-Ref: tpmtool Examples337897
-Node: How to use GnuTLS in applications338514
-Node: Introduction to the library339083
-Node: General idea339682
-Ref: fig-gnutls-design340531
-Ref: General idea-Footnote-1341836
-Node: Error handling341881
-Node: Common types344108
-Node: Debugging and auditing345442
-Ref: tab:environment346313
-Node: Thread safety349180
-Ref: Thread safety-Footnote-1351326
-Node: Running in a sandbox351538
-Node: Sessions and fork352932
-Node: Callback functions353484
-Node: Preparation354452
-Node: Headers354871
-Node: Initialization355160
-Ref: Initialization-Footnote-1356154
-Node: Version check356447
-Node: Building the source357322
-Node: Session initialization359433
-Ref: gnutls_init_flags_t360910
-Node: Associating the credentials367923
-Ref: tab:key-exchange-cred368699
-Node: Certificate credentials369830
-Node: Raw public-key credentials385415
-Node: SRP credentials386715
-Node: PSK credentials391613
-Node: Anonymous credentials395548
-Node: Setting up the transport layer396394
-Node: Asynchronous operation405947
-Node: Reducing round-trips410248
-Node: Zero-roundtrip mode413688
-Node: Anti-replay protection415893
-Node: DTLS sessions419538
-Ref: DTLS sessions-Footnote-1421842
-Node: DTLS and SCTP421919
-Node: TLS handshake422939
-Node: Data transfer and termination426857
-Node: Buffered data transfer435999
-Node: Handling alerts437800
-Node: Priority Strings441182
-Ref: tab:prio-keywords443782
-Ref: tab:prio-algorithms450860
-Ref: tab:prio-special1456290
-Ref: tab:prio-special2460137
-Ref: Priority Strings-Footnote-1466758
-Node: Selecting cryptographic key sizes466980
-Ref: tab:key-sizes467629
-Node: Advanced topics472378
-Node: Virtual hosts and credentials472876
-Node: Session resumption476201
-Node: Certificate verification484108
-Ref: dane_verify_status_t493829
-Node: TLS 1.2 re-authentication494234
-Node: TLS 1.3 re-authentication and re-key499091
-Node: Parameter generation500750
-Node: Deriving keys for other applications/protocols503397
-Node: Channel Bindings506627
-Node: Interoperability508166
-Node: Compatibility with the OpenSSL library509484
-Node: GnuTLS application examples510211
-Ref: examples510430
-Node: Client examples510723
-Node: Client example with X.509 certificate support511250
-Ref: ex-verify511488
-Node: Datagram TLS client example516532
-Node: Client using a smart card with TLS520937
-Ref: ex-pkcs11-client521174
-Node: Client with Resume capability example526469
-Ref: ex-resume-client526753
-Node: Client example with SSH-style certificate verification531940
-Node: Server examples536147
-Node: Echo server with X.509 authentication536501
-Node: DTLS echo server with X.509 authentication544225
-Node: More advanced client and servers558636
-Node: Client example with anonymous authentication559493
-Node: Using a callback to select the certificate to use563417
-Node: Obtaining session information569800
-Node: Advanced certificate verification example574013
-Ref: ex-verify2574289
-Node: Client example with PSK authentication579719
-Node: Client example with SRP authentication584085
-Node: Legacy client example with X.509 certificate support588369
-Ref: ex-verify-legacy588686
-Node: Client example in C++594639
-Node: Echo server with PSK authentication597211
-Node: Echo server with SRP authentication605942
-Node: Echo server with anonymous authentication612860
-Node: Helper functions for TCP connections618188
-Node: Helper functions for UDP connections619780
-Node: OCSP example621685
-Ref: Generate OCSP request621868
-Node: Miscellaneous examples631475
-Node: Checking for an alert631801
-Node: X.509 certificate parsing example633250
-Ref: ex-x509-info633507
-Node: Listing the ciphersuites in a priority string637536
-Node: PKCS12 structure generation example639853
-Node: System-wide configuration of the library644058
-Node: Application-specific priority strings645885
-Node: Disabling algorithms and protocols647333
-Node: Querying for disabled algorithms and protocols650217
-Node: Overriding the parameter verification profile651339
-Node: Overriding the default priority string652341
-Node: Using GnuTLS as a cryptographic library652958
-Ref: Using GnuTLS as a cryptographic library-Footnote-1653814
-Node: Symmetric algorithms653871
-Ref: gnutls_cipher_algorithm_t654631
-Ref: Symmetric algorithms-Footnote-1663061
-Node: Public key algorithms663146
-Node: Cryptographic Message Syntax / PKCS7667868
-Ref: gnutls_pkcs7_sign_flags671307
-Node: Hash and MAC functions672775
-Ref: gnutls_mac_algorithm_t673387
-Ref: gnutls_digest_algorithm_t676759
-Node: Random number generation677810
-Ref: gnutls_rnd_level_t678172
-Node: Overriding algorithms679279
-Node: Other included programs685597
-Node: gnutls-cli Invocation686168
-Ref: gnutls-cli usage686730
-Ref: gnutls-cli debug694480
-Ref: gnutls-cli tofu694621
-Ref: gnutls-cli strict-tofu695084
-Ref: gnutls-cli dane695486
-Ref: gnutls-cli local-dns695829
-Ref: gnutls-cli ca-verification696144
-Ref: gnutls-cli ocsp696499
-Ref: gnutls-cli resume696741
-Ref: gnutls-cli rehandshake696887
-Ref: gnutls-cli sni-hostname697054
-Ref: gnutls-cli verify-hostname697580
-Ref: gnutls-cli starttls697813
-Ref: gnutls-cli app-proto697997
-Ref: gnutls-cli starttls-proto698159
-Ref: gnutls-cli save-ocsp-multi698670
-Ref: gnutls-cli dh-bits699127
-Ref: gnutls-cli priority699478
-Ref: gnutls-cli rawpkkeyfile699856
-Ref: gnutls-cli rawpkfile700313
-Ref: gnutls-cli ranges700854
-Ref: gnutls-cli benchmark-ciphers701104
-Ref: gnutls-cli benchmark-tls-ciphers701422
-Ref: gnutls-cli list701741
-Ref: gnutls-cli priority-list702108
-Ref: gnutls-cli noticket702354
-Ref: gnutls-cli alpn702515
-Ref: gnutls-cli disable-extensions702824
-Ref: gnutls-cli single-key-share703056
-Ref: gnutls-cli post-handshake-auth703272
-Ref: gnutls-cli inline-commands703469
-Ref: gnutls-cli inline-commands-prefix703789
-Ref: gnutls-cli provider704192
-Ref: gnutls-cli logfile704389
-Ref: gnutls-cli waitresumption704746
-Ref: gnutls-cli ca-auto-retrieve705003
-Ref: gnutls-cli exit status705407
-Ref: gnutls-cli See Also705643
-Ref: gnutls-cli Examples705720
-Node: gnutls-serv Invocation709927
-Ref: gnutls-serv usage710404
-Ref: gnutls-serv debug715924
-Ref: gnutls-serv sni-hostname716065
-Ref: gnutls-serv alpn716397
-Ref: gnutls-serv require-client-cert716684
-Ref: gnutls-serv verify-client-cert716928
-Ref: gnutls-serv heartbeat717157
-Ref: gnutls-serv priority717308
-Ref: gnutls-serv x509keyfile717677
-Ref: gnutls-serv x509certfile718194
-Ref: gnutls-serv x509dsakeyfile718711
-Ref: gnutls-serv x509dsacertfile718875
-Ref: gnutls-serv x509ecckeyfile719042
-Ref: gnutls-serv x509ecccertfile719204
-Ref: gnutls-serv rawpkkeyfile719371
-Ref: gnutls-serv rawpkfile720190
-Ref: gnutls-serv ocsp-response721045
-Ref: gnutls-serv ignore-ocsp-response-errors721362
-Ref: gnutls-serv list721609
-Ref: gnutls-serv provider721847
-Ref: gnutls-serv exit status722044
-Ref: gnutls-serv See Also722282
-Ref: gnutls-serv Examples722360
-Node: gnutls-cli-debug Invocation727668
-Ref: gnutls-cli-debug usage728490
-Ref: gnutls-cli-debug debug730745
-Ref: gnutls-cli-debug app-proto730886
-Ref: gnutls-cli-debug starttls-proto731054
-Ref: gnutls-cli-debug exit status731433
-Ref: gnutls-cli-debug See Also731681
-Ref: gnutls-cli-debug Examples731764
-Node: Internal architecture of GnuTLS735261
-Node: The TLS Protocol735867
-Ref: fig-client-server736343
-Node: TLS Handshake Protocol736433
-Ref: fig-gnutls-handshake736875
-Ref: fig-gnutls-handshake-sequence737384
-Node: TLS Authentication Methods737482
-Ref: TLS Authentication Methods-Footnote-1739786
-Node: TLS Hello Extension Handling739852
-Node: Cryptographic Backend752954
-Ref: fig-crypto-layers753637
-Ref: Cryptographic Backend-Footnote-1756919
-Ref: Cryptographic Backend-Footnote-2757004
-Node: Random Number Generators-internals757112
-Node: FIPS140-2 mode764476
-Ref: gnutls_fips_mode_t767112
-Node: Upgrading from previous versions769259
-Node: Support783253
-Node: Getting help783501
-Node: Commercial Support784089
-Node: Bug Reports784360
-Node: Contributing785724
-Node: Certification787750
-Node: Error codes788214
-Node: Supported ciphersuites812847
-Ref: ciphersuites813020
-Node: API reference828064
-Node: Core TLS API828474
-Ref: gnutls_alert_get828701
-Ref: gnutls_alert_get_name829320
-Ref: gnutls_alert_get_strname829705
-Ref: gnutls_alert_send830040
-Ref: gnutls_alert_send_appropriate830918
-Ref: gnutls_alert_set_read_function831885
-Ref: gnutls_alpn_get_selected_protocol832269
-Ref: gnutls_alpn_set_protocols832933
-Ref: gnutls_anon_allocate_client_credentials833770
-Ref: gnutls_anon_allocate_server_credentials834155
-Ref: gnutls_anon_free_client_credentials834532
-Ref: gnutls_anon_free_server_credentials834821
-Ref: gnutls_anon_set_params_function835102
-Ref: gnutls_anon_set_server_dh_params835778
-Ref: gnutls_anon_set_server_known_dh_params836438
-Ref: gnutls_anon_set_server_params_function837347
-Ref: gnutls_anti_replay_deinit838010
-Ref: gnutls_anti_replay_enable838324
-Ref: gnutls_anti_replay_init838672
-Ref: gnutls_anti_replay_set_add_function839200
-Ref: gnutls_anti_replay_set_ptr840218
-Ref: gnutls_anti_replay_set_window840553
-Ref: gnutls_auth_client_get_type841321
-Ref: gnutls_auth_get_type841948
-Ref: gnutls_auth_server_get_type842760
-Ref: gnutls_base64_decode2843389
-Ref: gnutls_base64_encode2843945
-Ref: gnutls_buffer_append_data844565
-Ref: gnutls_bye844963
-Ref: gnutls_certificate_activation_time_peers846564
-Ref: gnutls_certificate_allocate_credentials846982
-Ref: gnutls_certificate_client_get_request_status847379
-Ref: gnutls_certificate_expiration_time_peers847787
-Ref: gnutls_certificate_free_ca_names848191
-Ref: gnutls_certificate_free_cas848860
-Ref: gnutls_certificate_free_credentials849263
-Ref: gnutls_certificate_free_crls849697
-Ref: gnutls_certificate_free_keys849997
-Ref: gnutls_certificate_get_crt_raw850431
-Ref: gnutls_certificate_get_issuer851502
-Ref: gnutls_certificate_get_ocsp_expiration852585
-Ref: gnutls_certificate_get_ours853756
-Ref: gnutls_certificate_get_peers854586
-Ref: gnutls_certificate_get_peers_subkey_id855709
-Ref: gnutls_certificate_get_verify_flags856065
-Ref: gnutls_certificate_get_x509_crt856478
-Ref: gnutls_certificate_get_x509_key858122
-Ref: gnutls_certificate_send_x509_rdn_sequence859437
-Ref: gnutls_certificate_server_set_request860144
-Ref: gnutls_certificate_set_dh_params860934
-Ref: gnutls_certificate_set_flags861753
-Ref: gnutls_certificate_set_known_dh_params862278
-Ref: gnutls_certificate_set_ocsp_status_request_file863206
-Ref: gnutls_certificate_set_ocsp_status_request_file2865112
-Ref: gnutls_certificate_set_ocsp_status_request_function866630
-Ref: gnutls_certificate_set_ocsp_status_request_function2868118
-Ref: gnutls_certificate_set_ocsp_status_request_mem870084
-Ref: gnutls_certificate_set_params_function871859
-Ref: gnutls_certificate_set_pin_function872556
-Ref: gnutls_certificate_set_rawpk_key_file873209
-Ref: gnutls_certificate_set_rawpk_key_mem876513
-Ref: gnutls_certificate_set_retrieve_function879660
-Ref: gnutls_certificate_set_verify_flags881790
-Ref: gnutls_certificate_set_verify_function882283
-Ref: gnutls_certificate_set_verify_limits883347
-Ref: gnutls_certificate_set_x509_crl884028
-Ref: gnutls_certificate_set_x509_crl_file884856
-Ref: gnutls_certificate_set_x509_crl_mem885637
-Ref: gnutls_certificate_set_x509_key886414
-Ref: gnutls_certificate_set_x509_key_file888082
-Ref: gnutls_certificate_set_x509_key_file2890318
-Ref: gnutls_certificate_set_x509_key_mem892852
-Ref: gnutls_certificate_set_x509_key_mem2894500
-Ref: gnutls_certificate_set_x509_simple_pkcs12_file896313
-Ref: gnutls_certificate_set_x509_simple_pkcs12_mem898443
-Ref: gnutls_certificate_set_x509_system_trust900543
-Ref: gnutls_certificate_set_x509_trust901113
-Ref: gnutls_certificate_set_x509_trust_dir902093
-Ref: gnutls_certificate_set_x509_trust_file902831
-Ref: gnutls_certificate_set_x509_trust_mem904007
-Ref: gnutls_certificate_type_get904950
-Ref: gnutls_certificate_type_get2905797
-Ref: gnutls_certificate_type_get_id907182
-Ref: gnutls_certificate_type_get_name907579
-Ref: gnutls_certificate_type_list907962
-Ref: gnutls_certificate_verification_status_print908316
-Ref: gnutls_certificate_verify_peers909074
-Ref: gnutls_certificate_verify_peers2911870
-Ref: gnutls_certificate_verify_peers3913785
-Ref: gnutls_check_version916095
-Ref: gnutls_cipher_get916837
-Ref: gnutls_cipher_get_id917142
-Ref: gnutls_cipher_get_key_size917524
-Ref: gnutls_cipher_get_name917888
-Ref: gnutls_cipher_list918235
-Ref: gnutls_cipher_suite_get_name918795
-Ref: gnutls_cipher_suite_info919663
-Ref: gnutls_credentials_clear920846
-Ref: gnutls_credentials_get921074
-Ref: gnutls_credentials_set922029
-Ref: gnutls_db_check_entry923393
-Ref: gnutls_db_check_entry_expire_time923850
-Ref: gnutls_db_check_entry_time924256
-Ref: gnutls_db_get_default_cache_expiration924647
-Ref: gnutls_db_get_ptr924842
-Ref: gnutls_db_remove_session925154
-Ref: gnutls_db_set_cache_expiration925691
-Ref: gnutls_db_set_ptr926112
-Ref: gnutls_db_set_remove_function926447
-Ref: gnutls_db_set_retrieve_function926950
-Ref: gnutls_db_set_store_function927636
-Ref: gnutls_deinit928103
-Ref: gnutls_dh_get_group928442
-Ref: gnutls_dh_get_peers_public_bits929294
-Ref: gnutls_dh_get_prime_bits929738
-Ref: gnutls_dh_get_pubkey930378
-Ref: gnutls_dh_get_secret_bits931076
-Ref: gnutls_dh_params_cpy931508
-Ref: gnutls_dh_params_deinit932016
-Ref: gnutls_dh_params_export2_pkcs3932257
-Ref: gnutls_dh_params_export_pkcs3933078
-Ref: gnutls_dh_params_export_raw934097
-Ref: gnutls_dh_params_generate2934850
-Ref: gnutls_dh_params_import_dsa936104
-Ref: gnutls_dh_params_import_pkcs3936581
-Ref: gnutls_dh_params_import_raw937320
-Ref: gnutls_dh_params_import_raw2937950
-Ref: gnutls_dh_params_import_raw3938664
-Ref: gnutls_dh_params_init939364
-Ref: gnutls_dh_set_prime_bits939695
-Ref: gnutls_digest_get_id940798
-Ref: gnutls_digest_get_name941224
-Ref: gnutls_digest_get_oid941570
-Ref: gnutls_digest_list941961
-Ref: gnutls_early_cipher_get942332
-Ref: gnutls_early_prf_hash_get942705
-Ref: gnutls_ecc_curve_get943123
-Ref: gnutls_ecc_curve_get_id943524
-Ref: gnutls_ecc_curve_get_name943905
-Ref: gnutls_ecc_curve_get_oid944239
-Ref: gnutls_ecc_curve_get_pk944584
-Ref: gnutls_ecc_curve_get_size944888
-Ref: gnutls_ecc_curve_list945117
-Ref: gnutls_error_is_fatal945440
-Ref: gnutls_error_to_alert946242
-Ref: gnutls_est_record_overhead_size946974
-Ref: gnutls_ext_get_current_msg947882
-Ref: gnutls_ext_get_data948573
-Ref: gnutls_ext_get_name949088
-Ref: gnutls_ext_get_name2949406
-Ref: gnutls_ext_raw_parse949916
-Ref: gnutls_ext_register951066
-Ref: gnutls_ext_set_data952701
-Ref: gnutls_fingerprint953212
-Ref: gnutls_fips140_mode_enabled954218
-Ref: gnutls_fips140_set_mode954772
-Ref: gnutls_get_system_config_file955825
-Ref: gnutls_global_deinit956201
-Ref: gnutls_global_init956651
-Ref: gnutls_global_set_audit_log_function957926
-Ref: gnutls_global_set_log_function958633
-Ref: gnutls_global_set_log_level959141
-Ref: gnutls_global_set_mutex959629
-Ref: gnutls_global_set_time_function960731
-Ref: gnutls_gost_paramset_get_name961168
-Ref: gnutls_gost_paramset_get_oid961544
-Ref: gnutls_group_get961921
-Ref: gnutls_group_get_id962291
-Ref: gnutls_group_get_name962638
-Ref: gnutls_group_list962958
-Ref: gnutls_handshake963280
-Ref: gnutls_handshake_description_get_name965385
-Ref: gnutls_handshake_get_last_in965773
-Ref: gnutls_handshake_get_last_out966398
-Ref: gnutls_handshake_set_hook_function967030
-Ref: gnutls_handshake_set_max_packet_length968422
-Ref: gnutls_handshake_set_post_client_hello_function969207
-Ref: gnutls_handshake_set_private_extensions970533
-Ref: gnutls_handshake_set_random971212
-Ref: gnutls_handshake_set_read_function971932
-Ref: gnutls_handshake_set_secret_function972333
-Ref: gnutls_handshake_set_timeout972712
-Ref: gnutls_handshake_write973402
-Ref: gnutls_heartbeat_allowed974103
-Ref: gnutls_heartbeat_enable974577
-Ref: gnutls_heartbeat_get_timeout975415
-Ref: gnutls_heartbeat_ping975954
-Ref: gnutls_heartbeat_pong977086
-Ref: gnutls_heartbeat_set_timeouts977493
-Ref: gnutls_hex2bin978264
-Ref: gnutls_hex_decode978983
-Ref: gnutls_hex_decode2979709
-Ref: gnutls_hex_encode980138
-Ref: gnutls_hex_encode2980735
-Ref: gnutls_idna_map981250
-Ref: gnutls_idna_reverse_map982380
-Ref: gnutls_init983145
-Ref: gnutls_key_generate983973
-Ref: gnutls_kx_get984390
-Ref: gnutls_kx_get_id984976
-Ref: gnutls_kx_get_name985320
-Ref: gnutls_kx_list985665
-Ref: gnutls_load_file985993
-Ref: gnutls_mac_get986765
-Ref: gnutls_mac_get_id987070
-Ref: gnutls_mac_get_key_size987483
-Ref: gnutls_mac_get_name987820
-Ref: gnutls_mac_list988139
-Ref: gnutls_memcmp988527
-Ref: gnutls_memset989087
-Ref: gnutls_ocsp_status_request_enable_client989481
-Ref: gnutls_ocsp_status_request_get990492
-Ref: gnutls_ocsp_status_request_get2991154
-Ref: gnutls_ocsp_status_request_is_checked992149
-Ref: gnutls_oid_to_digest993537
-Ref: gnutls_oid_to_ecc_curve993946
-Ref: gnutls_oid_to_gost_paramset994272
-Ref: gnutls_oid_to_mac994683
-Ref: gnutls_oid_to_pk995096
-Ref: gnutls_oid_to_sign995468
-Ref: gnutls_openpgp_send_cert995872
-Ref: gnutls_packet_deinit996174
-Ref: gnutls_packet_get996448
-Ref: gnutls_pem_base64_decode996953
-Ref: gnutls_pem_base64_decode2997808
-Ref: gnutls_pem_base64_encode998803
-Ref: gnutls_pem_base64_encode2999632
-Ref: gnutls_perror1000568
-Ref: gnutls_pk_algorithm_get_name1000864
-Ref: gnutls_pk_bits_to_sec_param1001220
-Ref: gnutls_pk_get_id1001694
-Ref: gnutls_pk_get_name1002212
-Ref: gnutls_pk_get_oid1002580
-Ref: gnutls_pk_list1002979
-Ref: gnutls_pk_to_sign1003312
-Ref: gnutls_prf1003723
-Ref: gnutls_prf_early1005718
-Ref: gnutls_prf_hash_get1007373
-Ref: gnutls_prf_raw1007905
-Ref: gnutls_prf_rfc57051009789
-Ref: gnutls_priority_certificate_type_list1011466
-Ref: gnutls_priority_certificate_type_list21012162
-Ref: gnutls_priority_cipher_list1012778
-Ref: gnutls_priority_deinit1013165
-Ref: gnutls_priority_ecc_curve_list1013408
-Ref: gnutls_priority_get_cipher_suite_index1013940
-Ref: gnutls_priority_group_list1014856
-Ref: gnutls_priority_init1015237
-Ref: gnutls_priority_init21016317
-Ref: gnutls_priority_kx_list1020691
-Ref: gnutls_priority_mac_list1021096
-Ref: gnutls_priority_protocol_list1021501
-Ref: gnutls_priority_set1021903
-Ref: gnutls_priority_set_direct1022558
-Ref: gnutls_priority_sign_list1023491
-Ref: gnutls_priority_string_list1023907
-Ref: gnutls_protocol_get_id1024539
-Ref: gnutls_protocol_get_name1024855
-Ref: gnutls_protocol_get_version1025214
-Ref: gnutls_protocol_list1025512
-Ref: gnutls_psk_allocate_client_credentials1025882
-Ref: gnutls_psk_allocate_server_credentials1026302
-Ref: gnutls_psk_client_get_hint1026698
-Ref: gnutls_psk_free_client_credentials1027325
-Ref: gnutls_psk_free_server_credentials1027608
-Ref: gnutls_psk_server_get_username1027883
-Ref: gnutls_psk_server_get_username21028590
-Ref: gnutls_psk_set_client_credentials1029284
-Ref: gnutls_psk_set_client_credentials21030307
-Ref: gnutls_psk_set_client_credentials_function1031087
-Ref: gnutls_psk_set_client_credentials_function21032090
-Ref: gnutls_psk_set_params_function1033247
-Ref: gnutls_psk_set_server_credentials_file1033927
-Ref: gnutls_psk_set_server_credentials_function1034788
-Ref: gnutls_psk_set_server_credentials_function21035742
-Ref: gnutls_psk_set_server_credentials_hint1036865
-Ref: gnutls_psk_set_server_dh_params1037489
-Ref: gnutls_psk_set_server_known_dh_params1038174
-Ref: gnutls_psk_set_server_params_function1039071
-Ref: gnutls_random_art1039712
-Ref: gnutls_range_split1040574
-Ref: gnutls_reauth1041656
-Ref: gnutls_record_can_use_length_hiding1043758
-Ref: gnutls_record_check_corked1044509
-Ref: gnutls_record_check_pending1044892
-Ref: gnutls_record_cork1045303
-Ref: gnutls_record_disable_padding1045717
-Ref: gnutls_record_discard_queued1046325
-Ref: gnutls_record_get_direction1046942
-Ref: gnutls_record_get_max_early_data_size1047923
-Ref: gnutls_record_get_max_size1048475
-Ref: gnutls_record_get_state1048842
-Ref: gnutls_record_overhead_size1049864
-Ref: gnutls_record_recv1050251
-Ref: gnutls_record_recv_early_data1051701
-Ref: gnutls_record_recv_packet1052763
-Ref: gnutls_record_recv_seq1053642
-Ref: gnutls_record_send1054628
-Ref: gnutls_record_send21056686
-Ref: gnutls_record_send_early_data1057838
-Ref: gnutls_record_send_range1058894
-Ref: gnutls_record_set_max_early_data_size1060073
-Ref: gnutls_record_set_max_recv_size1060719
-Ref: gnutls_record_set_max_size1061423
-Ref: gnutls_record_set_state1062602
-Ref: gnutls_record_set_timeout1063260
-Ref: gnutls_record_uncork1063861
-Ref: gnutls_rehandshake1064801
-Ref: gnutls_safe_renegotiation_status1066583
-Ref: gnutls_sec_param_get_name1066998
-Ref: gnutls_sec_param_to_pk_bits1067372
-Ref: gnutls_sec_param_to_symmetric_bits1068042
-Ref: gnutls_server_name_get1068426
-Ref: gnutls_server_name_set1069898
-Ref: gnutls_session_channel_binding1071056
-Ref: gnutls_session_enable_compatibility_mode1071774
-Ref: gnutls_session_etm_status1072481
-Ref: gnutls_session_ext_master_secret_status1072884
-Ref: gnutls_session_ext_register1073375
-Ref: gnutls_session_force_valid1075637
-Ref: gnutls_session_get_data1076058
-Ref: gnutls_session_get_data21076718
-Ref: gnutls_session_get_desc1078991
-Ref: gnutls_session_get_flags1079513
-Ref: gnutls_session_get_id1080051
-Ref: gnutls_session_get_id21081574
-Ref: gnutls_session_get_keylog_function1083044
-Ref: gnutls_session_get_master_secret1083451
-Ref: gnutls_session_get_ptr1083935
-Ref: gnutls_session_get_random1084330
-Ref: gnutls_session_get_verify_cert_status1084951
-Ref: gnutls_session_is_resumed1085624
-Ref: gnutls_session_key_update1085994
-Ref: gnutls_session_resumption_requested1086942
-Ref: gnutls_session_set_data1087324
-Ref: gnutls_session_set_id1088165
-Ref: gnutls_session_set_keylog_function1088840
-Ref: gnutls_session_set_premaster1089239
-Ref: gnutls_session_set_ptr1090334
-Ref: gnutls_session_set_verify_cert1090734
-Ref: gnutls_session_set_verify_cert21092078
-Ref: gnutls_session_set_verify_function1093262
-Ref: gnutls_session_supplemental_register1094374
-Ref: gnutls_session_ticket_enable_client1095632
-Ref: gnutls_session_ticket_enable_server1096125
-Ref: gnutls_session_ticket_key_generate1096919
-Ref: gnutls_session_ticket_send1097347
-Ref: gnutls_set_default_priority1097931
-Ref: gnutls_set_default_priority_append1099016
-Ref: gnutls_sign_algorithm_get1100358
-Ref: gnutls_sign_algorithm_get_client1100801
-Ref: gnutls_sign_algorithm_get_requested1101268
-Ref: gnutls_sign_get_hash_algorithm1102295
-Ref: gnutls_sign_get_id1102707
-Ref: gnutls_sign_get_name1103070
-Ref: gnutls_sign_get_oid1103402
-Ref: gnutls_sign_get_pk_algorithm1103788
-Ref: gnutls_sign_is_secure1104395
-Ref: gnutls_sign_is_secure21104665
-Ref: gnutls_sign_list1105001
-Ref: gnutls_sign_supports_pk_algorithm1105361
-Ref: gnutls_srp_allocate_client_credentials1105945
-Ref: gnutls_srp_allocate_server_credentials1106346
-Ref: gnutls_srp_base64_decode1106719
-Ref: gnutls_srp_base64_decode21107424
-Ref: gnutls_srp_base64_encode1108092
-Ref: gnutls_srp_base64_encode21108893
-Ref: gnutls_srp_free_client_credentials1109624
-Ref: gnutls_srp_free_server_credentials1109907
-Ref: gnutls_srp_server_get_username1110182
-Ref: gnutls_srp_set_client_credentials1110636
-Ref: gnutls_srp_set_client_credentials_function1111526
-Ref: gnutls_srp_set_prime_bits1112773
-Ref: gnutls_srp_set_server_credentials_file1113458
-Ref: gnutls_srp_set_server_credentials_function1114184
-Ref: gnutls_srp_set_server_fake_salt_seed1115899
-Ref: gnutls_srp_verifier1117402
-Ref: gnutls_srtp_get_keys1118330
-Ref: gnutls_srtp_get_mki1119724
-Ref: gnutls_srtp_get_profile_id1120293
-Ref: gnutls_srtp_get_profile_name1120751
-Ref: gnutls_srtp_get_selected_profile1121172
-Ref: gnutls_srtp_set_mki1121616
-Ref: gnutls_srtp_set_profile1122065
-Ref: gnutls_srtp_set_profile_direct1122597
-Ref: gnutls_store_commitment1123320
-Ref: gnutls_store_pubkey1124619
-Ref: gnutls_strerror1126406
-Ref: gnutls_strerror_name1126891
-Ref: gnutls_supplemental_get_name1127360
-Ref: gnutls_supplemental_recv1127782
-Ref: gnutls_supplemental_register1128252
-Ref: gnutls_supplemental_send1129364
-Ref: gnutls_system_recv_timeout1129809
-Ref: gnutls_tdb_deinit1130551
-Ref: gnutls_tdb_init1130766
-Ref: gnutls_tdb_set_store_commitment_func1131125
-Ref: gnutls_tdb_set_store_func1131806
-Ref: gnutls_tdb_set_verify_func1132395
-Ref: gnutls_transport_get_int1133139
-Ref: gnutls_transport_get_int21133547
-Ref: gnutls_transport_get_ptr1134050
-Ref: gnutls_transport_get_ptr21134466
-Ref: gnutls_transport_set_errno1135000
-Ref: gnutls_transport_set_errno_function1135987
-Ref: gnutls_transport_set_int1136524
-Ref: gnutls_transport_set_int21137078
-Ref: gnutls_transport_set_ptr1137807
-Ref: gnutls_transport_set_ptr21138220
-Ref: gnutls_transport_set_pull_function1138864
-Ref: gnutls_transport_set_pull_timeout_function1139644
-Ref: gnutls_transport_set_push_function1141347
-Ref: gnutls_transport_set_vec_push_function1142192
-Ref: gnutls_url_is_supported1142888
-Ref: gnutls_utf8_password_normalize1143308
-Ref: gnutls_verify_stored_pubkey1144097
-Node: Datagram TLS API1147244
-Ref: gnutls_dtls_cookie_send1147520
-Ref: gnutls_dtls_cookie_verify1148775
-Ref: gnutls_dtls_get_data_mtu1149719
-Ref: gnutls_dtls_get_mtu1150162
-Ref: gnutls_dtls_get_timeout1150605
-Ref: gnutls_dtls_prestate_set1151148
-Ref: gnutls_dtls_set_data_mtu1151732
-Ref: gnutls_dtls_set_mtu1152706
-Ref: gnutls_dtls_set_timeouts1153313
-Ref: gnutls_record_get_discarded1154317
-Node: X509 certificate API1154591
-Ref: gnutls_certificate_get_trust_list1154940
-Ref: gnutls_certificate_set_trust_list1155588
-Ref: gnutls_certificate_verification_profile_get_id1156363
-Ref: gnutls_certificate_verification_profile_get_name1156910
-Ref: gnutls_pkcs8_info1157293
-Ref: gnutls_pkcs_schema_get_name1158811
-Ref: gnutls_pkcs_schema_get_oid1159216
-Ref: gnutls_session_set_verify_output_function1159643
-Ref: gnutls_subject_alt_names_deinit1160800
-Ref: gnutls_subject_alt_names_get1161079
-Ref: gnutls_subject_alt_names_init1162089
-Ref: gnutls_subject_alt_names_set1162469
-Ref: gnutls_x509_aia_deinit1163288
-Ref: gnutls_x509_aia_get1163522
-Ref: gnutls_x509_aia_init1164681
-Ref: gnutls_x509_aia_set1165016
-Ref: gnutls_x509_aki_deinit1165811
-Ref: gnutls_x509_aki_get_cert_issuer1166075
-Ref: gnutls_x509_aki_get_id1167141
-Ref: gnutls_x509_aki_init1167680
-Ref: gnutls_x509_aki_set_cert_issuer1168029
-Ref: gnutls_x509_aki_set_id1169144
-Ref: gnutls_x509_cidr_to_rfc52801169573
-Ref: gnutls_x509_crl_check_issuer1170471
-Ref: gnutls_x509_crl_deinit1170919
-Ref: gnutls_x509_crl_dist_points_deinit1171151
-Ref: gnutls_x509_crl_dist_points_get1171446
-Ref: gnutls_x509_crl_dist_points_init1172420
-Ref: gnutls_x509_crl_dist_points_set1172816
-Ref: gnutls_x509_crl_export1173519
-Ref: gnutls_x509_crl_export21174402
-Ref: gnutls_x509_crl_get_authority_key_gn_serial1175122
-Ref: gnutls_x509_crl_get_authority_key_id1176436
-Ref: gnutls_x509_crl_get_crt_count1177499
-Ref: gnutls_x509_crl_get_crt_serial1177857
-Ref: gnutls_x509_crl_get_dn_oid1178761
-Ref: gnutls_x509_crl_get_extension_data1179567
-Ref: gnutls_x509_crl_get_extension_data21180684
-Ref: gnutls_x509_crl_get_extension_info1181563
-Ref: gnutls_x509_crl_get_extension_oid1182827
-Ref: gnutls_x509_crl_get_issuer_dn1183679
-Ref: gnutls_x509_crl_get_issuer_dn21184680
-Ref: gnutls_x509_crl_get_issuer_dn31185514
-Ref: gnutls_x509_crl_get_issuer_dn_by_oid1186492
-Ref: gnutls_x509_crl_get_next_update1188003
-Ref: gnutls_x509_crl_get_number1188437
-Ref: gnutls_x509_crl_get_raw_issuer_dn1189162
-Ref: gnutls_x509_crl_get_signature1189616
-Ref: gnutls_x509_crl_get_signature_algorithm1190163
-Ref: gnutls_x509_crl_get_signature_oid1190725
-Ref: gnutls_x509_crl_get_this_update1191386
-Ref: gnutls_x509_crl_get_version1191711
-Ref: gnutls_x509_crl_import1192019
-Ref: gnutls_x509_crl_init1192643
-Ref: gnutls_x509_crl_iter_crt_serial1193232
-Ref: gnutls_x509_crl_iter_deinit1194378
-Ref: gnutls_x509_crl_list_import1194623
-Ref: gnutls_x509_crl_list_import21195625
-Ref: gnutls_x509_crl_print1196491
-Ref: gnutls_x509_crl_set_authority_key_id1197140
-Ref: gnutls_x509_crl_set_crt1197793
-Ref: gnutls_x509_crl_set_crt_serial1198366
-Ref: gnutls_x509_crl_set_next_update1198998
-Ref: gnutls_x509_crl_set_number1199615
-Ref: gnutls_x509_crl_set_this_update1200192
-Ref: gnutls_x509_crl_set_version1200596
-Ref: gnutls_x509_crl_sign1201139
-Ref: gnutls_x509_crl_sign21201832
-Ref: gnutls_x509_crl_verify1203068
-Ref: gnutls_x509_crq_deinit1204312
-Ref: gnutls_x509_crq_export1204550
-Ref: gnutls_x509_crq_export21205547
-Ref: gnutls_x509_crq_get_attribute_by_oid1206321
-Ref: gnutls_x509_crq_get_attribute_data1207346
-Ref: gnutls_x509_crq_get_attribute_info1208458
-Ref: gnutls_x509_crq_get_basic_constraints1209655
-Ref: gnutls_x509_crq_get_challenge_password1210908
-Ref: gnutls_x509_crq_get_dn1211520
-Ref: gnutls_x509_crq_get_dn21212469
-Ref: gnutls_x509_crq_get_dn31213326
-Ref: gnutls_x509_crq_get_dn_by_oid1214334
-Ref: gnutls_x509_crq_get_dn_oid1215795
-Ref: gnutls_x509_crq_get_extension_by_oid1216582
-Ref: gnutls_x509_crq_get_extension_by_oid21217739
-Ref: gnutls_x509_crq_get_extension_data1218821
-Ref: gnutls_x509_crq_get_extension_data21219951
-Ref: gnutls_x509_crq_get_extension_info1220830
-Ref: gnutls_x509_crq_get_key_id1222091
-Ref: gnutls_x509_crq_get_key_purpose_oid1223158
-Ref: gnutls_x509_crq_get_key_rsa_raw1224173
-Ref: gnutls_x509_crq_get_key_usage1224797
-Ref: gnutls_x509_crq_get_pk_algorithm1225883
-Ref: gnutls_x509_crq_get_pk_oid1226604
-Ref: gnutls_x509_crq_get_private_key_usage_period1227261
-Ref: gnutls_x509_crq_get_signature_algorithm1227976
-Ref: gnutls_x509_crq_get_signature_oid1228615
-Ref: gnutls_x509_crq_get_spki1229276
-Ref: gnutls_x509_crq_get_subject_alt_name1229836
-Ref: gnutls_x509_crq_get_subject_alt_othername_oid1231394
-Ref: gnutls_x509_crq_get_tlsfeatures1232874
-Ref: gnutls_x509_crq_get_version1234003
-Ref: gnutls_x509_crq_import1234349
-Ref: gnutls_x509_crq_init1235031
-Ref: gnutls_x509_crq_print1235379
-Ref: gnutls_x509_crq_set_attribute_by_oid1236035
-Ref: gnutls_x509_crq_set_basic_constraints1236900
-Ref: gnutls_x509_crq_set_challenge_password1237644
-Ref: gnutls_x509_crq_set_dn1238095
-Ref: gnutls_x509_crq_set_dn_by_oid1238713
-Ref: gnutls_x509_crq_set_extension_by_oid1239843
-Ref: gnutls_x509_crq_set_key1240622
-Ref: gnutls_x509_crq_set_key_purpose_oid1241085
-Ref: gnutls_x509_crq_set_key_rsa_raw1241865
-Ref: gnutls_x509_crq_set_key_usage1242441
-Ref: gnutls_x509_crq_set_private_key_usage_period1242945
-Ref: gnutls_x509_crq_set_spki1243450
-Ref: gnutls_x509_crq_set_subject_alt_name1244321
-Ref: gnutls_x509_crq_set_subject_alt_othername1245147
-Ref: gnutls_x509_crq_set_tlsfeatures1245985
-Ref: gnutls_x509_crq_set_version1246535
-Ref: gnutls_x509_crq_sign1247020
-Ref: gnutls_x509_crq_sign21247791
-Ref: gnutls_x509_crq_verify1249123
-Ref: gnutls_x509_crt_check_email1249716
-Ref: gnutls_x509_crt_check_hostname1250244
-Ref: gnutls_x509_crt_check_hostname21250956
-Ref: gnutls_x509_crt_check_ip1252707
-Ref: gnutls_x509_crt_check_issuer1253321
-Ref: gnutls_x509_crt_check_key_purpose1254059
-Ref: gnutls_x509_crt_check_revocation1254753
-Ref: gnutls_x509_crt_cpy_crl_dist_points1255402
-Ref: gnutls_x509_crt_deinit1255991
-Ref: gnutls_x509_crt_equals1256209
-Ref: gnutls_x509_crt_equals21256591
-Ref: gnutls_x509_crt_export1257015
-Ref: gnutls_x509_crt_export21257926
-Ref: gnutls_x509_crt_get_activation_time1258624
-Ref: gnutls_x509_crt_get_authority_info_access1259002
-Ref: gnutls_x509_crt_get_authority_key_gn_serial1262476
-Ref: gnutls_x509_crt_get_authority_key_id1263917
-Ref: gnutls_x509_crt_get_basic_constraints1265048
-Ref: gnutls_x509_crt_get_ca_status1266262
-Ref: gnutls_x509_crt_get_crl_dist_points1267261
-Ref: gnutls_x509_crt_get_dn1268586
-Ref: gnutls_x509_crt_get_dn21269781
-Ref: gnutls_x509_crt_get_dn31270590
-Ref: gnutls_x509_crt_get_dn_by_oid1271550
-Ref: gnutls_x509_crt_get_dn_oid1273319
-Ref: gnutls_x509_crt_get_expiration_time1274347
-Ref: gnutls_x509_crt_get_extension_by_oid1274713
-Ref: gnutls_x509_crt_get_extension_by_oid21275840
-Ref: gnutls_x509_crt_get_extension_data1276913
-Ref: gnutls_x509_crt_get_extension_data21278002
-Ref: gnutls_x509_crt_get_extension_info1278867
-Ref: gnutls_x509_crt_get_extension_oid1280279
-Ref: gnutls_x509_crt_get_fingerprint1281242
-Ref: gnutls_x509_crt_get_inhibit_anypolicy1282130
-Ref: gnutls_x509_crt_get_issuer1283099
-Ref: gnutls_x509_crt_get_issuer_alt_name1283737
-Ref: gnutls_x509_crt_get_issuer_alt_name21285537
-Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1287119
-Ref: gnutls_x509_crt_get_issuer_dn1288768
-Ref: gnutls_x509_crt_get_issuer_dn21289889
-Ref: gnutls_x509_crt_get_issuer_dn31290736
-Ref: gnutls_x509_crt_get_issuer_dn_by_oid1291727
-Ref: gnutls_x509_crt_get_issuer_dn_oid1293514
-Ref: gnutls_x509_crt_get_issuer_unique_id1294550
-Ref: gnutls_x509_crt_get_key_id1295645
-Ref: gnutls_x509_crt_get_key_purpose_oid1296668
-Ref: gnutls_x509_crt_get_key_usage1297829
-Ref: gnutls_x509_crt_get_name_constraints1298889
-Ref: gnutls_x509_crt_get_pk_algorithm1300297
-Ref: gnutls_x509_crt_get_pk_dsa_raw1301086
-Ref: gnutls_x509_crt_get_pk_ecc_raw1301754
-Ref: gnutls_x509_crt_get_pk_gost_raw1302567
-Ref: gnutls_x509_crt_get_pk_oid1303411
-Ref: gnutls_x509_crt_get_pk_rsa_raw1304037
-Ref: gnutls_x509_crt_get_policy1304615
-Ref: gnutls_x509_crt_get_private_key_usage_period1305561
-Ref: gnutls_x509_crt_get_proxy1306313
-Ref: gnutls_x509_crt_get_raw_dn1307334
-Ref: gnutls_x509_crt_get_raw_issuer_dn1307927
-Ref: gnutls_x509_crt_get_serial1308506
-Ref: gnutls_x509_crt_get_signature1309246
-Ref: gnutls_x509_crt_get_signature_algorithm1309801
-Ref: gnutls_x509_crt_get_signature_oid1310414
-Ref: gnutls_x509_crt_get_spki1311072
-Ref: gnutls_x509_crt_get_subject1311558
-Ref: gnutls_x509_crt_get_subject_alt_name1312201
-Ref: gnutls_x509_crt_get_subject_alt_name21313960
-Ref: gnutls_x509_crt_get_subject_alt_othername_oid1315525
-Ref: gnutls_x509_crt_get_subject_key_id1317165
-Ref: gnutls_x509_crt_get_subject_unique_id1317997
-Ref: gnutls_x509_crt_get_tlsfeatures1319082
-Ref: gnutls_x509_crt_get_version1320194
-Ref: gnutls_x509_crt_import1320521
-Ref: gnutls_x509_crt_import_url1321222
-Ref: gnutls_x509_crt_init1321943
-Ref: gnutls_x509_crt_list_import1322290
-Ref: gnutls_x509_crt_list_import21323657
-Ref: gnutls_x509_crt_list_import_url1324729
-Ref: gnutls_x509_crt_list_verify1325953
-Ref: gnutls_x509_crt_print1327533
-Ref: gnutls_x509_crt_set_activation_time1328425
-Ref: gnutls_x509_crt_set_authority_info_access1328892
-Ref: gnutls_x509_crt_set_authority_key_id1329787
-Ref: gnutls_x509_crt_set_basic_constraints1330369
-Ref: gnutls_x509_crt_set_ca_status1331068
-Ref: gnutls_x509_crt_set_crl_dist_points1331666
-Ref: gnutls_x509_crt_set_crl_dist_points21332318
-Ref: gnutls_x509_crt_set_crq1333017
-Ref: gnutls_x509_crt_set_crq_extension_by_oid1333734
-Ref: gnutls_x509_crt_set_crq_extensions1334370
-Ref: gnutls_x509_crt_set_dn1334836
-Ref: gnutls_x509_crt_set_dn_by_oid1335719
-Ref: gnutls_x509_crt_set_expiration_time1336836
-Ref: gnutls_x509_crt_set_extension_by_oid1337381
-Ref: gnutls_x509_crt_set_flags1338156
-Ref: gnutls_x509_crt_set_inhibit_anypolicy1338664
-Ref: gnutls_x509_crt_set_issuer_alt_name1339174
-Ref: gnutls_x509_crt_set_issuer_alt_othername1340196
-Ref: gnutls_x509_crt_set_issuer_dn1341172
-Ref: gnutls_x509_crt_set_issuer_dn_by_oid1341811
-Ref: gnutls_x509_crt_set_issuer_unique_id1343090
-Ref: gnutls_x509_crt_set_key1343595
-Ref: gnutls_x509_crt_set_key_purpose_oid1344175
-Ref: gnutls_x509_crt_set_key_usage1344943
-Ref: gnutls_x509_crt_set_name_constraints1345402
-Ref: gnutls_x509_crt_set_pin_function1346024
-Ref: gnutls_x509_crt_set_policy1346692
-Ref: gnutls_x509_crt_set_private_key_usage_period1347545
-Ref: gnutls_x509_crt_set_proxy1348052
-Ref: gnutls_x509_crt_set_proxy_dn1348866
-Ref: gnutls_x509_crt_set_serial1349885
-Ref: gnutls_x509_crt_set_spki1350945
-Ref: gnutls_x509_crt_set_subject_alt_name1351800
-Ref: gnutls_x509_crt_set_subject_alt_othername1353040
-Ref: gnutls_x509_crt_set_subject_alternative_name1354048
-Ref: gnutls_x509_crt_set_subject_key_id1354946
-Ref: gnutls_x509_crt_set_subject_unique_id1355466
-Ref: gnutls_x509_crt_set_tlsfeatures1355989
-Ref: gnutls_x509_crt_set_version1356513
-Ref: gnutls_x509_crt_sign1357336
-Ref: gnutls_x509_crt_sign21358031
-Ref: gnutls_x509_crt_verify1359264
-Ref: gnutls_x509_crt_verify_data21360313
-Ref: gnutls_x509_dn_deinit1361317
-Ref: gnutls_x509_dn_export1361579
-Ref: gnutls_x509_dn_export21362473
-Ref: gnutls_x509_dn_get_rdn_ava1363134
-Ref: gnutls_x509_dn_get_str1364166
-Ref: gnutls_x509_dn_get_str21364762
-Ref: gnutls_x509_dn_import1365624
-Ref: gnutls_x509_dn_init1366240
-Ref: gnutls_x509_dn_oid_known1366661
-Ref: gnutls_x509_dn_oid_name1367330
-Ref: gnutls_x509_dn_set_str1367859
-Ref: gnutls_x509_ext_deinit1368458
-Ref: gnutls_x509_ext_export_aia1368702
-Ref: gnutls_x509_ext_export_authority_key_id1369296
-Ref: gnutls_x509_ext_export_basic_constraints1369952
-Ref: gnutls_x509_ext_export_crl_dist_points1370649
-Ref: gnutls_x509_ext_export_inhibit_anypolicy1371317
-Ref: gnutls_x509_ext_export_key_purposes1371985
-Ref: gnutls_x509_ext_export_key_usage1372604
-Ref: gnutls_x509_ext_export_name_constraints1373220
-Ref: gnutls_x509_ext_export_policies1373861
-Ref: gnutls_x509_ext_export_private_key_usage_period1374524
-Ref: gnutls_x509_ext_export_proxy1375189
-Ref: gnutls_x509_ext_export_subject_alt_names1376175
-Ref: gnutls_x509_ext_export_subject_key_id1376824
-Ref: gnutls_x509_ext_export_tlsfeatures1377446
-Ref: gnutls_x509_ext_import_aia1378064
-Ref: gnutls_x509_ext_import_authority_key_id1378769
-Ref: gnutls_x509_ext_import_basic_constraints1379437
-Ref: gnutls_x509_ext_import_crl_dist_points1380063
-Ref: gnutls_x509_ext_import_inhibit_anypolicy1380691
-Ref: gnutls_x509_ext_import_key_purposes1381606
-Ref: gnutls_x509_ext_import_key_usage1382240
-Ref: gnutls_x509_ext_import_name_constraints1383256
-Ref: gnutls_x509_ext_import_policies1384594
-Ref: gnutls_x509_ext_import_private_key_usage_period1385201
-Ref: gnutls_x509_ext_import_proxy1385816
-Ref: gnutls_x509_ext_import_subject_alt_names1386902
-Ref: gnutls_x509_ext_import_subject_key_id1387660
-Ref: gnutls_x509_ext_import_tlsfeatures1388295
-Ref: gnutls_x509_ext_print1389187
-Ref: gnutls_x509_key_purpose_deinit1389898
-Ref: gnutls_x509_key_purpose_get1390152
-Ref: gnutls_x509_key_purpose_init1390880
-Ref: gnutls_x509_key_purpose_set1391241
-Ref: gnutls_x509_name_constraints_add_excluded1391696
-Ref: gnutls_x509_name_constraints_add_permitted1392637
-Ref: gnutls_x509_name_constraints_check1393512
-Ref: gnutls_x509_name_constraints_check_crt1394349
-Ref: gnutls_x509_name_constraints_deinit1395219
-Ref: gnutls_x509_name_constraints_get_excluded1395519
-Ref: gnutls_x509_name_constraints_get_permitted1396590
-Ref: gnutls_x509_name_constraints_init1397644
-Ref: gnutls_x509_othername_to_virtual1398027
-Ref: gnutls_x509_policies_deinit1398646
-Ref: gnutls_x509_policies_get1398926
-Ref: gnutls_x509_policies_init1399712
-Ref: gnutls_x509_policies_set1400077
-Ref: gnutls_x509_policy_release1400544
-Ref: gnutls_x509_privkey_cpy1400908
-Ref: gnutls_x509_privkey_deinit1401378
-Ref: gnutls_x509_privkey_export1401619
-Ref: gnutls_x509_privkey_export21402654
-Ref: gnutls_x509_privkey_export2_pkcs81403532
-Ref: gnutls_x509_privkey_export_dsa_raw1404808
-Ref: gnutls_x509_privkey_export_ecc_raw1405548
-Ref: gnutls_x509_privkey_export_gost_raw1406431
-Ref: gnutls_x509_privkey_export_pkcs81407516
-Ref: gnutls_x509_privkey_export_rsa_raw1409021
-Ref: gnutls_x509_privkey_export_rsa_raw21409882
-Ref: gnutls_x509_privkey_fix1410868
-Ref: gnutls_x509_privkey_generate1411253
-Ref: gnutls_x509_privkey_generate21412778
-Ref: gnutls_x509_privkey_get_key_id1414937
-Ref: gnutls_x509_privkey_get_pk_algorithm1415956
-Ref: gnutls_x509_privkey_get_pk_algorithm21416384
-Ref: gnutls_x509_privkey_get_seed1416875
-Ref: gnutls_x509_privkey_get_spki1417699
-Ref: gnutls_x509_privkey_import1418234
-Ref: gnutls_x509_privkey_import21419029
-Ref: gnutls_x509_privkey_import_dsa_raw1420102
-Ref: gnutls_x509_privkey_import_ecc_raw1420834
-Ref: gnutls_x509_privkey_import_gost_raw1421650
-Ref: gnutls_x509_privkey_import_openssl1422926
-Ref: gnutls_x509_privkey_import_pkcs81423800
-Ref: gnutls_x509_privkey_import_rsa_raw1425247
-Ref: gnutls_x509_privkey_import_rsa_raw21426101
-Ref: gnutls_x509_privkey_init1427097
-Ref: gnutls_x509_privkey_sec_param1427442
-Ref: gnutls_x509_privkey_set_flags1427861
-Ref: gnutls_x509_privkey_set_pin_function1428411
-Ref: gnutls_x509_privkey_set_spki1429029
-Ref: gnutls_x509_privkey_sign_data1429576
-Ref: gnutls_x509_privkey_verify_params1430797
-Ref: gnutls_x509_privkey_verify_seed1431133
-Ref: gnutls_x509_rdn_get1431962
-Ref: gnutls_x509_rdn_get21432780
-Ref: gnutls_x509_rdn_get_by_oid1433688
-Ref: gnutls_x509_rdn_get_oid1434670
-Ref: gnutls_x509_spki_deinit1435415
-Ref: gnutls_x509_spki_get_rsa_pss_params1435697
-Ref: gnutls_x509_spki_init1436258
-Ref: gnutls_x509_spki_set_rsa_pss_params1436774
-Ref: gnutls_x509_tlsfeatures_add1437287
-Ref: gnutls_x509_tlsfeatures_check_crt1437743
-Ref: gnutls_x509_tlsfeatures_deinit1438343
-Ref: gnutls_x509_tlsfeatures_get1438621
-Ref: gnutls_x509_tlsfeatures_init1439181
-Ref: gnutls_x509_trust_list_add_cas1439566
-Ref: gnutls_x509_trust_list_add_crls1440751
-Ref: gnutls_x509_trust_list_add_named_crt1442129
-Ref: gnutls_x509_trust_list_add_system_trust1443344
-Ref: gnutls_x509_trust_list_add_trust_dir1444106
-Ref: gnutls_x509_trust_list_add_trust_file1444969
-Ref: gnutls_x509_trust_list_add_trust_mem1446116
-Ref: gnutls_x509_trust_list_deinit1447035
-Ref: gnutls_x509_trust_list_get_issuer1447661
-Ref: gnutls_x509_trust_list_get_issuer_by_dn1448711
-Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1449440
-Ref: gnutls_x509_trust_list_get_ptr1450248
-Ref: gnutls_x509_trust_list_init1450761
-Ref: gnutls_x509_trust_list_iter_deinit1451266
-Ref: gnutls_x509_trust_list_iter_get_ca1451575
-Ref: gnutls_x509_trust_list_remove_cas1452755
-Ref: gnutls_x509_trust_list_remove_trust_file1453610
-Ref: gnutls_x509_trust_list_remove_trust_mem1454311
-Ref: gnutls_x509_trust_list_set_getissuer_function1454969
-Ref: gnutls_x509_trust_list_set_ptr1456602
-Ref: gnutls_x509_trust_list_verify_crt1457140
-Ref: gnutls_x509_trust_list_verify_crt21458303
-Ref: gnutls_x509_trust_list_verify_named_crt1461237
-Node: PKCS 7 API1463965
-Ref: gnutls_pkcs7_add_attr1464261
-Ref: gnutls_pkcs7_attrs_deinit1465067
-Ref: gnutls_pkcs7_deinit1465302
-Ref: gnutls_pkcs7_delete_crl1465507
-Ref: gnutls_pkcs7_delete_crt1465936
-Ref: gnutls_pkcs7_export1466382
-Ref: gnutls_pkcs7_export21467282
-Ref: gnutls_pkcs7_get_attr1467943
-Ref: gnutls_pkcs7_get_crl_count1468830
-Ref: gnutls_pkcs7_get_crl_raw1469178
-Ref: gnutls_pkcs7_get_crl_raw21469953
-Ref: gnutls_pkcs7_get_crt_count1470584
-Ref: gnutls_pkcs7_get_crt_raw1470959
-Ref: gnutls_pkcs7_get_crt_raw21471859
-Ref: gnutls_pkcs7_get_embedded_data1472713
-Ref: gnutls_pkcs7_get_embedded_data_oid1473713
-Ref: gnutls_pkcs7_get_signature_count1474273
-Ref: gnutls_pkcs7_get_signature_info1474680
-Ref: gnutls_pkcs7_import1475353
-Ref: gnutls_pkcs7_init1475974
-Ref: gnutls_pkcs7_print1476398
-Ref: gnutls_pkcs7_print_signature_info1477143
-Ref: gnutls_pkcs7_set_crl1477948
-Ref: gnutls_pkcs7_set_crl_raw1478349
-Ref: gnutls_pkcs7_set_crt1478739
-Ref: gnutls_pkcs7_set_crt_raw1479223
-Ref: gnutls_pkcs7_sign1479636
-Ref: gnutls_pkcs7_signature_info_deinit1481075
-Ref: gnutls_pkcs7_verify1481428
-Ref: gnutls_pkcs7_verify_direct1482593
-Node: OCSP API1484053
-Ref: gnutls_ocsp_req_add_cert1484337
-Ref: gnutls_ocsp_req_add_cert_id1485297
-Ref: gnutls_ocsp_req_deinit1486617
-Ref: gnutls_ocsp_req_export1486834
-Ref: gnutls_ocsp_req_get_cert_id1487259
-Ref: gnutls_ocsp_req_get_extension1488851
-Ref: gnutls_ocsp_req_get_nonce1490267
-Ref: gnutls_ocsp_req_get_version1490921
-Ref: gnutls_ocsp_req_import1491308
-Ref: gnutls_ocsp_req_init1491804
-Ref: gnutls_ocsp_req_print1492132
-Ref: gnutls_ocsp_req_randomize_nonce1492868
-Ref: gnutls_ocsp_req_set_extension1493301
-Ref: gnutls_ocsp_req_set_nonce1493985
-Ref: gnutls_ocsp_resp_check_crt1494572
-Ref: gnutls_ocsp_resp_deinit1495156
-Ref: gnutls_ocsp_resp_export1495380
-Ref: gnutls_ocsp_resp_export21495806
-Ref: gnutls_ocsp_resp_get_certs1496326
-Ref: gnutls_ocsp_resp_get_extension1497451
-Ref: gnutls_ocsp_resp_get_nonce1498875
-Ref: gnutls_ocsp_resp_get_produced1499541
-Ref: gnutls_ocsp_resp_get_responder1499888
-Ref: gnutls_ocsp_resp_get_responder21500993
-Ref: gnutls_ocsp_resp_get_responder_raw_id1502256
-Ref: gnutls_ocsp_resp_get_response1503087
-Ref: gnutls_ocsp_resp_get_signature1504313
-Ref: gnutls_ocsp_resp_get_signature_algorithm1504802
-Ref: gnutls_ocsp_resp_get_single1505280
-Ref: gnutls_ocsp_resp_get_status1507222
-Ref: gnutls_ocsp_resp_get_version1507651
-Ref: gnutls_ocsp_resp_import1508059
-Ref: gnutls_ocsp_resp_import21508627
-Ref: gnutls_ocsp_resp_init1509255
-Ref: gnutls_ocsp_resp_list_import21509604
-Ref: gnutls_ocsp_resp_print1510795
-Ref: gnutls_ocsp_resp_verify1511521
-Ref: gnutls_ocsp_resp_verify_direct1513138
-Node: PKCS 12 API1515571
-Ref: gnutls_pkcs12_bag_decrypt1515861
-Ref: gnutls_pkcs12_bag_deinit1516293
-Ref: gnutls_pkcs12_bag_enc_info1516531
-Ref: gnutls_pkcs12_bag_encrypt1517904
-Ref: gnutls_pkcs12_bag_get_count1518409
-Ref: gnutls_pkcs12_bag_get_data1518720
-Ref: gnutls_pkcs12_bag_get_friendly_name1519326
-Ref: gnutls_pkcs12_bag_get_key_id1519963
-Ref: gnutls_pkcs12_bag_get_type1520582
-Ref: gnutls_pkcs12_bag_init1520952
-Ref: gnutls_pkcs12_bag_set_crl1521410
-Ref: gnutls_pkcs12_bag_set_crt1521843
-Ref: gnutls_pkcs12_bag_set_data1522289
-Ref: gnutls_pkcs12_bag_set_friendly_name1522760
-Ref: gnutls_pkcs12_bag_set_key_id1523444
-Ref: gnutls_pkcs12_bag_set_privkey1524118
-Ref: gnutls_pkcs12_deinit1524774
-Ref: gnutls_pkcs12_export1524976
-Ref: gnutls_pkcs12_export21525883
-Ref: gnutls_pkcs12_generate_mac1526559
-Ref: gnutls_pkcs12_generate_mac21526950
-Ref: gnutls_pkcs12_get_bag1527394
-Ref: gnutls_pkcs12_import1527980
-Ref: gnutls_pkcs12_init1528701
-Ref: gnutls_pkcs12_mac_info1529134
-Ref: gnutls_pkcs12_set_bag1530443
-Ref: gnutls_pkcs12_simple_parse1530849
-Ref: gnutls_pkcs12_verify_mac1533530
-Node: PKCS 11 API1533886
-Ref: gnutls_pkcs11_add_provider1534215
-Ref: gnutls_pkcs11_copy_attached_extension1534960
-Ref: gnutls_pkcs11_copy_pubkey1535819
-Ref: gnutls_pkcs11_copy_secret_key1536852
-Ref: gnutls_pkcs11_copy_x509_crt1537577
-Ref: gnutls_pkcs11_copy_x509_crt21538225
-Ref: gnutls_pkcs11_copy_x509_privkey1539193
-Ref: gnutls_pkcs11_copy_x509_privkey21540010
-Ref: gnutls_pkcs11_crt_is_known1540955
-Ref: gnutls_pkcs11_deinit1542091
-Ref: gnutls_pkcs11_delete_url1542408
-Ref: gnutls_pkcs11_get_pin_function1542924
-Ref: gnutls_pkcs11_get_raw_issuer1543307
-Ref: gnutls_pkcs11_get_raw_issuer_by_dn1544217
-Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1545256
-Ref: gnutls_pkcs11_init1546367
-Ref: gnutls_pkcs11_obj_deinit1547409
-Ref: gnutls_pkcs11_obj_export1547655
-Ref: gnutls_pkcs11_obj_export21548500
-Ref: gnutls_pkcs11_obj_export31549097
-Ref: gnutls_pkcs11_obj_export_url1549770
-Ref: gnutls_pkcs11_obj_flags_get_str1550297
-Ref: gnutls_pkcs11_obj_get_exts1550776
-Ref: gnutls_pkcs11_obj_get_flags1551712
-Ref: gnutls_pkcs11_obj_get_info1552249
-Ref: gnutls_pkcs11_obj_get_ptr1553513
-Ref: gnutls_pkcs11_obj_get_type1554422
-Ref: gnutls_pkcs11_obj_import_url1554772
-Ref: gnutls_pkcs11_obj_init1555692
-Ref: gnutls_pkcs11_obj_list_import_url31556077
-Ref: gnutls_pkcs11_obj_list_import_url41558018
-Ref: gnutls_pkcs11_obj_set_info1559694
-Ref: gnutls_pkcs11_obj_set_pin_function1560473
-Ref: gnutls_pkcs11_privkey_cpy1560984
-Ref: gnutls_pkcs11_privkey_deinit1561485
-Ref: gnutls_pkcs11_privkey_export_pubkey1561748
-Ref: gnutls_pkcs11_privkey_export_url1562552
-Ref: gnutls_pkcs11_privkey_generate1563062
-Ref: gnutls_pkcs11_privkey_generate21563734
-Ref: gnutls_pkcs11_privkey_generate31564964
-Ref: gnutls_pkcs11_privkey_get_info1566474
-Ref: gnutls_pkcs11_privkey_get_pk_algorithm1567356
-Ref: gnutls_pkcs11_privkey_import_url1567887
-Ref: gnutls_pkcs11_privkey_init1568588
-Ref: gnutls_pkcs11_privkey_set_pin_function1569303
-Ref: gnutls_pkcs11_privkey_status1569823
-Ref: gnutls_pkcs11_reinit1570199
-Ref: gnutls_pkcs11_set_pin_function1570759
-Ref: gnutls_pkcs11_set_token_function1571249
-Ref: gnutls_pkcs11_token_check_mechanism1571667
-Ref: gnutls_pkcs11_token_get_flags1572424
-Ref: gnutls_pkcs11_token_get_info1572966
-Ref: gnutls_pkcs11_token_get_mechanism1573989
-Ref: gnutls_pkcs11_token_get_ptr1574602
-Ref: gnutls_pkcs11_token_get_random1575301
-Ref: gnutls_pkcs11_token_get_url1575932
-Ref: gnutls_pkcs11_token_init1576600
-Ref: gnutls_pkcs11_token_set_pin1577238
-Ref: gnutls_pkcs11_type_get_name1578078
-Ref: gnutls_x509_crt_import_pkcs111578567
-Ref: gnutls_x509_crt_list_import_pkcs111579089
-Node: TPM API1579698
-Ref: gnutls_tpm_get_registered1579977
-Ref: gnutls_tpm_key_list_deinit1580370
-Ref: gnutls_tpm_key_list_get_url1580638
-Ref: gnutls_tpm_privkey_delete1581291
-Ref: gnutls_tpm_privkey_generate1581729
-Node: Abstract key API1583079
-Ref: gnutls_certificate_set_key1583400
-Ref: gnutls_certificate_set_retrieve_function21585536
-Ref: gnutls_certificate_set_retrieve_function31587786
-Ref: gnutls_pcert_deinit1590646
-Ref: gnutls_pcert_export_openpgp1590891
-Ref: gnutls_pcert_export_x5091591240
-Ref: gnutls_pcert_import_openpgp1591890
-Ref: gnutls_pcert_import_openpgp_raw1592289
-Ref: gnutls_pcert_import_rawpk1592858
-Ref: gnutls_pcert_import_rawpk_raw1593711
-Ref: gnutls_pcert_import_x5091594960
-Ref: gnutls_pcert_import_x509_list1595557
-Ref: gnutls_pcert_import_x509_raw1596747
-Ref: gnutls_pcert_list_import_x509_file1597453
-Ref: gnutls_pcert_list_import_x509_raw1598885
-Ref: gnutls_privkey_decrypt_data1600219
-Ref: gnutls_privkey_decrypt_data21600867
-Ref: gnutls_privkey_deinit1601692
-Ref: gnutls_privkey_export_dsa_raw1601941
-Ref: gnutls_privkey_export_dsa_raw21602671
-Ref: gnutls_privkey_export_ecc_raw1603477
-Ref: gnutls_privkey_export_ecc_raw21604339
-Ref: gnutls_privkey_export_gost_raw21605281
-Ref: gnutls_privkey_export_openpgp1606415
-Ref: gnutls_privkey_export_pkcs111606767
-Ref: gnutls_privkey_export_rsa_raw1607379
-Ref: gnutls_privkey_export_rsa_raw21608410
-Ref: gnutls_privkey_export_x5091609456
-Ref: gnutls_privkey_generate1610104
-Ref: gnutls_privkey_generate21611595
-Ref: gnutls_privkey_get_pk_algorithm1613723
-Ref: gnutls_privkey_get_seed1614337
-Ref: gnutls_privkey_get_spki1615136
-Ref: gnutls_privkey_get_type1615716
-Ref: gnutls_privkey_import_dsa_raw1616205
-Ref: gnutls_privkey_import_ecc_raw1616917
-Ref: gnutls_privkey_import_ext1617730
-Ref: gnutls_privkey_import_ext21618880
-Ref: gnutls_privkey_import_ext31620237
-Ref: gnutls_privkey_import_ext41621851
-Ref: gnutls_privkey_import_gost_raw1624611
-Ref: gnutls_privkey_import_openpgp1625819
-Ref: gnutls_privkey_import_openpgp_raw1626228
-Ref: gnutls_privkey_import_pkcs111626817
-Ref: gnutls_privkey_import_pkcs11_url1627575
-Ref: gnutls_privkey_import_rsa_raw1628024
-Ref: gnutls_privkey_import_tpm_raw1629020
-Ref: gnutls_privkey_import_tpm_url1629887
-Ref: gnutls_privkey_import_url1630990
-Ref: gnutls_privkey_import_x5091631537
-Ref: gnutls_privkey_import_x509_raw1632285
-Ref: gnutls_privkey_init1633064
-Ref: gnutls_privkey_set_flags1633982
-Ref: gnutls_privkey_set_pin_function1634507
-Ref: gnutls_privkey_set_spki1635077
-Ref: gnutls_privkey_sign_data1635650
-Ref: gnutls_privkey_sign_data21636670
-Ref: gnutls_privkey_sign_hash1637568
-Ref: gnutls_privkey_sign_hash21639005
-Ref: gnutls_privkey_status1640271
-Ref: gnutls_privkey_verify_params1640815
-Ref: gnutls_privkey_verify_seed1641177
-Ref: gnutls_pubkey_deinit1641889
-Ref: gnutls_pubkey_encrypt_data1642129
-Ref: gnutls_pubkey_export1642771
-Ref: gnutls_pubkey_export21643785
-Ref: gnutls_pubkey_export_dsa_raw1644558
-Ref: gnutls_pubkey_export_dsa_raw21645370
-Ref: gnutls_pubkey_export_ecc_raw1646254
-Ref: gnutls_pubkey_export_ecc_raw21647153
-Ref: gnutls_pubkey_export_ecc_x9621648132
-Ref: gnutls_pubkey_export_gost_raw21648791
-Ref: gnutls_pubkey_export_rsa_raw1649935
-Ref: gnutls_pubkey_export_rsa_raw21650632
-Ref: gnutls_pubkey_get_key_id1651393
-Ref: gnutls_pubkey_get_key_usage1652418
-Ref: gnutls_pubkey_get_openpgp_key_id1652915
-Ref: gnutls_pubkey_get_pk_algorithm1653554
-Ref: gnutls_pubkey_get_preferred_hash_algorithm1654202
-Ref: gnutls_pubkey_get_spki1655143
-Ref: gnutls_pubkey_import1655711
-Ref: gnutls_pubkey_import_dsa_raw1656395
-Ref: gnutls_pubkey_import_ecc_raw1657056
-Ref: gnutls_pubkey_import_ecc_x9621657824
-Ref: gnutls_pubkey_import_gost_raw1658460
-Ref: gnutls_pubkey_import_openpgp1659607
-Ref: gnutls_pubkey_import_openpgp_raw1659999
-Ref: gnutls_pubkey_import_pkcs111660568
-Ref: gnutls_pubkey_import_privkey1661110
-Ref: gnutls_pubkey_import_rsa_raw1661812
-Ref: gnutls_pubkey_import_tpm_raw1662336
-Ref: gnutls_pubkey_import_tpm_url1663113
-Ref: gnutls_pubkey_import_url1664005
-Ref: gnutls_pubkey_import_x5091664478
-Ref: gnutls_pubkey_import_x509_crq1664978
-Ref: gnutls_pubkey_import_x509_raw1665481
-Ref: gnutls_pubkey_init1666058
-Ref: gnutls_pubkey_print1666387
-Ref: gnutls_pubkey_set_key_usage1667121
-Ref: gnutls_pubkey_set_pin_function1667690
-Ref: gnutls_pubkey_set_spki1668255
-Ref: gnutls_pubkey_verify_data21668826
-Ref: gnutls_pubkey_verify_hash21669734
-Ref: gnutls_pubkey_verify_params1670858
-Ref: gnutls_register_custom_url1671216
-Ref: gnutls_system_key_add_x5091672154
-Ref: gnutls_system_key_delete1672899
-Ref: gnutls_system_key_iter_deinit1673323
-Ref: gnutls_system_key_iter_get_info1673591
-Ref: gnutls_x509_crl_privkey_sign1674865
-Ref: gnutls_x509_crq_privkey_sign1676134
-Ref: gnutls_x509_crq_set_pubkey1677496
-Ref: gnutls_x509_crt_privkey_sign1678004
-Ref: gnutls_x509_crt_set_pubkey1679247
-Node: Socket specific API1679700
-Ref: gnutls_transport_set_fastopen1679993
-Node: DANE API1681539
-Ref: dane_cert_type_name1681913
-Ref: dane_cert_usage_name1682203
-Ref: dane_match_type_name1682515
-Ref: dane_query_data1682798
-Ref: dane_query_deinit1683477
-Ref: dane_query_entries1683682
-Ref: dane_query_status1683924
-Ref: dane_query_tlsa1684218
-Ref: dane_query_to_raw_tlsa1684809
-Ref: dane_raw_tlsa1686151
-Ref: dane_state_deinit1687228
-Ref: dane_state_init1687420
-Ref: dane_state_set_dlv_file1687934
-Ref: dane_strerror1688235
-Ref: dane_verification_status_print1688734
-Ref: dane_verify_crt1689328
-Ref: dane_verify_crt_raw1691515
-Ref: dane_verify_session_crt1692748
-Node: Cryptographic API1694150
-Ref: gnutls_aead_cipher_decrypt1694651
-Ref: gnutls_aead_cipher_decryptv21696030
-Ref: gnutls_aead_cipher_deinit1696955
-Ref: gnutls_aead_cipher_encrypt1697283
-Ref: gnutls_aead_cipher_encryptv1698392
-Ref: gnutls_aead_cipher_encryptv21699540
-Ref: gnutls_aead_cipher_init1700468
-Ref: gnutls_cipher_add_auth1701134
-Ref: gnutls_cipher_decrypt1701714
-Ref: gnutls_cipher_decrypt21702338
-Ref: gnutls_cipher_deinit1703264
-Ref: gnutls_cipher_encrypt1703543
-Ref: gnutls_cipher_encrypt21704003
-Ref: gnutls_cipher_get_block_size1704780
-Ref: gnutls_cipher_get_iv_size1705060
-Ref: gnutls_cipher_get_tag_size1705542
-Ref: gnutls_cipher_init1705948
-Ref: gnutls_cipher_set_iv1706678
-Ref: gnutls_cipher_tag1707023
-Ref: gnutls_crypto_register_aead_cipher1707525
-Ref: gnutls_crypto_register_cipher1709129
-Ref: gnutls_crypto_register_digest1710910
-Ref: gnutls_crypto_register_mac1712134
-Ref: gnutls_decode_ber_digest_info1713562
-Ref: gnutls_decode_gost_rs_value1714361
-Ref: gnutls_decode_rs_value1715161
-Ref: gnutls_encode_ber_digest_info1715946
-Ref: gnutls_encode_gost_rs_value1716590
-Ref: gnutls_encode_rs_value1717336
-Ref: gnutls_hash1717956
-Ref: gnutls_hash_copy1718387
-Ref: gnutls_hash_deinit1718904
-Ref: gnutls_hash_fast1719232
-Ref: gnutls_hash_get_len1719749
-Ref: gnutls_hash_init1720082
-Ref: gnutls_hash_output1720618
-Ref: gnutls_hkdf_expand1720950
-Ref: gnutls_hkdf_extract1721653
-Ref: gnutls_hmac1722196
-Ref: gnutls_hmac_copy1722627
-Ref: gnutls_hmac_deinit1723108
-Ref: gnutls_hmac_fast1723435
-Ref: gnutls_hmac_get_key_size1724159
-Ref: gnutls_hmac_get_len1724620
-Ref: gnutls_hmac_init1724950
-Ref: gnutls_hmac_output1725733
-Ref: gnutls_hmac_set_nonce1726068
-Ref: gnutls_mac_get_nonce_size1726435
-Ref: gnutls_pbkdf21726751
-Ref: gnutls_rnd1727384
-Ref: gnutls_rnd_refresh1728022
-Node: Compatibility API1728308
-Ref: gnutls_compression_get1728650
-Ref: gnutls_compression_get_id1729002
-Ref: gnutls_compression_get_name1729366
-Ref: gnutls_compression_list1729748
-Ref: gnutls_global_set_mem_functions1730080
-Ref: gnutls_openpgp_privkey_sign_hash1731455
-Ref: gnutls_priority_compression_list1731884
-Ref: gnutls_x509_crt_get_preferred_hash_algorithm1732336
-Ref: gnutls_x509_privkey_sign_hash1733217
-Node: Copying Information1734087
-Node: Bibliography1759264
-Ref: CBCATT1759403
-Ref: GPGH1759581
-Ref: GUTPKI1759704
-Ref: PRNGATTACKS1759879
-Ref: KEYPIN1760079
-Ref: NISTSP800571760254
-Ref: RFC74131760502
-Ref: RFC79181760669
-Ref: RFC61251760846
-Ref: RFC76851761187
-Ref: RFC76131761362
-Ref: RFC22461761610
-Ref: RFC60831761771
-Ref: RFC44181762008
-Ref: RFC46801762175
-Ref: RFC76331762333
-Ref: RFC79191762505
-Ref: RFC45141762709
-Ref: RFC43461762913
-Ref: RFC43471763063
-Ref: RFC52461763230
-Ref: RFC24401763381
-Ref: RFC48801763563
-Ref: RFC42111763757
-Ref: RFC28171763951
-Ref: RFC28181764104
-Ref: RFC29451764218
-Ref: RFC73011764368
-Ref: RFC29861764588
-Ref: PKIX1764777
-Ref: RFC37491765040
-Ref: RFC38201765206
-Ref: RFC65201765449
-Ref: RFC57461765688
-Ref: RFC52801765897
-Ref: TLSTKT1766164
-Ref: PKCS121766396
-Ref: PKCS111766537
-Ref: RESCORLA1766683
-Ref: SELKEY1766779
-Ref: SSL31766938
-Ref: STEVENS1767129
-Ref: TLSEXT1767237
-Ref: TLSPGP1767454
-Ref: TLSSRP1767619
-Ref: TLSPSK1767816
-Ref: TOMSRP1767985
-Ref: WEGER1768098
-Ref: ECRYPT1768290
-Ref: RFC50561768495
-Ref: RFC57641768648
-Ref: RFC59291768936
-Ref: PKCS11URI1769079
-Ref: TPMURI1769215
-Ref: ANDERSON1769409
-Ref: RFC48211769555
-Ref: RFC25601769708
-Ref: RIVESTCRL1769902
-Node: Function and Data Index1770263
-Node: Concept Index1896190
+Ref: p11tool id313760
+Ref: p11tool mark-wrap314017
+Ref: p11tool mark-trusted314264
+Ref: p11tool mark-distrusted314628
+Ref: p11tool mark-decrypt315082
+Ref: p11tool mark-sign315359
+Ref: p11tool mark-ca315636
+Ref: p11tool mark-private315909
+Ref: p11tool ca316207
+Ref: p11tool private316341
+Ref: p11tool secret-key316496
+Ref: p11tool other-options316659
+Ref: p11tool debug316761
+Ref: p11tool so-login316902
+Ref: p11tool admin-login317146
+Ref: p11tool test-sign317287
+Ref: p11tool sign-params317581
+Ref: p11tool hash317921
+Ref: p11tool generate-random318217
+Ref: p11tool inder318391
+Ref: p11tool inraw318616
+Ref: p11tool outder318742
+Ref: p11tool outraw318994
+Ref: p11tool provider319127
+Ref: p11tool provider-opts319336
+Ref: p11tool batch319609
+Ref: p11tool exit status319762
+Ref: p11tool See Also319992
+Ref: p11tool Examples320040
+Node: Trusted Platform Module322461
+Ref: Trusted Platform Module-Footnote-1324254
+Ref: Trusted Platform Module-Footnote-2324302
+Node: Keys in TPM324359
+Node: Key generation325843
+Node: Using keys328111
+Node: tpmtool Invocation331756
+Ref: tpmtool usage332182
+Ref: tpmtool debug335494
+Ref: tpmtool generate-rsa335635
+Ref: tpmtool user335906
+Ref: tpmtool system336265
+Ref: tpmtool test-sign336619
+Ref: tpmtool sec-param336902
+Ref: tpmtool inder337228
+Ref: tpmtool outder337529
+Ref: tpmtool srk-well-known337748
+Ref: tpmtool exit status337904
+Ref: tpmtool See Also338134
+Ref: tpmtool Examples338195
+Node: How to use GnuTLS in applications338812
+Node: Introduction to the library339381
+Node: General idea339980
+Ref: fig-gnutls-design340829
+Ref: General idea-Footnote-1342134
+Node: Error handling342179
+Node: Common types344406
+Node: Debugging and auditing345740
+Ref: tab:environment346611
+Node: Thread safety349478
+Ref: Thread safety-Footnote-1351624
+Node: Running in a sandbox351836
+Node: Sessions and fork353230
+Node: Callback functions353782
+Node: Preparation354750
+Node: Headers355169
+Node: Initialization355458
+Ref: Initialization-Footnote-1356452
+Node: Version check356745
+Node: Building the source357620
+Node: Session initialization359731
+Ref: gnutls_init_flags_t361208
+Node: Associating the credentials368221
+Ref: tab:key-exchange-cred368997
+Node: Certificate credentials370128
+Node: Raw public-key credentials385713
+Node: SRP credentials387013
+Node: PSK credentials391911
+Node: Anonymous credentials395846
+Node: Setting up the transport layer396692
+Node: Asynchronous operation406245
+Node: Reducing round-trips410546
+Node: Zero-roundtrip mode413986
+Node: Anti-replay protection416191
+Node: DTLS sessions419836
+Ref: DTLS sessions-Footnote-1422140
+Node: DTLS and SCTP422217
+Node: TLS handshake423237
+Node: Data transfer and termination427155
+Node: Buffered data transfer436297
+Node: Handling alerts438098
+Node: Priority Strings441480
+Ref: tab:prio-keywords444080
+Ref: tab:prio-algorithms451158
+Ref: tab:prio-special1456588
+Ref: tab:prio-special2460435
+Ref: Priority Strings-Footnote-1467056
+Node: Selecting cryptographic key sizes467278
+Ref: tab:key-sizes467927
+Node: Advanced topics472676
+Node: Virtual hosts and credentials473174
+Node: Session resumption476499
+Node: Certificate verification484406
+Ref: dane_verify_status_t494127
+Node: TLS 1.2 re-authentication494532
+Node: TLS 1.3 re-authentication and re-key499389
+Node: Parameter generation501048
+Node: Deriving keys for other applications/protocols503695
+Node: Channel Bindings506925
+Node: Interoperability508464
+Node: Compatibility with the OpenSSL library509782
+Node: GnuTLS application examples510509
+Ref: examples510728
+Node: Client examples511021
+Node: Client example with X.509 certificate support511548
+Ref: ex-verify511786
+Node: Datagram TLS client example516830
+Node: Client using a smart card with TLS521235
+Ref: ex-pkcs11-client521472
+Node: Client with Resume capability example526767
+Ref: ex-resume-client527051
+Node: Client example with SSH-style certificate verification532238
+Node: Server examples536445
+Node: Echo server with X.509 authentication536799
+Node: DTLS echo server with X.509 authentication544523
+Node: More advanced client and servers558934
+Node: Client example with anonymous authentication559791
+Node: Using a callback to select the certificate to use563715
+Node: Obtaining session information570098
+Node: Advanced certificate verification example574311
+Ref: ex-verify2574587
+Node: Client example with PSK authentication580017
+Node: Client example with SRP authentication584383
+Node: Legacy client example with X.509 certificate support588667
+Ref: ex-verify-legacy588984
+Node: Client example in C++594937
+Node: Echo server with PSK authentication597509
+Node: Echo server with SRP authentication606240
+Node: Echo server with anonymous authentication613158
+Node: Helper functions for TCP connections618486
+Node: Helper functions for UDP connections620078
+Node: OCSP example621983
+Ref: Generate OCSP request622166
+Node: Miscellaneous examples631773
+Node: Checking for an alert632099
+Node: X.509 certificate parsing example633548
+Ref: ex-x509-info633805
+Node: Listing the ciphersuites in a priority string637834
+Node: PKCS12 structure generation example640151
+Node: System-wide configuration of the library644356
+Node: Application-specific priority strings646183
+Node: Disabling algorithms and protocols647631
+Node: Querying for disabled algorithms and protocols653128
+Node: Overriding the parameter verification profile654250
+Node: Overriding the default priority string655252
+Node: Using GnuTLS as a cryptographic library655869
+Ref: Using GnuTLS as a cryptographic library-Footnote-1656725
+Node: Symmetric algorithms656782
+Ref: gnutls_cipher_algorithm_t657542
+Ref: Symmetric algorithms-Footnote-1665972
+Node: Public key algorithms666057
+Node: Cryptographic Message Syntax / PKCS7670779
+Ref: gnutls_pkcs7_sign_flags674218
+Node: Hash and MAC functions675686
+Ref: gnutls_mac_algorithm_t676298
+Ref: gnutls_digest_algorithm_t679670
+Node: Random number generation680721
+Ref: gnutls_rnd_level_t681083
+Node: Overriding algorithms682190
+Node: Other included programs688508
+Node: gnutls-cli Invocation689079
+Ref: gnutls-cli usage689641
+Ref: gnutls-cli debug697391
+Ref: gnutls-cli tofu697532
+Ref: gnutls-cli strict-tofu697995
+Ref: gnutls-cli dane698397
+Ref: gnutls-cli local-dns698740
+Ref: gnutls-cli ca-verification699055
+Ref: gnutls-cli ocsp699410
+Ref: gnutls-cli resume699652
+Ref: gnutls-cli rehandshake699798
+Ref: gnutls-cli sni-hostname699965
+Ref: gnutls-cli verify-hostname700491
+Ref: gnutls-cli starttls700724
+Ref: gnutls-cli app-proto700908
+Ref: gnutls-cli starttls-proto701070
+Ref: gnutls-cli save-ocsp-multi701581
+Ref: gnutls-cli dh-bits702038
+Ref: gnutls-cli priority702389
+Ref: gnutls-cli rawpkkeyfile702767
+Ref: gnutls-cli rawpkfile703224
+Ref: gnutls-cli ranges703765
+Ref: gnutls-cli benchmark-ciphers704015
+Ref: gnutls-cli benchmark-tls-ciphers704333
+Ref: gnutls-cli list704652
+Ref: gnutls-cli priority-list705019
+Ref: gnutls-cli noticket705265
+Ref: gnutls-cli alpn705426
+Ref: gnutls-cli disable-extensions705735
+Ref: gnutls-cli single-key-share705967
+Ref: gnutls-cli post-handshake-auth706183
+Ref: gnutls-cli inline-commands706380
+Ref: gnutls-cli inline-commands-prefix706700
+Ref: gnutls-cli provider707103
+Ref: gnutls-cli logfile707300
+Ref: gnutls-cli waitresumption707657
+Ref: gnutls-cli ca-auto-retrieve707914
+Ref: gnutls-cli exit status708318
+Ref: gnutls-cli See Also708554
+Ref: gnutls-cli Examples708631
+Node: gnutls-serv Invocation712838
+Ref: gnutls-serv usage713315
+Ref: gnutls-serv debug718835
+Ref: gnutls-serv sni-hostname718976
+Ref: gnutls-serv alpn719308
+Ref: gnutls-serv require-client-cert719595
+Ref: gnutls-serv verify-client-cert719839
+Ref: gnutls-serv heartbeat720068
+Ref: gnutls-serv priority720219
+Ref: gnutls-serv x509keyfile720588
+Ref: gnutls-serv x509certfile721105
+Ref: gnutls-serv x509dsakeyfile721622
+Ref: gnutls-serv x509dsacertfile721786
+Ref: gnutls-serv x509ecckeyfile721953
+Ref: gnutls-serv x509ecccertfile722115
+Ref: gnutls-serv rawpkkeyfile722282
+Ref: gnutls-serv rawpkfile723101
+Ref: gnutls-serv ocsp-response723956
+Ref: gnutls-serv ignore-ocsp-response-errors724273
+Ref: gnutls-serv list724520
+Ref: gnutls-serv provider724758
+Ref: gnutls-serv exit status724955
+Ref: gnutls-serv See Also725193
+Ref: gnutls-serv Examples725271
+Node: gnutls-cli-debug Invocation730579
+Ref: gnutls-cli-debug usage731401
+Ref: gnutls-cli-debug debug733656
+Ref: gnutls-cli-debug app-proto733797
+Ref: gnutls-cli-debug starttls-proto733965
+Ref: gnutls-cli-debug exit status734344
+Ref: gnutls-cli-debug See Also734592
+Ref: gnutls-cli-debug Examples734675
+Node: Internal architecture of GnuTLS738172
+Node: The TLS Protocol738778
+Ref: fig-client-server739254
+Node: TLS Handshake Protocol739344
+Ref: fig-gnutls-handshake739786
+Ref: fig-gnutls-handshake-sequence740295
+Node: TLS Authentication Methods740393
+Ref: TLS Authentication Methods-Footnote-1742697
+Node: TLS Hello Extension Handling742763
+Node: Cryptographic Backend755865
+Ref: fig-crypto-layers756548
+Ref: Cryptographic Backend-Footnote-1759830
+Ref: Cryptographic Backend-Footnote-2759915
+Node: Random Number Generators-internals760023
+Node: FIPS140-2 mode767387
+Ref: gnutls_fips_mode_t770023
+Node: Upgrading from previous versions772170
+Node: Support786164
+Node: Getting help786412
+Node: Commercial Support787000
+Node: Bug Reports787271
+Node: Contributing788635
+Node: Certification790661
+Node: Error codes791125
+Node: Supported ciphersuites815758
+Ref: ciphersuites815931
+Node: API reference830975
+Node: Core TLS API831385
+Ref: gnutls_alert_get831612
+Ref: gnutls_alert_get_name832231
+Ref: gnutls_alert_get_strname832616
+Ref: gnutls_alert_send832951
+Ref: gnutls_alert_send_appropriate833829
+Ref: gnutls_alert_set_read_function834796
+Ref: gnutls_alpn_get_selected_protocol835180
+Ref: gnutls_alpn_set_protocols835844
+Ref: gnutls_anon_allocate_client_credentials836681
+Ref: gnutls_anon_allocate_server_credentials837066
+Ref: gnutls_anon_free_client_credentials837443
+Ref: gnutls_anon_free_server_credentials837732
+Ref: gnutls_anon_set_params_function838013
+Ref: gnutls_anon_set_server_dh_params838689
+Ref: gnutls_anon_set_server_known_dh_params839349
+Ref: gnutls_anon_set_server_params_function840258
+Ref: gnutls_anti_replay_deinit840921
+Ref: gnutls_anti_replay_enable841235
+Ref: gnutls_anti_replay_init841583
+Ref: gnutls_anti_replay_set_add_function842111
+Ref: gnutls_anti_replay_set_ptr843129
+Ref: gnutls_anti_replay_set_window843464
+Ref: gnutls_auth_client_get_type844232
+Ref: gnutls_auth_get_type844859
+Ref: gnutls_auth_server_get_type845671
+Ref: gnutls_base64_decode2846300
+Ref: gnutls_base64_encode2846856
+Ref: gnutls_buffer_append_data847476
+Ref: gnutls_bye847874
+Ref: gnutls_certificate_activation_time_peers849475
+Ref: gnutls_certificate_allocate_credentials849893
+Ref: gnutls_certificate_client_get_request_status850290
+Ref: gnutls_certificate_expiration_time_peers850698
+Ref: gnutls_certificate_free_ca_names851102
+Ref: gnutls_certificate_free_cas851771
+Ref: gnutls_certificate_free_credentials852174
+Ref: gnutls_certificate_free_crls852608
+Ref: gnutls_certificate_free_keys852908
+Ref: gnutls_certificate_get_crt_raw853342
+Ref: gnutls_certificate_get_issuer854413
+Ref: gnutls_certificate_get_ocsp_expiration855496
+Ref: gnutls_certificate_get_ours856667
+Ref: gnutls_certificate_get_peers857497
+Ref: gnutls_certificate_get_peers_subkey_id858620
+Ref: gnutls_certificate_get_verify_flags858976
+Ref: gnutls_certificate_get_x509_crt859389
+Ref: gnutls_certificate_get_x509_key861033
+Ref: gnutls_certificate_send_x509_rdn_sequence862348
+Ref: gnutls_certificate_server_set_request863055
+Ref: gnutls_certificate_set_dh_params863845
+Ref: gnutls_certificate_set_flags864664
+Ref: gnutls_certificate_set_known_dh_params865189
+Ref: gnutls_certificate_set_ocsp_status_request_file866117
+Ref: gnutls_certificate_set_ocsp_status_request_file2868023
+Ref: gnutls_certificate_set_ocsp_status_request_function869541
+Ref: gnutls_certificate_set_ocsp_status_request_function2871029
+Ref: gnutls_certificate_set_ocsp_status_request_mem872995
+Ref: gnutls_certificate_set_params_function874770
+Ref: gnutls_certificate_set_pin_function875467
+Ref: gnutls_certificate_set_rawpk_key_file876120
+Ref: gnutls_certificate_set_rawpk_key_mem879424
+Ref: gnutls_certificate_set_retrieve_function882571
+Ref: gnutls_certificate_set_verify_flags884701
+Ref: gnutls_certificate_set_verify_function885194
+Ref: gnutls_certificate_set_verify_limits886258
+Ref: gnutls_certificate_set_x509_crl886939
+Ref: gnutls_certificate_set_x509_crl_file887767
+Ref: gnutls_certificate_set_x509_crl_mem888548
+Ref: gnutls_certificate_set_x509_key889325
+Ref: gnutls_certificate_set_x509_key_file890993
+Ref: gnutls_certificate_set_x509_key_file2893229
+Ref: gnutls_certificate_set_x509_key_mem895763
+Ref: gnutls_certificate_set_x509_key_mem2897411
+Ref: gnutls_certificate_set_x509_simple_pkcs12_file899224
+Ref: gnutls_certificate_set_x509_simple_pkcs12_mem901354
+Ref: gnutls_certificate_set_x509_system_trust903454
+Ref: gnutls_certificate_set_x509_trust904024
+Ref: gnutls_certificate_set_x509_trust_dir905004
+Ref: gnutls_certificate_set_x509_trust_file905742
+Ref: gnutls_certificate_set_x509_trust_mem906918
+Ref: gnutls_certificate_type_get907861
+Ref: gnutls_certificate_type_get2908708
+Ref: gnutls_certificate_type_get_id910093
+Ref: gnutls_certificate_type_get_name910490
+Ref: gnutls_certificate_type_list910873
+Ref: gnutls_certificate_verification_status_print911227
+Ref: gnutls_certificate_verify_peers911985
+Ref: gnutls_certificate_verify_peers2914781
+Ref: gnutls_certificate_verify_peers3916696
+Ref: gnutls_check_version919006
+Ref: gnutls_cipher_get919748
+Ref: gnutls_cipher_get_id920053
+Ref: gnutls_cipher_get_key_size920435
+Ref: gnutls_cipher_get_name920799
+Ref: gnutls_cipher_list921146
+Ref: gnutls_cipher_suite_get_name921706
+Ref: gnutls_cipher_suite_info922574
+Ref: gnutls_credentials_clear923757
+Ref: gnutls_credentials_get923985
+Ref: gnutls_credentials_set924940
+Ref: gnutls_db_check_entry926304
+Ref: gnutls_db_check_entry_expire_time926761
+Ref: gnutls_db_check_entry_time927167
+Ref: gnutls_db_get_default_cache_expiration927558
+Ref: gnutls_db_get_ptr927753
+Ref: gnutls_db_remove_session928065
+Ref: gnutls_db_set_cache_expiration928602
+Ref: gnutls_db_set_ptr929023
+Ref: gnutls_db_set_remove_function929358
+Ref: gnutls_db_set_retrieve_function929861
+Ref: gnutls_db_set_store_function930547
+Ref: gnutls_deinit931014
+Ref: gnutls_dh_get_group931353
+Ref: gnutls_dh_get_peers_public_bits932205
+Ref: gnutls_dh_get_prime_bits932649
+Ref: gnutls_dh_get_pubkey933289
+Ref: gnutls_dh_get_secret_bits933987
+Ref: gnutls_dh_params_cpy934419
+Ref: gnutls_dh_params_deinit934927
+Ref: gnutls_dh_params_export2_pkcs3935168
+Ref: gnutls_dh_params_export_pkcs3935989
+Ref: gnutls_dh_params_export_raw937008
+Ref: gnutls_dh_params_generate2937761
+Ref: gnutls_dh_params_import_dsa939015
+Ref: gnutls_dh_params_import_pkcs3939492
+Ref: gnutls_dh_params_import_raw940231
+Ref: gnutls_dh_params_import_raw2940861
+Ref: gnutls_dh_params_import_raw3941575
+Ref: gnutls_dh_params_init942275
+Ref: gnutls_dh_set_prime_bits942606
+Ref: gnutls_digest_get_id943709
+Ref: gnutls_digest_get_name944135
+Ref: gnutls_digest_get_oid944481
+Ref: gnutls_digest_list944872
+Ref: gnutls_digest_mark_insecure945251
+Ref: gnutls_digest_mark_secure945570
+Ref: gnutls_early_cipher_get945923
+Ref: gnutls_early_prf_hash_get946296
+Ref: gnutls_ecc_curve_get946714
+Ref: gnutls_ecc_curve_get_id947115
+Ref: gnutls_ecc_curve_get_name947496
+Ref: gnutls_ecc_curve_get_oid947830
+Ref: gnutls_ecc_curve_get_pk948175
+Ref: gnutls_ecc_curve_get_size948479
+Ref: gnutls_ecc_curve_list948708
+Ref: gnutls_ecc_curve_mark_disabled949049
+Ref: gnutls_ecc_curve_mark_enabled949506
+Ref: gnutls_error_is_fatal949986
+Ref: gnutls_error_to_alert950788
+Ref: gnutls_est_record_overhead_size951520
+Ref: gnutls_ext_get_current_msg952428
+Ref: gnutls_ext_get_data953119
+Ref: gnutls_ext_get_name953634
+Ref: gnutls_ext_get_name2953952
+Ref: gnutls_ext_raw_parse954462
+Ref: gnutls_ext_register955612
+Ref: gnutls_ext_set_data957247
+Ref: gnutls_fingerprint957758
+Ref: gnutls_fips140_mode_enabled958764
+Ref: gnutls_fips140_set_mode959318
+Ref: gnutls_get_system_config_file960371
+Ref: gnutls_global_deinit960747
+Ref: gnutls_global_init961197
+Ref: gnutls_global_set_audit_log_function962472
+Ref: gnutls_global_set_log_function963179
+Ref: gnutls_global_set_log_level963687
+Ref: gnutls_global_set_mutex964175
+Ref: gnutls_global_set_time_function965277
+Ref: gnutls_gost_paramset_get_name965714
+Ref: gnutls_gost_paramset_get_oid966090
+Ref: gnutls_group_get966467
+Ref: gnutls_group_get_id966837
+Ref: gnutls_group_get_name967184
+Ref: gnutls_group_list967504
+Ref: gnutls_handshake967826
+Ref: gnutls_handshake_description_get_name969931
+Ref: gnutls_handshake_get_last_in970319
+Ref: gnutls_handshake_get_last_out970944
+Ref: gnutls_handshake_set_hook_function971576
+Ref: gnutls_handshake_set_max_packet_length972968
+Ref: gnutls_handshake_set_post_client_hello_function973753
+Ref: gnutls_handshake_set_private_extensions975079
+Ref: gnutls_handshake_set_random975758
+Ref: gnutls_handshake_set_read_function976478
+Ref: gnutls_handshake_set_secret_function976879
+Ref: gnutls_handshake_set_timeout977258
+Ref: gnutls_handshake_write977948
+Ref: gnutls_heartbeat_allowed978649
+Ref: gnutls_heartbeat_enable979123
+Ref: gnutls_heartbeat_get_timeout979961
+Ref: gnutls_heartbeat_ping980500
+Ref: gnutls_heartbeat_pong981632
+Ref: gnutls_heartbeat_set_timeouts982039
+Ref: gnutls_hex2bin982810
+Ref: gnutls_hex_decode983529
+Ref: gnutls_hex_decode2984255
+Ref: gnutls_hex_encode984684
+Ref: gnutls_hex_encode2985281
+Ref: gnutls_idna_map985796
+Ref: gnutls_idna_reverse_map986926
+Ref: gnutls_init987691
+Ref: gnutls_key_generate988519
+Ref: gnutls_kx_get988936
+Ref: gnutls_kx_get_id989522
+Ref: gnutls_kx_get_name989866
+Ref: gnutls_kx_list990211
+Ref: gnutls_load_file990539
+Ref: gnutls_mac_get991311
+Ref: gnutls_mac_get_id991616
+Ref: gnutls_mac_get_key_size992029
+Ref: gnutls_mac_get_name992366
+Ref: gnutls_mac_list992685
+Ref: gnutls_memcmp993073
+Ref: gnutls_memset993633
+Ref: gnutls_ocsp_status_request_enable_client994027
+Ref: gnutls_ocsp_status_request_get995038
+Ref: gnutls_ocsp_status_request_get2995700
+Ref: gnutls_ocsp_status_request_is_checked996695
+Ref: gnutls_oid_to_digest998083
+Ref: gnutls_oid_to_ecc_curve998492
+Ref: gnutls_oid_to_gost_paramset998818
+Ref: gnutls_oid_to_mac999229
+Ref: gnutls_oid_to_pk999642
+Ref: gnutls_oid_to_sign1000014
+Ref: gnutls_openpgp_send_cert1000418
+Ref: gnutls_packet_deinit1000720
+Ref: gnutls_packet_get1000994
+Ref: gnutls_pem_base64_decode1001499
+Ref: gnutls_pem_base64_decode21002354
+Ref: gnutls_pem_base64_encode1003349
+Ref: gnutls_pem_base64_encode21004178
+Ref: gnutls_perror1005114
+Ref: gnutls_pk_algorithm_get_name1005410
+Ref: gnutls_pk_bits_to_sec_param1005766
+Ref: gnutls_pk_get_id1006240
+Ref: gnutls_pk_get_name1006758
+Ref: gnutls_pk_get_oid1007126
+Ref: gnutls_pk_list1007525
+Ref: gnutls_pk_to_sign1007858
+Ref: gnutls_prf1008269
+Ref: gnutls_prf_early1010264
+Ref: gnutls_prf_hash_get1011919
+Ref: gnutls_prf_raw1012451
+Ref: gnutls_prf_rfc57051014335
+Ref: gnutls_priority_certificate_type_list1016012
+Ref: gnutls_priority_certificate_type_list21016708
+Ref: gnutls_priority_cipher_list1017324
+Ref: gnutls_priority_deinit1017711
+Ref: gnutls_priority_ecc_curve_list1017954
+Ref: gnutls_priority_get_cipher_suite_index1018486
+Ref: gnutls_priority_group_list1019402
+Ref: gnutls_priority_init1019783
+Ref: gnutls_priority_init21020863
+Ref: gnutls_priority_kx_list1025237
+Ref: gnutls_priority_mac_list1025642
+Ref: gnutls_priority_protocol_list1026047
+Ref: gnutls_priority_set1026449
+Ref: gnutls_priority_set_direct1027104
+Ref: gnutls_priority_sign_list1028037
+Ref: gnutls_priority_string_list1028453
+Ref: gnutls_protocol_get_id1029085
+Ref: gnutls_protocol_get_name1029401
+Ref: gnutls_protocol_get_version1029760
+Ref: gnutls_protocol_list1030058
+Ref: gnutls_protocol_mark_disabled1030410
+Ref: gnutls_protocol_mark_enabled1030727
+Ref: gnutls_psk_allocate_client_credentials1031103
+Ref: gnutls_psk_allocate_server_credentials1031523
+Ref: gnutls_psk_client_get_hint1031919
+Ref: gnutls_psk_free_client_credentials1032546
+Ref: gnutls_psk_free_server_credentials1032829
+Ref: gnutls_psk_server_get_username1033104
+Ref: gnutls_psk_server_get_username21033811
+Ref: gnutls_psk_set_client_credentials1034505
+Ref: gnutls_psk_set_client_credentials21035528
+Ref: gnutls_psk_set_client_credentials_function1036308
+Ref: gnutls_psk_set_client_credentials_function21037311
+Ref: gnutls_psk_set_params_function1038468
+Ref: gnutls_psk_set_server_credentials_file1039148
+Ref: gnutls_psk_set_server_credentials_function1040009
+Ref: gnutls_psk_set_server_credentials_function21040963
+Ref: gnutls_psk_set_server_credentials_hint1042086
+Ref: gnutls_psk_set_server_dh_params1042710
+Ref: gnutls_psk_set_server_known_dh_params1043395
+Ref: gnutls_psk_set_server_params_function1044292
+Ref: gnutls_random_art1044933
+Ref: gnutls_range_split1045795
+Ref: gnutls_reauth1046877
+Ref: gnutls_record_can_use_length_hiding1048979
+Ref: gnutls_record_check_corked1049730
+Ref: gnutls_record_check_pending1050113
+Ref: gnutls_record_cork1050524
+Ref: gnutls_record_disable_padding1050938
+Ref: gnutls_record_discard_queued1051546
+Ref: gnutls_record_get_direction1052163
+Ref: gnutls_record_get_max_early_data_size1053144
+Ref: gnutls_record_get_max_size1053696
+Ref: gnutls_record_get_state1054063
+Ref: gnutls_record_overhead_size1055085
+Ref: gnutls_record_recv1055472
+Ref: gnutls_record_recv_early_data1056922
+Ref: gnutls_record_recv_packet1057984
+Ref: gnutls_record_recv_seq1058863
+Ref: gnutls_record_send1059849
+Ref: gnutls_record_send21061907
+Ref: gnutls_record_send_early_data1063059
+Ref: gnutls_record_send_range1064115
+Ref: gnutls_record_set_max_early_data_size1065294
+Ref: gnutls_record_set_max_recv_size1065940
+Ref: gnutls_record_set_max_size1066644
+Ref: gnutls_record_set_state1067823
+Ref: gnutls_record_set_timeout1068481
+Ref: gnutls_record_uncork1069082
+Ref: gnutls_rehandshake1070022
+Ref: gnutls_safe_renegotiation_status1071804
+Ref: gnutls_sec_param_get_name1072219
+Ref: gnutls_sec_param_to_pk_bits1072593
+Ref: gnutls_sec_param_to_symmetric_bits1073263
+Ref: gnutls_server_name_get1073647
+Ref: gnutls_server_name_set1075119
+Ref: gnutls_session_channel_binding1076277
+Ref: gnutls_session_enable_compatibility_mode1076995
+Ref: gnutls_session_etm_status1077702
+Ref: gnutls_session_ext_master_secret_status1078105
+Ref: gnutls_session_ext_register1078596
+Ref: gnutls_session_force_valid1080858
+Ref: gnutls_session_get_data1081279
+Ref: gnutls_session_get_data21081939
+Ref: gnutls_session_get_desc1084212
+Ref: gnutls_session_get_flags1084734
+Ref: gnutls_session_get_id1085272
+Ref: gnutls_session_get_id21086795
+Ref: gnutls_session_get_keylog_function1088265
+Ref: gnutls_session_get_master_secret1088672
+Ref: gnutls_session_get_ptr1089156
+Ref: gnutls_session_get_random1089551
+Ref: gnutls_session_get_verify_cert_status1090172
+Ref: gnutls_session_is_resumed1090845
+Ref: gnutls_session_key_update1091215
+Ref: gnutls_session_resumption_requested1092163
+Ref: gnutls_session_set_data1092545
+Ref: gnutls_session_set_id1093386
+Ref: gnutls_session_set_keylog_function1094061
+Ref: gnutls_session_set_premaster1094460
+Ref: gnutls_session_set_ptr1095555
+Ref: gnutls_session_set_verify_cert1095955
+Ref: gnutls_session_set_verify_cert21097299
+Ref: gnutls_session_set_verify_function1098483
+Ref: gnutls_session_supplemental_register1099595
+Ref: gnutls_session_ticket_enable_client1100853
+Ref: gnutls_session_ticket_enable_server1101346
+Ref: gnutls_session_ticket_key_generate1102140
+Ref: gnutls_session_ticket_send1102568
+Ref: gnutls_set_default_priority1103152
+Ref: gnutls_set_default_priority_append1104237
+Ref: gnutls_sign_algorithm_get1105579
+Ref: gnutls_sign_algorithm_get_client1106022
+Ref: gnutls_sign_algorithm_get_requested1106489
+Ref: gnutls_sign_get_hash_algorithm1107516
+Ref: gnutls_sign_get_id1107928
+Ref: gnutls_sign_get_name1108291
+Ref: gnutls_sign_get_oid1108623
+Ref: gnutls_sign_get_pk_algorithm1109009
+Ref: gnutls_sign_is_secure1109616
+Ref: gnutls_sign_is_secure21109886
+Ref: gnutls_sign_list1110222
+Ref: gnutls_sign_mark_insecure1110566
+Ref: gnutls_sign_mark_secure1111163
+Ref: gnutls_sign_supports_pk_algorithm1111948
+Ref: gnutls_srp_allocate_client_credentials1112532
+Ref: gnutls_srp_allocate_server_credentials1112933
+Ref: gnutls_srp_base64_decode1113306
+Ref: gnutls_srp_base64_decode21114011
+Ref: gnutls_srp_base64_encode1114679
+Ref: gnutls_srp_base64_encode21115480
+Ref: gnutls_srp_free_client_credentials1116211
+Ref: gnutls_srp_free_server_credentials1116494
+Ref: gnutls_srp_server_get_username1116769
+Ref: gnutls_srp_set_client_credentials1117223
+Ref: gnutls_srp_set_client_credentials_function1118113
+Ref: gnutls_srp_set_prime_bits1119360
+Ref: gnutls_srp_set_server_credentials_file1120045
+Ref: gnutls_srp_set_server_credentials_function1120771
+Ref: gnutls_srp_set_server_fake_salt_seed1122486
+Ref: gnutls_srp_verifier1123989
+Ref: gnutls_srtp_get_keys1124917
+Ref: gnutls_srtp_get_mki1126311
+Ref: gnutls_srtp_get_profile_id1126880
+Ref: gnutls_srtp_get_profile_name1127338
+Ref: gnutls_srtp_get_selected_profile1127759
+Ref: gnutls_srtp_set_mki1128203
+Ref: gnutls_srtp_set_profile1128652
+Ref: gnutls_srtp_set_profile_direct1129184
+Ref: gnutls_store_commitment1129907
+Ref: gnutls_store_pubkey1131206
+Ref: gnutls_strerror1132993
+Ref: gnutls_strerror_name1133478
+Ref: gnutls_supplemental_get_name1133947
+Ref: gnutls_supplemental_recv1134369
+Ref: gnutls_supplemental_register1134839
+Ref: gnutls_supplemental_send1135951
+Ref: gnutls_system_recv_timeout1136396
+Ref: gnutls_tdb_deinit1137138
+Ref: gnutls_tdb_init1137353
+Ref: gnutls_tdb_set_store_commitment_func1137712
+Ref: gnutls_tdb_set_store_func1138393
+Ref: gnutls_tdb_set_verify_func1138982
+Ref: gnutls_transport_get_int1139726
+Ref: gnutls_transport_get_int21140134
+Ref: gnutls_transport_get_ptr1140637
+Ref: gnutls_transport_get_ptr21141053
+Ref: gnutls_transport_set_errno1141587
+Ref: gnutls_transport_set_errno_function1142574
+Ref: gnutls_transport_set_int1143111
+Ref: gnutls_transport_set_int21143665
+Ref: gnutls_transport_set_ptr1144394
+Ref: gnutls_transport_set_ptr21144807
+Ref: gnutls_transport_set_pull_function1145451
+Ref: gnutls_transport_set_pull_timeout_function1146231
+Ref: gnutls_transport_set_push_function1147934
+Ref: gnutls_transport_set_vec_push_function1148779
+Ref: gnutls_url_is_supported1149475
+Ref: gnutls_utf8_password_normalize1149895
+Ref: gnutls_verify_stored_pubkey1150684
+Node: Datagram TLS API1153831
+Ref: gnutls_dtls_cookie_send1154107
+Ref: gnutls_dtls_cookie_verify1155362
+Ref: gnutls_dtls_get_data_mtu1156306
+Ref: gnutls_dtls_get_mtu1156749
+Ref: gnutls_dtls_get_timeout1157192
+Ref: gnutls_dtls_prestate_set1157735
+Ref: gnutls_dtls_set_data_mtu1158319
+Ref: gnutls_dtls_set_mtu1159293
+Ref: gnutls_dtls_set_timeouts1159900
+Ref: gnutls_record_get_discarded1160904
+Node: X509 certificate API1161178
+Ref: gnutls_certificate_get_trust_list1161527
+Ref: gnutls_certificate_set_trust_list1162175
+Ref: gnutls_certificate_verification_profile_get_id1162950
+Ref: gnutls_certificate_verification_profile_get_name1163497
+Ref: gnutls_pkcs8_info1163880
+Ref: gnutls_pkcs_schema_get_name1165398
+Ref: gnutls_pkcs_schema_get_oid1165803
+Ref: gnutls_session_set_verify_output_function1166230
+Ref: gnutls_subject_alt_names_deinit1167387
+Ref: gnutls_subject_alt_names_get1167666
+Ref: gnutls_subject_alt_names_init1168676
+Ref: gnutls_subject_alt_names_set1169056
+Ref: gnutls_x509_aia_deinit1169875
+Ref: gnutls_x509_aia_get1170109
+Ref: gnutls_x509_aia_init1171268
+Ref: gnutls_x509_aia_set1171603
+Ref: gnutls_x509_aki_deinit1172398
+Ref: gnutls_x509_aki_get_cert_issuer1172662
+Ref: gnutls_x509_aki_get_id1173728
+Ref: gnutls_x509_aki_init1174267
+Ref: gnutls_x509_aki_set_cert_issuer1174616
+Ref: gnutls_x509_aki_set_id1175731
+Ref: gnutls_x509_cidr_to_rfc52801176160
+Ref: gnutls_x509_crl_check_issuer1177058
+Ref: gnutls_x509_crl_deinit1177506
+Ref: gnutls_x509_crl_dist_points_deinit1177738
+Ref: gnutls_x509_crl_dist_points_get1178033
+Ref: gnutls_x509_crl_dist_points_init1179007
+Ref: gnutls_x509_crl_dist_points_set1179403
+Ref: gnutls_x509_crl_export1180106
+Ref: gnutls_x509_crl_export21180989
+Ref: gnutls_x509_crl_get_authority_key_gn_serial1181709
+Ref: gnutls_x509_crl_get_authority_key_id1183023
+Ref: gnutls_x509_crl_get_crt_count1184086
+Ref: gnutls_x509_crl_get_crt_serial1184444
+Ref: gnutls_x509_crl_get_dn_oid1185348
+Ref: gnutls_x509_crl_get_extension_data1186154
+Ref: gnutls_x509_crl_get_extension_data21187271
+Ref: gnutls_x509_crl_get_extension_info1188150
+Ref: gnutls_x509_crl_get_extension_oid1189414
+Ref: gnutls_x509_crl_get_issuer_dn1190266
+Ref: gnutls_x509_crl_get_issuer_dn21191267
+Ref: gnutls_x509_crl_get_issuer_dn31192101
+Ref: gnutls_x509_crl_get_issuer_dn_by_oid1193079
+Ref: gnutls_x509_crl_get_next_update1194590
+Ref: gnutls_x509_crl_get_number1195024
+Ref: gnutls_x509_crl_get_raw_issuer_dn1195749
+Ref: gnutls_x509_crl_get_signature1196203
+Ref: gnutls_x509_crl_get_signature_algorithm1196750
+Ref: gnutls_x509_crl_get_signature_oid1197312
+Ref: gnutls_x509_crl_get_this_update1197973
+Ref: gnutls_x509_crl_get_version1198298
+Ref: gnutls_x509_crl_import1198606
+Ref: gnutls_x509_crl_init1199230
+Ref: gnutls_x509_crl_iter_crt_serial1199819
+Ref: gnutls_x509_crl_iter_deinit1200965
+Ref: gnutls_x509_crl_list_import1201210
+Ref: gnutls_x509_crl_list_import21202212
+Ref: gnutls_x509_crl_print1203078
+Ref: gnutls_x509_crl_set_authority_key_id1203727
+Ref: gnutls_x509_crl_set_crt1204380
+Ref: gnutls_x509_crl_set_crt_serial1204953
+Ref: gnutls_x509_crl_set_next_update1205585
+Ref: gnutls_x509_crl_set_number1206202
+Ref: gnutls_x509_crl_set_this_update1206779
+Ref: gnutls_x509_crl_set_version1207183
+Ref: gnutls_x509_crl_sign1207726
+Ref: gnutls_x509_crl_sign21208419
+Ref: gnutls_x509_crl_verify1209655
+Ref: gnutls_x509_crq_deinit1210899
+Ref: gnutls_x509_crq_export1211137
+Ref: gnutls_x509_crq_export21212134
+Ref: gnutls_x509_crq_get_attribute_by_oid1212908
+Ref: gnutls_x509_crq_get_attribute_data1213933
+Ref: gnutls_x509_crq_get_attribute_info1215045
+Ref: gnutls_x509_crq_get_basic_constraints1216242
+Ref: gnutls_x509_crq_get_challenge_password1217495
+Ref: gnutls_x509_crq_get_dn1218107
+Ref: gnutls_x509_crq_get_dn21219056
+Ref: gnutls_x509_crq_get_dn31219913
+Ref: gnutls_x509_crq_get_dn_by_oid1220921
+Ref: gnutls_x509_crq_get_dn_oid1222382
+Ref: gnutls_x509_crq_get_extension_by_oid1223169
+Ref: gnutls_x509_crq_get_extension_by_oid21224326
+Ref: gnutls_x509_crq_get_extension_data1225408
+Ref: gnutls_x509_crq_get_extension_data21226538
+Ref: gnutls_x509_crq_get_extension_info1227417
+Ref: gnutls_x509_crq_get_key_id1228678
+Ref: gnutls_x509_crq_get_key_purpose_oid1229745
+Ref: gnutls_x509_crq_get_key_rsa_raw1230760
+Ref: gnutls_x509_crq_get_key_usage1231384
+Ref: gnutls_x509_crq_get_pk_algorithm1232470
+Ref: gnutls_x509_crq_get_pk_oid1233191
+Ref: gnutls_x509_crq_get_private_key_usage_period1233848
+Ref: gnutls_x509_crq_get_signature_algorithm1234563
+Ref: gnutls_x509_crq_get_signature_oid1235202
+Ref: gnutls_x509_crq_get_spki1235863
+Ref: gnutls_x509_crq_get_subject_alt_name1236423
+Ref: gnutls_x509_crq_get_subject_alt_othername_oid1237981
+Ref: gnutls_x509_crq_get_tlsfeatures1239461
+Ref: gnutls_x509_crq_get_version1240590
+Ref: gnutls_x509_crq_import1240936
+Ref: gnutls_x509_crq_init1241618
+Ref: gnutls_x509_crq_print1241966
+Ref: gnutls_x509_crq_set_attribute_by_oid1242622
+Ref: gnutls_x509_crq_set_basic_constraints1243487
+Ref: gnutls_x509_crq_set_challenge_password1244231
+Ref: gnutls_x509_crq_set_dn1244682
+Ref: gnutls_x509_crq_set_dn_by_oid1245300
+Ref: gnutls_x509_crq_set_extension_by_oid1246430
+Ref: gnutls_x509_crq_set_key1247209
+Ref: gnutls_x509_crq_set_key_purpose_oid1247672
+Ref: gnutls_x509_crq_set_key_rsa_raw1248452
+Ref: gnutls_x509_crq_set_key_usage1249028
+Ref: gnutls_x509_crq_set_private_key_usage_period1249532
+Ref: gnutls_x509_crq_set_spki1250037
+Ref: gnutls_x509_crq_set_subject_alt_name1250908
+Ref: gnutls_x509_crq_set_subject_alt_othername1251734
+Ref: gnutls_x509_crq_set_tlsfeatures1252572
+Ref: gnutls_x509_crq_set_version1253122
+Ref: gnutls_x509_crq_sign1253607
+Ref: gnutls_x509_crq_sign21254378
+Ref: gnutls_x509_crq_verify1255710
+Ref: gnutls_x509_crt_check_email1256303
+Ref: gnutls_x509_crt_check_hostname1256831
+Ref: gnutls_x509_crt_check_hostname21257543
+Ref: gnutls_x509_crt_check_ip1259294
+Ref: gnutls_x509_crt_check_issuer1259908
+Ref: gnutls_x509_crt_check_key_purpose1260646
+Ref: gnutls_x509_crt_check_revocation1261340
+Ref: gnutls_x509_crt_cpy_crl_dist_points1261989
+Ref: gnutls_x509_crt_deinit1262578
+Ref: gnutls_x509_crt_equals1262796
+Ref: gnutls_x509_crt_equals21263178
+Ref: gnutls_x509_crt_export1263602
+Ref: gnutls_x509_crt_export21264513
+Ref: gnutls_x509_crt_get_activation_time1265211
+Ref: gnutls_x509_crt_get_authority_info_access1265589
+Ref: gnutls_x509_crt_get_authority_key_gn_serial1269063
+Ref: gnutls_x509_crt_get_authority_key_id1270504
+Ref: gnutls_x509_crt_get_basic_constraints1271635
+Ref: gnutls_x509_crt_get_ca_status1272849
+Ref: gnutls_x509_crt_get_crl_dist_points1273848
+Ref: gnutls_x509_crt_get_dn1275173
+Ref: gnutls_x509_crt_get_dn21276368
+Ref: gnutls_x509_crt_get_dn31277177
+Ref: gnutls_x509_crt_get_dn_by_oid1278137
+Ref: gnutls_x509_crt_get_dn_oid1279906
+Ref: gnutls_x509_crt_get_expiration_time1280934
+Ref: gnutls_x509_crt_get_extension_by_oid1281300
+Ref: gnutls_x509_crt_get_extension_by_oid21282427
+Ref: gnutls_x509_crt_get_extension_data1283500
+Ref: gnutls_x509_crt_get_extension_data21284589
+Ref: gnutls_x509_crt_get_extension_info1285454
+Ref: gnutls_x509_crt_get_extension_oid1286866
+Ref: gnutls_x509_crt_get_fingerprint1287829
+Ref: gnutls_x509_crt_get_inhibit_anypolicy1288717
+Ref: gnutls_x509_crt_get_issuer1289686
+Ref: gnutls_x509_crt_get_issuer_alt_name1290324
+Ref: gnutls_x509_crt_get_issuer_alt_name21292124
+Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1293706
+Ref: gnutls_x509_crt_get_issuer_dn1295355
+Ref: gnutls_x509_crt_get_issuer_dn21296476
+Ref: gnutls_x509_crt_get_issuer_dn31297323
+Ref: gnutls_x509_crt_get_issuer_dn_by_oid1298314
+Ref: gnutls_x509_crt_get_issuer_dn_oid1300101
+Ref: gnutls_x509_crt_get_issuer_unique_id1301137
+Ref: gnutls_x509_crt_get_key_id1302232
+Ref: gnutls_x509_crt_get_key_purpose_oid1303255
+Ref: gnutls_x509_crt_get_key_usage1304416
+Ref: gnutls_x509_crt_get_name_constraints1305476
+Ref: gnutls_x509_crt_get_pk_algorithm1306884
+Ref: gnutls_x509_crt_get_pk_dsa_raw1307673
+Ref: gnutls_x509_crt_get_pk_ecc_raw1308341
+Ref: gnutls_x509_crt_get_pk_gost_raw1309154
+Ref: gnutls_x509_crt_get_pk_oid1309998
+Ref: gnutls_x509_crt_get_pk_rsa_raw1310624
+Ref: gnutls_x509_crt_get_policy1311202
+Ref: gnutls_x509_crt_get_private_key_usage_period1312148
+Ref: gnutls_x509_crt_get_proxy1312900
+Ref: gnutls_x509_crt_get_raw_dn1313921
+Ref: gnutls_x509_crt_get_raw_issuer_dn1314514
+Ref: gnutls_x509_crt_get_serial1315093
+Ref: gnutls_x509_crt_get_signature1315833
+Ref: gnutls_x509_crt_get_signature_algorithm1316388
+Ref: gnutls_x509_crt_get_signature_oid1317001
+Ref: gnutls_x509_crt_get_spki1317659
+Ref: gnutls_x509_crt_get_subject1318145
+Ref: gnutls_x509_crt_get_subject_alt_name1318788
+Ref: gnutls_x509_crt_get_subject_alt_name21320547
+Ref: gnutls_x509_crt_get_subject_alt_othername_oid1322112
+Ref: gnutls_x509_crt_get_subject_key_id1323752
+Ref: gnutls_x509_crt_get_subject_unique_id1324584
+Ref: gnutls_x509_crt_get_tlsfeatures1325669
+Ref: gnutls_x509_crt_get_version1326781
+Ref: gnutls_x509_crt_import1327108
+Ref: gnutls_x509_crt_import_url1327809
+Ref: gnutls_x509_crt_init1328530
+Ref: gnutls_x509_crt_list_import1328877
+Ref: gnutls_x509_crt_list_import21330244
+Ref: gnutls_x509_crt_list_import_url1331316
+Ref: gnutls_x509_crt_list_verify1332540
+Ref: gnutls_x509_crt_print1334120
+Ref: gnutls_x509_crt_set_activation_time1335012
+Ref: gnutls_x509_crt_set_authority_info_access1335479
+Ref: gnutls_x509_crt_set_authority_key_id1336374
+Ref: gnutls_x509_crt_set_basic_constraints1336956
+Ref: gnutls_x509_crt_set_ca_status1337655
+Ref: gnutls_x509_crt_set_crl_dist_points1338253
+Ref: gnutls_x509_crt_set_crl_dist_points21338905
+Ref: gnutls_x509_crt_set_crq1339604
+Ref: gnutls_x509_crt_set_crq_extension_by_oid1340321
+Ref: gnutls_x509_crt_set_crq_extensions1340957
+Ref: gnutls_x509_crt_set_dn1341423
+Ref: gnutls_x509_crt_set_dn_by_oid1342306
+Ref: gnutls_x509_crt_set_expiration_time1343423
+Ref: gnutls_x509_crt_set_extension_by_oid1343968
+Ref: gnutls_x509_crt_set_flags1344743
+Ref: gnutls_x509_crt_set_inhibit_anypolicy1345251
+Ref: gnutls_x509_crt_set_issuer_alt_name1345761
+Ref: gnutls_x509_crt_set_issuer_alt_othername1346783
+Ref: gnutls_x509_crt_set_issuer_dn1347759
+Ref: gnutls_x509_crt_set_issuer_dn_by_oid1348398
+Ref: gnutls_x509_crt_set_issuer_unique_id1349677
+Ref: gnutls_x509_crt_set_key1350182
+Ref: gnutls_x509_crt_set_key_purpose_oid1350762
+Ref: gnutls_x509_crt_set_key_usage1351530
+Ref: gnutls_x509_crt_set_name_constraints1351989
+Ref: gnutls_x509_crt_set_pin_function1352611
+Ref: gnutls_x509_crt_set_policy1353279
+Ref: gnutls_x509_crt_set_private_key_usage_period1354132
+Ref: gnutls_x509_crt_set_proxy1354639
+Ref: gnutls_x509_crt_set_proxy_dn1355453
+Ref: gnutls_x509_crt_set_serial1356472
+Ref: gnutls_x509_crt_set_spki1357532
+Ref: gnutls_x509_crt_set_subject_alt_name1358387
+Ref: gnutls_x509_crt_set_subject_alt_othername1359627
+Ref: gnutls_x509_crt_set_subject_alternative_name1360635
+Ref: gnutls_x509_crt_set_subject_key_id1361533
+Ref: gnutls_x509_crt_set_subject_unique_id1362053
+Ref: gnutls_x509_crt_set_tlsfeatures1362576
+Ref: gnutls_x509_crt_set_version1363100
+Ref: gnutls_x509_crt_sign1363923
+Ref: gnutls_x509_crt_sign21364618
+Ref: gnutls_x509_crt_verify1365851
+Ref: gnutls_x509_crt_verify_data21366900
+Ref: gnutls_x509_dn_deinit1367904
+Ref: gnutls_x509_dn_export1368166
+Ref: gnutls_x509_dn_export21369060
+Ref: gnutls_x509_dn_get_rdn_ava1369721
+Ref: gnutls_x509_dn_get_str1370753
+Ref: gnutls_x509_dn_get_str21371349
+Ref: gnutls_x509_dn_import1372211
+Ref: gnutls_x509_dn_init1372827
+Ref: gnutls_x509_dn_oid_known1373248
+Ref: gnutls_x509_dn_oid_name1373917
+Ref: gnutls_x509_dn_set_str1374446
+Ref: gnutls_x509_ext_deinit1375045
+Ref: gnutls_x509_ext_export_aia1375289
+Ref: gnutls_x509_ext_export_authority_key_id1375883
+Ref: gnutls_x509_ext_export_basic_constraints1376539
+Ref: gnutls_x509_ext_export_crl_dist_points1377236
+Ref: gnutls_x509_ext_export_inhibit_anypolicy1377904
+Ref: gnutls_x509_ext_export_key_purposes1378572
+Ref: gnutls_x509_ext_export_key_usage1379191
+Ref: gnutls_x509_ext_export_name_constraints1379807
+Ref: gnutls_x509_ext_export_policies1380448
+Ref: gnutls_x509_ext_export_private_key_usage_period1381111
+Ref: gnutls_x509_ext_export_proxy1381776
+Ref: gnutls_x509_ext_export_subject_alt_names1382762
+Ref: gnutls_x509_ext_export_subject_key_id1383411
+Ref: gnutls_x509_ext_export_tlsfeatures1384033
+Ref: gnutls_x509_ext_import_aia1384651
+Ref: gnutls_x509_ext_import_authority_key_id1385356
+Ref: gnutls_x509_ext_import_basic_constraints1386024
+Ref: gnutls_x509_ext_import_crl_dist_points1386650
+Ref: gnutls_x509_ext_import_inhibit_anypolicy1387278
+Ref: gnutls_x509_ext_import_key_purposes1388193
+Ref: gnutls_x509_ext_import_key_usage1388827
+Ref: gnutls_x509_ext_import_name_constraints1389843
+Ref: gnutls_x509_ext_import_policies1391181
+Ref: gnutls_x509_ext_import_private_key_usage_period1391788
+Ref: gnutls_x509_ext_import_proxy1392403
+Ref: gnutls_x509_ext_import_subject_alt_names1393489
+Ref: gnutls_x509_ext_import_subject_key_id1394247
+Ref: gnutls_x509_ext_import_tlsfeatures1394882
+Ref: gnutls_x509_ext_print1395774
+Ref: gnutls_x509_key_purpose_deinit1396485
+Ref: gnutls_x509_key_purpose_get1396739
+Ref: gnutls_x509_key_purpose_init1397467
+Ref: gnutls_x509_key_purpose_set1397828
+Ref: gnutls_x509_name_constraints_add_excluded1398283
+Ref: gnutls_x509_name_constraints_add_permitted1399224
+Ref: gnutls_x509_name_constraints_check1400099
+Ref: gnutls_x509_name_constraints_check_crt1400936
+Ref: gnutls_x509_name_constraints_deinit1401806
+Ref: gnutls_x509_name_constraints_get_excluded1402106
+Ref: gnutls_x509_name_constraints_get_permitted1403177
+Ref: gnutls_x509_name_constraints_init1404231
+Ref: gnutls_x509_othername_to_virtual1404614
+Ref: gnutls_x509_policies_deinit1405233
+Ref: gnutls_x509_policies_get1405513
+Ref: gnutls_x509_policies_init1406299
+Ref: gnutls_x509_policies_set1406664
+Ref: gnutls_x509_policy_release1407131
+Ref: gnutls_x509_privkey_cpy1407495
+Ref: gnutls_x509_privkey_deinit1407965
+Ref: gnutls_x509_privkey_export1408206
+Ref: gnutls_x509_privkey_export21409241
+Ref: gnutls_x509_privkey_export2_pkcs81410119
+Ref: gnutls_x509_privkey_export_dsa_raw1411395
+Ref: gnutls_x509_privkey_export_ecc_raw1412135
+Ref: gnutls_x509_privkey_export_gost_raw1413018
+Ref: gnutls_x509_privkey_export_pkcs81414103
+Ref: gnutls_x509_privkey_export_rsa_raw1415608
+Ref: gnutls_x509_privkey_export_rsa_raw21416469
+Ref: gnutls_x509_privkey_fix1417455
+Ref: gnutls_x509_privkey_generate1417840
+Ref: gnutls_x509_privkey_generate21419365
+Ref: gnutls_x509_privkey_get_key_id1421524
+Ref: gnutls_x509_privkey_get_pk_algorithm1422543
+Ref: gnutls_x509_privkey_get_pk_algorithm21422971
+Ref: gnutls_x509_privkey_get_seed1423462
+Ref: gnutls_x509_privkey_get_spki1424286
+Ref: gnutls_x509_privkey_import1424821
+Ref: gnutls_x509_privkey_import21425616
+Ref: gnutls_x509_privkey_import_dsa_raw1426689
+Ref: gnutls_x509_privkey_import_ecc_raw1427421
+Ref: gnutls_x509_privkey_import_gost_raw1428237
+Ref: gnutls_x509_privkey_import_openssl1429513
+Ref: gnutls_x509_privkey_import_pkcs81430387
+Ref: gnutls_x509_privkey_import_rsa_raw1431834
+Ref: gnutls_x509_privkey_import_rsa_raw21432688
+Ref: gnutls_x509_privkey_init1433684
+Ref: gnutls_x509_privkey_sec_param1434029
+Ref: gnutls_x509_privkey_set_flags1434448
+Ref: gnutls_x509_privkey_set_pin_function1434998
+Ref: gnutls_x509_privkey_set_spki1435616
+Ref: gnutls_x509_privkey_sign_data1436163
+Ref: gnutls_x509_privkey_verify_params1437384
+Ref: gnutls_x509_privkey_verify_seed1437720
+Ref: gnutls_x509_rdn_get1438549
+Ref: gnutls_x509_rdn_get21439367
+Ref: gnutls_x509_rdn_get_by_oid1440275
+Ref: gnutls_x509_rdn_get_oid1441257
+Ref: gnutls_x509_spki_deinit1442002
+Ref: gnutls_x509_spki_get_rsa_pss_params1442284
+Ref: gnutls_x509_spki_init1442845
+Ref: gnutls_x509_spki_set_rsa_pss_params1443361
+Ref: gnutls_x509_tlsfeatures_add1443874
+Ref: gnutls_x509_tlsfeatures_check_crt1444330
+Ref: gnutls_x509_tlsfeatures_deinit1444930
+Ref: gnutls_x509_tlsfeatures_get1445208
+Ref: gnutls_x509_tlsfeatures_init1445768
+Ref: gnutls_x509_trust_list_add_cas1446153
+Ref: gnutls_x509_trust_list_add_crls1447338
+Ref: gnutls_x509_trust_list_add_named_crt1448716
+Ref: gnutls_x509_trust_list_add_system_trust1449931
+Ref: gnutls_x509_trust_list_add_trust_dir1450693
+Ref: gnutls_x509_trust_list_add_trust_file1451556
+Ref: gnutls_x509_trust_list_add_trust_mem1452703
+Ref: gnutls_x509_trust_list_deinit1453622
+Ref: gnutls_x509_trust_list_get_issuer1454248
+Ref: gnutls_x509_trust_list_get_issuer_by_dn1455298
+Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1456027
+Ref: gnutls_x509_trust_list_get_ptr1456835
+Ref: gnutls_x509_trust_list_init1457348
+Ref: gnutls_x509_trust_list_iter_deinit1457853
+Ref: gnutls_x509_trust_list_iter_get_ca1458162
+Ref: gnutls_x509_trust_list_remove_cas1459342
+Ref: gnutls_x509_trust_list_remove_trust_file1460197
+Ref: gnutls_x509_trust_list_remove_trust_mem1460898
+Ref: gnutls_x509_trust_list_set_getissuer_function1461556
+Ref: gnutls_x509_trust_list_set_ptr1463189
+Ref: gnutls_x509_trust_list_verify_crt1463727
+Ref: gnutls_x509_trust_list_verify_crt21464890
+Ref: gnutls_x509_trust_list_verify_named_crt1467824
+Node: PKCS 7 API1470552
+Ref: gnutls_pkcs7_add_attr1470848
+Ref: gnutls_pkcs7_attrs_deinit1471654
+Ref: gnutls_pkcs7_deinit1471889
+Ref: gnutls_pkcs7_delete_crl1472094
+Ref: gnutls_pkcs7_delete_crt1472523
+Ref: gnutls_pkcs7_export1472969
+Ref: gnutls_pkcs7_export21473869
+Ref: gnutls_pkcs7_get_attr1474530
+Ref: gnutls_pkcs7_get_crl_count1475417
+Ref: gnutls_pkcs7_get_crl_raw1475765
+Ref: gnutls_pkcs7_get_crl_raw21476540
+Ref: gnutls_pkcs7_get_crt_count1477171
+Ref: gnutls_pkcs7_get_crt_raw1477546
+Ref: gnutls_pkcs7_get_crt_raw21478446
+Ref: gnutls_pkcs7_get_embedded_data1479300
+Ref: gnutls_pkcs7_get_embedded_data_oid1480300
+Ref: gnutls_pkcs7_get_signature_count1480860
+Ref: gnutls_pkcs7_get_signature_info1481267
+Ref: gnutls_pkcs7_import1481940
+Ref: gnutls_pkcs7_init1482561
+Ref: gnutls_pkcs7_print1482985
+Ref: gnutls_pkcs7_print_signature_info1483730
+Ref: gnutls_pkcs7_set_crl1484535
+Ref: gnutls_pkcs7_set_crl_raw1484936
+Ref: gnutls_pkcs7_set_crt1485326
+Ref: gnutls_pkcs7_set_crt_raw1485810
+Ref: gnutls_pkcs7_sign1486223
+Ref: gnutls_pkcs7_signature_info_deinit1487662
+Ref: gnutls_pkcs7_verify1488015
+Ref: gnutls_pkcs7_verify_direct1489180
+Node: OCSP API1490640
+Ref: gnutls_ocsp_req_add_cert1490924
+Ref: gnutls_ocsp_req_add_cert_id1491884
+Ref: gnutls_ocsp_req_deinit1493204
+Ref: gnutls_ocsp_req_export1493421
+Ref: gnutls_ocsp_req_get_cert_id1493846
+Ref: gnutls_ocsp_req_get_extension1495438
+Ref: gnutls_ocsp_req_get_nonce1496854
+Ref: gnutls_ocsp_req_get_version1497508
+Ref: gnutls_ocsp_req_import1497895
+Ref: gnutls_ocsp_req_init1498391
+Ref: gnutls_ocsp_req_print1498719
+Ref: gnutls_ocsp_req_randomize_nonce1499455
+Ref: gnutls_ocsp_req_set_extension1499888
+Ref: gnutls_ocsp_req_set_nonce1500572
+Ref: gnutls_ocsp_resp_check_crt1501159
+Ref: gnutls_ocsp_resp_deinit1501743
+Ref: gnutls_ocsp_resp_export1501967
+Ref: gnutls_ocsp_resp_export21502393
+Ref: gnutls_ocsp_resp_get_certs1502913
+Ref: gnutls_ocsp_resp_get_extension1504038
+Ref: gnutls_ocsp_resp_get_nonce1505462
+Ref: gnutls_ocsp_resp_get_produced1506128
+Ref: gnutls_ocsp_resp_get_responder1506475
+Ref: gnutls_ocsp_resp_get_responder21507580
+Ref: gnutls_ocsp_resp_get_responder_raw_id1508843
+Ref: gnutls_ocsp_resp_get_response1509674
+Ref: gnutls_ocsp_resp_get_signature1510900
+Ref: gnutls_ocsp_resp_get_signature_algorithm1511389
+Ref: gnutls_ocsp_resp_get_single1511867
+Ref: gnutls_ocsp_resp_get_status1513809
+Ref: gnutls_ocsp_resp_get_version1514238
+Ref: gnutls_ocsp_resp_import1514646
+Ref: gnutls_ocsp_resp_import21515214
+Ref: gnutls_ocsp_resp_init1515842
+Ref: gnutls_ocsp_resp_list_import21516191
+Ref: gnutls_ocsp_resp_print1517382
+Ref: gnutls_ocsp_resp_verify1518108
+Ref: gnutls_ocsp_resp_verify_direct1519725
+Node: PKCS 12 API1522158
+Ref: gnutls_pkcs12_bag_decrypt1522448
+Ref: gnutls_pkcs12_bag_deinit1522880
+Ref: gnutls_pkcs12_bag_enc_info1523118
+Ref: gnutls_pkcs12_bag_encrypt1524491
+Ref: gnutls_pkcs12_bag_get_count1524996
+Ref: gnutls_pkcs12_bag_get_data1525307
+Ref: gnutls_pkcs12_bag_get_friendly_name1525913
+Ref: gnutls_pkcs12_bag_get_key_id1526550
+Ref: gnutls_pkcs12_bag_get_type1527169
+Ref: gnutls_pkcs12_bag_init1527539
+Ref: gnutls_pkcs12_bag_set_crl1527997
+Ref: gnutls_pkcs12_bag_set_crt1528430
+Ref: gnutls_pkcs12_bag_set_data1528876
+Ref: gnutls_pkcs12_bag_set_friendly_name1529347
+Ref: gnutls_pkcs12_bag_set_key_id1530031
+Ref: gnutls_pkcs12_bag_set_privkey1530705
+Ref: gnutls_pkcs12_deinit1531361
+Ref: gnutls_pkcs12_export1531563
+Ref: gnutls_pkcs12_export21532470
+Ref: gnutls_pkcs12_generate_mac1533146
+Ref: gnutls_pkcs12_generate_mac21533537
+Ref: gnutls_pkcs12_get_bag1533981
+Ref: gnutls_pkcs12_import1534567
+Ref: gnutls_pkcs12_init1535288
+Ref: gnutls_pkcs12_mac_info1535721
+Ref: gnutls_pkcs12_set_bag1537030
+Ref: gnutls_pkcs12_simple_parse1537436
+Ref: gnutls_pkcs12_verify_mac1540117
+Node: PKCS 11 API1540473
+Ref: gnutls_pkcs11_add_provider1540802
+Ref: gnutls_pkcs11_copy_attached_extension1541547
+Ref: gnutls_pkcs11_copy_pubkey1542406
+Ref: gnutls_pkcs11_copy_secret_key1543439
+Ref: gnutls_pkcs11_copy_x509_crt1544164
+Ref: gnutls_pkcs11_copy_x509_crt21544812
+Ref: gnutls_pkcs11_copy_x509_privkey1545780
+Ref: gnutls_pkcs11_copy_x509_privkey21546597
+Ref: gnutls_pkcs11_crt_is_known1547542
+Ref: gnutls_pkcs11_deinit1548678
+Ref: gnutls_pkcs11_delete_url1548995
+Ref: gnutls_pkcs11_get_pin_function1549511
+Ref: gnutls_pkcs11_get_raw_issuer1549894
+Ref: gnutls_pkcs11_get_raw_issuer_by_dn1550804
+Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1551843
+Ref: gnutls_pkcs11_init1552954
+Ref: gnutls_pkcs11_obj_deinit1553996
+Ref: gnutls_pkcs11_obj_export1554242
+Ref: gnutls_pkcs11_obj_export21555087
+Ref: gnutls_pkcs11_obj_export31555684
+Ref: gnutls_pkcs11_obj_export_url1556357
+Ref: gnutls_pkcs11_obj_flags_get_str1556884
+Ref: gnutls_pkcs11_obj_get_exts1557363
+Ref: gnutls_pkcs11_obj_get_flags1558299
+Ref: gnutls_pkcs11_obj_get_info1558836
+Ref: gnutls_pkcs11_obj_get_ptr1560100
+Ref: gnutls_pkcs11_obj_get_type1561009
+Ref: gnutls_pkcs11_obj_import_url1561359
+Ref: gnutls_pkcs11_obj_init1562279
+Ref: gnutls_pkcs11_obj_list_import_url31562664
+Ref: gnutls_pkcs11_obj_list_import_url41564605
+Ref: gnutls_pkcs11_obj_set_info1566281
+Ref: gnutls_pkcs11_obj_set_pin_function1567060
+Ref: gnutls_pkcs11_privkey_cpy1567571
+Ref: gnutls_pkcs11_privkey_deinit1568072
+Ref: gnutls_pkcs11_privkey_export_pubkey1568335
+Ref: gnutls_pkcs11_privkey_export_url1569139
+Ref: gnutls_pkcs11_privkey_generate1569649
+Ref: gnutls_pkcs11_privkey_generate21570321
+Ref: gnutls_pkcs11_privkey_generate31571551
+Ref: gnutls_pkcs11_privkey_get_info1573061
+Ref: gnutls_pkcs11_privkey_get_pk_algorithm1573943
+Ref: gnutls_pkcs11_privkey_import_url1574474
+Ref: gnutls_pkcs11_privkey_init1575175
+Ref: gnutls_pkcs11_privkey_set_pin_function1575890
+Ref: gnutls_pkcs11_privkey_status1576410
+Ref: gnutls_pkcs11_reinit1576786
+Ref: gnutls_pkcs11_set_pin_function1577346
+Ref: gnutls_pkcs11_set_token_function1577836
+Ref: gnutls_pkcs11_token_check_mechanism1578254
+Ref: gnutls_pkcs11_token_get_flags1579011
+Ref: gnutls_pkcs11_token_get_info1579553
+Ref: gnutls_pkcs11_token_get_mechanism1580576
+Ref: gnutls_pkcs11_token_get_ptr1581189
+Ref: gnutls_pkcs11_token_get_random1581888
+Ref: gnutls_pkcs11_token_get_url1582519
+Ref: gnutls_pkcs11_token_init1583187
+Ref: gnutls_pkcs11_token_set_pin1583825
+Ref: gnutls_pkcs11_type_get_name1584665
+Ref: gnutls_x509_crt_import_pkcs111585154
+Ref: gnutls_x509_crt_list_import_pkcs111585676
+Node: TPM API1586285
+Ref: gnutls_tpm_get_registered1586564
+Ref: gnutls_tpm_key_list_deinit1586957
+Ref: gnutls_tpm_key_list_get_url1587225
+Ref: gnutls_tpm_privkey_delete1587878
+Ref: gnutls_tpm_privkey_generate1588316
+Node: Abstract key API1589666
+Ref: gnutls_certificate_set_key1589987
+Ref: gnutls_certificate_set_retrieve_function21592123
+Ref: gnutls_certificate_set_retrieve_function31594373
+Ref: gnutls_pcert_deinit1597233
+Ref: gnutls_pcert_export_openpgp1597478
+Ref: gnutls_pcert_export_x5091597827
+Ref: gnutls_pcert_import_openpgp1598477
+Ref: gnutls_pcert_import_openpgp_raw1598876
+Ref: gnutls_pcert_import_rawpk1599445
+Ref: gnutls_pcert_import_rawpk_raw1600298
+Ref: gnutls_pcert_import_x5091601547
+Ref: gnutls_pcert_import_x509_list1602144
+Ref: gnutls_pcert_import_x509_raw1603334
+Ref: gnutls_pcert_list_import_x509_file1604040
+Ref: gnutls_pcert_list_import_x509_raw1605472
+Ref: gnutls_privkey_decrypt_data1606806
+Ref: gnutls_privkey_decrypt_data21607454
+Ref: gnutls_privkey_deinit1608279
+Ref: gnutls_privkey_export_dsa_raw1608528
+Ref: gnutls_privkey_export_dsa_raw21609258
+Ref: gnutls_privkey_export_ecc_raw1610064
+Ref: gnutls_privkey_export_ecc_raw21610926
+Ref: gnutls_privkey_export_gost_raw21611868
+Ref: gnutls_privkey_export_openpgp1613002
+Ref: gnutls_privkey_export_pkcs111613354
+Ref: gnutls_privkey_export_rsa_raw1613966
+Ref: gnutls_privkey_export_rsa_raw21614997
+Ref: gnutls_privkey_export_x5091616043
+Ref: gnutls_privkey_generate1616691
+Ref: gnutls_privkey_generate21618182
+Ref: gnutls_privkey_get_pk_algorithm1620310
+Ref: gnutls_privkey_get_seed1620924
+Ref: gnutls_privkey_get_spki1621723
+Ref: gnutls_privkey_get_type1622303
+Ref: gnutls_privkey_import_dsa_raw1622792
+Ref: gnutls_privkey_import_ecc_raw1623504
+Ref: gnutls_privkey_import_ext1624317
+Ref: gnutls_privkey_import_ext21625467
+Ref: gnutls_privkey_import_ext31626824
+Ref: gnutls_privkey_import_ext41628438
+Ref: gnutls_privkey_import_gost_raw1631198
+Ref: gnutls_privkey_import_openpgp1632406
+Ref: gnutls_privkey_import_openpgp_raw1632815
+Ref: gnutls_privkey_import_pkcs111633404
+Ref: gnutls_privkey_import_pkcs11_url1634162
+Ref: gnutls_privkey_import_rsa_raw1634611
+Ref: gnutls_privkey_import_tpm_raw1635607
+Ref: gnutls_privkey_import_tpm_url1636474
+Ref: gnutls_privkey_import_url1637577
+Ref: gnutls_privkey_import_x5091638124
+Ref: gnutls_privkey_import_x509_raw1638872
+Ref: gnutls_privkey_init1639651
+Ref: gnutls_privkey_set_flags1640569
+Ref: gnutls_privkey_set_pin_function1641094
+Ref: gnutls_privkey_set_spki1641664
+Ref: gnutls_privkey_sign_data1642237
+Ref: gnutls_privkey_sign_data21643257
+Ref: gnutls_privkey_sign_hash1644155
+Ref: gnutls_privkey_sign_hash21645592
+Ref: gnutls_privkey_status1646858
+Ref: gnutls_privkey_verify_params1647402
+Ref: gnutls_privkey_verify_seed1647764
+Ref: gnutls_pubkey_deinit1648476
+Ref: gnutls_pubkey_encrypt_data1648716
+Ref: gnutls_pubkey_export1649358
+Ref: gnutls_pubkey_export21650372
+Ref: gnutls_pubkey_export_dsa_raw1651145
+Ref: gnutls_pubkey_export_dsa_raw21651957
+Ref: gnutls_pubkey_export_ecc_raw1652841
+Ref: gnutls_pubkey_export_ecc_raw21653740
+Ref: gnutls_pubkey_export_ecc_x9621654719
+Ref: gnutls_pubkey_export_gost_raw21655378
+Ref: gnutls_pubkey_export_rsa_raw1656522
+Ref: gnutls_pubkey_export_rsa_raw21657219
+Ref: gnutls_pubkey_get_key_id1657980
+Ref: gnutls_pubkey_get_key_usage1659005
+Ref: gnutls_pubkey_get_openpgp_key_id1659502
+Ref: gnutls_pubkey_get_pk_algorithm1660141
+Ref: gnutls_pubkey_get_preferred_hash_algorithm1660789
+Ref: gnutls_pubkey_get_spki1661730
+Ref: gnutls_pubkey_import1662298
+Ref: gnutls_pubkey_import_dsa_raw1662982
+Ref: gnutls_pubkey_import_ecc_raw1663643
+Ref: gnutls_pubkey_import_ecc_x9621664411
+Ref: gnutls_pubkey_import_gost_raw1665047
+Ref: gnutls_pubkey_import_openpgp1666194
+Ref: gnutls_pubkey_import_openpgp_raw1666586
+Ref: gnutls_pubkey_import_pkcs111667155
+Ref: gnutls_pubkey_import_privkey1667697
+Ref: gnutls_pubkey_import_rsa_raw1668399
+Ref: gnutls_pubkey_import_tpm_raw1668923
+Ref: gnutls_pubkey_import_tpm_url1669700
+Ref: gnutls_pubkey_import_url1670592
+Ref: gnutls_pubkey_import_x5091671065
+Ref: gnutls_pubkey_import_x509_crq1671565
+Ref: gnutls_pubkey_import_x509_raw1672068
+Ref: gnutls_pubkey_init1672645
+Ref: gnutls_pubkey_print1672974
+Ref: gnutls_pubkey_set_key_usage1673708
+Ref: gnutls_pubkey_set_pin_function1674277
+Ref: gnutls_pubkey_set_spki1674842
+Ref: gnutls_pubkey_verify_data21675413
+Ref: gnutls_pubkey_verify_hash21676321
+Ref: gnutls_pubkey_verify_params1677445
+Ref: gnutls_register_custom_url1677803
+Ref: gnutls_system_key_add_x5091678741
+Ref: gnutls_system_key_delete1679486
+Ref: gnutls_system_key_iter_deinit1679910
+Ref: gnutls_system_key_iter_get_info1680178
+Ref: gnutls_x509_crl_privkey_sign1681452
+Ref: gnutls_x509_crq_privkey_sign1682721
+Ref: gnutls_x509_crq_set_pubkey1684083
+Ref: gnutls_x509_crt_privkey_sign1684591
+Ref: gnutls_x509_crt_set_pubkey1685834
+Node: Socket specific API1686287
+Ref: gnutls_transport_set_fastopen1686580
+Node: DANE API1688126
+Ref: dane_cert_type_name1688500
+Ref: dane_cert_usage_name1688790
+Ref: dane_match_type_name1689102
+Ref: dane_query_data1689385
+Ref: dane_query_deinit1690064
+Ref: dane_query_entries1690269
+Ref: dane_query_status1690511
+Ref: dane_query_tlsa1690805
+Ref: dane_query_to_raw_tlsa1691396
+Ref: dane_raw_tlsa1692738
+Ref: dane_state_deinit1693815
+Ref: dane_state_init1694007
+Ref: dane_state_set_dlv_file1694521
+Ref: dane_strerror1694822
+Ref: dane_verification_status_print1695321
+Ref: dane_verify_crt1695915
+Ref: dane_verify_crt_raw1698102
+Ref: dane_verify_session_crt1699335
+Node: Cryptographic API1700737
+Ref: gnutls_aead_cipher_decrypt1701238
+Ref: gnutls_aead_cipher_decryptv21702617
+Ref: gnutls_aead_cipher_deinit1703542
+Ref: gnutls_aead_cipher_encrypt1703870
+Ref: gnutls_aead_cipher_encryptv1704979
+Ref: gnutls_aead_cipher_encryptv21706127
+Ref: gnutls_aead_cipher_init1707055
+Ref: gnutls_cipher_add_auth1707721
+Ref: gnutls_cipher_decrypt1708301
+Ref: gnutls_cipher_decrypt21708925
+Ref: gnutls_cipher_deinit1709851
+Ref: gnutls_cipher_encrypt1710130
+Ref: gnutls_cipher_encrypt21710590
+Ref: gnutls_cipher_get_block_size1711367
+Ref: gnutls_cipher_get_iv_size1711647
+Ref: gnutls_cipher_get_tag_size1712129
+Ref: gnutls_cipher_init1712535
+Ref: gnutls_cipher_set_iv1713265
+Ref: gnutls_cipher_tag1713610
+Ref: gnutls_crypto_register_aead_cipher1714112
+Ref: gnutls_crypto_register_cipher1715716
+Ref: gnutls_crypto_register_digest1717497
+Ref: gnutls_crypto_register_mac1718721
+Ref: gnutls_decode_ber_digest_info1720149
+Ref: gnutls_decode_gost_rs_value1720948
+Ref: gnutls_decode_rs_value1721748
+Ref: gnutls_encode_ber_digest_info1722533
+Ref: gnutls_encode_gost_rs_value1723177
+Ref: gnutls_encode_rs_value1723923
+Ref: gnutls_hash1724543
+Ref: gnutls_hash_copy1724974
+Ref: gnutls_hash_deinit1725491
+Ref: gnutls_hash_fast1725819
+Ref: gnutls_hash_get_len1726336
+Ref: gnutls_hash_init1726669
+Ref: gnutls_hash_output1727205
+Ref: gnutls_hkdf_expand1727537
+Ref: gnutls_hkdf_extract1728240
+Ref: gnutls_hmac1728783
+Ref: gnutls_hmac_copy1729214
+Ref: gnutls_hmac_deinit1729695
+Ref: gnutls_hmac_fast1730022
+Ref: gnutls_hmac_get_key_size1730746
+Ref: gnutls_hmac_get_len1731207
+Ref: gnutls_hmac_init1731537
+Ref: gnutls_hmac_output1732320
+Ref: gnutls_hmac_set_nonce1732655
+Ref: gnutls_mac_get_nonce_size1733022
+Ref: gnutls_pbkdf21733338
+Ref: gnutls_rnd1733971
+Ref: gnutls_rnd_refresh1734609
+Node: Compatibility API1734895
+Ref: gnutls_compression_get1735237
+Ref: gnutls_compression_get_id1735589
+Ref: gnutls_compression_get_name1735953
+Ref: gnutls_compression_list1736335
+Ref: gnutls_global_set_mem_functions1736667
+Ref: gnutls_openpgp_privkey_sign_hash1738042
+Ref: gnutls_priority_compression_list1738471
+Ref: gnutls_x509_crt_get_preferred_hash_algorithm1738923
+Ref: gnutls_x509_privkey_sign_hash1739804
+Node: Copying Information1740674
+Node: Bibliography1765851
+Ref: CBCATT1765990
+Ref: GPGH1766168
+Ref: GUTPKI1766291
+Ref: PRNGATTACKS1766466
+Ref: KEYPIN1766666
+Ref: NISTSP800571766841
+Ref: RFC74131767089
+Ref: RFC79181767256
+Ref: RFC61251767433
+Ref: RFC76851767774
+Ref: RFC76131767949
+Ref: RFC22461768197
+Ref: RFC60831768358
+Ref: RFC44181768595
+Ref: RFC46801768762
+Ref: RFC76331768920
+Ref: RFC79191769092
+Ref: RFC45141769296
+Ref: RFC43461769500
+Ref: RFC43471769650
+Ref: RFC52461769817
+Ref: RFC24401769968
+Ref: RFC48801770150
+Ref: RFC42111770344
+Ref: RFC28171770538
+Ref: RFC28181770691
+Ref: RFC29451770805
+Ref: RFC73011770955
+Ref: RFC29861771175
+Ref: PKIX1771364
+Ref: RFC37491771627
+Ref: RFC38201771793
+Ref: RFC65201772036
+Ref: RFC57461772275
+Ref: RFC52801772484
+Ref: TLSTKT1772751
+Ref: PKCS121772983
+Ref: PKCS111773124
+Ref: RESCORLA1773270
+Ref: SELKEY1773366
+Ref: SSL31773525
+Ref: STEVENS1773716
+Ref: TLSEXT1773824
+Ref: TLSPGP1774041
+Ref: TLSSRP1774206
+Ref: TLSPSK1774403
+Ref: TOMSRP1774572
+Ref: WEGER1774685
+Ref: ECRYPT1774877
+Ref: RFC50561775082
+Ref: RFC57641775235
+Ref: RFC59291775523
+Ref: PKCS11URI1775666
+Ref: TPMURI1775802
+Ref: ANDERSON1775996
+Ref: RFC48211776142
+Ref: RFC25601776295
+Ref: RIVESTCRL1776489
+Node: Function and Data Index1776850
+Node: Concept Index1903361

End Tag Table
diff -ruN gnutls-3.7.2/doc/gnutls.info-1 gnutls-3.7.2-bootstrapped/doc/gnutls.info-1
--- gnutls-3.7.2/doc/gnutls.info-1 2021-05-29 10:19:34.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-1 2021-06-28 09:39:56.000000000 +0200
@@ -7426,6 +7426,12 @@
to a token. Must be combined with one of -load-privkey, -load-pubkey,
-load-certificate option.
+When writing a certificate object, its CKA_ID is set to the same CKA_ID
+of the corresponding public key, if it exists on the token; otherwise it
+will be derived from the X.509 Subject Key Identifier of the
+certificate. If this behavior is undesired, write the public key to the
+token beforehand.
+
id option.
..........
diff -ruN gnutls-3.7.2/doc/gnutls.info-3 gnutls-3.7.2-bootstrapped/doc/gnutls.info-3
--- gnutls-3.7.2/doc/gnutls.info-3 2021-05-29 10:19:36.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-3 2021-06-28 09:39:58.000000000 +0200
@@ -1350,6 +1350,7 @@
* 'insecure-hash': to mark the hash algorithm as insecure for digital
signature use (provides a more generic way to disable digital
signatures for broken hash algorithms).
+ * 'disabled-curve': to disable the specified elliptic curve.
* 'disabled-version': to disable the specified TLS versions.
* 'tls-disabled-cipher': to disable the specified ciphers for use in
the TLS or DTLS protocols.
@@ -1362,12 +1363,54 @@
earlier).
Each of the options can be repeated multiple times when multiple values
-need to be disabled.
+need to be disabled or enabled.
The valid values for the options above can be found in the 'Protocols',
'Digests' 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of
the output of 'gnutls-cli --list'.
+Sometimes the system administrator wants to enable only specific
+algorithms, despite the library defaults. GnuTLS provides an
+alternative mode of overriding: allowlisting.
+
+In the allowlisting mode, all the algorithms are initially marked as
+insecure or disabled, and shall be explicitly turned on by the options
+in the '[overrides]' section. Those options are mutually exclusive to
+the above ones for the blocklisting mode (the default)
+ * 'secure-sig-for-cert': to mark the signature algorithm as secure
+ when used in certificates.
+ * 'secure-sig': to mark the signature algorithm as secure for any
+ use.
+ * 'secure-hash': to mark the hash algorithm as secure for digital
+ signature use (provides a more generic way to enable digital
+ signatures for broken hash algorithms).
+ * 'enabled-curve': to enable the specified elliptic curve.
+ * 'enabled-version': to enable the specified TLS versions.
+ * 'tls-enabled-cipher': to enable the specified ciphers for use in
+ the TLS or DTLS protocols.
+ * 'tls-enabled-mac': to enable the specified MAC algorithms for use
+ in the TLS or DTLS protocols.
+ * 'tls-enabled-group': to enable the specified group for use in the
+ TLS or DTLS protocols.
+ * 'tls-enabled-kx': to enable the specified key exchange algorithms
+ for use in the TLS or DTLS protocols (applies to TLS1.2 or
+ earlier).
+
+The allowlisting mode can be enabled by adding 'override-mode =
+allowlist' in the '[global]' section.
+
+When the allowlisting mode is in effect, it is also possible for the
+applications to modify the setting through the API.
+
+'INT *note gnutls_ecc_curve_mark_enabled:: (gnutls_ecc_curve_t CURVE)'
+'INT *note gnutls_sign_mark_secure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)'
+'INT *note gnutls_digest_mark_secure:: (gnutls_digest_algorithm_t DIG)'
+'INT *note gnutls_protocol_mark_enabled:: (gnutls_protocol_t VERSION)'
+'INT *note gnutls_ecc_curve_mark_disabled:: (gnutls_ecc_curve_t CURVE)'
+'INT *note gnutls_sign_mark_insecure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)'
+'INT *note gnutls_digest_mark_insecure:: (gnutls_digest_algorithm_t DIG)'
+'INT *note gnutls_protocol_mark_disabled:: (gnutls_protocol_t VERSION)'
+
8.2.1 Examples
--------------
@@ -1396,6 +1439,17 @@
tls-disabled-mac = sha1
tls-disabled-group = group-ffdhe8192
+The following example demonstrates the use of the allowlisting mode. It
+disables all the signature algorithms but 'RSA-SHA256'. Note that the
+hash algorithm 'SHA256' also needs to be explicitly enabled.
+
+ [global]
+ override-mode = allowlist
+
+ [overrides]
+ secure-hash = sha256
+ secure-sig = rsa-sha256
+

File: gnutls.info, Node: Querying for disabled algorithms and protocols, Next: Overriding the parameter verification profile, Prev: Disabling algorithms and protocols, Up: System-wide configuration of the library
@@ -8538,6 +8592,31 @@
'gnutls_digest_algorithm_t' integers indicating the available
digests.
+gnutls_digest_mark_insecure
+---------------------------
+
+ -- Function: int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t
+ DIG)
+ DIG: is a digest algorithm
+
+ Mark 'dig' as insecure system wide. This only works if the
+ allowlisting mode is used in the configuration file.
+
+ *Since:* 3.7.3
+
+gnutls_digest_mark_secure
+-------------------------
+
+ -- Function: int gnutls_digest_mark_secure (gnutls_digest_algorithm_t
+ DIG)
+ DIG: is a digest algorithm
+
+ Invalidate previous system wide setting that marked 'dig' as
+ insecure. This only works if the allowlisting mode is used in the
+ configuration file.
+
+ *Since:* 3.7.3
+
gnutls_early_cipher_get
-----------------------
@@ -8657,6 +8736,37 @@
*Returns:* Return a (0)-terminated list of 'gnutls_ecc_curve_t'
integers indicating the available curves.
+gnutls_ecc_curve_mark_disabled
+------------------------------
+
+ -- Function: int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t
+ CURVE)
+ CURVE: is an ECC curve
+
+ Mark 'curve' as disabled system wide. This setting can be reverted
+ with 'gnutls_ecc_curve_mark_enabled()' . This only works if the
+ configuration file uses the allowlisting mode.
+
+ *Returns:* 0 on success or negative error code otherwise.
+
+ *Since:* 3.7.3
+
+gnutls_ecc_curve_mark_enabled
+-----------------------------
+
+ -- Function: int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t
+ CURVE)
+ CURVE: is an ECC curve
+
+ Invalidate previous system wide setting that marked 'curve' as
+ disabled. This only works if the curve is disabled with
+ 'gnutls_ecc_curve_mark_disabled()' or through the allowlisting mode
+ in the configuration file.
+
+ *Returns:* 0 on success or negative error code otherwise.
+
+ *Since:* 3.7.3
+
gnutls_error_is_fatal
---------------------
@@ -11047,6 +11157,27 @@
*Returns:* a (0)-terminated list of 'gnutls_protocol_t' integers
indicating the available protocols.
+gnutls_protocol_mark_disabled
+-----------------------------
+
+ -- Function: int gnutls_protocol_mark_disabled (gnutls_protocol_t
+ VERSION)
+ VERSION: is a (gnutls) version number
+
+ Mark 'version' as disabled system wide. This only works if the
+ allowlisting mode is used in the configuration file.
+
+gnutls_protocol_mark_enabled
+----------------------------
+
+ -- Function: int gnutls_protocol_mark_enabled (gnutls_protocol_t
+ VERSION)
+ VERSION: is a (gnutls) version number
+
+ Invalidate previous system wide setting that marked 'version' as
+ disabled. This only works if the allowlisting mode is used in the
+ configuration file.
+
gnutls_psk_allocate_client_credentials
--------------------------------------
@@ -13235,6 +13366,45 @@
*Returns:* a (0)-terminated list of 'gnutls_sign_algorithm_t'
integers indicating the available ciphers.
+gnutls_sign_mark_insecure
+-------------------------
+
+ -- Function: int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t
+ SIGN, unsigned FLAGS)
+ SIGN: the sign algorithm
+
+ FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0
+
+ Mark 'sign' as insecure system wide. This only works if the
+ allowlisting mode is used in the configuration file.
+
+ If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, and the
+ algorithm was previously considered secure for all purposes, it
+ only marks the algorithm as insecure for the use with certificates.
+
+ *Since:* 3.7.3
+
+gnutls_sign_mark_secure
+-----------------------
+
+ -- Function: int gnutls_sign_mark_secure (gnutls_sign_algorithm_t SIGN,
+ unsigned FLAGS)
+ SIGN: the sign algorithm
+
+ FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0
+
+ Invalidate previous system wide setting that marked 'sign' as
+ insecure. This only works if the algorithm is marked as insecure
+ with 'gnutls_sign_mark_insecure()' or through the allowlisting mode
+ in the configuration file.
+
+ If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, it
+ marks it the algorithm as secure for all purposes. If the absence
+ of this flag, it will mark it as "secure, but not for certificates"
+ at most, but it won't restrict anything either.
+
+ *Since:* 3.7.3
+
gnutls_sign_supports_pk_algorithm
---------------------------------
diff -ruN gnutls-3.7.2/doc/gnutls.info-6 gnutls-3.7.2-bootstrapped/doc/gnutls.info-6
--- gnutls-3.7.2/doc/gnutls.info-6 2021-05-29 10:19:38.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-6 2021-06-28 09:40:00.000000000 +0200
@@ -7847,6 +7847,8 @@
* gnutls_digest_get_name: Core TLS API. (line 3005)
* gnutls_digest_get_oid: Core TLS API. (line 3017)
* gnutls_digest_list: Core TLS API. (line 3032)
+* gnutls_digest_mark_insecure: Core TLS API. (line 3046)
+* gnutls_digest_mark_secure: Core TLS API. (line 3058)
* gnutls_dtls_cookie_send: Datagram TLS API. (line 11)
* gnutls_dtls_cookie_verify: Datagram TLS API. (line 45)
* gnutls_dtls_get_data_mtu: Datagram TLS API. (line 74)
@@ -7858,71 +7860,73 @@
* gnutls_dtls_set_data_mtu: Datagram TLS API. (line 139)
* gnutls_dtls_set_mtu: Datagram TLS API. (line 165)
* gnutls_dtls_set_timeouts: Datagram TLS API. (line 182)
-* gnutls_early_cipher_get: Core TLS API. (line 3046)
-* gnutls_early_prf_hash_get: Core TLS API. (line 3060)
-* gnutls_ecc_curve_get: Core TLS API. (line 3075)
-* gnutls_ecc_curve_get_id: Core TLS API. (line 3089)
-* gnutls_ecc_curve_get_name: Core TLS API. (line 3103)
-* gnutls_ecc_curve_get_oid: Core TLS API. (line 3117)
-* gnutls_ecc_curve_get_pk: Core TLS API. (line 3131)
-* gnutls_ecc_curve_get_size: Core TLS API. (line 3143)
-* gnutls_ecc_curve_list: Core TLS API. (line 3153)
+* gnutls_early_cipher_get: Core TLS API. (line 3071)
+* gnutls_early_prf_hash_get: Core TLS API. (line 3085)
+* gnutls_ecc_curve_get: Core TLS API. (line 3100)
+* gnutls_ecc_curve_get_id: Core TLS API. (line 3114)
+* gnutls_ecc_curve_get_name: Core TLS API. (line 3128)
+* gnutls_ecc_curve_get_oid: Core TLS API. (line 3142)
+* gnutls_ecc_curve_get_pk: Core TLS API. (line 3156)
+* gnutls_ecc_curve_get_size: Core TLS API. (line 3168)
+* gnutls_ecc_curve_list: Core TLS API. (line 3178)
+* gnutls_ecc_curve_mark_disabled: Core TLS API. (line 3190)
+* gnutls_ecc_curve_mark_enabled: Core TLS API. (line 3205)
* gnutls_encode_ber_digest_info: Cryptographic API. (line 689)
* gnutls_encode_gost_rs_value: Cryptographic API. (line 709)
* gnutls_encode_rs_value: Cryptographic API. (line 732)
* gnutls_error_is_fatal: Data transfer and termination.
(line 82)
-* gnutls_error_is_fatal <1>: Core TLS API. (line 3165)
+* gnutls_error_is_fatal <1>: Core TLS API. (line 3221)
* gnutls_error_to_alert: Handling alerts. (line 66)
-* gnutls_error_to_alert <1>: Core TLS API. (line 3185)
-* gnutls_est_record_overhead_size: Core TLS API. (line 3204)
-* gnutls_ext_get_current_msg: Core TLS API. (line 3231)
-* gnutls_ext_get_data: Core TLS API. (line 3249)
-* gnutls_ext_get_name: Core TLS API. (line 3268)
-* gnutls_ext_get_name2: Core TLS API. (line 3279)
-* gnutls_ext_raw_parse: Core TLS API. (line 3296)
-* gnutls_ext_register: Core TLS API. (line 3327)
-* gnutls_ext_set_data: Core TLS API. (line 3374)
-* gnutls_fingerprint: Core TLS API. (line 3391)
-* gnutls_fips140_mode_enabled: Core TLS API. (line 3418)
-* gnutls_fips140_set_mode: Core TLS API. (line 3436)
+* gnutls_error_to_alert <1>: Core TLS API. (line 3241)
+* gnutls_est_record_overhead_size: Core TLS API. (line 3260)
+* gnutls_ext_get_current_msg: Core TLS API. (line 3287)
+* gnutls_ext_get_data: Core TLS API. (line 3305)
+* gnutls_ext_get_name: Core TLS API. (line 3324)
+* gnutls_ext_get_name2: Core TLS API. (line 3335)
+* gnutls_ext_raw_parse: Core TLS API. (line 3352)
+* gnutls_ext_register: Core TLS API. (line 3383)
+* gnutls_ext_set_data: Core TLS API. (line 3430)
+* gnutls_fingerprint: Core TLS API. (line 3447)
+* gnutls_fips140_mode_enabled: Core TLS API. (line 3474)
+* gnutls_fips140_set_mode: Core TLS API. (line 3492)
* gnutls_get_system_config_file: System-wide configuration of the library.
(line 24)
-* gnutls_get_system_config_file <1>: Core TLS API. (line 3462)
-* gnutls_global_deinit: Core TLS API. (line 3476)
-* gnutls_global_init: Core TLS API. (line 3489)
+* gnutls_get_system_config_file <1>: Core TLS API. (line 3518)
+* gnutls_global_deinit: Core TLS API. (line 3532)
+* gnutls_global_init: Core TLS API. (line 3545)
* gnutls_global_set_audit_log_function: Debugging and auditing.
(line 64)
-* gnutls_global_set_audit_log_function <1>: Core TLS API. (line 3518)
-* gnutls_global_set_log_function: Core TLS API. (line 3537)
-* gnutls_global_set_log_level: Core TLS API. (line 3552)
+* gnutls_global_set_audit_log_function <1>: Core TLS API. (line 3574)
+* gnutls_global_set_log_function: Core TLS API. (line 3593)
+* gnutls_global_set_log_level: Core TLS API. (line 3608)
* gnutls_global_set_mem_functions: Compatibility API. (line 60)
-* gnutls_global_set_mutex: Core TLS API. (line 3565)
-* gnutls_global_set_time_function: Core TLS API. (line 3594)
-* gnutls_gost_paramset_get_name: Core TLS API. (line 3608)
-* gnutls_gost_paramset_get_oid: Core TLS API. (line 3622)
-* gnutls_group_get: Core TLS API. (line 3636)
-* gnutls_group_get_id: Core TLS API. (line 3649)
-* gnutls_group_get_name: Core TLS API. (line 3662)
-* gnutls_group_list: Core TLS API. (line 3675)
+* gnutls_global_set_mutex: Core TLS API. (line 3621)
+* gnutls_global_set_time_function: Core TLS API. (line 3650)
+* gnutls_gost_paramset_get_name: Core TLS API. (line 3664)
+* gnutls_gost_paramset_get_oid: Core TLS API. (line 3678)
+* gnutls_group_get: Core TLS API. (line 3692)
+* gnutls_group_get_id: Core TLS API. (line 3705)
+* gnutls_group_get_name: Core TLS API. (line 3718)
+* gnutls_group_list: Core TLS API. (line 3731)
* gnutls_handshake: TLS handshake. (line 10)
-* gnutls_handshake <1>: Core TLS API. (line 3689)
-* gnutls_handshake_description_get_name: Core TLS API. (line 3732)
-* gnutls_handshake_get_last_in: Core TLS API. (line 3744)
-* gnutls_handshake_get_last_out: Core TLS API. (line 3761)
+* gnutls_handshake <1>: Core TLS API. (line 3745)
+* gnutls_handshake_description_get_name: Core TLS API. (line 3788)
+* gnutls_handshake_get_last_in: Core TLS API. (line 3800)
+* gnutls_handshake_get_last_out: Core TLS API. (line 3817)
* gnutls_handshake_set_hook_function: Virtual hosts and credentials.
(line 56)
-* gnutls_handshake_set_hook_function <1>: Core TLS API. (line 3778)
-* gnutls_handshake_set_max_packet_length: Core TLS API. (line 3815)
+* gnutls_handshake_set_hook_function <1>: Core TLS API. (line 3834)
+* gnutls_handshake_set_max_packet_length: Core TLS API. (line 3871)
* gnutls_handshake_set_post_client_hello_function: Core TLS API.
- (line 3836)
-* gnutls_handshake_set_private_extensions: Core TLS API. (line 3867)
-* gnutls_handshake_set_random: Core TLS API. (line 3886)
-* gnutls_handshake_set_read_function: Core TLS API. (line 3908)
-* gnutls_handshake_set_secret_function: Core TLS API. (line 3922)
+ (line 3892)
+* gnutls_handshake_set_private_extensions: Core TLS API. (line 3923)
+* gnutls_handshake_set_random: Core TLS API. (line 3942)
+* gnutls_handshake_set_read_function: Core TLS API. (line 3964)
+* gnutls_handshake_set_secret_function: Core TLS API. (line 3978)
* gnutls_handshake_set_timeout: TLS handshake. (line 50)
-* gnutls_handshake_set_timeout <1>: Core TLS API. (line 3936)
-* gnutls_handshake_write: Core TLS API. (line 3956)
+* gnutls_handshake_set_timeout <1>: Core TLS API. (line 3992)
+* gnutls_handshake_write: Core TLS API. (line 4012)
* gnutls_hash: Cryptographic API. (line 753)
* gnutls_hash_copy: Cryptographic API. (line 771)
* gnutls_hash_deinit: Cryptographic API. (line 787)
@@ -7930,17 +7934,17 @@
* gnutls_hash_get_len: Cryptographic API. (line 821)
* gnutls_hash_init: Cryptographic API. (line 835)
* gnutls_hash_output: Cryptographic API. (line 853)
-* gnutls_heartbeat_allowed: Core TLS API. (line 3977)
-* gnutls_heartbeat_enable: Core TLS API. (line 3994)
-* gnutls_heartbeat_get_timeout: Core TLS API. (line 4018)
-* gnutls_heartbeat_ping: Core TLS API. (line 4034)
-* gnutls_heartbeat_pong: Core TLS API. (line 4066)
-* gnutls_heartbeat_set_timeouts: Core TLS API. (line 4082)
-* gnutls_hex2bin: Core TLS API. (line 4104)
-* gnutls_hex_decode: Core TLS API. (line 4127)
-* gnutls_hex_decode2: Core TLS API. (line 4149)
-* gnutls_hex_encode: Core TLS API. (line 4164)
-* gnutls_hex_encode2: Core TLS API. (line 4183)
+* gnutls_heartbeat_allowed: Core TLS API. (line 4033)
+* gnutls_heartbeat_enable: Core TLS API. (line 4050)
+* gnutls_heartbeat_get_timeout: Core TLS API. (line 4074)
+* gnutls_heartbeat_ping: Core TLS API. (line 4090)
+* gnutls_heartbeat_pong: Core TLS API. (line 4122)
+* gnutls_heartbeat_set_timeouts: Core TLS API. (line 4138)
+* gnutls_hex2bin: Core TLS API. (line 4160)
+* gnutls_hex_decode: Core TLS API. (line 4183)
+* gnutls_hex_decode2: Core TLS API. (line 4205)
+* gnutls_hex_encode: Core TLS API. (line 4220)
+* gnutls_hex_encode2: Core TLS API. (line 4239)
* gnutls_hkdf_expand: Cryptographic API. (line 867)
* gnutls_hkdf_extract: Cryptographic API. (line 891)
* gnutls_hmac: Cryptographic API. (line 912)
@@ -7952,25 +7956,25 @@
* gnutls_hmac_init: Cryptographic API. (line 1015)
* gnutls_hmac_output: Cryptographic API. (line 1041)
* gnutls_hmac_set_nonce: Cryptographic API. (line 1055)
-* gnutls_idna_map: Core TLS API. (line 4201)
-* gnutls_idna_reverse_map: Core TLS API. (line 4232)
+* gnutls_idna_map: Core TLS API. (line 4257)
+* gnutls_idna_reverse_map: Core TLS API. (line 4288)
* gnutls_init: Session initialization.
(line 14)
-* gnutls_init <1>: Core TLS API. (line 4258)
-* gnutls_key_generate: Core TLS API. (line 4281)
-* gnutls_kx_get: Core TLS API. (line 4298)
-* gnutls_kx_get_id: Core TLS API. (line 4315)
-* gnutls_kx_get_name: Core TLS API. (line 4327)
-* gnutls_kx_list: Core TLS API. (line 4339)
-* gnutls_load_file: Core TLS API. (line 4351)
-* gnutls_mac_get: Core TLS API. (line 4374)
-* gnutls_mac_get_id: Core TLS API. (line 4386)
-* gnutls_mac_get_key_size: Core TLS API. (line 4399)
-* gnutls_mac_get_name: Core TLS API. (line 4411)
+* gnutls_init <1>: Core TLS API. (line 4314)
+* gnutls_key_generate: Core TLS API. (line 4337)
+* gnutls_kx_get: Core TLS API. (line 4354)
+* gnutls_kx_get_id: Core TLS API. (line 4371)
+* gnutls_kx_get_name: Core TLS API. (line 4383)
+* gnutls_kx_list: Core TLS API. (line 4395)
+* gnutls_load_file: Core TLS API. (line 4407)
+* gnutls_mac_get: Core TLS API. (line 4430)
+* gnutls_mac_get_id: Core TLS API. (line 4442)
+* gnutls_mac_get_key_size: Core TLS API. (line 4455)
+* gnutls_mac_get_name: Core TLS API. (line 4467)
* gnutls_mac_get_nonce_size: Cryptographic API. (line 1070)
-* gnutls_mac_list: Core TLS API. (line 4423)
-* gnutls_memcmp: Core TLS API. (line 4435)
-* gnutls_memset: Core TLS API. (line 4456)
+* gnutls_mac_list: Core TLS API. (line 4479)
+* gnutls_memcmp: Core TLS API. (line 4491)
+* gnutls_memset: Core TLS API. (line 4512)
* gnutls_ocsp_req_add_cert: OCSP API. (line 12)
* gnutls_ocsp_req_add_cert_id: OCSP API. (line 36)
* gnutls_ocsp_req_deinit: OCSP API. (line 69)
@@ -8011,20 +8015,20 @@
* gnutls_ocsp_resp_print: OCSP API. (line 757)
* gnutls_ocsp_resp_verify: OCSP API. (line 780)
* gnutls_ocsp_resp_verify_direct: OCSP API. (line 818)
-* gnutls_ocsp_status_request_enable_client: Core TLS API. (line 4471)
-* gnutls_ocsp_status_request_get: Core TLS API. (line 4499)
-* gnutls_ocsp_status_request_get2: Core TLS API. (line 4518)
-* gnutls_ocsp_status_request_is_checked: Core TLS API. (line 4544)
-* gnutls_oid_to_digest: Core TLS API. (line 4578)
-* gnutls_oid_to_ecc_curve: Core TLS API. (line 4593)
-* gnutls_oid_to_gost_paramset: Core TLS API. (line 4605)
-* gnutls_oid_to_mac: Core TLS API. (line 4620)
-* gnutls_oid_to_pk: Core TLS API. (line 4635)
-* gnutls_oid_to_sign: Core TLS API. (line 4649)
+* gnutls_ocsp_status_request_enable_client: Core TLS API. (line 4527)
+* gnutls_ocsp_status_request_get: Core TLS API. (line 4555)
+* gnutls_ocsp_status_request_get2: Core TLS API. (line 4574)
+* gnutls_ocsp_status_request_is_checked: Core TLS API. (line 4600)
+* gnutls_oid_to_digest: Core TLS API. (line 4634)
+* gnutls_oid_to_ecc_curve: Core TLS API. (line 4649)
+* gnutls_oid_to_gost_paramset: Core TLS API. (line 4661)
+* gnutls_oid_to_mac: Core TLS API. (line 4676)
+* gnutls_oid_to_pk: Core TLS API. (line 4691)
+* gnutls_oid_to_sign: Core TLS API. (line 4705)
* gnutls_openpgp_privkey_sign_hash: Compatibility API. (line 95)
-* gnutls_openpgp_send_cert: Core TLS API. (line 4664)
-* gnutls_packet_deinit: Core TLS API. (line 4677)
-* gnutls_packet_get: Core TLS API. (line 4688)
+* gnutls_openpgp_send_cert: Core TLS API. (line 4720)
+* gnutls_packet_deinit: Core TLS API. (line 4733)
+* gnutls_packet_get: Core TLS API. (line 4744)
* gnutls_pbkdf2: Cryptographic API. (line 1083)
* gnutls_pcert_deinit: Abstract key API. (line 176)
* gnutls_pcert_export_openpgp: Abstract key API. (line 186)
@@ -8038,11 +8042,11 @@
* gnutls_pcert_import_x509_raw: Abstract key API. (line 370)
* gnutls_pcert_list_import_x509_file: Abstract key API. (line 393)
* gnutls_pcert_list_import_x509_raw: Abstract key API. (line 430)
-* gnutls_pem_base64_decode: Core TLS API. (line 4706)
-* gnutls_pem_base64_decode2: Core TLS API. (line 4730)
-* gnutls_pem_base64_encode: Core TLS API. (line 4758)
-* gnutls_pem_base64_encode2: Core TLS API. (line 4781)
-* gnutls_perror: Core TLS API. (line 4809)
+* gnutls_pem_base64_decode: Core TLS API. (line 4762)
+* gnutls_pem_base64_decode2: Core TLS API. (line 4786)
+* gnutls_pem_base64_encode: Core TLS API. (line 4814)
+* gnutls_pem_base64_encode2: Core TLS API. (line 4837)
+* gnutls_perror: Core TLS API. (line 4865)
* gnutls_pkcs11_add_provider: PKCS11 Manual Initialization.
(line 13)
* gnutls_pkcs11_add_provider <1>: PKCS 11 API. (line 12)
@@ -8183,39 +8187,39 @@
(line 122)
* gnutls_pkcs_schema_get_oid: X509 certificate API.
(line 137)
-* gnutls_pk_algorithm_get_name: Core TLS API. (line 4818)
+* gnutls_pk_algorithm_get_name: Core TLS API. (line 4874)
* gnutls_pk_bits_to_sec_param: Selecting cryptographic key sizes.
(line 91)
-* gnutls_pk_bits_to_sec_param <1>: Core TLS API. (line 4830)
-* gnutls_pk_get_id: Core TLS API. (line 4847)
-* gnutls_pk_get_name: Core TLS API. (line 4862)
-* gnutls_pk_get_oid: Core TLS API. (line 4876)
-* gnutls_pk_list: Core TLS API. (line 4891)
-* gnutls_pk_to_sign: Core TLS API. (line 4905)
-* gnutls_prf: Core TLS API. (line 4920)
-* gnutls_prf_early: Core TLS API. (line 4970)
-* gnutls_prf_hash_get: Core TLS API. (line 5015)
-* gnutls_prf_raw: Core TLS API. (line 5032)
+* gnutls_pk_bits_to_sec_param <1>: Core TLS API. (line 4886)
+* gnutls_pk_get_id: Core TLS API. (line 4903)
+* gnutls_pk_get_name: Core TLS API. (line 4918)
+* gnutls_pk_get_oid: Core TLS API. (line 4932)
+* gnutls_pk_list: Core TLS API. (line 4947)
+* gnutls_pk_to_sign: Core TLS API. (line 4961)
+* gnutls_prf: Core TLS API. (line 4976)
+* gnutls_prf_early: Core TLS API. (line 5026)
+* gnutls_prf_hash_get: Core TLS API. (line 5071)
+* gnutls_prf_raw: Core TLS API. (line 5088)
* gnutls_prf_rfc5705: Deriving keys for other applications/protocols.
(line 16)
-* gnutls_prf_rfc5705 <1>: Core TLS API. (line 5077)
-* gnutls_priority_certificate_type_list: Core TLS API. (line 5124)
-* gnutls_priority_certificate_type_list2: Core TLS API. (line 5145)
-* gnutls_priority_cipher_list: Core TLS API. (line 5165)
+* gnutls_prf_rfc5705 <1>: Core TLS API. (line 5133)
+* gnutls_priority_certificate_type_list: Core TLS API. (line 5180)
+* gnutls_priority_certificate_type_list2: Core TLS API. (line 5201)
+* gnutls_priority_cipher_list: Core TLS API. (line 5221)
* gnutls_priority_compression_list: Compatibility API. (line 111)
-* gnutls_priority_deinit: Core TLS API. (line 5180)
-* gnutls_priority_ecc_curve_list: Core TLS API. (line 5189)
-* gnutls_priority_get_cipher_suite_index: Core TLS API. (line 5207)
-* gnutls_priority_group_list: Core TLS API. (line 5232)
-* gnutls_priority_init: Core TLS API. (line 5247)
-* gnutls_priority_init2: Core TLS API. (line 5275)
-* gnutls_priority_kx_list: Core TLS API. (line 5383)
-* gnutls_priority_mac_list: Core TLS API. (line 5399)
-* gnutls_priority_protocol_list: Core TLS API. (line 5414)
-* gnutls_priority_set: Core TLS API. (line 5430)
-* gnutls_priority_set_direct: Core TLS API. (line 5448)
-* gnutls_priority_sign_list: Core TLS API. (line 5472)
-* gnutls_priority_string_list: Core TLS API. (line 5488)
+* gnutls_priority_deinit: Core TLS API. (line 5236)
+* gnutls_priority_ecc_curve_list: Core TLS API. (line 5245)
+* gnutls_priority_get_cipher_suite_index: Core TLS API. (line 5263)
+* gnutls_priority_group_list: Core TLS API. (line 5288)
+* gnutls_priority_init: Core TLS API. (line 5303)
+* gnutls_priority_init2: Core TLS API. (line 5331)
+* gnutls_priority_kx_list: Core TLS API. (line 5439)
+* gnutls_priority_mac_list: Core TLS API. (line 5455)
+* gnutls_priority_protocol_list: Core TLS API. (line 5470)
+* gnutls_priority_set: Core TLS API. (line 5486)
+* gnutls_priority_set_direct: Core TLS API. (line 5504)
+* gnutls_priority_sign_list: Core TLS API. (line 5528)
+* gnutls_priority_string_list: Core TLS API. (line 5544)
* gnutls_privkey_decrypt_data: Operations. (line 144)
* gnutls_privkey_decrypt_data <1>: Abstract key API. (line 465)
* gnutls_privkey_decrypt_data2: Abstract key API. (line 488)
@@ -8275,33 +8279,35 @@
* gnutls_privkey_status: Abstract key API. (line 1705)
* gnutls_privkey_verify_params: Abstract key API. (line 1721)
* gnutls_privkey_verify_seed: Abstract key API. (line 1734)
-* gnutls_protocol_get_id: Core TLS API. (line 5508)
-* gnutls_protocol_get_name: Core TLS API. (line 5520)
-* gnutls_protocol_get_version: Core TLS API. (line 5532)
-* gnutls_protocol_list: Core TLS API. (line 5543)
-* gnutls_psk_allocate_client_credentials: Core TLS API. (line 5555)
-* gnutls_psk_allocate_server_credentials: Core TLS API. (line 5567)
-* gnutls_psk_client_get_hint: Core TLS API. (line 5579)
-* gnutls_psk_free_client_credentials: Core TLS API. (line 5598)
-* gnutls_psk_free_server_credentials: Core TLS API. (line 5607)
-* gnutls_psk_server_get_username: Core TLS API. (line 5616)
-* gnutls_psk_server_get_username2: Core TLS API. (line 5636)
-* gnutls_psk_set_client_credentials: Core TLS API. (line 5657)
-* gnutls_psk_set_client_credentials2: Core TLS API. (line 5683)
+* gnutls_protocol_get_id: Core TLS API. (line 5564)
+* gnutls_protocol_get_name: Core TLS API. (line 5576)
+* gnutls_protocol_get_version: Core TLS API. (line 5588)
+* gnutls_protocol_list: Core TLS API. (line 5599)
+* gnutls_protocol_mark_disabled: Core TLS API. (line 5611)
+* gnutls_protocol_mark_enabled: Core TLS API. (line 5621)
+* gnutls_psk_allocate_client_credentials: Core TLS API. (line 5632)
+* gnutls_psk_allocate_server_credentials: Core TLS API. (line 5644)
+* gnutls_psk_client_get_hint: Core TLS API. (line 5656)
+* gnutls_psk_free_client_credentials: Core TLS API. (line 5675)
+* gnutls_psk_free_server_credentials: Core TLS API. (line 5684)
+* gnutls_psk_server_get_username: Core TLS API. (line 5693)
+* gnutls_psk_server_get_username2: Core TLS API. (line 5713)
+* gnutls_psk_set_client_credentials: Core TLS API. (line 5734)
+* gnutls_psk_set_client_credentials2: Core TLS API. (line 5760)
* gnutls_psk_set_client_credentials_function: PSK credentials.
(line 22)
* gnutls_psk_set_client_credentials_function <1>: Core TLS API.
- (line 5706)
-* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5731)
-* gnutls_psk_set_params_function: Core TLS API. (line 5760)
+ (line 5783)
+* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5808)
+* gnutls_psk_set_params_function: Core TLS API. (line 5837)
* gnutls_psk_set_server_credentials_file: PSK credentials. (line 59)
-* gnutls_psk_set_server_credentials_file <1>: Core TLS API. (line 5778)
-* gnutls_psk_set_server_credentials_function: Core TLS API. (line 5800)
-* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5825)
-* gnutls_psk_set_server_credentials_hint: Core TLS API. (line 5854)
-* gnutls_psk_set_server_dh_params: Core TLS API. (line 5873)
-* gnutls_psk_set_server_known_dh_params: Core TLS API. (line 5891)
-* gnutls_psk_set_server_params_function: Core TLS API. (line 5915)
+* gnutls_psk_set_server_credentials_file <1>: Core TLS API. (line 5855)
+* gnutls_psk_set_server_credentials_function: Core TLS API. (line 5877)
+* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5902)
+* gnutls_psk_set_server_credentials_hint: Core TLS API. (line 5931)
+* gnutls_psk_set_server_dh_params: Core TLS API. (line 5950)
+* gnutls_psk_set_server_known_dh_params: Core TLS API. (line 5968)
+* gnutls_psk_set_server_params_function: Core TLS API. (line 5992)
* gnutls_pubkey_deinit: Abstract key API. (line 1758)
* gnutls_pubkey_encrypt_data: Operations. (line 60)
* gnutls_pubkey_encrypt_data <1>: Abstract key API. (line 1768)
@@ -8351,169 +8357,171 @@
* gnutls_pubkey_verify_hash2: Operations. (line 33)
* gnutls_pubkey_verify_hash2 <1>: Abstract key API. (line 2681)
* gnutls_pubkey_verify_params: Abstract key API. (line 2711)
-* gnutls_random_art: Core TLS API. (line 5933)
-* gnutls_range_split: Core TLS API. (line 5960)
-* gnutls_reauth: Core TLS API. (line 5986)
-* gnutls_record_can_use_length_hiding: Core TLS API. (line 6032)
-* gnutls_record_check_corked: Core TLS API. (line 6050)
+* gnutls_random_art: Core TLS API. (line 6010)
+* gnutls_range_split: Core TLS API. (line 6037)
+* gnutls_reauth: Core TLS API. (line 6063)
+* gnutls_record_can_use_length_hiding: Core TLS API. (line 6109)
+* gnutls_record_check_corked: Core TLS API. (line 6127)
* gnutls_record_check_pending: Data transfer and termination.
(line 138)
-* gnutls_record_check_pending <1>: Core TLS API. (line 6064)
+* gnutls_record_check_pending <1>: Core TLS API. (line 6141)
* gnutls_record_cork: Buffered data transfer.
(line 12)
-* gnutls_record_cork <1>: Core TLS API. (line 6077)
-* gnutls_record_disable_padding: Core TLS API. (line 6091)
-* gnutls_record_discard_queued: Core TLS API. (line 6106)
+* gnutls_record_cork <1>: Core TLS API. (line 6154)
+* gnutls_record_disable_padding: Core TLS API. (line 6168)
+* gnutls_record_discard_queued: Core TLS API. (line 6183)
* gnutls_record_get_direction: Asynchronous operation.
(line 65)
-* gnutls_record_get_direction <1>: Core TLS API. (line 6125)
+* gnutls_record_get_direction <1>: Core TLS API. (line 6202)
* gnutls_record_get_discarded: Datagram TLS API. (line 209)
-* gnutls_record_get_max_early_data_size: Core TLS API. (line 6148)
-* gnutls_record_get_max_size: Core TLS API. (line 6164)
-* gnutls_record_get_state: Core TLS API. (line 6176)
-* gnutls_record_overhead_size: Core TLS API. (line 6207)
+* gnutls_record_get_max_early_data_size: Core TLS API. (line 6225)
+* gnutls_record_get_max_size: Core TLS API. (line 6241)
+* gnutls_record_get_state: Core TLS API. (line 6253)
+* gnutls_record_overhead_size: Core TLS API. (line 6284)
* gnutls_record_recv: Data transfer and termination.
(line 53)
-* gnutls_record_recv <1>: Core TLS API. (line 6220)
-* gnutls_record_recv_early_data: Core TLS API. (line 6252)
-* gnutls_record_recv_packet: Core TLS API. (line 6280)
+* gnutls_record_recv <1>: Core TLS API. (line 6297)
+* gnutls_record_recv_early_data: Core TLS API. (line 6329)
+* gnutls_record_recv_packet: Core TLS API. (line 6357)
* gnutls_record_recv_seq: Data transfer and termination.
(line 108)
-* gnutls_record_recv_seq <1>: Core TLS API. (line 6304)
+* gnutls_record_recv_seq <1>: Core TLS API. (line 6381)
* gnutls_record_send: Data transfer and termination.
(line 12)
-* gnutls_record_send <1>: Core TLS API. (line 6331)
+* gnutls_record_send <1>: Core TLS API. (line 6408)
* gnutls_record_send2: On Record Padding. (line 23)
-* gnutls_record_send2 <1>: Core TLS API. (line 6375)
-* gnutls_record_send_early_data: Core TLS API. (line 6408)
-* gnutls_record_send_range: Core TLS API. (line 6436)
-* gnutls_record_set_max_early_data_size: Core TLS API. (line 6465)
-* gnutls_record_set_max_recv_size: Core TLS API. (line 6484)
-* gnutls_record_set_max_size: Core TLS API. (line 6506)
-* gnutls_record_set_state: Core TLS API. (line 6535)
-* gnutls_record_set_timeout: Core TLS API. (line 6556)
+* gnutls_record_send2 <1>: Core TLS API. (line 6452)
+* gnutls_record_send_early_data: Core TLS API. (line 6485)
+* gnutls_record_send_range: Core TLS API. (line 6513)
+* gnutls_record_set_max_early_data_size: Core TLS API. (line 6542)
+* gnutls_record_set_max_recv_size: Core TLS API. (line 6561)
+* gnutls_record_set_max_size: Core TLS API. (line 6583)
+* gnutls_record_set_state: Core TLS API. (line 6612)
+* gnutls_record_set_timeout: Core TLS API. (line 6633)
* gnutls_record_uncork: Buffered data transfer.
(line 23)
-* gnutls_record_uncork <1>: Core TLS API. (line 6575)
+* gnutls_record_uncork <1>: Core TLS API. (line 6652)
* gnutls_register_custom_url: Application-specific keys.
(line 69)
* gnutls_register_custom_url <1>: Abstract key API. (line 2724)
* gnutls_rehandshake: TLS 1.2 re-authentication.
(line 70)
-* gnutls_rehandshake <1>: Core TLS API. (line 6600)
+* gnutls_rehandshake <1>: Core TLS API. (line 6677)
* gnutls_rnd: Random number generation.
(line 21)
* gnutls_rnd <1>: Cryptographic API. (line 1108)
* gnutls_rnd_refresh: Cryptographic API. (line 1130)
* gnutls_safe_renegotiation_status: TLS 1.2 re-authentication.
(line 44)
-* gnutls_safe_renegotiation_status <1>: Core TLS API. (line 6640)
-* gnutls_sec_param_get_name: Core TLS API. (line 6655)
+* gnutls_safe_renegotiation_status <1>: Core TLS API. (line 6717)
+* gnutls_sec_param_get_name: Core TLS API. (line 6732)
* gnutls_sec_param_to_pk_bits: Selecting cryptographic key sizes.
(line 75)
-* gnutls_sec_param_to_pk_bits <1>: Core TLS API. (line 6669)
-* gnutls_sec_param_to_symmetric_bits: Core TLS API. (line 6688)
-* gnutls_server_name_get: Core TLS API. (line 6702)
-* gnutls_server_name_set: Core TLS API. (line 6741)
-* gnutls_session_channel_binding: Core TLS API. (line 6772)
-* gnutls_session_enable_compatibility_mode: Core TLS API. (line 6793)
-* gnutls_session_etm_status: Core TLS API. (line 6813)
-* gnutls_session_ext_master_secret_status: Core TLS API. (line 6826)
-* gnutls_session_ext_register: Core TLS API. (line 6840)
-* gnutls_session_force_valid: Core TLS API. (line 6896)
-* gnutls_session_get_data: Core TLS API. (line 6907)
-* gnutls_session_get_data2: Core TLS API. (line 6927)
-* gnutls_session_get_desc: Core TLS API. (line 6975)
-* gnutls_session_get_flags: Core TLS API. (line 6992)
-* gnutls_session_get_id: Core TLS API. (line 7011)
+* gnutls_sec_param_to_pk_bits <1>: Core TLS API. (line 6746)
+* gnutls_sec_param_to_symmetric_bits: Core TLS API. (line 6765)
+* gnutls_server_name_get: Core TLS API. (line 6779)
+* gnutls_server_name_set: Core TLS API. (line 6818)
+* gnutls_session_channel_binding: Core TLS API. (line 6849)
+* gnutls_session_enable_compatibility_mode: Core TLS API. (line 6870)
+* gnutls_session_etm_status: Core TLS API. (line 6890)
+* gnutls_session_ext_master_secret_status: Core TLS API. (line 6903)
+* gnutls_session_ext_register: Core TLS API. (line 6917)
+* gnutls_session_force_valid: Core TLS API. (line 6973)
+* gnutls_session_get_data: Core TLS API. (line 6984)
+* gnutls_session_get_data2: Core TLS API. (line 7004)
+* gnutls_session_get_desc: Core TLS API. (line 7052)
+* gnutls_session_get_flags: Core TLS API. (line 7069)
+* gnutls_session_get_id: Core TLS API. (line 7088)
* gnutls_session_get_id2: Session resumption. (line 49)
-* gnutls_session_get_id2 <1>: Core TLS API. (line 7045)
-* gnutls_session_get_keylog_function: Core TLS API. (line 7078)
-* gnutls_session_get_master_secret: Core TLS API. (line 7092)
-* gnutls_session_get_ptr: Core TLS API. (line 7108)
-* gnutls_session_get_random: Core TLS API. (line 7120)
-* gnutls_session_get_verify_cert_status: Core TLS API. (line 7140)
+* gnutls_session_get_id2 <1>: Core TLS API. (line 7122)
+* gnutls_session_get_keylog_function: Core TLS API. (line 7155)
+* gnutls_session_get_master_secret: Core TLS API. (line 7169)
+* gnutls_session_get_ptr: Core TLS API. (line 7185)
+* gnutls_session_get_random: Core TLS API. (line 7197)
+* gnutls_session_get_verify_cert_status: Core TLS API. (line 7217)
* gnutls_session_is_resumed: Session resumption. (line 40)
-* gnutls_session_is_resumed <1>: Core TLS API. (line 7160)
-* gnutls_session_key_update: Core TLS API. (line 7172)
+* gnutls_session_is_resumed <1>: Core TLS API. (line 7237)
+* gnutls_session_key_update: Core TLS API. (line 7249)
* gnutls_session_resumption_requested: Session resumption. (line 150)
-* gnutls_session_resumption_requested <1>: Core TLS API. (line 7199)
-* gnutls_session_set_data: Core TLS API. (line 7212)
-* gnutls_session_set_id: Core TLS API. (line 7235)
-* gnutls_session_set_keylog_function: Core TLS API. (line 7256)
-* gnutls_session_set_premaster: Core TLS API. (line 7270)
-* gnutls_session_set_ptr: Core TLS API. (line 7305)
+* gnutls_session_resumption_requested <1>: Core TLS API. (line 7276)
+* gnutls_session_set_data: Core TLS API. (line 7289)
+* gnutls_session_set_id: Core TLS API. (line 7312)
+* gnutls_session_set_keylog_function: Core TLS API. (line 7333)
+* gnutls_session_set_premaster: Core TLS API. (line 7347)
+* gnutls_session_set_ptr: Core TLS API. (line 7382)
* gnutls_session_set_verify_cert: Certificate credentials.
(line 267)
-* gnutls_session_set_verify_cert <1>: Core TLS API. (line 7318)
-* gnutls_session_set_verify_cert2: Core TLS API. (line 7351)
-* gnutls_session_set_verify_function: Core TLS API. (line 7383)
+* gnutls_session_set_verify_cert <1>: Core TLS API. (line 7395)
+* gnutls_session_set_verify_cert2: Core TLS API. (line 7428)
+* gnutls_session_set_verify_function: Core TLS API. (line 7460)
* gnutls_session_set_verify_output_function: X509 certificate API.
(line 152)
-* gnutls_session_supplemental_register: Core TLS API. (line 7412)
-* gnutls_session_ticket_enable_client: Core TLS API. (line 7448)
+* gnutls_session_supplemental_register: Core TLS API. (line 7489)
+* gnutls_session_ticket_enable_client: Core TLS API. (line 7525)
* gnutls_session_ticket_enable_server: Session resumption. (line 117)
-* gnutls_session_ticket_enable_server <1>: Core TLS API. (line 7464)
+* gnutls_session_ticket_enable_server <1>: Core TLS API. (line 7541)
* gnutls_session_ticket_key_generate: Session resumption. (line 137)
-* gnutls_session_ticket_key_generate <1>: Core TLS API. (line 7487)
+* gnutls_session_ticket_key_generate <1>: Core TLS API. (line 7564)
* gnutls_session_ticket_send: Session resumption. (line 170)
-* gnutls_session_ticket_send <1>: Core TLS API. (line 7503)
-* gnutls_set_default_priority: Core TLS API. (line 7521)
-* gnutls_set_default_priority_append: Core TLS API. (line 7547)
-* gnutls_sign_algorithm_get: Core TLS API. (line 7583)
-* gnutls_sign_algorithm_get_client: Core TLS API. (line 7597)
-* gnutls_sign_algorithm_get_requested: Core TLS API. (line 7612)
-* gnutls_sign_get_hash_algorithm: Core TLS API. (line 7639)
-* gnutls_sign_get_id: Core TLS API. (line 7654)
-* gnutls_sign_get_name: Core TLS API. (line 7666)
-* gnutls_sign_get_oid: Core TLS API. (line 7678)
-* gnutls_sign_get_pk_algorithm: Core TLS API. (line 7692)
-* gnutls_sign_is_secure: Core TLS API. (line 7710)
-* gnutls_sign_is_secure2: Core TLS API. (line 7720)
-* gnutls_sign_list: Core TLS API. (line 7732)
-* gnutls_sign_supports_pk_algorithm: Core TLS API. (line 7743)
-* gnutls_srp_allocate_client_credentials: Core TLS API. (line 7761)
-* gnutls_srp_allocate_server_credentials: Core TLS API. (line 7773)
-* gnutls_srp_base64_decode: Core TLS API. (line 7785)
-* gnutls_srp_base64_decode2: Core TLS API. (line 7807)
-* gnutls_srp_base64_encode: Core TLS API. (line 7827)
-* gnutls_srp_base64_encode2: Core TLS API. (line 7849)
-* gnutls_srp_free_client_credentials: Core TLS API. (line 7870)
-* gnutls_srp_free_server_credentials: Core TLS API. (line 7879)
-* gnutls_srp_server_get_username: Core TLS API. (line 7888)
-* gnutls_srp_set_client_credentials: Core TLS API. (line 7901)
+* gnutls_session_ticket_send <1>: Core TLS API. (line 7580)
+* gnutls_set_default_priority: Core TLS API. (line 7598)
+* gnutls_set_default_priority_append: Core TLS API. (line 7624)
+* gnutls_sign_algorithm_get: Core TLS API. (line 7660)
+* gnutls_sign_algorithm_get_client: Core TLS API. (line 7674)
+* gnutls_sign_algorithm_get_requested: Core TLS API. (line 7689)
+* gnutls_sign_get_hash_algorithm: Core TLS API. (line 7716)
+* gnutls_sign_get_id: Core TLS API. (line 7731)
+* gnutls_sign_get_name: Core TLS API. (line 7743)
+* gnutls_sign_get_oid: Core TLS API. (line 7755)
+* gnutls_sign_get_pk_algorithm: Core TLS API. (line 7769)
+* gnutls_sign_is_secure: Core TLS API. (line 7787)
+* gnutls_sign_is_secure2: Core TLS API. (line 7797)
+* gnutls_sign_list: Core TLS API. (line 7809)
+* gnutls_sign_mark_insecure: Core TLS API. (line 7820)
+* gnutls_sign_mark_secure: Core TLS API. (line 7838)
+* gnutls_sign_supports_pk_algorithm: Core TLS API. (line 7859)
+* gnutls_srp_allocate_client_credentials: Core TLS API. (line 7877)
+* gnutls_srp_allocate_server_credentials: Core TLS API. (line 7889)
+* gnutls_srp_base64_decode: Core TLS API. (line 7901)
+* gnutls_srp_base64_decode2: Core TLS API. (line 7923)
+* gnutls_srp_base64_encode: Core TLS API. (line 7943)
+* gnutls_srp_base64_encode2: Core TLS API. (line 7965)
+* gnutls_srp_free_client_credentials: Core TLS API. (line 7986)
+* gnutls_srp_free_server_credentials: Core TLS API. (line 7995)
+* gnutls_srp_server_get_username: Core TLS API. (line 8004)
+* gnutls_srp_set_client_credentials: Core TLS API. (line 8017)
* gnutls_srp_set_client_credentials_function: SRP credentials.
(line 19)
* gnutls_srp_set_client_credentials_function <1>: Core TLS API.
- (line 7924)
-* gnutls_srp_set_prime_bits: Core TLS API. (line 7957)
+ (line 8040)
+* gnutls_srp_set_prime_bits: Core TLS API. (line 8073)
* gnutls_srp_set_server_credentials_file: SRP credentials. (line 56)
-* gnutls_srp_set_server_credentials_file <1>: Core TLS API. (line 7978)
+* gnutls_srp_set_server_credentials_file <1>: Core TLS API. (line 8094)
* gnutls_srp_set_server_credentials_function: SRP credentials.
(line 72)
* gnutls_srp_set_server_credentials_function <1>: Core TLS API.
- (line 7997)
-* gnutls_srp_set_server_fake_salt_seed: Core TLS API. (line 8035)
+ (line 8113)
+* gnutls_srp_set_server_fake_salt_seed: Core TLS API. (line 8151)
* gnutls_srp_verifier: Authentication using SRP.
(line 45)
-* gnutls_srp_verifier <1>: Core TLS API. (line 8072)
+* gnutls_srp_verifier <1>: Core TLS API. (line 8188)
* gnutls_srtp_get_keys: SRTP. (line 31)
-* gnutls_srtp_get_keys <1>: Core TLS API. (line 8101)
-* gnutls_srtp_get_mki: Core TLS API. (line 8139)
-* gnutls_srtp_get_profile_id: Core TLS API. (line 8157)
-* gnutls_srtp_get_profile_name: Core TLS API. (line 8173)
-* gnutls_srtp_get_selected_profile: Core TLS API. (line 8188)
-* gnutls_srtp_set_mki: Core TLS API. (line 8204)
-* gnutls_srtp_set_profile: Core TLS API. (line 8221)
-* gnutls_srtp_set_profile_direct: Core TLS API. (line 8238)
+* gnutls_srtp_get_keys <1>: Core TLS API. (line 8217)
+* gnutls_srtp_get_mki: Core TLS API. (line 8255)
+* gnutls_srtp_get_profile_id: Core TLS API. (line 8273)
+* gnutls_srtp_get_profile_name: Core TLS API. (line 8289)
+* gnutls_srtp_get_selected_profile: Core TLS API. (line 8304)
+* gnutls_srtp_set_mki: Core TLS API. (line 8320)
+* gnutls_srtp_set_profile: Core TLS API. (line 8337)
+* gnutls_srtp_set_profile_direct: Core TLS API. (line 8354)
* gnutls_store_commitment: Certificate verification.
(line 115)
-* gnutls_store_commitment <1>: Core TLS API. (line 8259)
+* gnutls_store_commitment <1>: Core TLS API. (line 8375)
* gnutls_store_pubkey: Certificate verification.
(line 64)
-* gnutls_store_pubkey <1>: Core TLS API. (line 8299)
-* gnutls_strerror: Core TLS API. (line 8348)
-* gnutls_strerror_name: Core TLS API. (line 8362)
+* gnutls_store_pubkey <1>: Core TLS API. (line 8415)
+* gnutls_strerror: Core TLS API. (line 8464)
+* gnutls_strerror_name: Core TLS API. (line 8478)
* gnutls_subject_alt_names_deinit: X509 certificate API.
(line 181)
* gnutls_subject_alt_names_get: X509 certificate API.
@@ -8522,22 +8530,22 @@
(line 221)
* gnutls_subject_alt_names_set: X509 certificate API.
(line 235)
-* gnutls_supplemental_get_name: Core TLS API. (line 8377)
-* gnutls_supplemental_recv: Core TLS API. (line 8390)
-* gnutls_supplemental_register: Core TLS API. (line 8405)
-* gnutls_supplemental_send: Core TLS API. (line 8436)
+* gnutls_supplemental_get_name: Core TLS API. (line 8493)
+* gnutls_supplemental_recv: Core TLS API. (line 8506)
+* gnutls_supplemental_register: Core TLS API. (line 8521)
+* gnutls_supplemental_send: Core TLS API. (line 8552)
* gnutls_system_key_add_x509: Abstract key API. (line 2750)
* gnutls_system_key_delete: Abstract key API. (line 2776)
* gnutls_system_key_iter_deinit: Abstract key API. (line 2792)
* gnutls_system_key_iter_get_info: Application-specific keys.
(line 20)
* gnutls_system_key_iter_get_info <1>: Abstract key API. (line 2803)
-* gnutls_system_recv_timeout: Core TLS API. (line 8450)
-* gnutls_tdb_deinit: Core TLS API. (line 8473)
-* gnutls_tdb_init: Core TLS API. (line 8482)
-* gnutls_tdb_set_store_commitment_func: Core TLS API. (line 8493)
-* gnutls_tdb_set_store_func: Core TLS API. (line 8513)
-* gnutls_tdb_set_verify_func: Core TLS API. (line 8532)
+* gnutls_system_recv_timeout: Core TLS API. (line 8566)
+* gnutls_tdb_deinit: Core TLS API. (line 8589)
+* gnutls_tdb_init: Core TLS API. (line 8598)
+* gnutls_tdb_set_store_commitment_func: Core TLS API. (line 8609)
+* gnutls_tdb_set_store_func: Core TLS API. (line 8629)
+* gnutls_tdb_set_verify_func: Core TLS API. (line 8648)
* gnutls_tpm_get_registered: TPM API. (line 12)
* gnutls_tpm_key_list_deinit: TPM API. (line 27)
* gnutls_tpm_key_list_get_url: TPM API. (line 38)
@@ -8546,44 +8554,44 @@
* gnutls_tpm_privkey_delete <2>: TPM API. (line 60)
* gnutls_tpm_privkey_generate: Key generation. (line 9)
* gnutls_tpm_privkey_generate <1>: TPM API. (line 76)
-* gnutls_transport_get_int: Core TLS API. (line 8554)
-* gnutls_transport_get_int2: Core TLS API. (line 8568)
-* gnutls_transport_get_ptr: Core TLS API. (line 8585)
-* gnutls_transport_get_ptr2: Core TLS API. (line 8598)
+* gnutls_transport_get_int: Core TLS API. (line 8670)
+* gnutls_transport_get_int2: Core TLS API. (line 8684)
+* gnutls_transport_get_ptr: Core TLS API. (line 8701)
+* gnutls_transport_get_ptr2: Core TLS API. (line 8714)
* gnutls_transport_set_errno: Setting up the transport layer.
(line 116)
-* gnutls_transport_set_errno <1>: Core TLS API. (line 8614)
-* gnutls_transport_set_errno_function: Core TLS API. (line 8637)
+* gnutls_transport_set_errno <1>: Core TLS API. (line 8730)
+* gnutls_transport_set_errno_function: Core TLS API. (line 8753)
* gnutls_transport_set_fastopen: Reducing round-trips.
(line 22)
* gnutls_transport_set_fastopen <1>: Socket specific API.
(line 11)
-* gnutls_transport_set_int: Core TLS API. (line 8655)
-* gnutls_transport_set_int2: Core TLS API. (line 8673)
-* gnutls_transport_set_ptr: Core TLS API. (line 8695)
-* gnutls_transport_set_ptr2: Core TLS API. (line 8708)
+* gnutls_transport_set_int: Core TLS API. (line 8771)
+* gnutls_transport_set_int2: Core TLS API. (line 8789)
+* gnutls_transport_set_ptr: Core TLS API. (line 8811)
+* gnutls_transport_set_ptr2: Core TLS API. (line 8824)
* gnutls_transport_set_pull_function: Setting up the transport layer.
(line 56)
-* gnutls_transport_set_pull_function <1>: Core TLS API. (line 8725)
+* gnutls_transport_set_pull_function <1>: Core TLS API. (line 8841)
* gnutls_transport_set_pull_timeout_function: Setting up the transport layer.
(line 71)
* gnutls_transport_set_pull_timeout_function <1>: Setting up the transport layer.
(line 156)
* gnutls_transport_set_pull_timeout_function <2>: Core TLS API.
- (line 8743)
+ (line 8859)
* gnutls_transport_set_push_function: Setting up the transport layer.
(line 23)
-* gnutls_transport_set_push_function <1>: Core TLS API. (line 8783)
+* gnutls_transport_set_push_function <1>: Core TLS API. (line 8899)
* gnutls_transport_set_vec_push_function: Setting up the transport layer.
(line 40)
-* gnutls_transport_set_vec_push_function <1>: Core TLS API. (line 8803)
+* gnutls_transport_set_vec_push_function <1>: Core TLS API. (line 8919)
* gnutls_url_is_supported: Abstract public keys.
(line 57)
-* gnutls_url_is_supported <1>: Core TLS API. (line 8822)
-* gnutls_utf8_password_normalize: Core TLS API. (line 8836)
+* gnutls_url_is_supported <1>: Core TLS API. (line 8938)
+* gnutls_utf8_password_normalize: Core TLS API. (line 8952)
* gnutls_verify_stored_pubkey: Certificate verification.
(line 18)
-* gnutls_verify_stored_pubkey <1>: Core TLS API. (line 8861)
+* gnutls_verify_stored_pubkey <1>: Core TLS API. (line 8977)
* gnutls_x509_aia_deinit: X509 certificate API.
(line 262)
* gnutls_x509_aia_get: X509 certificate API.
diff -ruN gnutls-3.7.2/doc/invoke-p11tool.texi gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi
--- gnutls-3.7.2/doc/invoke-p11tool.texi 2021-05-29 10:19:05.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi 2021-06-28 09:39:25.000000000 +0200
@@ -403,8 +403,9 @@
@anchor{p11tool write}
This is the ``writes the loaded objects to a pkcs #11 token'' option.
-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
- one of --load-privkey, --load-pubkey, --load-certificate option.
+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.
+
+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
@subsubheading id option.
@anchor{p11tool id}
diff -ruN gnutls-3.7.2/doc/Makefile.am gnutls-3.7.2-bootstrapped/doc/Makefile.am
--- gnutls-3.7.2/doc/Makefile.am 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/Makefile.am 2021-06-28 09:09:14.000000000 +0200
@@ -974,6 +974,10 @@
FUNCS += functions/gnutls_digest_get_oid.short
FUNCS += functions/gnutls_digest_list
FUNCS += functions/gnutls_digest_list.short
+FUNCS += functions/gnutls_digest_mark_insecure
+FUNCS += functions/gnutls_digest_mark_insecure.short
+FUNCS += functions/gnutls_digest_mark_secure
+FUNCS += functions/gnutls_digest_mark_secure.short
FUNCS += functions/gnutls_dtls_cookie_send
FUNCS += functions/gnutls_dtls_cookie_send.short
FUNCS += functions/gnutls_dtls_cookie_verify
@@ -1010,6 +1014,10 @@
FUNCS += functions/gnutls_ecc_curve_get_size.short
FUNCS += functions/gnutls_ecc_curve_list
FUNCS += functions/gnutls_ecc_curve_list.short
+FUNCS += functions/gnutls_ecc_curve_mark_disabled
+FUNCS += functions/gnutls_ecc_curve_mark_disabled.short
+FUNCS += functions/gnutls_ecc_curve_mark_enabled
+FUNCS += functions/gnutls_ecc_curve_mark_enabled.short
FUNCS += functions/gnutls_encode_ber_digest_info
FUNCS += functions/gnutls_encode_ber_digest_info.short
FUNCS += functions/gnutls_encode_gost_rs_value
@@ -1730,6 +1738,10 @@
FUNCS += functions/gnutls_protocol_get_version.short
FUNCS += functions/gnutls_protocol_list
FUNCS += functions/gnutls_protocol_list.short
+FUNCS += functions/gnutls_protocol_mark_disabled
+FUNCS += functions/gnutls_protocol_mark_disabled.short
+FUNCS += functions/gnutls_protocol_mark_enabled
+FUNCS += functions/gnutls_protocol_mark_enabled.short
FUNCS += functions/gnutls_psk_allocate_client_credentials
FUNCS += functions/gnutls_psk_allocate_client_credentials.short
FUNCS += functions/gnutls_psk_allocate_server_credentials
@@ -2024,6 +2036,10 @@
FUNCS += functions/gnutls_sign_is_secure2.short
FUNCS += functions/gnutls_sign_list
FUNCS += functions/gnutls_sign_list.short
+FUNCS += functions/gnutls_sign_mark_insecure
+FUNCS += functions/gnutls_sign_mark_insecure.short
+FUNCS += functions/gnutls_sign_mark_secure
+FUNCS += functions/gnutls_sign_mark_secure.short
FUNCS += functions/gnutls_sign_supports_pk_algorithm
FUNCS += functions/gnutls_sign_supports_pk_algorithm.short
FUNCS += functions/gnutls_srp_allocate_client_credentials
diff -ruN gnutls-3.7.2/doc/Makefile.in gnutls-3.7.2-bootstrapped/doc/Makefile.in
--- gnutls-3.7.2/doc/Makefile.in 2021-05-29 10:11:20.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/Makefile.in 2021-06-28 09:11:37.000000000 +0200
@@ -2697,6 +2697,10 @@
functions/gnutls_digest_get_oid.short \
functions/gnutls_digest_list \
functions/gnutls_digest_list.short \
+ functions/gnutls_digest_mark_insecure \
+ functions/gnutls_digest_mark_insecure.short \
+ functions/gnutls_digest_mark_secure \
+ functions/gnutls_digest_mark_secure.short \
functions/gnutls_dtls_cookie_send \
functions/gnutls_dtls_cookie_send.short \
functions/gnutls_dtls_cookie_verify \
@@ -2733,6 +2737,10 @@
functions/gnutls_ecc_curve_get_size.short \
functions/gnutls_ecc_curve_list \
functions/gnutls_ecc_curve_list.short \
+ functions/gnutls_ecc_curve_mark_disabled \
+ functions/gnutls_ecc_curve_mark_disabled.short \
+ functions/gnutls_ecc_curve_mark_enabled \
+ functions/gnutls_ecc_curve_mark_enabled.short \
functions/gnutls_encode_ber_digest_info \
functions/gnutls_encode_ber_digest_info.short \
functions/gnutls_encode_gost_rs_value \
@@ -3403,6 +3411,10 @@
functions/gnutls_protocol_get_version.short \
functions/gnutls_protocol_list \
functions/gnutls_protocol_list.short \
+ functions/gnutls_protocol_mark_disabled \
+ functions/gnutls_protocol_mark_disabled.short \
+ functions/gnutls_protocol_mark_enabled \
+ functions/gnutls_protocol_mark_enabled.short \
functions/gnutls_psk_allocate_client_credentials \
functions/gnutls_psk_allocate_client_credentials.short \
functions/gnutls_psk_allocate_server_credentials \
@@ -3692,6 +3704,10 @@
functions/gnutls_sign_is_secure2 \
functions/gnutls_sign_is_secure2.short \
functions/gnutls_sign_list functions/gnutls_sign_list.short \
+ functions/gnutls_sign_mark_insecure \
+ functions/gnutls_sign_mark_insecure.short \
+ functions/gnutls_sign_mark_secure \
+ functions/gnutls_sign_mark_secure.short \
functions/gnutls_sign_supports_pk_algorithm \
functions/gnutls_sign_supports_pk_algorithm.short \
functions/gnutls_srp_allocate_client_credentials \
diff -ruN gnutls-3.7.2/doc/manpages/certtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1
--- gnutls-3.7.2/doc/manpages/certtool.1 2021-05-29 10:15:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1 2021-06-28 09:35:22.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH certtool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH certtool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/danetool.1 gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1
--- gnutls-3.7.2/doc/manpages/danetool.1 2021-05-29 10:15:24.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1 2021-06-28 09:35:24.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH danetool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH danetool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1
--- gnutls-3.7.2/doc/manpages/gnutls-cli.1 2021-05-29 10:15:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1 2021-06-28 09:35:22.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH gnutls-cli 1 "29 May 2021" "3.7.2" "User Commands"
+.TH gnutls-cli 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1
--- gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 2021-05-29 10:15:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1 2021-06-28 09:35:22.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH gnutls-cli-debug 1 "29 May 2021" "3.7.2" "User Commands"
+.TH gnutls-cli-debug 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3
--- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,36 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_digest_mark_insecure" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_digest_mark_insecure \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t " dig ");"
+.SH ARGUMENTS
+.IP "gnutls_digest_algorithm_t dig" 12
+is a digest algorithm
+.SH "DESCRIPTION"
+Mark \fIdig\fP as insecure system wide. This only works if the allowlisting mode
+is used in the configuration file.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3
--- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,36 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_digest_mark_secure" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_digest_mark_secure \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_digest_mark_secure(gnutls_digest_algorithm_t " dig ");"
+.SH ARGUMENTS
+.IP "gnutls_digest_algorithm_t dig" 12
+is a digest algorithm
+.SH "DESCRIPTION"
+Invalidate previous system wide setting that marked \fIdig\fP as insecure. This
+only works if the allowlisting mode is used in the configuration file.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3
--- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3 2021-06-28 09:35:38.000000000 +0200
@@ -0,0 +1,39 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_ecc_curve_mark_disabled" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_ecc_curve_mark_disabled \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t " curve ");"
+.SH ARGUMENTS
+.IP "gnutls_ecc_curve_t curve" 12
+is an ECC curve
+.SH "DESCRIPTION"
+Mark \fIcurve\fP as disabled system wide. This setting can be reverted with
+\fBgnutls_ecc_curve_mark_enabled()\fP. This only works if the configuration file
+uses the allowlisting mode.
+.SH "RETURNS"
+0 on success or negative error code otherwise.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3
--- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,39 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_ecc_curve_mark_enabled" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_ecc_curve_mark_enabled \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t " curve ");"
+.SH ARGUMENTS
+.IP "gnutls_ecc_curve_t curve" 12
+is an ECC curve
+.SH "DESCRIPTION"
+Invalidate previous system wide setting that marked \fIcurve\fP as disabled. This
+only works if the curve is disabled with \fBgnutls_ecc_curve_mark_disabled()\fP or
+through the allowlisting mode in the configuration file.
+.SH "RETURNS"
+0 on success or negative error code otherwise.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3
--- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,34 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_protocol_mark_disabled" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_protocol_mark_disabled \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_protocol_mark_disabled(gnutls_protocol_t " version ");"
+.SH ARGUMENTS
+.IP "gnutls_protocol_t version" 12
+is a (gnutls) version number
+.SH "DESCRIPTION"
+Mark \fIversion\fP as disabled system wide. This only works if the allowlisting
+mode is used in the configuration file.
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3
--- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3 2021-06-28 09:35:40.000000000 +0200
@@ -0,0 +1,35 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_protocol_mark_enabled" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_protocol_mark_enabled \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_protocol_mark_enabled(gnutls_protocol_t " version ");"
+.SH ARGUMENTS
+.IP "gnutls_protocol_t version" 12
+is a (gnutls) version number
+.SH "DESCRIPTION"
+Invalidate previous system wide setting that marked \fIversion\fP as
+disabled. This only works if the allowlisting mode is used in the
+configuration file.
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls-serv.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1
--- gnutls-3.7.2/doc/manpages/gnutls-serv.1 2021-05-29 10:15:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1 2021-06-28 09:35:22.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH gnutls-serv 1 "29 May 2021" "3.7.2" "User Commands"
+.TH gnutls-serv 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3
--- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,42 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_sign_mark_insecure" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_sign_mark_insecure \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");"
+.SH ARGUMENTS
+.IP "gnutls_sign_algorithm_t sign" 12
+the sign algorithm
+.IP "unsigned flags" 12
+\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0
+.SH "DESCRIPTION"
+Mark \fIsign\fP as insecure system wide. This only works if the
+allowlisting mode is used in the configuration file.
+
+If \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set,
+and the algorithm was previously considered secure for all purposes,
+it only marks the algorithm as insecure for the use with certificates.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3
--- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,46 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_sign_mark_secure" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_sign_mark_secure \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_sign_mark_secure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");"
+.SH ARGUMENTS
+.IP "gnutls_sign_algorithm_t sign" 12
+the sign algorithm
+.IP "unsigned flags" 12
+\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0
+.SH "DESCRIPTION"
+Invalidate previous system wide setting that marked \fIsign\fP as
+insecure. This only works if the algorithm is marked as insecure
+with \fBgnutls_sign_mark_insecure()\fP or through the allowlisting mode
+in the configuration file.
+
+If \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set,
+it marks it the algorithm as secure for all purposes.
+If the absence of this flag, it will mark it as
+"secure, but not for certificates" at most,
+but it won't restrict anything either.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/Makefile.am gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am
--- gnutls-3.7.2/doc/manpages/Makefile.am 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am 2021-06-28 09:09:14.000000000 +0200
@@ -289,6 +289,8 @@
APIMANS += gnutls_digest_get_name.3
APIMANS += gnutls_digest_get_oid.3
APIMANS += gnutls_digest_list.3
+APIMANS += gnutls_digest_mark_insecure.3
+APIMANS += gnutls_digest_mark_secure.3
APIMANS += gnutls_dtls_cookie_send.3
APIMANS += gnutls_dtls_cookie_verify.3
APIMANS += gnutls_dtls_get_data_mtu.3
@@ -307,6 +309,8 @@
APIMANS += gnutls_ecc_curve_get_pk.3
APIMANS += gnutls_ecc_curve_get_size.3
APIMANS += gnutls_ecc_curve_list.3
+APIMANS += gnutls_ecc_curve_mark_disabled.3
+APIMANS += gnutls_ecc_curve_mark_enabled.3
APIMANS += gnutls_encode_ber_digest_info.3
APIMANS += gnutls_encode_gost_rs_value.3
APIMANS += gnutls_encode_rs_value.3
@@ -667,6 +671,8 @@
APIMANS += gnutls_protocol_get_name.3
APIMANS += gnutls_protocol_get_version.3
APIMANS += gnutls_protocol_list.3
+APIMANS += gnutls_protocol_mark_disabled.3
+APIMANS += gnutls_protocol_mark_enabled.3
APIMANS += gnutls_psk_allocate_client_credentials.3
APIMANS += gnutls_psk_allocate_server_credentials.3
APIMANS += gnutls_psk_client_get_hint.3
@@ -814,6 +820,8 @@
APIMANS += gnutls_sign_is_secure.3
APIMANS += gnutls_sign_is_secure2.3
APIMANS += gnutls_sign_list.3
+APIMANS += gnutls_sign_mark_insecure.3
+APIMANS += gnutls_sign_mark_secure.3
APIMANS += gnutls_sign_supports_pk_algorithm.3
APIMANS += gnutls_srp_allocate_client_credentials.3
APIMANS += gnutls_srp_allocate_server_credentials.3
diff -ruN gnutls-3.7.2/doc/manpages/Makefile.in gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in
--- gnutls-3.7.2/doc/manpages/Makefile.in 2021-05-29 10:11:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in 2021-06-28 09:11:38.000000000 +0200
@@ -2185,6 +2185,7 @@
gnutls_dh_params_init.3 gnutls_dh_set_prime_bits.3 \
gnutls_digest_get_id.3 gnutls_digest_get_name.3 \
gnutls_digest_get_oid.3 gnutls_digest_list.3 \
+ gnutls_digest_mark_insecure.3 gnutls_digest_mark_secure.3 \
gnutls_dtls_cookie_send.3 gnutls_dtls_cookie_verify.3 \
gnutls_dtls_get_data_mtu.3 gnutls_dtls_get_mtu.3 \
gnutls_dtls_get_timeout.3 gnutls_dtls_prestate_set.3 \
@@ -2194,6 +2195,8 @@
gnutls_ecc_curve_get_id.3 gnutls_ecc_curve_get_name.3 \
gnutls_ecc_curve_get_oid.3 gnutls_ecc_curve_get_pk.3 \
gnutls_ecc_curve_get_size.3 gnutls_ecc_curve_list.3 \
+ gnutls_ecc_curve_mark_disabled.3 \
+ gnutls_ecc_curve_mark_enabled.3 \
gnutls_encode_ber_digest_info.3 gnutls_encode_gost_rs_value.3 \
gnutls_encode_rs_value.3 gnutls_error_is_fatal.3 \
gnutls_error_to_alert.3 gnutls_est_record_overhead_size.3 \
@@ -2399,7 +2402,8 @@
gnutls_privkey_status.3 gnutls_privkey_verify_params.3 \
gnutls_privkey_verify_seed.3 gnutls_protocol_get_id.3 \
gnutls_protocol_get_name.3 gnutls_protocol_get_version.3 \
- gnutls_protocol_list.3 \
+ gnutls_protocol_list.3 gnutls_protocol_mark_disabled.3 \
+ gnutls_protocol_mark_enabled.3 \
gnutls_psk_allocate_client_credentials.3 \
gnutls_psk_allocate_server_credentials.3 \
gnutls_psk_client_get_hint.3 \
@@ -2498,6 +2502,7 @@
gnutls_sign_get_name.3 gnutls_sign_get_oid.3 \
gnutls_sign_get_pk_algorithm.3 gnutls_sign_is_secure.3 \
gnutls_sign_is_secure2.3 gnutls_sign_list.3 \
+ gnutls_sign_mark_insecure.3 gnutls_sign_mark_secure.3 \
gnutls_sign_supports_pk_algorithm.3 \
gnutls_srp_allocate_client_credentials.3 \
gnutls_srp_allocate_server_credentials.3 \
diff -ruN gnutls-3.7.2/doc/manpages/ocsptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1
--- gnutls-3.7.2/doc/manpages/ocsptool.1 2021-05-29 10:15:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1 2021-06-28 09:35:23.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ocsptool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH ocsptool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/p11tool.1 gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1
--- gnutls-3.7.2/doc/manpages/p11tool.1 2021-05-29 10:15:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1 2021-06-28 09:35:23.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH p11tool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH p11tool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
@@ -230,8 +230,9 @@
.NOP \f\*[B-Font]\-\-write\f[]
Writes the loaded objects to a PKCS #11 token.
.sp
-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
- one of \--load-privkey, \--load-pubkey, \--load-certificate option.
+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of \--load-privkey, \--load-pubkey, \--load-certificate option.
+.sp
+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
.TP
.NOP \f\*[B-Font]\-\-delete\f[]
Deletes the objects matching the given PKCS #11 URL.
diff -ruN gnutls-3.7.2/doc/manpages/psktool.1 gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1
--- gnutls-3.7.2/doc/manpages/psktool.1 2021-05-29 10:15:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1 2021-06-28 09:35:23.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH psktool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH psktool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/srptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1
--- gnutls-3.7.2/doc/manpages/srptool.1 2021-05-29 10:15:24.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1 2021-06-28 09:35:24.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH srptool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH srptool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/tpmtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1
--- gnutls-3.7.2/doc/manpages/tpmtool.1 2021-05-29 10:15:23.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1 2021-06-28 09:35:23.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH tpmtool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH tpmtool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/reference/gnutls-sections.txt gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt
--- gnutls-3.7.2/doc/reference/gnutls-sections.txt 2021-05-29 10:23:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt 2021-06-28 09:56:37.000000000 +0200
@@ -267,6 +267,8 @@
encipher_type
GNUTLS_SIGN_FLAG_TLS13_OK
GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE
+GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE
+GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE
gnutls_sign_entry_st
gnutls_ecc_curve_entry_st
MAX_ECC_CURVE_SIZE
@@ -1486,6 +1488,14 @@
gnutls_sign_algorithm_get_requested
gnutls_cipher_get_name
gnutls_oid_to_digest
+gnutls_ecc_curve_mark_disabled
+gnutls_ecc_curve_mark_enabled
+gnutls_sign_mark_insecure
+gnutls_sign_mark_secure
+gnutls_digest_mark_insecure
+gnutls_digest_mark_secure
+gnutls_protocol_mark_disabled
+gnutls_protocol_mark_enabled
gnutls_error_is_fatal
gnutls_perror
gnutls_strerror
@@ -2268,6 +2278,8 @@
gnutls_group_entry_st
GNUTLS_MAC_FLAG_PREIMAGE_INSECURE
GNUTLS_MAC_FLAG_CONTINUOUS_MAC
+GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE
+GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE
mac_entry_st
version_entry_st
sign_algorithm_st
diff -ruN gnutls-3.7.2/lib/algorithms/ecc.c gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c
--- gnutls-3.7.2/lib/algorithms/ecc.c 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c 2021-06-28 09:09:14.000000000 +0200
@@ -351,13 +351,83 @@
return ret;
}
-int _gnutls_ecc_curve_mark_disabled(const char *name)
+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
+int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve)
{
gnutls_ecc_curve_entry_st *p;
for(p = ecc_curves; p->name != NULL; p++) {
- if (c_strcasecmp(p->name, name) == 0) {
- p->supported = 0;
+ if (p->id == curve) {
+ p->supported = false;
+ return 0;
+ }
+ }
+
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+}
+
+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
+void _gnutls_ecc_curve_mark_disabled_all(void)
+{
+ gnutls_ecc_curve_entry_st *p;
+
+ for(p = ecc_curves; p->name != NULL; p++) {
+ p->supported = false;
+ p->supported_revertible = true;
+ }
+}
+
+/**
+ * gnutls_ecc_curve_mark_enabled:
+ * @curve: is an ECC curve
+ *
+ * Mark @curve as disabled system wide. This setting can be reverted with
+ * gnutls_ecc_curve_mark_enabled(). This only works if the configuration file
+ * uses the allowlisting mode.
+ *
+ * Returns: 0 on success or negative error code otherwise.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve)
+{
+ gnutls_ecc_curve_entry_st *p;
+
+ for(p = ecc_curves; p->name != NULL; p++) {
+ if (p->id == curve) {
+ if (!p->supported_revertible) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->supported = false;
+ return 0;
+ }
+ }
+
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+}
+
+/**
+ * gnutls_ecc_curve_mark_enabled:
+ * @curve: is an ECC curve
+ *
+ * Invalidate previous system wide setting that marked @curve as disabled. This
+ * only works if the curve is disabled with gnutls_ecc_curve_mark_disabled() or
+ * through the allowlisting mode in the configuration file.
+ *
+ * Returns: 0 on success or negative error code otherwise.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve)
+{
+ gnutls_ecc_curve_entry_st *p;
+
+ for(p = ecc_curves; p->name != NULL; p++) {
+ if (p->id == curve) {
+ if (!p->supported_revertible) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->supported = true;
return 0;
}
}
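Review bot: The gdoc header above `gnutls_ecc_curve_mark_disabled()` is titled `gnutls_ecc_curve_mark_enabled:`, so two comment blocks in this hunk carry the same name and the text for the disable function is filed under the wrong symbol for any tool or reader that keys on that first line. The title should read ` * gnutls_ecc_curve_mark_disabled:`. The body of `gnutls_ecc_curve_mark_enabled()` continues past the end of the hunk.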
diff -ruN gnutls-3.7.2/lib/algorithms/groups.c gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c
--- gnutls-3.7.2/lib/algorithms/groups.c 2021-04-19 09:28:28.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c 2021-06-28 09:09:14.000000000 +0200
@@ -276,6 +276,24 @@
return ret;
}
+
+/* Similar to gnutls_group_get_id, except that it does not check if
+ * the curve is supported.
+ */
+gnutls_group_t _gnutls_group_get_id(const char *name)
+{
+ gnutls_group_t ret = GNUTLS_GROUP_INVALID;
+
+ GNUTLS_GROUP_LOOP(
+ if (c_strcasecmp(p->name, name) == 0) {
+ ret = p->id;
+ break;
+ }
+ );
+
+ return ret;
+}
+
/**
* gnutls_group_get_name:
* @group: is an element from %gnutls_group_t
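Review bot: The comment on `_gnutls_group_get_id()` says the support check is skipped but not what that means for callers: a return other than `GNUTLS_GROUP_INVALID` no longer implies the group can be negotiated. I would extend it to `/* Look up a group by name without checking whether its curve is supported or enabled; a valid id does not mean the group is usable. */`. The callers are not visible in this hunk, so it is also worth confirming that `name` can never be NULL, since it goes straight into `c_strcasecmp()`.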
diff -ruN gnutls-3.7.2/lib/algorithms/mac.c gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c
--- gnutls-3.7.2/lib/algorithms/mac.c 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c 2021-06-28 09:09:14.000000000 +0200
@@ -291,13 +291,56 @@
return ret;
}
-int _gnutls_digest_mark_insecure(const char *name)
+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
+int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig)
{
#ifndef DISABLE_SYSTEM_CONFIG
mac_entry_st *p;
for(p = hash_algorithms; p->name != NULL; p++) {
- if (p->oid != NULL && c_strcasecmp(p->name, name) == 0) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
+ p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
+ return 0;
+ }
+ }
+
+#endif
+ return GNUTLS_E_INVALID_REQUEST;
+}
+
+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
+void _gnutls_digest_mark_insecure_all(void)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ mac_entry_st *p;
+
+ for(p = hash_algorithms; p->name != NULL; p++) {
+ p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE |
+ GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
+ }
+
+#endif
+}
+
+/**
+ * gnutls_digest_mark_insecure:
+ * @dig: is a digest algorithm
+ *
+ * Mark @dig as insecure system wide. This only works if the allowlisting mode
+ * is used in the configuration file.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ mac_entry_st *p;
+
+ for(p = hash_algorithms; p->name != NULL; p++) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
+ if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
return 0;
}
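Review bot: `gnutls_digest_mark_insecure()` has no `Returns:` paragraph, and its failure modes matter to callers. It returns `GNUTLS_E_INVALID_REQUEST` when the digest was not made revertible by the allowlisting configuration, when no entry with an OID matches, and, judging by the `#ifndef DISABLE_SYSTEM_CONFIG` guard, always when system configuration is compiled out. A caller that ignores the result will assume the digest is now rejected when nothing changed. Add ` * Returns: 0 on success or negative error code otherwise.` as the ecc.c functions do; the same line is missing from `gnutls_digest_mark_secure()`, both `gnutls_protocol_mark_*()` functions and both `gnutls_sign_mark_*()` functions. The end of this function lies outside the hunk.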
@@ -307,6 +350,34 @@
return GNUTLS_E_INVALID_REQUEST;
}
+/**
+ * gnutls_digest_mark_secure:
+ * @dig: is a digest algorithm
+ *
+ * Invalidate previous system wide setting that marked @dig as insecure. This
+ * only works if the allowlisting mode is used in the configuration file.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ mac_entry_st *p;
+
+ for(p = hash_algorithms; p->name != NULL; p++) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
+ if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->flags &= ~GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
+ return 0;
+ }
+ }
+
+#endif
+ return GNUTLS_E_INVALID_REQUEST;
+}
+
unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig)
{
const mac_entry_st *p;
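Review bot: `gnutls_digest_mark_secure()` clears `GNUTLS_MAC_FLAG_PREIMAGE_INSECURE` with a plain read-modify-write on the shared `hash_algorithms` table, and nothing in the hunk takes a lock or limits the call to initialisation time. A thread checking a digest while this runs may see either policy, and any code in the process can relax the system policy at any point. Unless synchronisation happens outside the visible lines, the comment should state the contract, e.g. ` * This function is not thread safe; call it before any session or verification uses the library.`, or the update should be guarded. The same applies to the `mark_*` setters added in ecc.c, protocols.c and sign.c.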
@@ -320,6 +391,21 @@
return 1;
}
+bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig, unsigned flags)
+{
+ const mac_entry_st *p;
+
+ for(p = hash_algorithms; p->name != NULL; p++) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
+ return (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE &&
+ !(flags & GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE &&
+ p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE));
+ }
+ }
+
+ return true;
+}
+
/**
* gnutls_mac_get_id:
* @name: is a MAC algorithm name
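Review bot: `_gnutls_digest_is_insecure2()` has no comment, and its return expression mixes `&` and `&&` without parentheses, which makes a security decision harder to audit than it needs to be. I would write it as `return (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE) && !((flags & GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE) && (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE));`. A header comment should say that a digest not found in the table is reported as insecure, and that `GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE` makes digests whose insecure mark is revertible count as acceptable.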
diff -ruN gnutls-3.7.2/lib/algorithms/protocols.c gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c
--- gnutls-3.7.2/lib/algorithms/protocols.c 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c 2021-06-28 09:09:14.000000000 +0200
@@ -198,14 +198,82 @@
return 0;
}
-int _gnutls_version_mark_disabled(const char *name)
+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
+int _gnutls_version_mark_disabled(gnutls_protocol_t version)
{
#ifndef DISABLE_SYSTEM_CONFIG
version_entry_st *p;
for (p = sup_versions; p->name != NULL; p++)
- if (c_strcasecmp(p->name, name) == 0) {
- p->supported = 0;
+ if (p->id == version) {
+ p->supported = false;
+ return 0;
+ }
+
+#endif
+ return GNUTLS_E_INVALID_REQUEST;
+}
+
+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
+void _gnutls_version_mark_disabled_all(void)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ version_entry_st *p;
+
+ for (p = sup_versions; p->name != NULL; p++) {
+ p->supported = false;
+ p->supported_revertible = true;
+ }
+
+#endif
+}
+
+/**
+ * gnutls_protocol_mark_disabled:
+ * @version: is a (gnutls) version number
+ *
+ * Mark @version as disabled system wide. This only works if the allowlisting
+ * mode is used in the configuration file.
+ *
+ */
+int gnutls_protocol_mark_disabled(gnutls_protocol_t version)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ version_entry_st *p;
+
+ for (p = sup_versions; p->name != NULL; p++)
+ if (p->id == version) {
+ if (!p->supported_revertible) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->supported = false;
+ return 0;
+ }
+
+#endif
+ return GNUTLS_E_INVALID_REQUEST;
+}
+
+/**
+ * gnutls_protocol_mark_enabled:
+ * @version: is a (gnutls) version number
+ *
+ * Invalidate previous system wide setting that marked @version as
+ * disabled. This only works if the allowlisting mode is used in the
+ * configuration file.
+ *
+ */
+int gnutls_protocol_mark_enabled(gnutls_protocol_t version)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ version_entry_st *p;
+
+ for (p = sup_versions; p->name != NULL; p++)
+ if (p->id == version) {
+ if (!p->supported_revertible) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->supported = true;
return 0;
}
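Review bot: The gdoc blocks for `gnutls_protocol_mark_disabled()` and `gnutls_protocol_mark_enabled()` end without a `Since:` tag, while the digest, curve and signature functions added by this patch all carry ` * Since: 3.7.3`. Adding that line to both blocks keeps the generated manpages consistent and tells integrators which library version they need before relying on these calls. The `for` loops in both functions also have no braces around a multi-line `if`, unlike the loops in ecc.c and mac.c. The body of `gnutls_protocol_mark_enabled()` continues outside the hunk.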
@@ -469,6 +537,25 @@
return supported_protocols;
}
+/* Return all versions, including non-supported ones.
+ */
+const gnutls_protocol_t *_gnutls_protocol_list(void)
+{
+ const version_entry_st *p;
+ static gnutls_protocol_t protocols[MAX_ALGOS] = { 0 };
+
+ if (protocols[0] == 0) {
+ int i = 0;
+
+ for (p = sup_versions; p->name != NULL; p++) {
+ protocols[i++] = p->id;
+ }
+ protocols[i++] = 0;
+ }
+
+ return protocols;
+}
+
/* Returns a version number given the major and minor numbers.
*/
gnutls_protocol_t _gnutls_version_get(uint8_t major, uint8_t minor)
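Review bot: The fill loop in `_gnutls_protocol_list()` stores to `protocols[i++]` with no bound, so the static `protocols[MAX_ALGOS]` array is overrun if `sup_versions` ever holds `MAX_ALGOS` entries or more (the terminator needs a slot as well). Bounding the loop costs one condition: `for (p = sup_versions; p->name != NULL && i < MAX_ALGOS - 1; p++)`. The lazy fill is keyed on `protocols[0]`, which the first store sets, so a second thread entering during the fill could read a partly built list; that deserves a comment if callers are not serialised. The value of `MAX_ALGOS` and the size of the table are not visible here.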
diff -ruN gnutls-3.7.2/lib/algorithms/sign.c gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c
--- gnutls-3.7.2/lib/algorithms/sign.c 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c 2021-06-28 09:09:14.000000000 +0200
@@ -453,16 +453,23 @@
bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags)
{
- if (se->hash != GNUTLS_DIG_UNKNOWN && _gnutls_digest_is_insecure(se->hash))
- return gnutls_assert_val(0);
+ if (se->hash != GNUTLS_DIG_UNKNOWN &&
+ _gnutls_digest_is_insecure2(se->hash,
+ flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE ?
+ GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE :
+ 0)) {
+ return gnutls_assert_val(false);
+ }
- if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS)
- return (se->slevel==_SECURE)?1:0;
- else
- return (se->slevel==_SECURE || se->slevel == _INSECURE_FOR_CERTS)?1:0;
+ return (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS ?
+ se->slevel == _SECURE :
+ (se->slevel == _SECURE || se->slevel == _INSECURE_FOR_CERTS)) ||
+ (flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE &&
+ se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE);
}
-int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t level)
+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
+int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, hash_security_level_t level)
{
#ifndef DISABLE_SYSTEM_CONFIG
gnutls_sign_entry_st *p;
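Review bot: The new return in `_gnutls_sign_is_secure2()` folds the level test and the revertible override into one expression of `?:`, `||`, `&&` and unparenthesised `&`, which is hard to check by eye in a function that decides whether a signature algorithm is accepted. Hoisting the override into its own guard after the digest check reads more directly: `if ((flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE) && (se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) return true;`, followed by the plain level comparison. With that flag set, `se->slevel` is ignored for every revertible entry, so a comment naming which callers are expected to pass it would help. `_gnutls_sign_mark_insecure()` starts at the end of this hunk and continues outside it.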
@@ -471,11 +478,106 @@
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
for(p = sign_algorithms; p->name != NULL; p++) {
- if (c_strcasecmp(p->name, name) == 0) {
+ if (p->id && p->id == sign) {
+ if (p->slevel < level)
p->slevel = level;
return 0;
}
}
+#endif
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+}
+
+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
+void _gnutls_sign_mark_insecure_all(hash_security_level_t level)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ gnutls_sign_entry_st *p;
+
+ for(p = sign_algorithms; p->name != NULL; p++) {
+ if (p->slevel < level)
+ p->slevel = level;
+ p->flags |= GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE;
+ }
+#endif
+}
+
+/**
+ * gnutls_sign_mark_insecure:
+ * @sign: the sign algorithm
+ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0
+ *
+ * Mark @sign as insecure system wide. This only works if the
+ * allowlisting mode is used in the configuration file.
+ *
+ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set,
+ * and the algorithm was previously considered secure for all purposes,
+ * it only marks the algorithm as insecure for the use with certificates.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ gnutls_sign_entry_st *p;
+
+ for(p = sign_algorithms; p->name != NULL; p++) {
+ if (p->id && p->id == sign) {
+ if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) {
+ if (p->slevel < _INSECURE_FOR_CERTS)
+ p->slevel = _INSECURE_FOR_CERTS;
+ } else {
+ p->slevel = _INSECURE;
+ }
+ return 0;
+ }
+ }
+#endif
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+}
+// TODO: really not sure about the intuitiveness of the interface of this one,
+// the flag naming isn't ideal here
+
+/**
+ * gnutls_sign_mark_secure:
+ * @sign: the sign algorithm
+ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0
+ *
+ * Invalidate previous system wide setting that marked @sign as
+ * insecure. This only works if the algorithm is marked as insecure
+ * with gnutls_sign_mark_insecure() or through the allowlisting mode
+ * in the configuration file.
+ *
+ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set,
+ * it marks it the algorithm as secure for all purposes.
+ * If the absence of this flag, it will mark it as
+ * "secure, but not for certificates" at most,
+ * but it won't restrict anything either.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ gnutls_sign_entry_st *p;
+
+ for(p = sign_algorithms; p->name != NULL; p++) {
+ if (p->id && p->id == sign) {
+ if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) {
+ p->slevel = _SECURE;
+ } else {
+ if (p->slevel > _INSECURE_FOR_CERTS)
+ p->slevel = _INSECURE_FOR_CERTS;
+ }
+ return 0;
+ }
+ }
#endif
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
diff -ruN gnutls-3.7.2/lib/algorithms.h gnutls-3.7.2-bootstrapped/lib/algorithms.h
--- gnutls-3.7.2/lib/algorithms.h 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms.h 2021-06-28 09:09:14.000000000 +0200
@@ -345,15 +345,27 @@
_INSECURE
} hash_security_level_t;
-int _gnutls_ecc_curve_mark_disabled(const char *name);
-int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t);
-int _gnutls_digest_mark_insecure(const char *name);
+int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve);
+int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t, hash_security_level_t);
+int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig);
unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig);
-int _gnutls_version_mark_disabled(const char *name);
+bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig, unsigned flags);
+const gnutls_protocol_t *_gnutls_protocol_list(void);
+int _gnutls_version_mark_disabled(gnutls_protocol_t version);
gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name);
+/* these functions are for revertible settings, meaning that algorithms marked
+ * as disabled/insecure with mark_*_all functions can be re-enabled with
+ * mark_{enabled,secure} functions */
+void _gnutls_ecc_curve_mark_disabled_all(void);
+void _gnutls_sign_mark_insecure_all(hash_security_level_t level);
+void _gnutls_digest_mark_insecure_all(void);
+void _gnutls_version_mark_disabled_all(void);
+
#define GNUTLS_SIGN_FLAG_TLS13_OK 1 /* if it is ok to use under TLS1.3 */
#define GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE (1 << 1) /* reverse order of bytes in CrtVrfy signature */
+#define GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE (1 << 2)
+#define GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3)
struct gnutls_sign_entry_st {
const char *name;
const char *oid;
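Review bot: `GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE` and `GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE` are added without the trailing comment that the two flags above them carry, although the first decides whether `gnutls_sign_mark_secure()` and `gnutls_sign_mark_insecure()` are honoured for an entry. Going by the check in those two functions, the first could read `/* security level may be changed at run time through gnutls_sign_mark_{secure,insecure}() */`. The second presumably mirrors `GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE` from gnutls_int.h, as a flag passed to `_gnutls_sign_is_secure2()`. Its users are not visible in this hunk, so that wording should be confirmed against them. `struct gnutls_sign_entry_st` continues past the end of the hunk.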
@@ -448,6 +460,7 @@
unsigned sig_size; /* the size of curve signatures in bytes (EdDSA) */
unsigned gost_curve;
bool supported;
+ bool supported_revertible;
gnutls_group_t group;
} gnutls_ecc_curve_entry_st;
@@ -459,6 +472,7 @@
gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t);
const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num);
const gnutls_group_entry_st * _gnutls_id_to_group(unsigned id);
+gnutls_group_t _gnutls_group_get_id(const char *name);
gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk, int bits);
#define MAX_ECC_CURVE_SIZE 66
diff -ruN gnutls-3.7.2/lib/gnutls_int.h gnutls-3.7.2-bootstrapped/lib/gnutls_int.h
--- gnutls-3.7.2/lib/gnutls_int.h 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/gnutls_int.h 2021-06-28 09:09:14.000000000 +0200
@@ -662,6 +662,8 @@
#define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE 1 /* if this algorithm should not be trusted for pre-image attacks */
#define GNUTLS_MAC_FLAG_CONTINUOUS_MAC (1 << 1) /* if this MAC should be used in a 'continuous' way in TLS */
+#define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE (1 << 2) /* if this algorithm should not be trusted for pre-image attacks, but can be enabled through API */
+#define GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3) /* when checking with _gnutls_digest_is_insecure2, don't treat revertible setting as fatal */
/* This structure is used both for MACs and digests
*/
typedef struct mac_entry_st {
@@ -685,6 +687,7 @@
uint8_t minor; /* defined by the protocol */
transport_t transport; /* Type of transport, stream or datagram */
bool supported; /* 0 not supported, > 0 is supported */
+ bool supported_revertible;
bool explicit_iv;
bool extensions; /* whether it supports extensions */
bool selectable_sighash; /* whether signatures can be selected */
diff -ruN gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in
--- gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in 2021-06-28 09:09:14.000000000 +0200
@@ -1438,6 +1438,16 @@
gnutls_mac_algorithm_t * mac,
gnutls_protocol_t * min_version);
+ /* functions for run-time enablement of algorithms */
+int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve);
+int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve);
+int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags);
+int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags);
+int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig);
+int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig);
+int gnutls_protocol_mark_disabled(gnutls_protocol_t version);
+int gnutls_protocol_mark_enabled(gnutls_protocol_t version);
+
/* error functions */
int gnutls_error_is_fatal(int error) __GNUTLS_CONST__;
int gnutls_error_to_alert(int err, int *level);
diff -ruN gnutls-3.7.2/lib/libgnutls.map gnutls-3.7.2-bootstrapped/lib/libgnutls.map
--- gnutls-3.7.2/lib/libgnutls.map 2021-05-29 07:16:27.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/libgnutls.map 2021-06-28 09:09:14.000000000 +0200
@@ -1355,6 +1355,21 @@
*;
} GNUTLS_3_7_0;
+GNUTLS_3_7_3
+{
+ global:
+ gnutls_ecc_curve_mark_disabled;
+ gnutls_ecc_curve_mark_enabled;
+ gnutls_sign_mark_insecure;
+ gnutls_sign_mark_secure;
+ gnutls_digest_mark_insecure;
+ gnutls_digest_mark_secure;
+ gnutls_protocol_mark_disabled;
+ gnutls_protocol_mark_enabled;
+ local:
+ *;
+} GNUTLS_3_7_2;
+
GNUTLS_FIPS140_3_4 {
global:
gnutls_cipher_self_test;
diff -ruN gnutls-3.7.2/lib/priority.c gnutls-3.7.2-bootstrapped/lib/priority.c
--- gnutls-3.7.2/lib/priority.c 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/priority.c 2021-06-28 09:09:14.000000000 +0200
@@ -700,6 +700,7 @@
#define LEVEL_SUITEB128 "SUITEB128"
#define LEVEL_SUITEB192 "SUITEB192"
#define LEVEL_LEGACY "LEGACY"
+#define LEVEL_SYSTEM "SYSTEM"
struct priority_groups_st {
const char *name;
@@ -1001,17 +1002,22 @@
static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN;
static name_val_array_t system_wide_priority_strings = NULL;
+static char *system_wide_priority_string = NULL;
static unsigned system_wide_priority_strings_init = 0;
static unsigned system_wide_default_priority_string = 0;
static unsigned fail_on_invalid_config = 0;
-static unsigned system_wide_disabled_ciphers[MAX_ALGOS+1] = {0};
-static unsigned system_wide_disabled_macs[MAX_ALGOS+1] = {0};
-static unsigned system_wide_disabled_groups[MAX_ALGOS+1] = {0};
-static unsigned system_wide_disabled_kxs[MAX_ALGOS+1] = {0};
+static bool system_wide_allowlisting;
+static unsigned system_wide_tls_ciphers[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_macs[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_groups[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_kxs[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_sigs[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_vers[MAX_ALGOS+1] = {0};
static const char *system_priority_file = SYSTEM_PRIORITY_FILE;
static time_t system_priority_last_mod = 0;
+#define GLOBAL_SECTION "global"
#define CUSTOM_PRIORITY_SECTION "priorities"
#define OVERRIDES_SECTION "overrides"
#define MAX_ALGO_NAME 2048
@@ -1051,108 +1057,479 @@
return out;
}
-/* This function parses a gnutls configuration file and updates internal
- * settings accordingly.
+struct cfg {
+ bool allowlisting;
+
+ name_val_array_t priority_strings;
+ bool priority_strings_init;
+ char *default_priority_string;
+ gnutls_certificate_verification_profiles_t verification_profile;
+
+ gnutls_cipher_algorithm_t ciphers[MAX_ALGOS+1];
+ gnutls_mac_algorithm_t macs[MAX_ALGOS+1];
+ gnutls_group_t groups[MAX_ALGOS+1];
+ gnutls_kx_algorithm_t kxs[MAX_ALGOS+1];
+
+ gnutls_digest_algorithm_t *hashes;
+ size_t hashes_size;
+ gnutls_sign_algorithm_t *sigs;
+ size_t sigs_size;
+ gnutls_sign_algorithm_t *sigs_for_cert;
+ size_t sigs_for_cert_size;
+ gnutls_protocol_t *versions;
+ size_t versions_size;
+ gnutls_ecc_curve_t *curves;
+ size_t curves_size;
+};
+
+static inline void
+cfg_deinit(struct cfg *cfg)
+{
+ if (cfg->priority_strings) {
+ _name_val_array_clear(&cfg->priority_strings);
+ }
+ cfg->priority_strings_init = false;
+ gnutls_free(cfg->default_priority_string);
+ gnutls_free(cfg->hashes);
+ gnutls_free(cfg->sigs);
+ gnutls_free(cfg->sigs_for_cert);
+ gnutls_free(cfg->versions);
+ gnutls_free(cfg->curves);
+}
+
+static inline int
+cfg_apply(struct cfg *cfg)
+{
+ size_t i;
+
+ system_wide_verification_profile = cfg->verification_profile;
+
+ if (cfg->priority_strings_init) {
+ system_wide_priority_strings = cfg->priority_strings;
+ cfg->priority_strings = NULL;
+ cfg->priority_strings_init = false;
+ system_wide_priority_strings_init = 1;
+ }
+
+ if (cfg->default_priority_string) {
+ _clear_default_system_priority();
+ _gnutls_default_priority_string = cfg->default_priority_string;
+ cfg->default_priority_string = NULL;
+ system_wide_default_priority_string = 1;
+ }
+
+ system_wide_allowlisting = cfg->allowlisting;
+ memcpy(system_wide_tls_ciphers, cfg->ciphers, sizeof(cfg->ciphers));
+ memcpy(system_wide_tls_macs, cfg->macs, sizeof(cfg->macs));
+ memcpy(system_wide_tls_groups, cfg->groups, sizeof(cfg->groups));
+ memcpy(system_wide_tls_kxs, cfg->kxs, sizeof(cfg->kxs));
+
+ if (cfg->allowlisting) {
+ unsigned tls_sig_sem = 0;
+ size_t j;
+
+ _gnutls_digest_mark_insecure_all();
+ for (i = 0; i < cfg->hashes_size; i++) {
+ int ret = gnutls_digest_mark_secure(cfg->hashes[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ _gnutls_sign_mark_insecure_all(_INSECURE);
+ for (i = 0; i < cfg->sigs_size; i++) {
+ int ret = gnutls_sign_mark_secure(cfg->sigs[i], 0);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->sigs_for_cert_size; i++) {
+ int ret = gnutls_sign_mark_secure(cfg->sigs_for_cert[i],
+ GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ _gnutls_version_mark_disabled_all();
+ for (i = 0, j = 0; i < cfg->versions_size; i++) {
+ const version_entry_st *vers;
+ int ret = gnutls_protocol_mark_enabled(cfg->versions[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ vers = version_to_entry(cfg->versions[i]);
+ if (vers && vers->supported) {
+ tls_sig_sem |= vers->tls_sig_sem;
+ system_wide_tls_vers[j++] = vers->id;
+ }
+ }
+ _gnutls_ecc_curve_mark_disabled_all();
+ for (i = 0; i < cfg->curves_size; i++) {
+ int ret = gnutls_ecc_curve_mark_enabled(cfg->curves[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0, j = 0; i < cfg->sigs_size; i++) {
+ const gnutls_sign_entry_st *se;
+
+ se = _gnutls_sign_to_entry(cfg->sigs[i]);
+ if (se != NULL && se->aid.tls_sem & tls_sig_sem &&
+ _gnutls_sign_is_secure2(se, 0)) {
+ system_wide_tls_sigs[j++] = se->id;
+ }
+ }
+ } else {
+ for (i = 0; i < cfg->hashes_size; i++) {
+ int ret = _gnutls_digest_mark_insecure(cfg->hashes[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->sigs_size; i++) {
+ int ret = _gnutls_sign_mark_insecure(cfg->sigs[i], _INSECURE);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->sigs_for_cert_size; i++) {
+ int ret = _gnutls_sign_mark_insecure(cfg->sigs_for_cert[i], _INSECURE_FOR_CERTS);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->versions_size; i++) {
+ int ret = _gnutls_version_mark_disabled(cfg->versions[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->curves_size; i++) {
+ int ret = _gnutls_ecc_curve_mark_disabled(cfg->curves[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ }
+
+ return 0;
+}
+
+/* This function parse the global section of the configuration file.
+ */
+static int global_ini_handler(void *ctx, const char *section, const char *name, const char *value)
+{
+ char *p;
+ char str[MAX_ALGO_NAME];
+ struct cfg *cfg = ctx;
+
+ if (section != NULL && c_strcasecmp(section, GLOBAL_SECTION) == 0) {
+ if (c_strcasecmp(name, "override-mode") == 0) {
+ p = clear_spaces(value, str);
+ if (c_strcasecmp(value, "allowlist") == 0) {
+ cfg->allowlisting = true;
+ } else if (c_strcasecmp(value, "blocklist") == 0) {
+ cfg->allowlisting = false;
+ } else {
+ _gnutls_debug_log("cfg: unknown override mode %s\n",
+ p);
+ if (fail_on_invalid_config)
+ return 0;
+ }
+ } else {
+ _gnutls_debug_log("unknown parameter %s\n", name);
+ if (fail_on_invalid_config)
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static bool
+override_allowed(struct cfg *cfg, const char *name)
+{
+ static const struct {
+ const char *allowlist_name;
+ const char *blocklist_name;
+ } names[] = {
+ { "secure-hash", "insecure-hash" },
+ { "secure-sig", "insecure-sig" },
+ { "secure-sig-for-cert", "insecure-sig-for-cert" },
+ { "enabled-version", "disabled-version" },
+ { "enabled-curve", "disabled-curve" },
+ { "tls-enabled-cipher", "tls-disabled-cipher" },
+ { "tls-enabled-group", "tls-disabled-group" },
+ { "tls-enabled-kx", "tls-disabled-kx" },
+ { "tls-enabled-mac", "tls-disabled-mac" }
+ };
+ size_t i;
+
+ for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
+ if (c_strcasecmp(name,
+ cfg->allowlisting ?
+ names[i].blocklist_name :
+ names[i].allowlist_name) == 0)
+ return false;
+ }
+
+ return true;
+}
+
+/* This function parses a gnutls configuration file. Updating internal settings
+ * according to the parsed configuration is done by cfg_apply.
*/
-static int cfg_ini_handler(void *_ctx, const char *section, const char *name, const char *value)
+static int cfg_ini_handler(void *ctx, const char *section, const char *name, const char *value)
{
char *p;
- int ret, type;
+ int ret;
unsigned i;
char str[MAX_ALGO_NAME];
+ struct cfg *cfg = ctx;
/* Note that we intentionally overwrite the value above; inih does
* not use that value after we handle it. */
/* Parse sections */
if (section == NULL || section[0] == 0 || c_strcasecmp(section, CUSTOM_PRIORITY_SECTION)==0) {
- if (system_wide_priority_strings_init == 0) {
- _name_val_array_init(&system_wide_priority_strings);
- system_wide_priority_strings_init = 1;
+ if (!cfg->priority_strings_init) {
+ _name_val_array_init(&cfg->priority_strings);
+ cfg->priority_strings_init = true;
}
_gnutls_debug_log("cfg: adding priority: %s -> %s\n", name, value);
- ret = _name_val_array_append(&system_wide_priority_strings, name, value);
+ ret = _name_val_array_append(&cfg->priority_strings, name, value);
if (ret < 0)
return 0;
} else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) {
- if (c_strcasecmp(name, "default-priority-string")==0) {
- _clear_default_system_priority();
+ if (!override_allowed(cfg, name)) {
+ _gnutls_debug_log("cfg: %s is not allowed in this mode\n",
+ name);
+ if (fail_on_invalid_config)
+ return 0;
+ } else if (c_strcasecmp(name, "default-priority-string")==0) {
+ if (cfg->default_priority_string) {
+ gnutls_free(cfg->default_priority_string);
+ cfg->default_priority_string = NULL;
+ }
p = clear_spaces(value, str);
_gnutls_debug_log("cfg: setting default-priority-string to %s\n", p);
if (strlen(p) > 0) {
- _gnutls_default_priority_string = gnutls_strdup(p);
- if (!_gnutls_default_priority_string) {
- _gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
+ cfg->default_priority_string = gnutls_strdup(p);
+ if (!cfg->default_priority_string) {
_gnutls_debug_log("cfg: failed setting default-priority-string\n");
return 0;
}
- system_wide_default_priority_string = 1;
} else {
_gnutls_debug_log("cfg: empty default-priority-string, using default\n");
if (fail_on_invalid_config)
return 0;
}
- } else if (c_strcasecmp(name, "insecure-hash")==0) {
+ } else if (c_strcasecmp(name, "insecure-hash") == 0 ||
+ c_strcasecmp(name, "secure-hash") == 0) {
+ gnutls_digest_algorithm_t dig, *tmp;
+
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: marking hash %s as insecure\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: marking hash %s as secure\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: marking hash %s as insecure\n",
+ p);
+ }
- ret = _gnutls_digest_mark_insecure(p);
- if (ret < 0) {
+ dig = gnutls_digest_get_id(p);
+ if (dig == GNUTLS_DIG_UNKNOWN) {
_gnutls_debug_log("cfg: found unknown hash %s in %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
+ }
+ tmp = _gnutls_reallocarray(cfg->hashes,
+ cfg->hashes_size + 1,
+ sizeof(gnutls_digest_algorithm_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed marking hash %s as secure\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed marking hash %s as insecure\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
}
- } else if (c_strcasecmp(name, "insecure-sig")==0 || c_strcasecmp(name, "insecure-sig-for-cert")==0) {
+
+ cfg->hashes = tmp;
+ cfg->hashes[cfg->hashes_size] = dig;
+ cfg->hashes_size++;
+ } else if (c_strcasecmp(name, "insecure-sig") == 0 ||
+ c_strcasecmp(name, "secure-sig") == 0) {
+ gnutls_sign_algorithm_t sig, *tmp;
+
p = clear_spaces(value, str);
- if (c_strcasecmp(name, "insecure-sig")==0) {
- type = _INSECURE;
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: marking signature %s as secure\n",
+ p);
+ } else {
_gnutls_debug_log("cfg: marking signature %s as insecure\n",
p);
+ }
+
+ sig = gnutls_sign_get_id(p);
+ if (sig == GNUTLS_SIGN_UNKNOWN) {
+ _gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n",
+ p, name);
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
+ }
+ tmp = _gnutls_reallocarray(cfg->sigs,
+ cfg->sigs_size + 1,
+ sizeof(gnutls_sign_algorithm_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed marking signature %s as secure\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed marking signature %s as insecure\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
+ }
+
+ cfg->sigs = tmp;
+ cfg->sigs[cfg->sigs_size] = sig;
+ cfg->sigs_size++;
+ } else if (c_strcasecmp(name, "insecure-sig-for-cert") == 0 ||
+ c_strcasecmp(name, "secure-sig-for-cert") == 0) {
+ gnutls_sign_algorithm_t sig, *tmp;
+
+ p = clear_spaces(value, str);
+
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: marking signature %s as secure for certs\n",
+ p);
} else {
_gnutls_debug_log("cfg: marking signature %s as insecure for certs\n",
p);
- type = _INSECURE_FOR_CERTS;
}
- ret = _gnutls_sign_mark_insecure(p, type);
- if (ret < 0) {
+ sig = gnutls_sign_get_id(p);
+ if (sig == GNUTLS_SIGN_UNKNOWN) {
_gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
+ }
+ tmp = _gnutls_reallocarray(cfg->sigs_for_cert,
+ cfg->sigs_for_cert_size + 1,
+ sizeof(gnutls_sign_algorithm_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed marking signature %s as secure for certs\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed marking signature %s as insecure for certs\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
}
- } else if (c_strcasecmp(name, "disabled-version")==0) {
+
+ cfg->sigs_for_cert = tmp;
+ cfg->sigs_for_cert[cfg->sigs_for_cert_size] = sig;
+ cfg->sigs_for_cert_size++;
+ } else if (c_strcasecmp(name, "disabled-version") == 0 ||
+ c_strcasecmp(name, "enabled-version") == 0) {
+ gnutls_protocol_t prot, *tmp;
+
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling version %s\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling version %s\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling version %s\n",
+ p);
+ }
- ret = _gnutls_version_mark_disabled(p);
- if (ret < 0) {
+ prot = gnutls_protocol_get_id(p);
+ if (prot == GNUTLS_VERSION_UNKNOWN) {
_gnutls_debug_log("cfg: found unknown version %s in %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
}
- } else if (c_strcasecmp(name, "disabled-curve")==0) {
+ tmp = _gnutls_reallocarray(cfg->versions,
+ cfg->versions_size + 1,
+ sizeof(gnutls_protocol_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed enabling version %s\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed disabling version %s\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
+ }
+
+ cfg->versions = tmp;
+ cfg->versions[cfg->versions_size] = prot;
+ cfg->versions_size++;
+ } else if (c_strcasecmp(name, "disabled-curve") == 0 ||
+ c_strcasecmp(name, "enabled-curve") == 0) {
+ gnutls_ecc_curve_t curve, *tmp;
+
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling curve %s\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling curve %s\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling curve %s\n",
+ p);
+ }
- ret = _gnutls_ecc_curve_mark_disabled(p);
- if (ret < 0) {
+ curve = gnutls_ecc_curve_get_id(p);
+ if (curve == GNUTLS_ECC_CURVE_INVALID) {
_gnutls_debug_log("cfg: found unknown curve %s in %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
+ }
+ tmp = _gnutls_reallocarray(cfg->curves,
+ cfg->curves_size + 1,
+ sizeof(gnutls_ecc_curve_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed enabling curve %s\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed disabling curve %s\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
}
+
+ cfg->curves = tmp;
+ cfg->curves[cfg->curves_size] = curve;
+ cfg->curves_size++;
} else if (c_strcasecmp(name, "min-verification-profile")==0) {
gnutls_certificate_verification_profiles_t profile;
profile = gnutls_certificate_verification_profile_get_id(value);
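Review bot: In cfg_apply the stores `system_wide_tls_vers[j++] = vers->id;` and `system_wide_tls_sigs[j++] = se->id;` have neither a bound nor a terminator, although both arrays are static with MAX_ALGOS+1 elements and the `cfg->versions` / `cfg->sigs` lists feeding them grow by one per config line with no cap or de-duplication. A file that repeats `enabled-version` or `secure-sig` often enough would index past the arrays. After a reload with a shorter list the old trailing ids also stay in place, and the zero-terminated loops that build the SYSTEM priority string still read them. A guard such as `if (j >= MAX_ALGOS) break;` before each store, plus `system_wide_tls_vers[j] = 0;` and `system_wide_tls_sigs[j] = 0;` after the respective loops, would cover both cases. Separately, global_ini_handler trims the value into `p` but then compares the untrimmed `value`; `c_strcasecmp(p, "allowlist")` would match what the debug message prints, and an unrecognised mode otherwise falls back to blocklisting with only a debug log (cfg_ini_handler continues past this hunk).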
@@ -1162,47 +1539,65 @@
value, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
}
- system_wide_verification_profile = profile;
- } else if (c_strcasecmp(name, "tls-disabled-cipher")==0) {
- unsigned algo;
+ cfg->verification_profile = profile;
+ } else if (c_strcasecmp(name, "tls-disabled-cipher") == 0 ||
+ c_strcasecmp(name, "tls-enabled-cipher") == 0) {
+ gnutls_cipher_algorithm_t algo;
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling cipher %s for TLS\n",
- p);
-
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling cipher %s for TLS\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling cipher %s for TLS\n",
+ p);
+ }
algo = gnutls_cipher_get_id(p);
- if (algo == 0) {
+ if (algo == GNUTLS_CIPHER_UNKNOWN) {
_gnutls_debug_log("cfg: unknown algorithm %s listed at %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
}
i = 0;
- while (system_wide_disabled_ciphers[i] != 0)
+ while (cfg->ciphers[i] != 0)
i++;
if (i > MAX_ALGOS-1) {
- _gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n",
- i, name);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: too many (%d) enabled ciphers from %s\n",
+ i, name);
+ } else {
+ _gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n",
+ i, name);
+ }
if (fail_on_invalid_config)
return 0;
goto exit;
}
- system_wide_disabled_ciphers[i] = algo;
- system_wide_disabled_ciphers[i+1] = 0;
+ cfg->ciphers[i] = algo;
+ cfg->ciphers[i+1] = 0;
- } else if (c_strcasecmp(name, "tls-disabled-mac")==0) {
- unsigned algo;
+ } else if (c_strcasecmp(name, "tls-disabled-mac") == 0 ||
+ c_strcasecmp(name, "tls-enabled-mac") == 0) {
+ gnutls_mac_algorithm_t algo;
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling MAC %s for TLS\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling MAC %s for TLS\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling MAC %s for TLS\n",
+ p);
+ }
algo = gnutls_mac_get_id(p);
if (algo == 0) {
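Review bot: The cipher branch now compares against `GNUTLS_CIPHER_UNKNOWN`, but the MAC branch, whose `algo` this hunk retypes to `gnutls_mac_algorithm_t`, still tests `if (algo == 0)`; `if (algo == GNUTLS_MAC_UNKNOWN)` would keep the two in step. The same applies to the group and key-exchange branches in the following two hunks, where the key-exchange `algo` also stays `unsigned` although it is stored into `cfg->kxs`, declared as `gnutls_kx_algorithm_t`. The too-many-entries messages print the `unsigned` index `i` with `%d`; `%u` matches the type. cfg_ini_handler starts before and ends after this hunk.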
@@ -1214,30 +1609,41 @@
}
i = 0;
- while (system_wide_disabled_macs[i] != 0)
+ while (cfg->macs[i] != 0)
i++;
if (i > MAX_ALGOS-1) {
- _gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n",
- i, name);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: too many (%d) enabled MACs from %s\n",
+ i, name);
+ } else {
+ _gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n",
+ i, name);
+ }
if (fail_on_invalid_config)
return 0;
goto exit;
}
- system_wide_disabled_macs[i] = algo;
- system_wide_disabled_macs[i+1] = 0;
- } else if (c_strcasecmp(name, "tls-disabled-group")==0) {
- unsigned algo;
+ cfg->macs[i] = algo;
+ cfg->macs[i+1] = 0;
+ } else if (c_strcasecmp(name, "tls-disabled-group") == 0 ||
+ c_strcasecmp(name, "tls-enabled-group") == 0) {
+ gnutls_group_t algo;
p = clear_spaces(value, str);
- if (strlen(p) > 6)
- p += 6; // skip GROUP-
+ if (c_strncasecmp(p, "GROUP-", 6) == 0)
+ p += 6;
- _gnutls_debug_log("cfg: disabling group %s for TLS\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling group %s for TLS\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling group %s for TLS\n",
+ p);
+ }
- algo = gnutls_group_get_id(p);
+ algo = _gnutls_group_get_id(p);
if (algo == 0) {
_gnutls_debug_log("cfg: unknown group %s listed at %s\n",
p, name);
@@ -1247,25 +1653,36 @@
}
i = 0;
- while (system_wide_disabled_groups[i] != 0)
+ while (cfg->groups[i] != 0)
i++;
if (i > MAX_ALGOS-1) {
- _gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n",
- i, name);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: too many (%d) enabled groups from %s\n",
+ i, name);
+ } else {
+ _gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n",
+ i, name);
+ }
if (fail_on_invalid_config)
return 0;
goto exit;
}
- system_wide_disabled_groups[i] = algo;
- system_wide_disabled_groups[i+1] = 0;
- } else if (c_strcasecmp(name, "tls-disabled-kx")==0) {
+ cfg->groups[i] = algo;
+ cfg->groups[i+1] = 0;
+ } else if (c_strcasecmp(name, "tls-disabled-kx") == 0 ||
+ c_strcasecmp(name, "tls-enabled-kx") == 0) {
unsigned algo;
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling key exchange %s for TLS\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling key exchange %s for TLS\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling key exchange %s for TLS\n",
+ p);
+ }
algo = gnutls_kx_get_id(p);
if (algo == 0) {
@@ -1277,24 +1694,29 @@
}
i = 0;
- while (system_wide_disabled_kxs[i] != 0)
+ while (cfg->kxs[i] != 0)
i++;
if (i > MAX_ALGOS-1) {
- _gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n",
- i, name);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: too many (%d) enabled key exchanges from %s\n",
+ i, name);
+ } else {
+ _gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n",
+ i, name);
+ }
if (fail_on_invalid_config)
return 0;
goto exit;
}
- system_wide_disabled_kxs[i] = algo;
- system_wide_disabled_kxs[i+1] = 0;
+ cfg->kxs[i] = algo;
+ cfg->kxs[i+1] = 0;
} else {
_gnutls_debug_log("unknown parameter %s\n", name);
if (fail_on_invalid_config)
return 0;
}
- } else {
+ } else if (c_strcasecmp(section, GLOBAL_SECTION) != 0) {
_gnutls_debug_log("cfg: unknown section %s\n",
section);
if (fail_on_invalid_config)
@@ -1310,6 +1732,7 @@
int ret;
struct stat sb;
FILE *fp;
+ struct cfg cfg;
if (stat(system_priority_file, &sb) < 0) {
_gnutls_debug_log("cfg: unable to access: %s: %d\n",
@@ -1327,21 +1750,41 @@
if (system_wide_priority_strings_init != 0)
_name_val_array_clear(&system_wide_priority_strings);
+ gnutls_free(system_wide_priority_string);
+ system_wide_priority_string = NULL;
+
fp = fopen(system_priority_file, "re");
if (fp == NULL) {
_gnutls_debug_log("cfg: unable to open: %s: %d\n",
system_priority_file, errno);
return;
}
- ret = ini_parse_file(fp, cfg_ini_handler, NULL);
+ /* Parsing the configuration file needs to be done in 2 phases: first
+ * parsing the [global] section and then the other sections, because the
+ * [global] section modifies the parsing behavior.
+ */
+ memset(&cfg, 0, sizeof(cfg));
+ ret = ini_parse_file(fp, global_ini_handler, &cfg);
+ if (ret == 0) {
+ if (fseek(fp, 0L, SEEK_SET) < 0) {
+ _gnutls_debug_log("cfg: unable to rewind: %s: %d\n",
+ system_priority_file, ret);
+ if (fail_on_invalid_config)
+ exit(1);
+ }
+ ret = ini_parse_file(fp, cfg_ini_handler, &cfg);
+ }
fclose(fp);
if (ret != 0) {
+ cfg_deinit(&cfg);
_gnutls_debug_log("cfg: unable to parse: %s: %d\n",
system_priority_file, ret);
if (fail_on_invalid_config)
exit(1);
return;
}
+ cfg_apply(&cfg);
+ cfg_deinit(&cfg);
_gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n",
system_priority_file,
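Review bot: The return value of `cfg_apply(&cfg)` is discarded, so a failure part-way through is neither logged nor subject to `fail_on_invalid_config`. In blocklisting mode cfg_apply returns at the first failing `_gnutls_*_mark_*` call, which leaves every later list (signatures, versions, curves) unapplied while the load is still reported as successful. Checking the result and reusing the parse-failure handling would make that visible, as sketched below. The rewind branch has a related gap: it logs `ret`, which is 0 at that point, rather than `errno`, and when `fail_on_invalid_config` is unset it falls through to a second `ini_parse_file()` from the current file position. The enclosing function starts before this hunk and continues after it.

```c
	/* … unchanged: two-phase ini_parse_file() and fclose() … */
	ret = cfg_apply(&cfg);
	cfg_deinit(&cfg);
	if (ret < 0) {
		_gnutls_debug_log("cfg: unable to apply: %s: %d\n",
				  system_priority_file, ret);
		if (fail_on_invalid_config)
			exit(1);
		return;
	}
```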
@@ -1368,6 +1811,7 @@
void _gnutls_unload_system_priorities(void)
{
_name_val_array_clear(&system_wide_priority_strings);
+ gnutls_free(system_wide_priority_string);
_clear_default_system_priority();
system_priority_last_mod = 0;
}
@@ -1391,6 +1835,124 @@
return NULL;
}
+static const char *
+resolve_priorities_from_system_wide_allowlisting(void)
+{
+ gnutls_buffer_st buf;
+ int ret;
+ size_t i;
+
+ if (system_wide_priority_string) {
+ return system_wide_priority_string;
+ }
+
+ assert(system_wide_allowlisting);
+
+ _gnutls_buffer_init(&buf);
+
+ ret = _gnutls_buffer_append_str(&buf, "NONE");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ for (i = 0; system_wide_tls_kxs[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_kx_get_name(system_wide_tls_kxs[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_groups[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+GROUP-");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_group_get_name(system_wide_tls_groups[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_ciphers[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_cipher_get_name(system_wide_tls_ciphers[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_macs[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_mac_get_name(system_wide_tls_macs[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_sigs[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+SIGN-");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_sign_get_name(system_wide_tls_sigs[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_vers[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+VERS-");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_protocol_get_name(system_wide_tls_vers[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ gnutls_free(system_wide_priority_string);
+ system_wide_priority_string = gnutls_strdup((char *)buf.data);
+ _gnutls_buffer_clear(&buf);
+
+ return system_wide_priority_string;
+}
+
#define S(str) ((str!=NULL)?str:"")
/* Returns the new priorities if a priority string prefixed
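Review bot: Each of the six loops in resolve_priorities_from_system_wide_allowlisting passes the result of a `gnutls_*_get_name()` call straight to `_gnutls_buffer_append_str()` and repeats the same clear-and-return pair after every append. The ids presumably always resolve because they came through the `*_get_id` lookups, but the tables are filled in a different function and a NULL name is not checked here. A small helper that rejects a NULL name and appends prefix plus name, with one shared error label, would remove the repetition and make that assumption explicit. The `gnutls_free(system_wide_priority_string)` before the final `gnutls_strdup()` is also redundant, since the function returns early whenever that pointer is set.

```c
static int
append_priority_item(gnutls_buffer_st *buf, const char *prefix,
		     const char *name)
{
	int ret;

	if (name == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
	ret = _gnutls_buffer_append_str(buf, prefix);
	if (ret < 0)
		return ret;
	return _gnutls_buffer_append_str(buf, name);
}

	/* … unchanged: cached-string check, buffer init, "NONE" prefix … */
	for (i = 0; system_wide_tls_kxs[i] != 0; i++) {
		ret = append_priority_item(&buf, ":+",
					   gnutls_kx_get_name(system_wide_tls_kxs[i]));
		if (ret < 0)
			goto error;
	}
	/* … group, cipher, MAC, signature and version loops take the same shape … */

 error:
	_gnutls_buffer_clear(&buf);
	return NULL;
```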
@@ -1445,7 +2007,13 @@
*/
_gnutls_update_system_priorities();
- p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
+ if (system_wide_allowlisting &&
+ ss_len == sizeof(LEVEL_SYSTEM) - 1 &&
+ strncmp(LEVEL_SYSTEM, ss, ss_len) == 0) {
+ p = resolve_priorities_from_system_wide_allowlisting();
+ } else {
+ p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
+ }
_gnutls_debug_log("resolved '%.*s' to '%s', next '%.*s'\n",
ss_len, ss, S(p), ss_next_len, S(ss_next));
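Review bot: The new branch gives the SYSTEM keyword a different source depending on `system_wide_allowlisting`, and nothing at the call site says so. In allowlisting mode a `SYSTEM` entry in the [priorities] section is never consulted, and the match is an exact-case `strncmp`. A comment above the `if` would help the next reader, for example `/* allowlisting: SYSTEM is synthesised from the tls-enabled-* / secure-sig / enabled-version lists and shadows any [priorities] key of that name */`. What happens when `resolve_priorities_from_system_wide_allowlisting()` returns NULL is decided outside this hunk, since the enclosing function starts before it and continues after it.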
@@ -1548,48 +2116,52 @@
priority_cache->groups.size = 0;
priority_cache->groups.have_ffdhe = 0;
- /* disable key exchanges which are globally disabled */
- z = 0;
- while (system_wide_disabled_kxs[z] != 0) {
- for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) {
- if (priority_cache->_kx.priorities[i] != system_wide_disabled_kxs[z])
- priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i];
- }
- priority_cache->_kx.num_priorities = j;
- z++;
- }
-
- /* disable groups which are globally disabled */
- z = 0;
- while (system_wide_disabled_groups[z] != 0) {
- for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
- if (priority_cache->_supported_ecc.priorities[i] != system_wide_disabled_groups[z])
- priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i];
- }
- priority_cache->_supported_ecc.num_priorities = j;
- z++;
- }
-
- /* disable ciphers which are globally disabled */
- z = 0;
- while (system_wide_disabled_ciphers[z] != 0) {
- for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) {
- if (priority_cache->_cipher.priorities[i] != system_wide_disabled_ciphers[z])
- priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i];
- }
- priority_cache->_cipher.num_priorities = j;
- z++;
- }
-
- /* disable MACs which are globally disabled */
- z = 0;
- while (system_wide_disabled_macs[z] != 0) {
- for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) {
- if (priority_cache->_mac.priorities[i] != system_wide_disabled_macs[z])
- priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i];
+ /* in blocklisting mode, apply system wide disablement of key exchanges,
+ * groups, MACs, and ciphers. */
+ if (!system_wide_allowlisting) {
+ /* disable key exchanges which are globally disabled */
+ z = 0;
+ while (system_wide_tls_kxs[z] != 0) {
+ for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) {
+ if (priority_cache->_kx.priorities[i] != system_wide_tls_kxs[z])
+ priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i];
+ }
+ priority_cache->_kx.num_priorities = j;
+ z++;
+ }
+
+ /* disable groups which are globally disabled */
+ z = 0;
+ while (system_wide_tls_groups[z] != 0) {
+ for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
+ if (priority_cache->_supported_ecc.priorities[i] != system_wide_tls_groups[z])
+ priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i];
+ }
+ priority_cache->_supported_ecc.num_priorities = j;
+ z++;
+ }
+
+ /* disable ciphers which are globally disabled */
+ z = 0;
+ while (system_wide_tls_ciphers[z] != 0) {
+ for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) {
+ if (priority_cache->_cipher.priorities[i] != system_wide_tls_ciphers[z])
+ priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i];
+ }
+ priority_cache->_cipher.num_priorities = j;
+ z++;
+ }
+
+ /* disable MACs which are globally disabled */
+ z = 0;
+ while (system_wide_tls_macs[z] != 0) {
+ for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) {
+ if (priority_cache->_mac.priorities[i] != system_wide_tls_macs[z])
+ priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i];
+ }
+ priority_cache->_mac.num_priorities = j;
+ z++;
}
- priority_cache->_mac.num_priorities = j;
- z++;
}
for (j=0;j<priority_cache->_cipher.num_priorities;j++) {
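Review bot: With the new `if (!system_wide_allowlisting)` guard, the `system_wide_tls_kxs`, `system_wide_tls_groups`, `system_wide_tls_ciphers` and `system_wide_tls_macs` arrays are not applied at all in this function when allowlisting is on, and the comment does not say where the allowlist is enforced instead. Judging from the other hunks, these arrays then hold the enabled set and only reach a session through the `@SYSTEM` string. If so, a caller passing an explicit priority string such as `NORMAL` would appear to bypass the key-exchange, cipher and MAC allowlist; please confirm that is intended and document it. The inner comments still say "globally disabled" although the arrays were renamed and change meaning with the mode. A header comment would help: `/* system_wide_tls_* are blocklists here; in allowlisting mode they are allowlists, applied only through @SYSTEM */`.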
@@ -1737,10 +2309,15 @@
for (i = 0; i < priority_cache->_sign_algo.num_priorities; i++) {
se = _gnutls_sign_to_entry(priority_cache->_sign_algo.priorities[i]);
if (se != NULL && priority_cache->sigalg.size < sizeof(priority_cache->sigalg.entry)/sizeof(priority_cache->sigalg.entry[0])) {
- /* if the signature algorithm semantics are not compatible with
- * the protocol's, then skip. */
- if ((se->aid.tls_sem & tls_sig_sem) == 0)
+ /* if the signature algorithm semantics is not
+ * compatible with the protocol's, or the algorithm is
+ * marked as insecure, then skip. */
+ if ((se->aid.tls_sem & tls_sig_sem) == 0 ||
+ !_gnutls_sign_is_secure2(se, system_wide_allowlisting ?
+ GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE :
+ 0)) {
continue;
+ }
priority_cache->sigalg.entry[priority_cache->sigalg.size++] = se;
}
}
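Review bot: The new `_gnutls_sign_is_secure2()` call passes `GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE` only when `system_wide_allowlisting` is set. Going by the flag's name, this relaxes the check in the stricter mode, while the comment above says insecure algorithms are skipped. The reason is not visible in this hunk; it is presumably tied to algorithms starting out marked insecure in that mode, as the NEWS entry describes. Please state it next to the ternary, for example `/* allowlisting: algorithms start out marked insecure and may be re-enabled, so revertible marks are tolerated here (TODO confirm) */`. The comment should also mention that in blocklisting mode, algorithms marked insecure are now dropped from `sigalg.entry`, since that changes what is offered to peers.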
@@ -2017,6 +2594,9 @@
(*priority_cache)->min_record_version = 1;
gnutls_atomic_init(&(*priority_cache)->usage_cnt);
+ if (system_wide_allowlisting && !priorities) {
+ priorities = "@" LEVEL_SYSTEM;
+ }
if (priorities == NULL) {
priorities = _gnutls_default_priority_string;
resolved_match = 0;
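Review bot: The added block replaces the library default with `"@" LEVEL_SYSTEM` when allowlisting is on, but only for a NULL `priorities`, and nothing in the hunk says so. A comment would make this clear: `/* allowlisting: the default priority is the string built from the system-wide allowlist */`. The two consecutive tests also spell the same condition differently (`!priorities`, then `priorities == NULL`), so writing the new one as `priorities == NULL` keeps the surrounding style. The enclosing function continues outside the hunk.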
@@ -2150,7 +2730,7 @@
_supported_groups_gost);
} else {
if ((algo =
- gnutls_group_get_id
+ _gnutls_group_get_id
(&broken_list[i][7])) !=
GNUTLS_GROUP_INVALID)
fn(&(*priority_cache)->
diff -ruN gnutls-3.7.2/Makefile.in gnutls-3.7.2-bootstrapped/Makefile.in
--- gnutls-3.7.2/Makefile.in 2021-05-29 10:11:20.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/Makefile.in 2021-06-28 09:11:37.000000000 +0200
@@ -35,7 +35,7 @@
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
+# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
diff -ruN gnutls-3.7.2/NEWS gnutls-3.7.2-bootstrapped/NEWS
--- gnutls-3.7.2/NEWS 2021-05-29 10:08:56.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/NEWS 2021-06-28 09:09:14.000000000 +0200
@@ -5,6 +5,23 @@
Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
See the end for copying conditions.
+* Version 3.7.3 (unreleased)
+
+** libgnutls: The allowlisting configuration mode has been added to the system-wide
+ settings. In this mode, all the algorithms are initially marked as insecure
+ or disabled, while the applications can re-enable them either through the
+ [overrides] section of the configuration file or the new API (#1172).
+
+** API and ABI modifications:
+gnutls_ecc_curve_mark_disabled: Added.
+gnutls_ecc_curve_mark_enabled: Added.
+gnutls_sign_mark_insecure: Added.
+gnutls_sign_mark_secure: Added.
+gnutls_digest_mark_insecure: Added.
+gnutls_digest_mark_secure: Added.
+gnutls_protocol_mark_disabled: Added.
+gnutls_protocol_mark_enabled: Added.
+
* Version 3.7.2 (released 2021-05-29)
** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
diff -ruN gnutls-3.7.2/po/cs.po gnutls-3.7.2-bootstrapped/po/cs.po
--- gnutls-3.7.2/po/cs.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/cs.po 2021-06-28 09:35:00.000000000 +0200
@@ -9,7 +9,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-06-18 07:01+02:00\n"
"Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
"Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/de.po gnutls-3.7.2-bootstrapped/po/de.po
--- gnutls-3.7.2/po/de.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/de.po 2021-06-28 09:35:00.000000000 +0200
@@ -10,7 +10,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-05-16 20:42+0200\n"
"Last-Translator: Roland Illig <roland.illig@gmx.de>\n"
"Language-Team: German <translation-team-de@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/eo.po gnutls-3.7.2-bootstrapped/po/eo.po
--- gnutls-3.7.2/po/eo.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/eo.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-07-15 13:25-0300\n"
"Last-Translator: Felipe Castro <fefcas@gmail.com>\n"
"Language-Team: Esperanto <translation-team-eo@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/es.po gnutls-3.7.2-bootstrapped/po/es.po
--- gnutls-3.7.2/po/es.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/es.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: libgnutls 3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2018-05-02 19:11+0200\n"
"Last-Translator: Francisco Javier Serrador <fserrador@gmail.com>\n"
"Language-Team: Spanish <es@tp.org.es>\n"
diff -ruN gnutls-3.7.2/po/fi.po gnutls-3.7.2-bootstrapped/po/fi.po
--- gnutls-3.7.2/po/fi.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/fi.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: libgnutls 3.2.1\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2013-06-19 17:09+0300\n"
"Last-Translator: Jorma Karvonen <karvonen.jorma@gmail.com>\n"
"Language-Team: Finnish <translation-team-fi@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/fr.po gnutls-3.7.2-bootstrapped/po/fr.po
--- gnutls-3.7.2/po/fr.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/fr.po 2021-06-28 09:35:00.000000000 +0200
@@ -12,7 +12,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-08-12 01:03+0200\n"
"Last-Translator: Stéphane Aulery <lkppo@free.fr>\n"
"Language-Team: French <traduc@traduc.org>\n"
diff -ruN gnutls-3.7.2/po/gnutls.pot gnutls-3.7.2-bootstrapped/po/gnutls.pot
--- gnutls-3.7.2/po/gnutls.pot 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/gnutls.pot 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.7.2\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
diff -ruN gnutls-3.7.2/po/it.po gnutls-3.7.2-bootstrapped/po/it.po
--- gnutls-3.7.2/po/it.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/it.po 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: gnutls-3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-08-02 11:43+0200\n"
"Last-Translator: Milo Casagrande <milo@milo.name>\n"
"Language-Team: Italian <tp@lists.linux.it>\n"
Binary files gnutls-3.7.2/po/ms.gmo and gnutls-3.7.2-bootstrapped/po/ms.gmo differ
diff -ruN gnutls-3.7.2/po/ms.po gnutls-3.7.2-bootstrapped/po/ms.po
--- gnutls-3.7.2/po/ms.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/ms.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,8 +7,8 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-"PO-Revision-Date: 2021-04-20 16:03+0800\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+"PO-Revision-Date: 2021-06-14 00:17+0800\n"
"Last-Translator: Sharuzzaman Ahmat Raslan <sharuzzaman@gmail.com>\n"
"Language-Team: Malay <translation-team-ms@lists.sourceforge.net>\n"
"Language: ms\n"
@@ -16,7 +16,7 @@
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Bugs: Report translation errors to the Language-Team address.\n"
-"X-Generator: Poedit 2.4.2\n"
+"X-Generator: Poedit 3.0\n"
#: lib/alert.c:39
msgid "Close notify"
@@ -139,7 +139,7 @@
#: lib/alert.c:83
#, fuzzy
msgid "An extension was expected but was not seen"
-msgstr "')' dijangka\n"
+msgstr "Sambungan tidak disokong telah dihantar"
#: lib/alert.c:86
msgid "No supported application protocol could be negotiated"
@@ -1224,20 +1224,19 @@
msgstr "%s\t\t\tnamaLain OID: %.*s\n"
#: lib/x509/output.c:152
-#, fuzzy, c-format
-#| msgid "\t\t\tXMPP Address: %.*s\n"
+#, c-format
msgid "%sXMPP Address: %.*s\n"
-msgstr "\t\t\tAlamat XMPP: %.*s\n"
+msgstr "%sAlamat XMPP: %.*s\n"
#: lib/x509/output.c:156
-#, fuzzy, c-format
+#, c-format
msgid "%sKRB5Principal: %.*s\n"
-msgstr "%s: %s.\n"
+msgstr "%sKRB5Principal: %.*s\n"
#: lib/x509/output.c:160
-#, fuzzy, c-format
+#, c-format
msgid "%sUnknown name: "
-msgstr "Nama"
+msgstr "%sNama tidak diketahui: "
#: lib/x509/output.c:302
#, c-format
@@ -1266,14 +1265,14 @@
"\t\t\tLambakan Hex: "
#: lib/x509/output.c:347
-#, fuzzy, c-format
+#, c-format
msgid "%s\t\t\tPermitted:\n"
-msgstr "TDB: Tulis tidak dibenarkan"
+msgstr "%s\t\t\tDibenarkan:\n"
#: lib/x509/output.c:359
-#, fuzzy, c-format
+#, c-format
msgid "%s\t\t\tExcluded:\n"
-msgstr "%s%s: %.*s (%s)\n"
+msgstr "%s\t\t\tDikecualikan:\n"
#: lib/x509/output.c:399 lib/x509/output.c:401 lib/x509/output.c:403
#, c-format
diff -ruN gnutls-3.7.2/po/nl.po gnutls-3.7.2-bootstrapped/po/nl.po
--- gnutls-3.7.2/po/nl.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/nl.po 2021-06-28 09:35:00.000000000 +0200
@@ -10,7 +10,7 @@
msgstr ""
"Project-Id-Version: libgnutls-3.2.1\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2013-06-13 19:56+0200\n"
"Last-Translator: Benno Schulenberg <benno@vertaalt.nl>\n"
"Language-Team: Dutch <vertaling@vrijschrift.org>\n"
diff -ruN gnutls-3.7.2/po/pl.po gnutls-3.7.2-bootstrapped/po/pl.po
--- gnutls-3.7.2/po/pl.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/pl.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: gnutls-3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-06-01 08:22+0200\n"
"Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
"Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/pt_BR.po gnutls-3.7.2-bootstrapped/po/pt_BR.po
--- gnutls-3.7.2/po/pt_BR.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/pt_BR.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-06-11 03:55-0200\n"
"Last-Translator: Rafael Fontenelle <rafaelff@gnome.org>\n"
"Language-Team: Brazilian Portuguese <ldpbr-translation@lists.sourceforge."
diff -ruN gnutls-3.7.2/po/sr.po gnutls-3.7.2-bootstrapped/po/sr.po
--- gnutls-3.7.2/po/sr.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/sr.po 2021-06-28 09:35:00.000000000 +0200
@@ -6,7 +6,7 @@
msgstr ""
"Project-Id-Version: gnutls-3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2020-08-04 15:21+0200\n"
"Last-Translator: Мирослав Николић <miroslavnikolic@rocketmail.com>\n"
"Language-Team: Serbian <(nothing)>\n"
diff -ruN gnutls-3.7.2/po/sv.po gnutls-3.7.2-bootstrapped/po/sv.po
--- gnutls-3.7.2/po/sv.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/sv.po 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: libgnutls 3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2017-06-22 13:44+0200\n"
"Last-Translator: Anders Jonsson <anders.jonsson@norsjovallen.se>\n"
"Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n"
diff -ruN gnutls-3.7.2/po/uk.po gnutls-3.7.2-bootstrapped/po/uk.po
--- gnutls-3.7.2/po/uk.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/uk.po 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-06-06 21:38+0300\n"
"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
"Language-Team: Ukrainian <trans-uk@lists.fedoraproject.org>\n"
diff -ruN gnutls-3.7.2/po/vi.po gnutls-3.7.2-bootstrapped/po/vi.po
--- gnutls-3.7.2/po/vi.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/vi.po 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: libgnutls-3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2013-08-06 07:13+0700\n"
"Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n"
"Language-Team: Vietnamese <translation-team-vi@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/zh_CN.po gnutls-3.7.2-bootstrapped/po/zh_CN.po
--- gnutls-3.7.2/po/zh_CN.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/zh_CN.po 2021-06-28 09:35:00.000000000 +0200
@@ -10,7 +10,7 @@
msgstr ""
"Project-Id-Version: libgnutls 3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2015-11-10 09:47-0500\n"
"Last-Translator: Mingye Wang (Arthur2e5) <arthur200126@gmail.com>\n"
"Language-Team: Chinese (simplified) <i18n-zh@googlegroups.com>\n"
diff -ruN gnutls-3.7.2/src/p11tool-args.def gnutls-3.7.2-bootstrapped/src/p11tool-args.def
--- gnutls-3.7.2/src/p11tool-args.def 2021-04-19 09:28:28.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/src/p11tool-args.def 2021-06-25 17:46:01.000000000 +0200
@@ -268,8 +268,9 @@
flag = {
name = write;
descrip = "Writes the loaded objects to a PKCS #11 token";
- doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
- one of --load-privkey, --load-pubkey, --load-certificate option.";
+ doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.
+
+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.";
};
flag = {
diff -ruN gnutls-3.7.2/tests/Makefile.am gnutls-3.7.2-bootstrapped/tests/Makefile.am
--- gnutls-3.7.2/tests/Makefile.am 2021-05-27 08:10:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/tests/Makefile.am 2021-06-28 09:09:42.000000000 +0200
@@ -108,7 +108,7 @@
libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c
libutils_la_LIBADD = ../lib/libgnutls.la
-indirect_tests = system-override-hash system-override-sig
+indirect_tests = system-override-hash system-override-sig system-override-sig-tls
ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
tls13/post-handshake-with-cert tls13/post-handshake-without-cert \
@@ -509,7 +509,13 @@
dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
system-override-versions.sh system-override-invalid.sh \
system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
- system-override-kx.sh system-override-default-priority-string.sh
+ system-override-kx.sh system-override-default-priority-string.sh \
+ system-override-sig-tls.sh
+
+dist_check_SCRIPTS += system-override-sig-allowlist.sh \
+ system-override-hash-allowlist.sh \
+ system-override-versions-allowlist.sh \
+ system-override-curves-allowlist.sh
endif
dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh
@@ -605,6 +611,7 @@
endif
TEST_EXTENSIONS = .sh
+SH_LOG_COMPILER = $(SHELL)
LOG_COMPILER = $(VALGRIND)
distclean-local:
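Review bot: `SH_LOG_COMPILER = $(SHELL)` makes the harness pass every `.sh` test to `$(SHELL)` as an argument, so each script's `#!` line is no longer honoured. A test that declares a different interpreter, or relies on features `$(SHELL)` lacks, would now fail or behave differently. Not all scripts are visible here, so this needs a check across `tests/` and `tests/suite/`, where the same line is added. A comment above the assignment would record the consequence: `# .sh tests run under $(SHELL); their shebang line is ignored`.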
diff -ruN gnutls-3.7.2/tests/Makefile.in gnutls-3.7.2-bootstrapped/tests/Makefile.in
--- gnutls-3.7.2/tests/Makefile.in 2021-05-29 10:11:25.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/tests/Makefile.in 2021-06-28 09:11:42.000000000 +0200
@@ -191,11 +191,20 @@
@WINDOWS_FALSE@ gnutls-cli-resume.sh profile-tests.sh \
@WINDOWS_FALSE@ server-weak-keys.sh
@WINDOWS_FALSE@am__append_17 = dtls-stress
-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh system-override-hash.sh \
-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions.sh system-override-invalid.sh \
-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-kx.sh system-override-default-priority-string.sh
-
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-hash.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-invalid.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-profiles.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-tls.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-kx.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-default-priority-string.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-sig-tls.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-sig-allowlist.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-hash-allowlist.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions-allowlist.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves-allowlist.sh
@WINDOWS_FALSE@am__append_19 = gnutls-cli-self-signed.sh \
@WINDOWS_FALSE@ gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \
@WINDOWS_FALSE@ dh-fips-approved.sh
@@ -662,8 +671,8 @@
@ENABLE_PKCS11_TRUE@@HAVE_PKCS11_TRUST_STORE_TRUE@@P11KIT_0_23_11_API_TRUE@@WINDOWS_FALSE@ pkcs11/list-objects$(EXEEXT)
@WINDOWS_FALSE@am__EXEEXT_18 = datefudge-check$(EXEEXT)
am__EXEEXT_19 = system-override-hash$(EXEEXT) \
- system-override-sig$(EXEEXT) $(am__EXEEXT_16) $(am__EXEEXT_17) \
- $(am__EXEEXT_18)
+ system-override-sig$(EXEEXT) system-override-sig-tls$(EXEEXT) \
+ $(am__EXEEXT_16) $(am__EXEEXT_17) $(am__EXEEXT_18)
PROGRAMS = $(noinst_PROGRAMS)
LTLIBRARIES = $(noinst_LTLIBRARIES)
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock1_la_DEPENDENCIES = \
@@ -2366,6 +2375,11 @@
system_override_sig_LDADD = $(LDADD)
system_override_sig_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \
$(am__DEPENDENCIES_2)
+system_override_sig_tls_SOURCES = system-override-sig-tls.c
+system_override_sig_tls_OBJECTS = system-override-sig-tls.$(OBJEXT)
+system_override_sig_tls_LDADD = $(LDADD)
+system_override_sig_tls_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \
+ libutils.la $(am__DEPENDENCIES_2)
system_prio_file_SOURCES = system-prio-file.c
system_prio_file_OBJECTS = system-prio-file.$(OBJEXT)
system_prio_file_LDADD = $(LDADD)
@@ -2997,10 +3011,13 @@
system-override-profiles.sh system-override-tls.sh \
system-override-kx.sh \
system-override-default-priority-string.sh \
- gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \
- gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \
- testpkcs11.sh certtool-pkcs11.sh p11-kit-load.sh danetool.sh \
- tpmtool_test.sh
+ system-override-sig-tls.sh system-override-sig-allowlist.sh \
+ system-override-hash-allowlist.sh \
+ system-override-versions-allowlist.sh \
+ system-override-curves-allowlist.sh gnutls-cli-self-signed.sh \
+ gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \
+ dh-fips-approved.sh p11-kit-trust.sh testpkcs11.sh \
+ certtool-pkcs11.sh p11-kit-load.sh danetool.sh tpmtool_test.sh
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -3216,6 +3233,7 @@
./$(DEPDIR)/status-request.Po ./$(DEPDIR)/str-idna.Po \
./$(DEPDIR)/str-unicode.Po ./$(DEPDIR)/strict-der.Po \
./$(DEPDIR)/system-override-hash.Po \
+ ./$(DEPDIR)/system-override-sig-tls.Po \
./$(DEPDIR)/system-override-sig.Po \
./$(DEPDIR)/system-prio-file.Po ./$(DEPDIR)/time.Po \
./$(DEPDIR)/tls-channel-binding.Po \
@@ -3522,16 +3540,16 @@
ssl30-server-kx-neg.c status-request.c status-request-ext.c \
status-request-ok.c status-request-revoked.c str-idna.c \
str-unicode.c strict-der.c system-override-hash.c \
- system-override-sig.c system-prio-file.c time.c \
- tls-channel-binding.c tls-client-with-seccomp.c \
- tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \
- tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \
- tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \
- tls-record-size-limit-asym.c tls-session-ext-override.c \
- tls-session-ext-register.c tls-session-supplemental.c \
- tls-supplemental.c tls-with-seccomp.c \
- $(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \
- tls10-prf.c tls10-server-kx-neg.c \
+ system-override-sig.c system-override-sig-tls.c \
+ system-prio-file.c time.c tls-channel-binding.c \
+ tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \
+ tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \
+ tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \
+ tls-record-size-limit.c tls-record-size-limit-asym.c \
+ tls-session-ext-override.c tls-session-ext-register.c \
+ tls-session-supplemental.c tls-supplemental.c \
+ tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \
+ tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \
$(tls11_cert_key_exchange_SOURCES) \
$(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \
$(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \
@@ -3707,16 +3725,16 @@
ssl30-server-kx-neg.c status-request.c status-request-ext.c \
status-request-ok.c status-request-revoked.c str-idna.c \
str-unicode.c strict-der.c system-override-hash.c \
- system-override-sig.c system-prio-file.c time.c \
- tls-channel-binding.c tls-client-with-seccomp.c \
- tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \
- tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \
- tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \
- tls-record-size-limit-asym.c tls-session-ext-override.c \
- tls-session-ext-register.c tls-session-supplemental.c \
- tls-supplemental.c tls-with-seccomp.c \
- $(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \
- tls10-prf.c tls10-server-kx-neg.c \
+ system-override-sig.c system-override-sig-tls.c \
+ system-prio-file.c time.c tls-channel-binding.c \
+ tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \
+ tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \
+ tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \
+ tls-record-size-limit.c tls-record-size-limit-asym.c \
+ tls-session-ext-override.c tls-session-ext-register.c \
+ tls-session-supplemental.c tls-supplemental.c \
+ tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \
+ tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \
$(tls11_cert_key_exchange_SOURCES) \
$(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \
$(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \
@@ -5822,7 +5840,8 @@
libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c
libutils_la_LIBADD = ../lib/libgnutls.la
indirect_tests = system-override-hash system-override-sig \
- $(am__append_17) $(am__append_22) $(am__append_28)
+ system-override-sig-tls $(am__append_17) $(am__append_22) \
+ $(am__append_28)
ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
tls13/post-handshake-with-cert \
tls13/post-handshake-without-cert tls13/cookie tls13/key_share \
@@ -6115,6 +6134,7 @@
@ENABLE_CXX_TRUE@@HAVE_CMOCKA_TRUE@ -I$(top_builddir)/gl
TEST_EXTENSIONS = .sh
+SH_LOG_COMPILER = $(SHELL)
LOG_COMPILER = $(VALGRIND)
all: all-recursive
@@ -7590,6 +7610,10 @@
@rm -f system-override-sig$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(system_override_sig_OBJECTS) $(system_override_sig_LDADD) $(LIBS)
+system-override-sig-tls$(EXEEXT): $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_DEPENDENCIES) $(EXTRA_system_override_sig_tls_DEPENDENCIES)
+ @rm -f system-override-sig-tls$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_LDADD) $(LIBS)
+
system-prio-file$(EXEEXT): $(system_prio_file_OBJECTS) $(system_prio_file_DEPENDENCIES) $(EXTRA_system_prio_file_DEPENDENCIES)
@rm -f system-prio-file$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(system_prio_file_OBJECTS) $(system_prio_file_LDADD) $(LIBS)
@@ -8396,6 +8420,7 @@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str-unicode.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strict-der.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-hash.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig-tls.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-prio-file.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/time.Po@am__quote@ # am--include-marker
@@ -12588,6 +12613,7 @@
-rm -f ./$(DEPDIR)/str-unicode.Po
-rm -f ./$(DEPDIR)/strict-der.Po
-rm -f ./$(DEPDIR)/system-override-hash.Po
+ -rm -f ./$(DEPDIR)/system-override-sig-tls.Po
-rm -f ./$(DEPDIR)/system-override-sig.Po
-rm -f ./$(DEPDIR)/system-prio-file.Po
-rm -f ./$(DEPDIR)/time.Po
@@ -13075,6 +13101,7 @@
-rm -f ./$(DEPDIR)/str-unicode.Po
-rm -f ./$(DEPDIR)/strict-der.Po
-rm -f ./$(DEPDIR)/system-override-hash.Po
+ -rm -f ./$(DEPDIR)/system-override-sig-tls.Po
-rm -f ./$(DEPDIR)/system-override-sig.Po
-rm -f ./$(DEPDIR)/system-prio-file.Po
-rm -f ./$(DEPDIR)/time.Po
diff -ruN gnutls-3.7.2/tests/suite/Makefile.am gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am
--- gnutls-3.7.2/tests/suite/Makefile.am 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am 2021-06-28 09:09:42.000000000 +0200
@@ -115,4 +115,5 @@
prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
TEST_EXTENSIONS = .sh
+SH_LOG_COMPILER = $(SHELL)
LOG_COMPILER = $(VALGRIND)
diff -ruN gnutls-3.7.2/tests/suite/Makefile.in gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in
--- gnutls-3.7.2/tests/suite/Makefile.in 2021-05-29 10:11:26.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in 2021-06-28 09:11:43.000000000 +0200
@@ -2351,6 +2351,7 @@
nodist_check_SCRIPTS = $(scripts_to_test)
prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
TEST_EXTENSIONS = .sh
+SH_LOG_COMPILER = $(SHELL)
LOG_COMPILER = $(VALGRIND)
all: all-am
diff -ruN gnutls-3.7.2/tests/system-override-curves-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh
--- gnutls-3.7.2/tests/system-override-curves-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
@@ -0,0 +1,113 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+: ${srcdir=.}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+TMPFILE=config.$$.tmp
+TMPFILE2=log.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+# This test doesn't work in FIPS mode
+if test -n "${GNUTLS_FORCE_FIPS_MODE}" && test "${GNUTLS_FORCE_FIPS_MODE}" != 0; then
+ exit 77
+fi
+
+# We intentionally add stray spaces and tabs to check our parser
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+enabled-curve = secp384r1
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+export GNUTLS_DEBUG_LEVEL=3
+
+"${CLI}" --list|grep ^Groups >${TMPFILE2}
+cat ${TMPFILE2}
+if grep -i "SECP256R1" ${TMPFILE2} || grep -i "SECP521R1" ${TMPFILE2};then
+ echo "Found disabled curve with --list"
+ exit 1
+fi
+
+if ! grep -i "SECP384R1" ${TMPFILE2};then
+ echo "Could not found secp384r1"
+ exit 1
+fi
+
+# Try whether a client connection with a disabled curve will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
+ fail "expected connection to succeed (1)"
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+# Try whether a server connection with a disabled curve will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+exit 0
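Review bot: The expected-failure checks (`&& fail "expected connection to fail (2)"`, used twice) accept any non-zero exit from `${CLI}`, and the `--logfile ${TMPFILE2}` output is never inspected, so they also pass when the handshake fails for a reason unrelated to the curve allowlist. A control run under the same `GNUTLS_SYSTEM_PRIORITY_FILE` with the allowed curve, `--priority "NORMAL:-CURVE-ALL:+CURVE-SECP384R1"` ending in `|| fail "expected connection to succeed"`, would tie the rejection to the curve list; whether that control passes with a config that sets only `enabled-curve` cannot be told from this hunk. The final check should carry a distinct label, `fail "expected connection to fail (3)"`, so a failure can be located in the log. `${TMPFILE}` and `${TMPFILE2}` are also never removed here, whereas the smaller wrapper scripts in this patch end with `rm ${TMPFILE}`. tests/system-override-versions-allowlist.sh has the same uninspected expected-failure checks and leftover temp files.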
diff -ruN gnutls-3.7.2/tests/system-override-hash-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh
--- gnutls-3.7.2/tests/system-override-hash-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${builddir=.}
+TMPFILE=c.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha384
+secure-sig = rsa-pss-sha384
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${builddir}/system-override-hash"
+rc=$?
+rm ${TMPFILE}
+exit $rc
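Review bot: The priority file is written to a PID-derived name in the current directory (`c.$$.tmp`) through a plain `>` redirection, which writes through whatever already exists at that path, and it is removed only if the script reaches the final `rm`. Creating it with `TMPFILE=$(mktemp) || exit 1` and registering `trap 'rm -f "${TMPFILE}"' EXIT` right after the assignment keeps the name unpredictable and the cleanup in one place. tests/system-override-sig-allowlist.sh and tests/system-override-sig-tls.sh in this patch use the same pattern.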
diff -ruN gnutls-3.7.2/tests/system-override-sig-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh
--- gnutls-3.7.2/tests/system-override-sig-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${builddir=.}
+TMPFILE=c.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha256
+secure-sig = rsa-sha256
+secure-hash = sha384
+secure-sig = rsa-pss-sha384
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${builddir}/system-override-sig"
+rc=$?
+rm ${TMPFILE}
+exit $rc
diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.c gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c
--- gnutls-3.7.2/tests/system-override-sig-tls.c 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c 2021-06-25 17:46:13.000000000 +0200
@@ -0,0 +1,200 @@
+/*
+ * Copyright (C) 2015-2021 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <assert.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <gnutls/gnutls.h>
+#include "utils.h"
+
+#define SKIP16(pos, total) { \
+ uint16_t _s; \
+ if (pos+2 > total) fail("error\n"); \
+ _s = (msg->data[pos] << 8) | msg->data[pos+1]; \
+ if ((size_t)(pos+2+_s) > total) fail("error\n"); \
+ pos += 2+_s; \
+ }
+
+#define SKIP8(pos, total) { \
+ uint8_t _s; \
+ if (pos+1 > total) fail("error\n"); \
+ _s = msg->data[pos]; \
+ if ((size_t)(pos+1+_s) > total) fail("error\n"); \
+ pos += 1+_s; \
+ }
+
+#define HANDSHAKE_SESSION_ID_POS 34
+
+#include "eagain-common.h"
+#include "cert-common.h"
+
+/* This tests whether the client omits signature algorithms marked as insecure,
+ * from the signature_algorithms extension.
+ */
+
+const char *side;
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+#define PRIO "NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:" \
+ "+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384"
+/* rsa_pss_rsae_sha384 */
+#define SIGALGS_EXP "\x00\x02\x08\x05"
+
+static int
+ext_callback(void *ctx, unsigned tls_id,
+ const unsigned char *data, unsigned size)
+{
+ if (tls_id == 13) { /* signature algorithms */
+ if (size != sizeof(SIGALGS_EXP) - 1) {
+ fail("invalid signature_algorithms length: %u != 4\n",
+ size);
+ }
+ if (memcmp(data, SIGALGS_EXP, sizeof(SIGALGS_EXP) - 1) != 0) {
+ fail("invalid signature_algorithms\n");
+ }
+ }
+ return 0;
+}
+
+static int
+handshake_callback(gnutls_session_t session, unsigned int htype,
+ unsigned post, unsigned int incoming,
+ const gnutls_datum_t *msg)
+{
+ assert(post);
+
+ if (!incoming && htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
+ int ret;
+ unsigned pos;
+ gnutls_datum_t mmsg;
+
+ assert(msg->size >= HANDSHAKE_SESSION_ID_POS);
+ pos = HANDSHAKE_SESSION_ID_POS;
+ SKIP8(pos, msg->size);
+ SKIP16(pos, msg->size);
+ SKIP8(pos, msg->size);
+
+ mmsg.data = &msg->data[pos];
+ mmsg.size = msg->size - pos;
+ ret = gnutls_ext_raw_parse(NULL, ext_callback, &mmsg, 0);
+ assert(ret >= 0);
+ }
+ return 0;
+}
+
+void doit(void)
+{
+ int ret;
+ /* Server stuff. */
+ gnutls_certificate_credentials_t serverx509cred;
+ gnutls_session_t server;
+ int sret = GNUTLS_E_AGAIN;
+ /* Client stuff. */
+ gnutls_certificate_credentials_t clientx509cred;
+ gnutls_session_t client;
+ int cret = GNUTLS_E_AGAIN;
+
+ global_init();
+
+ /* General init. */
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(6);
+
+ /* Init server */
+ gnutls_certificate_allocate_credentials(&serverx509cred);
+ gnutls_certificate_set_x509_key_mem(serverx509cred,
+ &server2_cert, &server2_key,
+ GNUTLS_X509_FMT_PEM);
+
+ gnutls_init(&server, GNUTLS_SERVER);
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
+ serverx509cred);
+
+ gnutls_priority_set_direct(server, PRIO, NULL);
+
+ gnutls_transport_set_push_function(server, server_push);
+ gnutls_transport_set_pull_function(server, server_pull);
+ gnutls_transport_set_pull_timeout_function(server,
+ server_pull_timeout_func);
+ gnutls_transport_set_ptr(server, server);
+
+ /* Init client */
+ ret = gnutls_certificate_allocate_credentials(&clientx509cred);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca2_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_init(&client, GNUTLS_CLIENT);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
+ clientx509cred);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_priority_set_direct(client, PRIO, NULL);
+ if (ret < 0)
+ exit(1);
+
+ gnutls_transport_set_push_function(client, client_push);
+ gnutls_transport_set_pull_function(client, client_pull);
+ gnutls_transport_set_pull_timeout_function(client,
+ client_pull_timeout_func);
+ gnutls_transport_set_ptr(client, client);
+
+ gnutls_handshake_set_hook_function(client,
+ GNUTLS_HANDSHAKE_ANY,
+ GNUTLS_HOOK_POST,
+ handshake_callback);
+
+ HANDSHAKE(client, server);
+
+ gnutls_bye(client, GNUTLS_SHUT_RDWR);
+ gnutls_bye(server, GNUTLS_SHUT_RDWR);
+
+ gnutls_deinit(client);
+ gnutls_deinit(server);
+
+ gnutls_certificate_free_credentials(serverx509cred);
+ gnutls_certificate_free_credentials(clientx509cred);
+
+ gnutls_global_deinit();
+
+ reset_buffers();
+}
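Review bot: `ext_callback` validates extension 13 only when it shows up, so the test passes without checking anything if the ClientHello carries no signature_algorithms extension or if `handshake_callback` never reaches `gnutls_ext_raw_parse`. Recording that the comparison ran closes that gap: a file-scope `static bool sigalgs_seen;` set to `true` in the `tls_id == 13` branch, and `if (!sigalgs_seen) fail("signature_algorithms not seen\n");` after `HANDSHAKE(client, server);`. The `assert()` calls in `handshake_callback` also carry test logic and compile away under `NDEBUG`, while `fail()` is what the rest of the file uses for that purpose. In `doit`, the server-side setup calls (`gnutls_certificate_set_x509_key_mem`, `gnutls_init`, `gnutls_priority_set_direct`) ignore their return values although the client-side equivalents are checked.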
diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh
--- gnutls-3.7.2/tests/system-override-sig-tls.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh 2021-06-25 17:46:13.000000000 +0200
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+# Copyright (C) 2021 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos, Daiki Ueno
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${builddir=.}
+TMPFILE=c.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+cat <<_EOF_ > ${TMPFILE}
+[overrides]
+
+insecure-sig = rsa-pss-rsae-sha256
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${builddir}/system-override-sig-tls"
+rc=$?
+rm ${TMPFILE}
+exit $rc
diff -ruN gnutls-3.7.2/tests/system-override-versions-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh
--- gnutls-3.7.2/tests/system-override-versions-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
@@ -0,0 +1,109 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${srcdir=.}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+TMPFILE=config.$$.tmp
+TMPFILE2=log.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+enabled-version = tls1.1
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+export GNUTLS_DEBUG_LEVEL=3
+
+"${CLI}" --list|grep Protocols >${TMPFILE2}
+cat ${TMPFILE2}
+if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
+ echo "Found disabled protocol with --list"
+ exit 1
+fi
+
+PRIO=@SYSTEM:+CIPHER-ALL:+MAC-ALL:+GROUP-ALL
+
+"${CLI}" --priority "$PRIO" --list|grep Protocols >${TMPFILE2}
+cat ${TMPFILE2}
+if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
+ echo "Found disabled protocol with --list --priority $PRIO"
+ exit 1
+fi
+
+# Try whether a client connection with these protocols will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "$PRIO" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (1)"
+
+kill ${PID}
+wait
+
+# Try whether a server connection with these protocols will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+eval "${GETPORT}"
+launch_server --echo --priority "$PRIO" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+exit 0
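Review bot: Both `--list` checks only assert that `VERS-TLS1.2` and `VERS-TLS1.3` are absent, so an empty `${TMPFILE2}` (for example when `"${CLI}" --list` fails or prints no `Protocols` line) passes them. The curves test in this patch guards against that case by also requiring `SECP384R1` to be listed. A matching presence check after each listing, `if ! grep "VERS-TLS1.1" ${TMPFILE2}; then echo "Could not find VERS-TLS1.1"; exit 1; fi`, would make the check fail closed, assuming the listing names the protocol the same way as the strings already grepped for.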