diff --git a/.gitignore b/.gitignore
index 0c9a58d..8f73d36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/gnutls-3.7.2.tar.xz
+SOURCES/gnutls-3.7.3.tar.xz
 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
diff --git a/.gnutls.metadata b/.gnutls.metadata
index 4f8719b..aa8ffa9 100644
--- a/.gnutls.metadata
+++ b/.gnutls.metadata
@@ -1,2 +1,2 @@
-02e12259680b6ad3ec973e0df6bf2cf0c5ef1100 SOURCES/gnutls-3.7.2.tar.xz
+552c337be97d2379ae7233ebf55e949010ef7837 SOURCES/gnutls-3.7.3.tar.xz
 648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
diff --git a/SOURCES/gnutls-3.7.2-config-allowlisting.patch b/SOURCES/gnutls-3.7.2-config-allowlisting.patch
deleted file mode 100644
index 484f053..0000000
--- a/SOURCES/gnutls-3.7.2-config-allowlisting.patch
+++ /dev/null
@@ -1,8352 +0,0 @@
-diff -ruN gnutls-3.7.2/aminclude_static.am gnutls-3.7.2-bootstrapped/aminclude_static.am
---- gnutls-3.7.2/aminclude_static.am	2021-05-29 10:11:18.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/aminclude_static.am	2021-06-28 09:11:35.000000000 +0200
-@@ -1,6 +1,6 @@
- 
- # aminclude_static.am generated automatically by Autoconf
--# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
-+# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
- 
- 
- # Code coverage
-diff -ruN gnutls-3.7.2/AUTHORS gnutls-3.7.2-bootstrapped/AUTHORS
---- gnutls-3.7.2/AUTHORS	2021-05-29 10:22:59.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/AUTHORS	2021-06-28 09:56:13.000000000 +0200
-@@ -37,8 +37,8 @@
- Kevin Cernekee <cernekee at gmail.com>
- Nikolay Sivov <nsivov at codeweavers.com>
- Sahana Prasad <sahana at redhat.com>
--Michael Catanzaro <mcatanzaro at gnome.org>
- Alexander Sosedkin <asosedkin at redhat.com>
-+Michael Catanzaro <mcatanzaro at gnome.org>
- Daniel Lenski <dlenski at gmail.com>
- JonasZhou <JonasZhou at zhaoxin.com>
- Stefan Sørensen <stefan.sorensen at spectralink.com>
-diff -ruN gnutls-3.7.2/ChangeLog gnutls-3.7.2-bootstrapped/ChangeLog
---- gnutls-3.7.2/ChangeLog	2021-05-29 10:23:25.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/ChangeLog	2021-06-28 09:56:40.000000000 +0200
-@@ -1,4 +1,63 @@
- Author: Daiki Ueno <ueno@gnu.org>
-+Date:   Mon Jun 28 07:04:55 2021 +0200
-+
-+    tests: set SH_LOG_COMPILER so sh tests run under $(SHELL)
-+    
-+    This omits the need of setting executable bits on shell script tests.
-+    
-+    Signed-off-by: Daiki Ueno <ueno@gnu.org>
-+
-+Author: Daiki Ueno <ueno@gnu.org>
-+Date:   Thu May 6 12:41:40 2021 +0200
-+
-+    priority: support allowlisting in configuration file
-+    
-+    This adds a new mode of interpreting the [overrides] section.  If
-+    "override-mode" is set to "allowlisting" in the [global] section, all
-+    the algorithms (hashes, signature algorithms, curves, and versions)
-+    are initially marked as insecure/disabled.  Then the user can enable
-+    them by specifying allowlisting keywords such as "secure-hash" in the
-+    [overrides] section.
-+    
-+    Signed-off-by: Daiki Ueno <ueno@gnu.org>
-+    Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
-+
-+Author: Daiki Ueno <ueno@gnu.org>
-+Date:   Wed May 5 16:27:55 2021 +0200
-+
-+    priority: refactor config file parsing
-+    
-+    This adds the following refactoring:
-+    
-+    - avoid side-effects during parsing the config file, by separating
-+      application phase; the parsed configuration can be applied globally
-+      with cfg_apply, after validation
-+    - make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
-+      name
-+    
-+    Signed-off-by: Daiki Ueno <ueno@gnu.org>
-+
-+Author: Daiki Ueno <ueno@gnu.org>
-+Date:   Fri Jun 11 06:58:43 2021 +0200
-+
-+    priority: reflect system wide config when constructing sigalgs
-+    
-+    Otherwise the client would advertise signature algorithms which it
-+    cannot use and cause handshake to fail.
-+    
-+    Reported by Philip Schaten in:
-+    https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html
-+    
-+    Signed-off-by: Daiki Ueno <ueno@gnu.org>
-+
-+Author: Daiki Ueno <ueno@gnu.org>
-+Date:   Wed Jun 9 14:29:11 2021 +0200
-+
-+    p11tool: mention how CKA_IDs of certs are calculated upon --write
-+    
-+    Signed-off-by: Daiki Ueno <ueno@gnu.org>
-+
-+Author: Daiki Ueno <ueno@gnu.org>
- Date:   Sat May 29 07:18:17 2021 +0200
- 
-     Release 3.7.2
-@@ -49224,3 +49283,13 @@
- Date:   Fri Nov 7 10:22:11 2014 +0100
- 
-     doc: corrected values for INSECURE level
-+
-+Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-+Date:   Fri Nov 7 08:55:40 2014 +0100
-+
-+    pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags
-+
-+Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-+Date:   Fri Nov 7 08:44:46 2014 +0100
-+
-+    pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
-diff -ruN gnutls-3.7.2/doc/cha-config.texi gnutls-3.7.2-bootstrapped/doc/cha-config.texi
---- gnutls-3.7.2/doc/cha-config.texi	2021-05-10 16:34:47.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/cha-config.texi	2021-06-28 09:09:14.000000000 +0200
-@@ -74,6 +74,7 @@
- @item @code{insecure-sig-for-cert}: to mark the signature algorithm as insecure when used in certificates.
- @item @code{insecure-sig}: to mark the signature algorithm as insecure for any use.
- @item @code{insecure-hash}: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
-+@item @code{disabled-curve}: to disable the specified elliptic curve.
- @item @code{disabled-version}: to disable the specified TLS versions.
- @item @code{tls-disabled-cipher}: to disable the specified ciphers for use in the TLS or DTLS protocols.
- @item @code{tls-disabled-mac}: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
-@@ -82,11 +83,39 @@
- @end itemize
- 
- Each of the options can be repeated multiple times when multiple values need
--to be disabled.
-+to be disabled or enabled.
- 
- The valid values for the options above can be found in the 'Protocols', 'Digests'
- 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of the output of @code{gnutls-cli --list}.
- 
-+Sometimes the system administrator wants to enable only specific
-+algorithms, despite the library defaults. GnuTLS provides an
-+alternative mode of overriding: allowlisting.
-+
-+In the allowlisting mode, all the algorithms are initially marked as
-+insecure or disabled, and shall be explicitly turned on by the options
-+in the @code{[overrides]} section. Those options are mutually
-+exclusive to the above ones for the blocklisting mode (the default)
-+@itemize
-+@item @code{secure-sig-for-cert}: to mark the signature algorithm as secure when used in certificates.
-+@item @code{secure-sig}: to mark the signature algorithm as secure for any use.
-+@item @code{secure-hash}: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
-+@item @code{enabled-curve}: to enable the specified elliptic curve.
-+@item @code{enabled-version}: to enable the specified TLS versions.
-+@item @code{tls-enabled-cipher}: to enable the specified ciphers for use in the TLS or DTLS protocols.
-+@item @code{tls-enabled-mac}: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
-+@item @code{tls-enabled-group}: to enable the specified group for use in the TLS or DTLS protocols.
-+@item @code{tls-enabled-kx}: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
-+@end itemize
-+
-+The allowlisting mode can be enabled by adding @code{override-mode =
-+allowlist} in the @code{[global]} section.
-+
-+When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
-+
-+@showfuncD{gnutls_ecc_curve_mark_enabled,gnutls_sign_mark_secure,gnutls_digest_mark_secure,gnutls_protocol_mark_enabled}
-+@showfuncD{gnutls_ecc_curve_mark_disabled,gnutls_sign_mark_insecure,gnutls_digest_mark_insecure,gnutls_protocol_mark_disabled}
-+
- @subsection Examples
- 
- The following example marks as insecure all digital signature algorithms
-@@ -120,6 +149,20 @@
- tls-disabled-group = group-ffdhe8192
- @end example
- 
-+The following example demonstrates the use of the allowlisting
-+mode. It disables all the signature algorithms but
-+@code{RSA-SHA256}. Note that the hash algorithm @code{SHA256} also
-+needs to be explicitly enabled.
-+
-+@example
-+[global]
-+override-mode = allowlist
-+
-+[overrides]
-+secure-hash = sha256
-+secure-sig = rsa-sha256
-+@end example
-+
- @node Querying for disabled algorithms and protocols
- @section Querying for disabled algorithms and protocols
- 
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure
---- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1,12 @@
-+
-+
-+
-+
-+@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
-+@var{dig}: is a digest algorithm
-+
-+Mark  @code{dig} as insecure system wide. This only works if the allowlisting mode
-+is used in the configuration file.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short
---- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1 @@
-+@item @var{int} @ref{gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure
---- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1,12 @@
-+
-+
-+
-+
-+@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
-+@var{dig}: is a digest algorithm
-+
-+Invalidate previous system wide setting that marked  @code{dig} as insecure. This
-+only works if the allowlisting mode is used in the configuration file.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short
---- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1 @@
-+@item @var{int} @ref{gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled
---- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1,15 @@
-+
-+
-+
-+
-+@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
-+@var{curve}: is an ECC curve
-+
-+Mark  @code{curve} as disabled system wide. This setting can be reverted with
-+@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
-+uses the allowlisting mode.
-+
-+@strong{Returns:} 0 on success or negative error code otherwise.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short
---- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short	2021-06-28 09:39:51.000000000 +0200
-@@ -0,0 +1 @@
-+@item @var{int} @ref{gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled
---- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1,15 @@
-+
-+
-+
-+
-+@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
-+@var{curve}: is an ECC curve
-+
-+Invalidate previous system wide setting that marked  @code{curve} as disabled. This
-+only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()}  or
-+through the allowlisting mode in the configuration file.
-+
-+@strong{Returns:} 0 on success or negative error code otherwise.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short
---- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short	2021-06-28 09:39:51.000000000 +0200
-@@ -0,0 +1 @@
-+@item @var{int} @ref{gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled
---- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1,10 @@
-+
-+
-+
-+
-+@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
-+@var{version}: is a (gnutls) version number
-+
-+Mark  @code{version} as disabled system wide. This only works if the allowlisting
-+mode is used in the configuration file.
-+@end deftypefun
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short
---- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short	2021-06-28 09:39:51.000000000 +0200
-@@ -0,0 +1 @@
-+@item @var{int} @ref{gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled
---- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1,11 @@
-+
-+
-+
-+
-+@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
-+@var{version}: is a (gnutls) version number
-+
-+Invalidate previous system wide setting that marked  @code{version} as
-+disabled. This only works if the allowlisting mode is used in the
-+configuration file.
-+@end deftypefun
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short
---- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short	2021-06-28 09:39:51.000000000 +0200
-@@ -0,0 +1 @@
-+@item @var{int} @ref{gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure
---- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1,18 @@
-+
-+
-+
-+
-+@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
-+@var{sign}: the sign algorithm
-+
-+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  or 0
-+
-+Mark  @code{sign} as insecure system wide. This only works if the
-+allowlisting mode is used in the configuration file.
-+
-+If  @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  bit set,
-+and the algorithm was previously considered secure for all purposes,
-+it only marks the algorithm as insecure for the use with certificates.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short
---- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short	2021-06-28 09:39:51.000000000 +0200
-@@ -0,0 +1 @@
-+@item @var{int} @ref{gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure
---- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure	2021-06-28 09:39:50.000000000 +0200
-@@ -0,0 +1,22 @@
-+
-+
-+
-+
-+@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
-+@var{sign}: the sign algorithm
-+
-+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  or 0
-+
-+Invalidate previous system wide setting that marked  @code{sign} as
-+insecure. This only works if the algorithm is marked as insecure
-+with @code{gnutls_sign_mark_insecure()}  or through the allowlisting mode
-+in the configuration file.
-+
-+If  @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  bit set,
-+it marks it the algorithm as secure for all purposes.
-+If the absence of this flag, it will mark it as
-+"secure, but not for certificates" at most,
-+but it won't restrict anything either.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short
---- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short	2021-06-28 09:39:51.000000000 +0200
-@@ -0,0 +1 @@
-+@item @var{int} @ref{gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
-diff -ruN gnutls-3.7.2/doc/gnutls-api.texi gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi
---- gnutls-3.7.2/doc/gnutls-api.texi	2021-05-29 10:19:28.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi	2021-06-28 09:39:50.000000000 +0200
-@@ -2706,6 +2706,28 @@
- integers indicating the available digests.
- @end deftypefun
- 
-+@subheading gnutls_digest_mark_insecure
-+@anchor{gnutls_digest_mark_insecure}
-+@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
-+@var{dig}: is a digest algorithm
-+
-+Mark  @code{dig} as insecure system wide. This only works if the allowlisting mode
-+is used in the configuration file.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-+
-+@subheading gnutls_digest_mark_secure
-+@anchor{gnutls_digest_mark_secure}
-+@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
-+@var{dig}: is a digest algorithm
-+
-+Invalidate previous system wide setting that marked  @code{dig} as insecure. This
-+only works if the allowlisting mode is used in the configuration file.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-+
- @subheading gnutls_early_cipher_get
- @anchor{gnutls_early_cipher_get}
- @deftypefun {gnutls_cipher_algorithm_t} {gnutls_early_cipher_get} (gnutls_session_t @var{session})
-@@ -2820,6 +2842,34 @@
- integers indicating the available curves.
- @end deftypefun
- 
-+@subheading gnutls_ecc_curve_mark_disabled
-+@anchor{gnutls_ecc_curve_mark_disabled}
-+@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
-+@var{curve}: is an ECC curve
-+
-+Mark  @code{curve} as disabled system wide. This setting can be reverted with
-+@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
-+uses the allowlisting mode.
-+
-+@strong{Returns:} 0 on success or negative error code otherwise.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-+
-+@subheading gnutls_ecc_curve_mark_enabled
-+@anchor{gnutls_ecc_curve_mark_enabled}
-+@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
-+@var{curve}: is an ECC curve
-+
-+Invalidate previous system wide setting that marked  @code{curve} as disabled. This
-+only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()}  or
-+through the allowlisting mode in the configuration file.
-+
-+@strong{Returns:} 0 on success or negative error code otherwise.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-+
- @subheading gnutls_error_is_fatal
- @anchor{gnutls_error_is_fatal}
- @deftypefun {int} {gnutls_error_is_fatal} (int @var{error})
-@@ -5026,6 +5076,25 @@
- indicating the available protocols.
- @end deftypefun
- 
-+@subheading gnutls_protocol_mark_disabled
-+@anchor{gnutls_protocol_mark_disabled}
-+@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
-+@var{version}: is a (gnutls) version number
-+
-+Mark  @code{version} as disabled system wide. This only works if the allowlisting
-+mode is used in the configuration file.
-+@end deftypefun
-+
-+@subheading gnutls_protocol_mark_enabled
-+@anchor{gnutls_protocol_mark_enabled}
-+@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
-+@var{version}: is a (gnutls) version number
-+
-+Invalidate previous system wide setting that marked  @code{version} as
-+disabled. This only works if the allowlisting mode is used in the
-+configuration file.
-+@end deftypefun
-+
- @subheading gnutls_psk_allocate_client_credentials
- @anchor{gnutls_psk_allocate_client_credentials}
- @deftypefun {int} {gnutls_psk_allocate_client_credentials} (gnutls_psk_client_credentials_t *            @var{sc})
-@@ -7027,6 +7096,44 @@
- integers indicating the available ciphers.
- @end deftypefun
- 
-+@subheading gnutls_sign_mark_insecure
-+@anchor{gnutls_sign_mark_insecure}
-+@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
-+@var{sign}: the sign algorithm
-+
-+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  or 0
-+
-+Mark  @code{sign} as insecure system wide. This only works if the
-+allowlisting mode is used in the configuration file.
-+
-+If  @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  bit set,
-+and the algorithm was previously considered secure for all purposes,
-+it only marks the algorithm as insecure for the use with certificates.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-+
-+@subheading gnutls_sign_mark_secure
-+@anchor{gnutls_sign_mark_secure}
-+@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
-+@var{sign}: the sign algorithm
-+
-+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  or 0
-+
-+Invalidate previous system wide setting that marked  @code{sign} as
-+insecure. This only works if the algorithm is marked as insecure
-+with @code{gnutls_sign_mark_insecure()}  or through the allowlisting mode
-+in the configuration file.
-+
-+If  @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS}  bit set,
-+it marks it the algorithm as secure for all purposes.
-+If the absence of this flag, it will mark it as
-+"secure, but not for certificates" at most,
-+but it won't restrict anything either.
-+
-+@strong{Since:} 3.7.3
-+@end deftypefun
-+
- @subheading gnutls_sign_supports_pk_algorithm
- @anchor{gnutls_sign_supports_pk_algorithm}
- @deftypefun {unsigned} {gnutls_sign_supports_pk_algorithm} (gnutls_sign_algorithm_t @var{sign}, gnutls_pk_algorithm_t @var{pk})
-diff -ruN gnutls-3.7.2/doc/gnutls.html gnutls-3.7.2-bootstrapped/doc/gnutls.html
---- gnutls-3.7.2/doc/gnutls.html	2021-05-29 10:23:25.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/gnutls.html	2021-06-28 09:56:40.000000000 +0200
-@@ -8018,8 +8018,9 @@
- </p><span id="write-option_002e"></span><h4 class="subsubheading">write option.</h4>
- <span id="p11tool-write"></span>
- <p>This is the &ldquo;writes the loaded objects to a pkcs #11 token&rdquo; option.
--It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
--    one of &ndash;load-privkey, &ndash;load-pubkey, &ndash;load-certificate option.
-+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of &ndash;load-privkey, &ndash;load-pubkey, &ndash;load-certificate option.
-+</p>
-+<p>When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
- </p><span id="id-option_002e"></span><h4 class="subsubheading">id option.</h4>
- <span id="p11tool-id"></span>
- <p>This is the &ldquo;sets an id for the write operation&rdquo; option.
-@@ -16992,6 +16993,7 @@
- <li> <code>insecure-sig-for-cert</code>: to mark the signature algorithm as insecure when used in certificates.
- </li><li> <code>insecure-sig</code>: to mark the signature algorithm as insecure for any use.
- </li><li> <code>insecure-hash</code>: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
-+</li><li> <code>disabled-curve</code>: to disable the specified elliptic curve.
- </li><li> <code>disabled-version</code>: to disable the specified TLS versions.
- </li><li> <code>tls-disabled-cipher</code>: to disable the specified ciphers for use in the TLS or DTLS protocols.
- </li><li> <code>tls-disabled-mac</code>: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
-@@ -17000,11 +17002,49 @@
- </li></ul>
- 
- <p>Each of the options can be repeated multiple times when multiple values need
--to be disabled.
-+to be disabled or enabled.
- </p>
- <p>The valid values for the options above can be found in the &rsquo;Protocols&rsquo;, &rsquo;Digests&rsquo;
- &rsquo;PK-signatures&rsquo;, &rsquo;Protocols&rsquo;, &rsquo;Ciphrers&rsquo;, and &rsquo;MACs&rsquo; fields of the output of <code>gnutls-cli --list</code>.
- </p>
-+<p>Sometimes the system administrator wants to enable only specific
-+algorithms, despite the library defaults. GnuTLS provides an
-+alternative mode of overriding: allowlisting.
-+</p>
-+<p>In the allowlisting mode, all the algorithms are initially marked as
-+insecure or disabled, and shall be explicitly turned on by the options
-+in the <code>[overrides]</code> section. Those options are mutually
-+exclusive to the above ones for the blocklisting mode (the default)
-+</p><ul>
-+<li> <code>secure-sig-for-cert</code>: to mark the signature algorithm as secure when used in certificates.
-+</li><li> <code>secure-sig</code>: to mark the signature algorithm as secure for any use.
-+</li><li> <code>secure-hash</code>: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
-+</li><li> <code>enabled-curve</code>: to enable the specified elliptic curve.
-+</li><li> <code>enabled-version</code>: to enable the specified TLS versions.
-+</li><li> <code>tls-enabled-cipher</code>: to enable the specified ciphers for use in the TLS or DTLS protocols.
-+</li><li> <code>tls-enabled-mac</code>: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
-+</li><li> <code>tls-enabled-group</code>: to enable the specified group for use in the TLS or DTLS protocols.
-+</li><li> <code>tls-enabled-kx</code>: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
-+</li></ul>
-+
-+<p>The allowlisting mode can be enabled by adding <code>override-mode =
-+allowlist</code> in the <code>[global]</code> section.
-+</p>
-+<p>When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
-+</p>
-+<dl compact="compact">
-+<dt><code><var>int</var> <a href="#gnutls_005fecc_005fcurve_005fmark_005fenabled">gnutls_ecc_curve_mark_enabled</a> (gnutls_ecc_curve_t <var>curve</var>)</code></dt>
-+<dt><code><var>int</var> <a href="#gnutls_005fsign_005fmark_005fsecure">gnutls_sign_mark_secure</a> (gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</code></dt>
-+<dt><code><var>int</var> <a href="#gnutls_005fdigest_005fmark_005fsecure">gnutls_digest_mark_secure</a> (gnutls_digest_algorithm_t <var>dig</var>)</code></dt>
-+<dt><code><var>int</var> <a href="#gnutls_005fprotocol_005fmark_005fenabled">gnutls_protocol_mark_enabled</a> (gnutls_protocol_t <var>version</var>)</code></dt>
-+</dl>
-+<dl compact="compact">
-+<dt><code><var>int</var> <a href="#gnutls_005fecc_005fcurve_005fmark_005fdisabled">gnutls_ecc_curve_mark_disabled</a> (gnutls_ecc_curve_t <var>curve</var>)</code></dt>
-+<dt><code><var>int</var> <a href="#gnutls_005fsign_005fmark_005finsecure">gnutls_sign_mark_insecure</a> (gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</code></dt>
-+<dt><code><var>int</var> <a href="#gnutls_005fdigest_005fmark_005finsecure">gnutls_digest_mark_insecure</a> (gnutls_digest_algorithm_t <var>dig</var>)</code></dt>
-+<dt><code><var>int</var> <a href="#gnutls_005fprotocol_005fmark_005fdisabled">gnutls_protocol_mark_disabled</a> (gnutls_protocol_t <var>version</var>)</code></dt>
-+</dl>
-+
- <span id="Examples"></span><h4 class="subsection">8.2.1 Examples</h4>
- 
- <p>The following example marks as insecure all digital signature algorithms
-@@ -17038,6 +17078,20 @@
- tls-disabled-group = group-ffdhe8192
- </pre></div>
- 
-+<p>The following example demonstrates the use of the allowlisting
-+mode. It disables all the signature algorithms but
-+<code>RSA-SHA256</code>. Note that the hash algorithm <code>SHA256</code> also
-+needs to be explicitly enabled.
-+</p>
-+<div class="example">
-+<pre class="example">[global]
-+override-mode = allowlist
-+
-+[overrides]
-+secure-hash = sha256
-+secure-sig = rsa-sha256
-+</pre></div>
-+
- <hr>
- <span id="Querying-for-disabled-algorithms-and-protocols"></span><div class="header">
- <p>
-@@ -23658,6 +23712,28 @@
- integers indicating the available digests.
- </p></dd></dl>
- 
-+<span id="gnutls_005fdigest_005fmark_005finsecure-1"></span><h4 class="subheading">gnutls_digest_mark_insecure</h4>
-+<span id="gnutls_005fdigest_005fmark_005finsecure"></span><dl>
-+<dt id="index-gnutls_005fdigest_005fmark_005finsecure">Function: <em>int</em> <strong>gnutls_digest_mark_insecure</strong> <em>(gnutls_digest_algorithm_t <var>dig</var>)</em></dt>
-+<dd><p><var>dig</var>: is a digest algorithm
-+</p>
-+<p>Mark  <code>dig</code> as insecure system wide. This only works if the allowlisting mode
-+is used in the configuration file.
-+</p>
-+<p><strong>Since:</strong> 3.7.3
-+</p></dd></dl>
-+
-+<span id="gnutls_005fdigest_005fmark_005fsecure-1"></span><h4 class="subheading">gnutls_digest_mark_secure</h4>
-+<span id="gnutls_005fdigest_005fmark_005fsecure"></span><dl>
-+<dt id="index-gnutls_005fdigest_005fmark_005fsecure">Function: <em>int</em> <strong>gnutls_digest_mark_secure</strong> <em>(gnutls_digest_algorithm_t <var>dig</var>)</em></dt>
-+<dd><p><var>dig</var>: is a digest algorithm
-+</p>
-+<p>Invalidate previous system wide setting that marked  <code>dig</code> as insecure. This
-+only works if the allowlisting mode is used in the configuration file.
-+</p>
-+<p><strong>Since:</strong> 3.7.3
-+</p></dd></dl>
-+
- <span id="gnutls_005fearly_005fcipher_005fget-1"></span><h4 class="subheading">gnutls_early_cipher_get</h4>
- <span id="gnutls_005fearly_005fcipher_005fget"></span><dl>
- <dt id="index-gnutls_005fearly_005fcipher_005fget">Function: <em>gnutls_cipher_algorithm_t</em> <strong>gnutls_early_cipher_get</strong> <em>(gnutls_session_t <var>session</var>)</em></dt>
-@@ -23772,6 +23848,34 @@
- integers indicating the available curves.
- </p></dd></dl>
- 
-+<span id="gnutls_005fecc_005fcurve_005fmark_005fdisabled-1"></span><h4 class="subheading">gnutls_ecc_curve_mark_disabled</h4>
-+<span id="gnutls_005fecc_005fcurve_005fmark_005fdisabled"></span><dl>
-+<dt id="index-gnutls_005fecc_005fcurve_005fmark_005fdisabled">Function: <em>int</em> <strong>gnutls_ecc_curve_mark_disabled</strong> <em>(gnutls_ecc_curve_t <var>curve</var>)</em></dt>
-+<dd><p><var>curve</var>: is an ECC curve
-+</p>
-+<p>Mark  <code>curve</code> as disabled system wide. This setting can be reverted with
-+<code>gnutls_ecc_curve_mark_enabled()</code> . This only works if the configuration file
-+uses the allowlisting mode.
-+</p>
-+<p><strong>Returns:</strong> 0 on success or negative error code otherwise.
-+</p>
-+<p><strong>Since:</strong> 3.7.3
-+</p></dd></dl>
-+
-+<span id="gnutls_005fecc_005fcurve_005fmark_005fenabled-1"></span><h4 class="subheading">gnutls_ecc_curve_mark_enabled</h4>
-+<span id="gnutls_005fecc_005fcurve_005fmark_005fenabled"></span><dl>
-+<dt id="index-gnutls_005fecc_005fcurve_005fmark_005fenabled">Function: <em>int</em> <strong>gnutls_ecc_curve_mark_enabled</strong> <em>(gnutls_ecc_curve_t <var>curve</var>)</em></dt>
-+<dd><p><var>curve</var>: is an ECC curve
-+</p>
-+<p>Invalidate previous system wide setting that marked  <code>curve</code> as disabled. This
-+only works if the curve is disabled with <code>gnutls_ecc_curve_mark_disabled()</code>  or
-+through the allowlisting mode in the configuration file.
-+</p>
-+<p><strong>Returns:</strong> 0 on success or negative error code otherwise.
-+</p>
-+<p><strong>Since:</strong> 3.7.3
-+</p></dd></dl>
-+
- <span id="gnutls_005ferror_005fis_005ffatal-1"></span><h4 class="subheading">gnutls_error_is_fatal</h4>
- <span id="gnutls_005ferror_005fis_005ffatal"></span><dl>
- <dt id="index-gnutls_005ferror_005fis_005ffatal-1">Function: <em>int</em> <strong>gnutls_error_is_fatal</strong> <em>(int <var>error</var>)</em></dt>
-@@ -25978,6 +26082,25 @@
- indicating the available protocols.
- </p></dd></dl>
- 
-+<span id="gnutls_005fprotocol_005fmark_005fdisabled-1"></span><h4 class="subheading">gnutls_protocol_mark_disabled</h4>
-+<span id="gnutls_005fprotocol_005fmark_005fdisabled"></span><dl>
-+<dt id="index-gnutls_005fprotocol_005fmark_005fdisabled">Function: <em>int</em> <strong>gnutls_protocol_mark_disabled</strong> <em>(gnutls_protocol_t <var>version</var>)</em></dt>
-+<dd><p><var>version</var>: is a (gnutls) version number
-+</p>
-+<p>Mark  <code>version</code> as disabled system wide. This only works if the allowlisting
-+mode is used in the configuration file.
-+</p></dd></dl>
-+
-+<span id="gnutls_005fprotocol_005fmark_005fenabled-1"></span><h4 class="subheading">gnutls_protocol_mark_enabled</h4>
-+<span id="gnutls_005fprotocol_005fmark_005fenabled"></span><dl>
-+<dt id="index-gnutls_005fprotocol_005fmark_005fenabled">Function: <em>int</em> <strong>gnutls_protocol_mark_enabled</strong> <em>(gnutls_protocol_t <var>version</var>)</em></dt>
-+<dd><p><var>version</var>: is a (gnutls) version number
-+</p>
-+<p>Invalidate previous system wide setting that marked  <code>version</code> as
-+disabled. This only works if the allowlisting mode is used in the
-+configuration file.
-+</p></dd></dl>
-+
- <span id="gnutls_005fpsk_005fallocate_005fclient_005fcredentials-1"></span><h4 class="subheading">gnutls_psk_allocate_client_credentials</h4>
- <span id="gnutls_005fpsk_005fallocate_005fclient_005fcredentials"></span><dl>
- <dt id="index-gnutls_005fpsk_005fallocate_005fclient_005fcredentials">Function: <em>int</em> <strong>gnutls_psk_allocate_client_credentials</strong> <em>(gnutls_psk_client_credentials_t *            <var>sc</var>)</em></dt>
-@@ -27979,6 +28102,44 @@
- integers indicating the available ciphers.
- </p></dd></dl>
- 
-+<span id="gnutls_005fsign_005fmark_005finsecure-1"></span><h4 class="subheading">gnutls_sign_mark_insecure</h4>
-+<span id="gnutls_005fsign_005fmark_005finsecure"></span><dl>
-+<dt id="index-gnutls_005fsign_005fmark_005finsecure">Function: <em>int</em> <strong>gnutls_sign_mark_insecure</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</em></dt>
-+<dd><p><var>sign</var>: the sign algorithm
-+</p>
-+<p><var>flags</var>: <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code>  or 0
-+</p>
-+<p>Mark  <code>sign</code> as insecure system wide. This only works if the
-+allowlisting mode is used in the configuration file.
-+</p>
-+<p>If  <code>flags</code> has <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code>  bit set,
-+and the algorithm was previously considered secure for all purposes,
-+it only marks the algorithm as insecure for the use with certificates.
-+</p>
-+<p><strong>Since:</strong> 3.7.3
-+</p></dd></dl>
-+
-+<span id="gnutls_005fsign_005fmark_005fsecure-1"></span><h4 class="subheading">gnutls_sign_mark_secure</h4>
-+<span id="gnutls_005fsign_005fmark_005fsecure"></span><dl>
-+<dt id="index-gnutls_005fsign_005fmark_005fsecure">Function: <em>int</em> <strong>gnutls_sign_mark_secure</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</em></dt>
-+<dd><p><var>sign</var>: the sign algorithm
-+</p>
-+<p><var>flags</var>: <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code>  or 0
-+</p>
-+<p>Invalidate previous system wide setting that marked  <code>sign</code> as
-+insecure. This only works if the algorithm is marked as insecure
-+with <code>gnutls_sign_mark_insecure()</code>  or through the allowlisting mode
-+in the configuration file.
-+</p>
-+<p>If  <code>flags</code> has <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code>  bit set,
-+it marks it the algorithm as secure for all purposes.
-+If the absence of this flag, it will mark it as
-+&quot;secure, but not for certificates&quot; at most,
-+but it won&rsquo;t restrict anything either.
-+</p>
-+<p><strong>Since:</strong> 3.7.3
-+</p></dd></dl>
-+
- <span id="gnutls_005fsign_005fsupports_005fpk_005falgorithm-1"></span><h4 class="subheading">gnutls_sign_supports_pk_algorithm</h4>
- <span id="gnutls_005fsign_005fsupports_005fpk_005falgorithm"></span><dl>
- <dt id="index-gnutls_005fsign_005fsupports_005fpk_005falgorithm">Function: <em>unsigned</em> <strong>gnutls_sign_supports_pk_algorithm</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, gnutls_pk_algorithm_t <var>pk</var>)</em></dt>
-@@ -45743,6 +45904,8 @@
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fget_005fname"><code>gnutls_digest_get_name</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fget_005foid"><code>gnutls_digest_get_oid</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005flist"><code>gnutls_digest_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-+<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fmark_005finsecure"><code>gnutls_digest_mark_insecure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-+<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fmark_005fsecure"><code>gnutls_digest_mark_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fcookie_005fsend"><code>gnutls_dtls_cookie_send</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fcookie_005fverify"><code>gnutls_dtls_cookie_verify</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fget_005fdata_005fmtu"><code>gnutls_dtls_get_data_mtu</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
-@@ -45762,6 +45925,8 @@
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fget_005fpk"><code>gnutls_ecc_curve_get_pk</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fget_005fsize"><code>gnutls_ecc_curve_get_size</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005flist"><code>gnutls_ecc_curve_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-+<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fmark_005fdisabled"><code>gnutls_ecc_curve_mark_disabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-+<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fmark_005fenabled"><code>gnutls_ecc_curve_mark_enabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005fber_005fdigest_005finfo"><code>gnutls_encode_ber_digest_info</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005fgost_005frs_005fvalue"><code>gnutls_encode_gost_rs_value</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005frs_005fvalue"><code>gnutls_encode_rs_value</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
-@@ -46151,6 +46316,8 @@
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fget_005fname"><code>gnutls_protocol_get_name</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fget_005fversion"><code>gnutls_protocol_get_version</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005flist"><code>gnutls_protocol_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-+<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fmark_005fdisabled"><code>gnutls_protocol_mark_disabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-+<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fmark_005fenabled"><code>gnutls_protocol_mark_enabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fallocate_005fclient_005fcredentials"><code>gnutls_psk_allocate_client_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fallocate_005fserver_005fcredentials"><code>gnutls_psk_allocate_server_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fclient_005fget_005fhint"><code>gnutls_psk_client_get_hint</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-@@ -46325,6 +46492,8 @@
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fis_005fsecure"><code>gnutls_sign_is_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fis_005fsecure2"><code>gnutls_sign_is_secure2</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005flist"><code>gnutls_sign_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-+<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fmark_005finsecure"><code>gnutls_sign_mark_insecure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-+<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fmark_005fsecure"><code>gnutls_sign_mark_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fsupports_005fpk_005falgorithm"><code>gnutls_sign_supports_pk_algorithm</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fsrp_005fallocate_005fclient_005fcredentials"><code>gnutls_srp_allocate_client_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
- <tr><td></td><td valign="top"><a href="#index-gnutls_005fsrp_005fallocate_005fserver_005fcredentials"><code>gnutls_srp_allocate_server_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-diff -ruN gnutls-3.7.2/doc/gnutls.info gnutls-3.7.2-bootstrapped/doc/gnutls.info
---- gnutls-3.7.2/doc/gnutls.info	2021-05-29 10:23:25.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info	2021-06-28 09:56:40.000000000 +0200
-@@ -29,12 +29,12 @@
- 
- Indirect:
- gnutls.info-1: 1291
--gnutls.info-2: 322163
--gnutls.info-3: 605942
--gnutls.info-4: 1147244
--gnutls.info-5: 1463965
--gnutls.info-6: 1515571
--gnutls.info-7: 1896190
-+gnutls.info-2: 322461
-+gnutls.info-3: 606240
-+gnutls.info-4: 1153831
-+gnutls.info-5: 1470552
-+gnutls.info-6: 1522158
-+gnutls.info-7: 1903361
- 
- Tag Table:
- (Indirect)
-@@ -324,1507 +324,1515 @@
- Ref: p11tool set-id312425
- Ref: p11tool set-label312850
- Ref: p11tool write313198
--Ref: p11tool id313462
--Ref: p11tool mark-wrap313719
--Ref: p11tool mark-trusted313966
--Ref: p11tool mark-distrusted314330
--Ref: p11tool mark-decrypt314784
--Ref: p11tool mark-sign315061
--Ref: p11tool mark-ca315338
--Ref: p11tool mark-private315611
--Ref: p11tool ca315909
--Ref: p11tool private316043
--Ref: p11tool secret-key316198
--Ref: p11tool other-options316361
--Ref: p11tool debug316463
--Ref: p11tool so-login316604
--Ref: p11tool admin-login316848
--Ref: p11tool test-sign316989
--Ref: p11tool sign-params317283
--Ref: p11tool hash317623
--Ref: p11tool generate-random317919
--Ref: p11tool inder318093
--Ref: p11tool inraw318318
--Ref: p11tool outder318444
--Ref: p11tool outraw318696
--Ref: p11tool provider318829
--Ref: p11tool provider-opts319038
--Ref: p11tool batch319311
--Ref: p11tool exit status319464
--Ref: p11tool See Also319694
--Ref: p11tool Examples319742
--Node: Trusted Platform Module322163
--Ref: Trusted Platform Module-Footnote-1323956
--Ref: Trusted Platform Module-Footnote-2324004
--Node: Keys in TPM324061
--Node: Key generation325545
--Node: Using keys327813
--Node: tpmtool Invocation331458
--Ref: tpmtool usage331884
--Ref: tpmtool debug335196
--Ref: tpmtool generate-rsa335337
--Ref: tpmtool user335608
--Ref: tpmtool system335967
--Ref: tpmtool test-sign336321
--Ref: tpmtool sec-param336604
--Ref: tpmtool inder336930
--Ref: tpmtool outder337231
--Ref: tpmtool srk-well-known337450
--Ref: tpmtool exit status337606
--Ref: tpmtool See Also337836
--Ref: tpmtool Examples337897
--Node: How to use GnuTLS in applications338514
--Node: Introduction to the library339083
--Node: General idea339682
--Ref: fig-gnutls-design340531
--Ref: General idea-Footnote-1341836
--Node: Error handling341881
--Node: Common types344108
--Node: Debugging and auditing345442
--Ref: tab:environment346313
--Node: Thread safety349180
--Ref: Thread safety-Footnote-1351326
--Node: Running in a sandbox351538
--Node: Sessions and fork352932
--Node: Callback functions353484
--Node: Preparation354452
--Node: Headers354871
--Node: Initialization355160
--Ref: Initialization-Footnote-1356154
--Node: Version check356447
--Node: Building the source357322
--Node: Session initialization359433
--Ref: gnutls_init_flags_t360910
--Node: Associating the credentials367923
--Ref: tab:key-exchange-cred368699
--Node: Certificate credentials369830
--Node: Raw public-key credentials385415
--Node: SRP credentials386715
--Node: PSK credentials391613
--Node: Anonymous credentials395548
--Node: Setting up the transport layer396394
--Node: Asynchronous operation405947
--Node: Reducing round-trips410248
--Node: Zero-roundtrip mode413688
--Node: Anti-replay protection415893
--Node: DTLS sessions419538
--Ref: DTLS sessions-Footnote-1421842
--Node: DTLS and SCTP421919
--Node: TLS handshake422939
--Node: Data transfer and termination426857
--Node: Buffered data transfer435999
--Node: Handling alerts437800
--Node: Priority Strings441182
--Ref: tab:prio-keywords443782
--Ref: tab:prio-algorithms450860
--Ref: tab:prio-special1456290
--Ref: tab:prio-special2460137
--Ref: Priority Strings-Footnote-1466758
--Node: Selecting cryptographic key sizes466980
--Ref: tab:key-sizes467629
--Node: Advanced topics472378
--Node: Virtual hosts and credentials472876
--Node: Session resumption476201
--Node: Certificate verification484108
--Ref: dane_verify_status_t493829
--Node: TLS 1.2 re-authentication494234
--Node: TLS 1.3 re-authentication and re-key499091
--Node: Parameter generation500750
--Node: Deriving keys for other applications/protocols503397
--Node: Channel Bindings506627
--Node: Interoperability508166
--Node: Compatibility with the OpenSSL library509484
--Node: GnuTLS application examples510211
--Ref: examples510430
--Node: Client examples510723
--Node: Client example with X.509 certificate support511250
--Ref: ex-verify511488
--Node: Datagram TLS client example516532
--Node: Client using a smart card with TLS520937
--Ref: ex-pkcs11-client521174
--Node: Client with Resume capability example526469
--Ref: ex-resume-client526753
--Node: Client example with SSH-style certificate verification531940
--Node: Server examples536147
--Node: Echo server with X.509 authentication536501
--Node: DTLS echo server with X.509 authentication544225
--Node: More advanced client and servers558636
--Node: Client example with anonymous authentication559493
--Node: Using a callback to select the certificate to use563417
--Node: Obtaining session information569800
--Node: Advanced certificate verification example574013
--Ref: ex-verify2574289
--Node: Client example with PSK authentication579719
--Node: Client example with SRP authentication584085
--Node: Legacy client example with X.509 certificate support588369
--Ref: ex-verify-legacy588686
--Node: Client example in C++594639
--Node: Echo server with PSK authentication597211
--Node: Echo server with SRP authentication605942
--Node: Echo server with anonymous authentication612860
--Node: Helper functions for TCP connections618188
--Node: Helper functions for UDP connections619780
--Node: OCSP example621685
--Ref: Generate OCSP request621868
--Node: Miscellaneous examples631475
--Node: Checking for an alert631801
--Node: X.509 certificate parsing example633250
--Ref: ex-x509-info633507
--Node: Listing the ciphersuites in a priority string637536
--Node: PKCS12 structure generation example639853
--Node: System-wide configuration of the library644058
--Node: Application-specific priority strings645885
--Node: Disabling algorithms and protocols647333
--Node: Querying for disabled algorithms and protocols650217
--Node: Overriding the parameter verification profile651339
--Node: Overriding the default priority string652341
--Node: Using GnuTLS as a cryptographic library652958
--Ref: Using GnuTLS as a cryptographic library-Footnote-1653814
--Node: Symmetric algorithms653871
--Ref: gnutls_cipher_algorithm_t654631
--Ref: Symmetric algorithms-Footnote-1663061
--Node: Public key algorithms663146
--Node: Cryptographic Message Syntax / PKCS7667868
--Ref: gnutls_pkcs7_sign_flags671307
--Node: Hash and MAC functions672775
--Ref: gnutls_mac_algorithm_t673387
--Ref: gnutls_digest_algorithm_t676759
--Node: Random number generation677810
--Ref: gnutls_rnd_level_t678172
--Node: Overriding algorithms679279
--Node: Other included programs685597
--Node: gnutls-cli Invocation686168
--Ref: gnutls-cli usage686730
--Ref: gnutls-cli debug694480
--Ref: gnutls-cli tofu694621
--Ref: gnutls-cli strict-tofu695084
--Ref: gnutls-cli dane695486
--Ref: gnutls-cli local-dns695829
--Ref: gnutls-cli ca-verification696144
--Ref: gnutls-cli ocsp696499
--Ref: gnutls-cli resume696741
--Ref: gnutls-cli rehandshake696887
--Ref: gnutls-cli sni-hostname697054
--Ref: gnutls-cli verify-hostname697580
--Ref: gnutls-cli starttls697813
--Ref: gnutls-cli app-proto697997
--Ref: gnutls-cli starttls-proto698159
--Ref: gnutls-cli save-ocsp-multi698670
--Ref: gnutls-cli dh-bits699127
--Ref: gnutls-cli priority699478
--Ref: gnutls-cli rawpkkeyfile699856
--Ref: gnutls-cli rawpkfile700313
--Ref: gnutls-cli ranges700854
--Ref: gnutls-cli benchmark-ciphers701104
--Ref: gnutls-cli benchmark-tls-ciphers701422
--Ref: gnutls-cli list701741
--Ref: gnutls-cli priority-list702108
--Ref: gnutls-cli noticket702354
--Ref: gnutls-cli alpn702515
--Ref: gnutls-cli disable-extensions702824
--Ref: gnutls-cli single-key-share703056
--Ref: gnutls-cli post-handshake-auth703272
--Ref: gnutls-cli inline-commands703469
--Ref: gnutls-cli inline-commands-prefix703789
--Ref: gnutls-cli provider704192
--Ref: gnutls-cli logfile704389
--Ref: gnutls-cli waitresumption704746
--Ref: gnutls-cli ca-auto-retrieve705003
--Ref: gnutls-cli exit status705407
--Ref: gnutls-cli See Also705643
--Ref: gnutls-cli Examples705720
--Node: gnutls-serv Invocation709927
--Ref: gnutls-serv usage710404
--Ref: gnutls-serv debug715924
--Ref: gnutls-serv sni-hostname716065
--Ref: gnutls-serv alpn716397
--Ref: gnutls-serv require-client-cert716684
--Ref: gnutls-serv verify-client-cert716928
--Ref: gnutls-serv heartbeat717157
--Ref: gnutls-serv priority717308
--Ref: gnutls-serv x509keyfile717677
--Ref: gnutls-serv x509certfile718194
--Ref: gnutls-serv x509dsakeyfile718711
--Ref: gnutls-serv x509dsacertfile718875
--Ref: gnutls-serv x509ecckeyfile719042
--Ref: gnutls-serv x509ecccertfile719204
--Ref: gnutls-serv rawpkkeyfile719371
--Ref: gnutls-serv rawpkfile720190
--Ref: gnutls-serv ocsp-response721045
--Ref: gnutls-serv ignore-ocsp-response-errors721362
--Ref: gnutls-serv list721609
--Ref: gnutls-serv provider721847
--Ref: gnutls-serv exit status722044
--Ref: gnutls-serv See Also722282
--Ref: gnutls-serv Examples722360
--Node: gnutls-cli-debug Invocation727668
--Ref: gnutls-cli-debug usage728490
--Ref: gnutls-cli-debug debug730745
--Ref: gnutls-cli-debug app-proto730886
--Ref: gnutls-cli-debug starttls-proto731054
--Ref: gnutls-cli-debug exit status731433
--Ref: gnutls-cli-debug See Also731681
--Ref: gnutls-cli-debug Examples731764
--Node: Internal architecture of GnuTLS735261
--Node: The TLS Protocol735867
--Ref: fig-client-server736343
--Node: TLS Handshake Protocol736433
--Ref: fig-gnutls-handshake736875
--Ref: fig-gnutls-handshake-sequence737384
--Node: TLS Authentication Methods737482
--Ref: TLS Authentication Methods-Footnote-1739786
--Node: TLS Hello Extension Handling739852
--Node: Cryptographic Backend752954
--Ref: fig-crypto-layers753637
--Ref: Cryptographic Backend-Footnote-1756919
--Ref: Cryptographic Backend-Footnote-2757004
--Node: Random Number Generators-internals757112
--Node: FIPS140-2 mode764476
--Ref: gnutls_fips_mode_t767112
--Node: Upgrading from previous versions769259
--Node: Support783253
--Node: Getting help783501
--Node: Commercial Support784089
--Node: Bug Reports784360
--Node: Contributing785724
--Node: Certification787750
--Node: Error codes788214
--Node: Supported ciphersuites812847
--Ref: ciphersuites813020
--Node: API reference828064
--Node: Core TLS API828474
--Ref: gnutls_alert_get828701
--Ref: gnutls_alert_get_name829320
--Ref: gnutls_alert_get_strname829705
--Ref: gnutls_alert_send830040
--Ref: gnutls_alert_send_appropriate830918
--Ref: gnutls_alert_set_read_function831885
--Ref: gnutls_alpn_get_selected_protocol832269
--Ref: gnutls_alpn_set_protocols832933
--Ref: gnutls_anon_allocate_client_credentials833770
--Ref: gnutls_anon_allocate_server_credentials834155
--Ref: gnutls_anon_free_client_credentials834532
--Ref: gnutls_anon_free_server_credentials834821
--Ref: gnutls_anon_set_params_function835102
--Ref: gnutls_anon_set_server_dh_params835778
--Ref: gnutls_anon_set_server_known_dh_params836438
--Ref: gnutls_anon_set_server_params_function837347
--Ref: gnutls_anti_replay_deinit838010
--Ref: gnutls_anti_replay_enable838324
--Ref: gnutls_anti_replay_init838672
--Ref: gnutls_anti_replay_set_add_function839200
--Ref: gnutls_anti_replay_set_ptr840218
--Ref: gnutls_anti_replay_set_window840553
--Ref: gnutls_auth_client_get_type841321
--Ref: gnutls_auth_get_type841948
--Ref: gnutls_auth_server_get_type842760
--Ref: gnutls_base64_decode2843389
--Ref: gnutls_base64_encode2843945
--Ref: gnutls_buffer_append_data844565
--Ref: gnutls_bye844963
--Ref: gnutls_certificate_activation_time_peers846564
--Ref: gnutls_certificate_allocate_credentials846982
--Ref: gnutls_certificate_client_get_request_status847379
--Ref: gnutls_certificate_expiration_time_peers847787
--Ref: gnutls_certificate_free_ca_names848191
--Ref: gnutls_certificate_free_cas848860
--Ref: gnutls_certificate_free_credentials849263
--Ref: gnutls_certificate_free_crls849697
--Ref: gnutls_certificate_free_keys849997
--Ref: gnutls_certificate_get_crt_raw850431
--Ref: gnutls_certificate_get_issuer851502
--Ref: gnutls_certificate_get_ocsp_expiration852585
--Ref: gnutls_certificate_get_ours853756
--Ref: gnutls_certificate_get_peers854586
--Ref: gnutls_certificate_get_peers_subkey_id855709
--Ref: gnutls_certificate_get_verify_flags856065
--Ref: gnutls_certificate_get_x509_crt856478
--Ref: gnutls_certificate_get_x509_key858122
--Ref: gnutls_certificate_send_x509_rdn_sequence859437
--Ref: gnutls_certificate_server_set_request860144
--Ref: gnutls_certificate_set_dh_params860934
--Ref: gnutls_certificate_set_flags861753
--Ref: gnutls_certificate_set_known_dh_params862278
--Ref: gnutls_certificate_set_ocsp_status_request_file863206
--Ref: gnutls_certificate_set_ocsp_status_request_file2865112
--Ref: gnutls_certificate_set_ocsp_status_request_function866630
--Ref: gnutls_certificate_set_ocsp_status_request_function2868118
--Ref: gnutls_certificate_set_ocsp_status_request_mem870084
--Ref: gnutls_certificate_set_params_function871859
--Ref: gnutls_certificate_set_pin_function872556
--Ref: gnutls_certificate_set_rawpk_key_file873209
--Ref: gnutls_certificate_set_rawpk_key_mem876513
--Ref: gnutls_certificate_set_retrieve_function879660
--Ref: gnutls_certificate_set_verify_flags881790
--Ref: gnutls_certificate_set_verify_function882283
--Ref: gnutls_certificate_set_verify_limits883347
--Ref: gnutls_certificate_set_x509_crl884028
--Ref: gnutls_certificate_set_x509_crl_file884856
--Ref: gnutls_certificate_set_x509_crl_mem885637
--Ref: gnutls_certificate_set_x509_key886414
--Ref: gnutls_certificate_set_x509_key_file888082
--Ref: gnutls_certificate_set_x509_key_file2890318
--Ref: gnutls_certificate_set_x509_key_mem892852
--Ref: gnutls_certificate_set_x509_key_mem2894500
--Ref: gnutls_certificate_set_x509_simple_pkcs12_file896313
--Ref: gnutls_certificate_set_x509_simple_pkcs12_mem898443
--Ref: gnutls_certificate_set_x509_system_trust900543
--Ref: gnutls_certificate_set_x509_trust901113
--Ref: gnutls_certificate_set_x509_trust_dir902093
--Ref: gnutls_certificate_set_x509_trust_file902831
--Ref: gnutls_certificate_set_x509_trust_mem904007
--Ref: gnutls_certificate_type_get904950
--Ref: gnutls_certificate_type_get2905797
--Ref: gnutls_certificate_type_get_id907182
--Ref: gnutls_certificate_type_get_name907579
--Ref: gnutls_certificate_type_list907962
--Ref: gnutls_certificate_verification_status_print908316
--Ref: gnutls_certificate_verify_peers909074
--Ref: gnutls_certificate_verify_peers2911870
--Ref: gnutls_certificate_verify_peers3913785
--Ref: gnutls_check_version916095
--Ref: gnutls_cipher_get916837
--Ref: gnutls_cipher_get_id917142
--Ref: gnutls_cipher_get_key_size917524
--Ref: gnutls_cipher_get_name917888
--Ref: gnutls_cipher_list918235
--Ref: gnutls_cipher_suite_get_name918795
--Ref: gnutls_cipher_suite_info919663
--Ref: gnutls_credentials_clear920846
--Ref: gnutls_credentials_get921074
--Ref: gnutls_credentials_set922029
--Ref: gnutls_db_check_entry923393
--Ref: gnutls_db_check_entry_expire_time923850
--Ref: gnutls_db_check_entry_time924256
--Ref: gnutls_db_get_default_cache_expiration924647
--Ref: gnutls_db_get_ptr924842
--Ref: gnutls_db_remove_session925154
--Ref: gnutls_db_set_cache_expiration925691
--Ref: gnutls_db_set_ptr926112
--Ref: gnutls_db_set_remove_function926447
--Ref: gnutls_db_set_retrieve_function926950
--Ref: gnutls_db_set_store_function927636
--Ref: gnutls_deinit928103
--Ref: gnutls_dh_get_group928442
--Ref: gnutls_dh_get_peers_public_bits929294
--Ref: gnutls_dh_get_prime_bits929738
--Ref: gnutls_dh_get_pubkey930378
--Ref: gnutls_dh_get_secret_bits931076
--Ref: gnutls_dh_params_cpy931508
--Ref: gnutls_dh_params_deinit932016
--Ref: gnutls_dh_params_export2_pkcs3932257
--Ref: gnutls_dh_params_export_pkcs3933078
--Ref: gnutls_dh_params_export_raw934097
--Ref: gnutls_dh_params_generate2934850
--Ref: gnutls_dh_params_import_dsa936104
--Ref: gnutls_dh_params_import_pkcs3936581
--Ref: gnutls_dh_params_import_raw937320
--Ref: gnutls_dh_params_import_raw2937950
--Ref: gnutls_dh_params_import_raw3938664
--Ref: gnutls_dh_params_init939364
--Ref: gnutls_dh_set_prime_bits939695
--Ref: gnutls_digest_get_id940798
--Ref: gnutls_digest_get_name941224
--Ref: gnutls_digest_get_oid941570
--Ref: gnutls_digest_list941961
--Ref: gnutls_early_cipher_get942332
--Ref: gnutls_early_prf_hash_get942705
--Ref: gnutls_ecc_curve_get943123
--Ref: gnutls_ecc_curve_get_id943524
--Ref: gnutls_ecc_curve_get_name943905
--Ref: gnutls_ecc_curve_get_oid944239
--Ref: gnutls_ecc_curve_get_pk944584
--Ref: gnutls_ecc_curve_get_size944888
--Ref: gnutls_ecc_curve_list945117
--Ref: gnutls_error_is_fatal945440
--Ref: gnutls_error_to_alert946242
--Ref: gnutls_est_record_overhead_size946974
--Ref: gnutls_ext_get_current_msg947882
--Ref: gnutls_ext_get_data948573
--Ref: gnutls_ext_get_name949088
--Ref: gnutls_ext_get_name2949406
--Ref: gnutls_ext_raw_parse949916
--Ref: gnutls_ext_register951066
--Ref: gnutls_ext_set_data952701
--Ref: gnutls_fingerprint953212
--Ref: gnutls_fips140_mode_enabled954218
--Ref: gnutls_fips140_set_mode954772
--Ref: gnutls_get_system_config_file955825
--Ref: gnutls_global_deinit956201
--Ref: gnutls_global_init956651
--Ref: gnutls_global_set_audit_log_function957926
--Ref: gnutls_global_set_log_function958633
--Ref: gnutls_global_set_log_level959141
--Ref: gnutls_global_set_mutex959629
--Ref: gnutls_global_set_time_function960731
--Ref: gnutls_gost_paramset_get_name961168
--Ref: gnutls_gost_paramset_get_oid961544
--Ref: gnutls_group_get961921
--Ref: gnutls_group_get_id962291
--Ref: gnutls_group_get_name962638
--Ref: gnutls_group_list962958
--Ref: gnutls_handshake963280
--Ref: gnutls_handshake_description_get_name965385
--Ref: gnutls_handshake_get_last_in965773
--Ref: gnutls_handshake_get_last_out966398
--Ref: gnutls_handshake_set_hook_function967030
--Ref: gnutls_handshake_set_max_packet_length968422
--Ref: gnutls_handshake_set_post_client_hello_function969207
--Ref: gnutls_handshake_set_private_extensions970533
--Ref: gnutls_handshake_set_random971212
--Ref: gnutls_handshake_set_read_function971932
--Ref: gnutls_handshake_set_secret_function972333
--Ref: gnutls_handshake_set_timeout972712
--Ref: gnutls_handshake_write973402
--Ref: gnutls_heartbeat_allowed974103
--Ref: gnutls_heartbeat_enable974577
--Ref: gnutls_heartbeat_get_timeout975415
--Ref: gnutls_heartbeat_ping975954
--Ref: gnutls_heartbeat_pong977086
--Ref: gnutls_heartbeat_set_timeouts977493
--Ref: gnutls_hex2bin978264
--Ref: gnutls_hex_decode978983
--Ref: gnutls_hex_decode2979709
--Ref: gnutls_hex_encode980138
--Ref: gnutls_hex_encode2980735
--Ref: gnutls_idna_map981250
--Ref: gnutls_idna_reverse_map982380
--Ref: gnutls_init983145
--Ref: gnutls_key_generate983973
--Ref: gnutls_kx_get984390
--Ref: gnutls_kx_get_id984976
--Ref: gnutls_kx_get_name985320
--Ref: gnutls_kx_list985665
--Ref: gnutls_load_file985993
--Ref: gnutls_mac_get986765
--Ref: gnutls_mac_get_id987070
--Ref: gnutls_mac_get_key_size987483
--Ref: gnutls_mac_get_name987820
--Ref: gnutls_mac_list988139
--Ref: gnutls_memcmp988527
--Ref: gnutls_memset989087
--Ref: gnutls_ocsp_status_request_enable_client989481
--Ref: gnutls_ocsp_status_request_get990492
--Ref: gnutls_ocsp_status_request_get2991154
--Ref: gnutls_ocsp_status_request_is_checked992149
--Ref: gnutls_oid_to_digest993537
--Ref: gnutls_oid_to_ecc_curve993946
--Ref: gnutls_oid_to_gost_paramset994272
--Ref: gnutls_oid_to_mac994683
--Ref: gnutls_oid_to_pk995096
--Ref: gnutls_oid_to_sign995468
--Ref: gnutls_openpgp_send_cert995872
--Ref: gnutls_packet_deinit996174
--Ref: gnutls_packet_get996448
--Ref: gnutls_pem_base64_decode996953
--Ref: gnutls_pem_base64_decode2997808
--Ref: gnutls_pem_base64_encode998803
--Ref: gnutls_pem_base64_encode2999632
--Ref: gnutls_perror1000568
--Ref: gnutls_pk_algorithm_get_name1000864
--Ref: gnutls_pk_bits_to_sec_param1001220
--Ref: gnutls_pk_get_id1001694
--Ref: gnutls_pk_get_name1002212
--Ref: gnutls_pk_get_oid1002580
--Ref: gnutls_pk_list1002979
--Ref: gnutls_pk_to_sign1003312
--Ref: gnutls_prf1003723
--Ref: gnutls_prf_early1005718
--Ref: gnutls_prf_hash_get1007373
--Ref: gnutls_prf_raw1007905
--Ref: gnutls_prf_rfc57051009789
--Ref: gnutls_priority_certificate_type_list1011466
--Ref: gnutls_priority_certificate_type_list21012162
--Ref: gnutls_priority_cipher_list1012778
--Ref: gnutls_priority_deinit1013165
--Ref: gnutls_priority_ecc_curve_list1013408
--Ref: gnutls_priority_get_cipher_suite_index1013940
--Ref: gnutls_priority_group_list1014856
--Ref: gnutls_priority_init1015237
--Ref: gnutls_priority_init21016317
--Ref: gnutls_priority_kx_list1020691
--Ref: gnutls_priority_mac_list1021096
--Ref: gnutls_priority_protocol_list1021501
--Ref: gnutls_priority_set1021903
--Ref: gnutls_priority_set_direct1022558
--Ref: gnutls_priority_sign_list1023491
--Ref: gnutls_priority_string_list1023907
--Ref: gnutls_protocol_get_id1024539
--Ref: gnutls_protocol_get_name1024855
--Ref: gnutls_protocol_get_version1025214
--Ref: gnutls_protocol_list1025512
--Ref: gnutls_psk_allocate_client_credentials1025882
--Ref: gnutls_psk_allocate_server_credentials1026302
--Ref: gnutls_psk_client_get_hint1026698
--Ref: gnutls_psk_free_client_credentials1027325
--Ref: gnutls_psk_free_server_credentials1027608
--Ref: gnutls_psk_server_get_username1027883
--Ref: gnutls_psk_server_get_username21028590
--Ref: gnutls_psk_set_client_credentials1029284
--Ref: gnutls_psk_set_client_credentials21030307
--Ref: gnutls_psk_set_client_credentials_function1031087
--Ref: gnutls_psk_set_client_credentials_function21032090
--Ref: gnutls_psk_set_params_function1033247
--Ref: gnutls_psk_set_server_credentials_file1033927
--Ref: gnutls_psk_set_server_credentials_function1034788
--Ref: gnutls_psk_set_server_credentials_function21035742
--Ref: gnutls_psk_set_server_credentials_hint1036865
--Ref: gnutls_psk_set_server_dh_params1037489
--Ref: gnutls_psk_set_server_known_dh_params1038174
--Ref: gnutls_psk_set_server_params_function1039071
--Ref: gnutls_random_art1039712
--Ref: gnutls_range_split1040574
--Ref: gnutls_reauth1041656
--Ref: gnutls_record_can_use_length_hiding1043758
--Ref: gnutls_record_check_corked1044509
--Ref: gnutls_record_check_pending1044892
--Ref: gnutls_record_cork1045303
--Ref: gnutls_record_disable_padding1045717
--Ref: gnutls_record_discard_queued1046325
--Ref: gnutls_record_get_direction1046942
--Ref: gnutls_record_get_max_early_data_size1047923
--Ref: gnutls_record_get_max_size1048475
--Ref: gnutls_record_get_state1048842
--Ref: gnutls_record_overhead_size1049864
--Ref: gnutls_record_recv1050251
--Ref: gnutls_record_recv_early_data1051701
--Ref: gnutls_record_recv_packet1052763
--Ref: gnutls_record_recv_seq1053642
--Ref: gnutls_record_send1054628
--Ref: gnutls_record_send21056686
--Ref: gnutls_record_send_early_data1057838
--Ref: gnutls_record_send_range1058894
--Ref: gnutls_record_set_max_early_data_size1060073
--Ref: gnutls_record_set_max_recv_size1060719
--Ref: gnutls_record_set_max_size1061423
--Ref: gnutls_record_set_state1062602
--Ref: gnutls_record_set_timeout1063260
--Ref: gnutls_record_uncork1063861
--Ref: gnutls_rehandshake1064801
--Ref: gnutls_safe_renegotiation_status1066583
--Ref: gnutls_sec_param_get_name1066998
--Ref: gnutls_sec_param_to_pk_bits1067372
--Ref: gnutls_sec_param_to_symmetric_bits1068042
--Ref: gnutls_server_name_get1068426
--Ref: gnutls_server_name_set1069898
--Ref: gnutls_session_channel_binding1071056
--Ref: gnutls_session_enable_compatibility_mode1071774
--Ref: gnutls_session_etm_status1072481
--Ref: gnutls_session_ext_master_secret_status1072884
--Ref: gnutls_session_ext_register1073375
--Ref: gnutls_session_force_valid1075637
--Ref: gnutls_session_get_data1076058
--Ref: gnutls_session_get_data21076718
--Ref: gnutls_session_get_desc1078991
--Ref: gnutls_session_get_flags1079513
--Ref: gnutls_session_get_id1080051
--Ref: gnutls_session_get_id21081574
--Ref: gnutls_session_get_keylog_function1083044
--Ref: gnutls_session_get_master_secret1083451
--Ref: gnutls_session_get_ptr1083935
--Ref: gnutls_session_get_random1084330
--Ref: gnutls_session_get_verify_cert_status1084951
--Ref: gnutls_session_is_resumed1085624
--Ref: gnutls_session_key_update1085994
--Ref: gnutls_session_resumption_requested1086942
--Ref: gnutls_session_set_data1087324
--Ref: gnutls_session_set_id1088165
--Ref: gnutls_session_set_keylog_function1088840
--Ref: gnutls_session_set_premaster1089239
--Ref: gnutls_session_set_ptr1090334
--Ref: gnutls_session_set_verify_cert1090734
--Ref: gnutls_session_set_verify_cert21092078
--Ref: gnutls_session_set_verify_function1093262
--Ref: gnutls_session_supplemental_register1094374
--Ref: gnutls_session_ticket_enable_client1095632
--Ref: gnutls_session_ticket_enable_server1096125
--Ref: gnutls_session_ticket_key_generate1096919
--Ref: gnutls_session_ticket_send1097347
--Ref: gnutls_set_default_priority1097931
--Ref: gnutls_set_default_priority_append1099016
--Ref: gnutls_sign_algorithm_get1100358
--Ref: gnutls_sign_algorithm_get_client1100801
--Ref: gnutls_sign_algorithm_get_requested1101268
--Ref: gnutls_sign_get_hash_algorithm1102295
--Ref: gnutls_sign_get_id1102707
--Ref: gnutls_sign_get_name1103070
--Ref: gnutls_sign_get_oid1103402
--Ref: gnutls_sign_get_pk_algorithm1103788
--Ref: gnutls_sign_is_secure1104395
--Ref: gnutls_sign_is_secure21104665
--Ref: gnutls_sign_list1105001
--Ref: gnutls_sign_supports_pk_algorithm1105361
--Ref: gnutls_srp_allocate_client_credentials1105945
--Ref: gnutls_srp_allocate_server_credentials1106346
--Ref: gnutls_srp_base64_decode1106719
--Ref: gnutls_srp_base64_decode21107424
--Ref: gnutls_srp_base64_encode1108092
--Ref: gnutls_srp_base64_encode21108893
--Ref: gnutls_srp_free_client_credentials1109624
--Ref: gnutls_srp_free_server_credentials1109907
--Ref: gnutls_srp_server_get_username1110182
--Ref: gnutls_srp_set_client_credentials1110636
--Ref: gnutls_srp_set_client_credentials_function1111526
--Ref: gnutls_srp_set_prime_bits1112773
--Ref: gnutls_srp_set_server_credentials_file1113458
--Ref: gnutls_srp_set_server_credentials_function1114184
--Ref: gnutls_srp_set_server_fake_salt_seed1115899
--Ref: gnutls_srp_verifier1117402
--Ref: gnutls_srtp_get_keys1118330
--Ref: gnutls_srtp_get_mki1119724
--Ref: gnutls_srtp_get_profile_id1120293
--Ref: gnutls_srtp_get_profile_name1120751
--Ref: gnutls_srtp_get_selected_profile1121172
--Ref: gnutls_srtp_set_mki1121616
--Ref: gnutls_srtp_set_profile1122065
--Ref: gnutls_srtp_set_profile_direct1122597
--Ref: gnutls_store_commitment1123320
--Ref: gnutls_store_pubkey1124619
--Ref: gnutls_strerror1126406
--Ref: gnutls_strerror_name1126891
--Ref: gnutls_supplemental_get_name1127360
--Ref: gnutls_supplemental_recv1127782
--Ref: gnutls_supplemental_register1128252
--Ref: gnutls_supplemental_send1129364
--Ref: gnutls_system_recv_timeout1129809
--Ref: gnutls_tdb_deinit1130551
--Ref: gnutls_tdb_init1130766
--Ref: gnutls_tdb_set_store_commitment_func1131125
--Ref: gnutls_tdb_set_store_func1131806
--Ref: gnutls_tdb_set_verify_func1132395
--Ref: gnutls_transport_get_int1133139
--Ref: gnutls_transport_get_int21133547
--Ref: gnutls_transport_get_ptr1134050
--Ref: gnutls_transport_get_ptr21134466
--Ref: gnutls_transport_set_errno1135000
--Ref: gnutls_transport_set_errno_function1135987
--Ref: gnutls_transport_set_int1136524
--Ref: gnutls_transport_set_int21137078
--Ref: gnutls_transport_set_ptr1137807
--Ref: gnutls_transport_set_ptr21138220
--Ref: gnutls_transport_set_pull_function1138864
--Ref: gnutls_transport_set_pull_timeout_function1139644
--Ref: gnutls_transport_set_push_function1141347
--Ref: gnutls_transport_set_vec_push_function1142192
--Ref: gnutls_url_is_supported1142888
--Ref: gnutls_utf8_password_normalize1143308
--Ref: gnutls_verify_stored_pubkey1144097
--Node: Datagram TLS API1147244
--Ref: gnutls_dtls_cookie_send1147520
--Ref: gnutls_dtls_cookie_verify1148775
--Ref: gnutls_dtls_get_data_mtu1149719
--Ref: gnutls_dtls_get_mtu1150162
--Ref: gnutls_dtls_get_timeout1150605
--Ref: gnutls_dtls_prestate_set1151148
--Ref: gnutls_dtls_set_data_mtu1151732
--Ref: gnutls_dtls_set_mtu1152706
--Ref: gnutls_dtls_set_timeouts1153313
--Ref: gnutls_record_get_discarded1154317
--Node: X509 certificate API1154591
--Ref: gnutls_certificate_get_trust_list1154940
--Ref: gnutls_certificate_set_trust_list1155588
--Ref: gnutls_certificate_verification_profile_get_id1156363
--Ref: gnutls_certificate_verification_profile_get_name1156910
--Ref: gnutls_pkcs8_info1157293
--Ref: gnutls_pkcs_schema_get_name1158811
--Ref: gnutls_pkcs_schema_get_oid1159216
--Ref: gnutls_session_set_verify_output_function1159643
--Ref: gnutls_subject_alt_names_deinit1160800
--Ref: gnutls_subject_alt_names_get1161079
--Ref: gnutls_subject_alt_names_init1162089
--Ref: gnutls_subject_alt_names_set1162469
--Ref: gnutls_x509_aia_deinit1163288
--Ref: gnutls_x509_aia_get1163522
--Ref: gnutls_x509_aia_init1164681
--Ref: gnutls_x509_aia_set1165016
--Ref: gnutls_x509_aki_deinit1165811
--Ref: gnutls_x509_aki_get_cert_issuer1166075
--Ref: gnutls_x509_aki_get_id1167141
--Ref: gnutls_x509_aki_init1167680
--Ref: gnutls_x509_aki_set_cert_issuer1168029
--Ref: gnutls_x509_aki_set_id1169144
--Ref: gnutls_x509_cidr_to_rfc52801169573
--Ref: gnutls_x509_crl_check_issuer1170471
--Ref: gnutls_x509_crl_deinit1170919
--Ref: gnutls_x509_crl_dist_points_deinit1171151
--Ref: gnutls_x509_crl_dist_points_get1171446
--Ref: gnutls_x509_crl_dist_points_init1172420
--Ref: gnutls_x509_crl_dist_points_set1172816
--Ref: gnutls_x509_crl_export1173519
--Ref: gnutls_x509_crl_export21174402
--Ref: gnutls_x509_crl_get_authority_key_gn_serial1175122
--Ref: gnutls_x509_crl_get_authority_key_id1176436
--Ref: gnutls_x509_crl_get_crt_count1177499
--Ref: gnutls_x509_crl_get_crt_serial1177857
--Ref: gnutls_x509_crl_get_dn_oid1178761
--Ref: gnutls_x509_crl_get_extension_data1179567
--Ref: gnutls_x509_crl_get_extension_data21180684
--Ref: gnutls_x509_crl_get_extension_info1181563
--Ref: gnutls_x509_crl_get_extension_oid1182827
--Ref: gnutls_x509_crl_get_issuer_dn1183679
--Ref: gnutls_x509_crl_get_issuer_dn21184680
--Ref: gnutls_x509_crl_get_issuer_dn31185514
--Ref: gnutls_x509_crl_get_issuer_dn_by_oid1186492
--Ref: gnutls_x509_crl_get_next_update1188003
--Ref: gnutls_x509_crl_get_number1188437
--Ref: gnutls_x509_crl_get_raw_issuer_dn1189162
--Ref: gnutls_x509_crl_get_signature1189616
--Ref: gnutls_x509_crl_get_signature_algorithm1190163
--Ref: gnutls_x509_crl_get_signature_oid1190725
--Ref: gnutls_x509_crl_get_this_update1191386
--Ref: gnutls_x509_crl_get_version1191711
--Ref: gnutls_x509_crl_import1192019
--Ref: gnutls_x509_crl_init1192643
--Ref: gnutls_x509_crl_iter_crt_serial1193232
--Ref: gnutls_x509_crl_iter_deinit1194378
--Ref: gnutls_x509_crl_list_import1194623
--Ref: gnutls_x509_crl_list_import21195625
--Ref: gnutls_x509_crl_print1196491
--Ref: gnutls_x509_crl_set_authority_key_id1197140
--Ref: gnutls_x509_crl_set_crt1197793
--Ref: gnutls_x509_crl_set_crt_serial1198366
--Ref: gnutls_x509_crl_set_next_update1198998
--Ref: gnutls_x509_crl_set_number1199615
--Ref: gnutls_x509_crl_set_this_update1200192
--Ref: gnutls_x509_crl_set_version1200596
--Ref: gnutls_x509_crl_sign1201139
--Ref: gnutls_x509_crl_sign21201832
--Ref: gnutls_x509_crl_verify1203068
--Ref: gnutls_x509_crq_deinit1204312
--Ref: gnutls_x509_crq_export1204550
--Ref: gnutls_x509_crq_export21205547
--Ref: gnutls_x509_crq_get_attribute_by_oid1206321
--Ref: gnutls_x509_crq_get_attribute_data1207346
--Ref: gnutls_x509_crq_get_attribute_info1208458
--Ref: gnutls_x509_crq_get_basic_constraints1209655
--Ref: gnutls_x509_crq_get_challenge_password1210908
--Ref: gnutls_x509_crq_get_dn1211520
--Ref: gnutls_x509_crq_get_dn21212469
--Ref: gnutls_x509_crq_get_dn31213326
--Ref: gnutls_x509_crq_get_dn_by_oid1214334
--Ref: gnutls_x509_crq_get_dn_oid1215795
--Ref: gnutls_x509_crq_get_extension_by_oid1216582
--Ref: gnutls_x509_crq_get_extension_by_oid21217739
--Ref: gnutls_x509_crq_get_extension_data1218821
--Ref: gnutls_x509_crq_get_extension_data21219951
--Ref: gnutls_x509_crq_get_extension_info1220830
--Ref: gnutls_x509_crq_get_key_id1222091
--Ref: gnutls_x509_crq_get_key_purpose_oid1223158
--Ref: gnutls_x509_crq_get_key_rsa_raw1224173
--Ref: gnutls_x509_crq_get_key_usage1224797
--Ref: gnutls_x509_crq_get_pk_algorithm1225883
--Ref: gnutls_x509_crq_get_pk_oid1226604
--Ref: gnutls_x509_crq_get_private_key_usage_period1227261
--Ref: gnutls_x509_crq_get_signature_algorithm1227976
--Ref: gnutls_x509_crq_get_signature_oid1228615
--Ref: gnutls_x509_crq_get_spki1229276
--Ref: gnutls_x509_crq_get_subject_alt_name1229836
--Ref: gnutls_x509_crq_get_subject_alt_othername_oid1231394
--Ref: gnutls_x509_crq_get_tlsfeatures1232874
--Ref: gnutls_x509_crq_get_version1234003
--Ref: gnutls_x509_crq_import1234349
--Ref: gnutls_x509_crq_init1235031
--Ref: gnutls_x509_crq_print1235379
--Ref: gnutls_x509_crq_set_attribute_by_oid1236035
--Ref: gnutls_x509_crq_set_basic_constraints1236900
--Ref: gnutls_x509_crq_set_challenge_password1237644
--Ref: gnutls_x509_crq_set_dn1238095
--Ref: gnutls_x509_crq_set_dn_by_oid1238713
--Ref: gnutls_x509_crq_set_extension_by_oid1239843
--Ref: gnutls_x509_crq_set_key1240622
--Ref: gnutls_x509_crq_set_key_purpose_oid1241085
--Ref: gnutls_x509_crq_set_key_rsa_raw1241865
--Ref: gnutls_x509_crq_set_key_usage1242441
--Ref: gnutls_x509_crq_set_private_key_usage_period1242945
--Ref: gnutls_x509_crq_set_spki1243450
--Ref: gnutls_x509_crq_set_subject_alt_name1244321
--Ref: gnutls_x509_crq_set_subject_alt_othername1245147
--Ref: gnutls_x509_crq_set_tlsfeatures1245985
--Ref: gnutls_x509_crq_set_version1246535
--Ref: gnutls_x509_crq_sign1247020
--Ref: gnutls_x509_crq_sign21247791
--Ref: gnutls_x509_crq_verify1249123
--Ref: gnutls_x509_crt_check_email1249716
--Ref: gnutls_x509_crt_check_hostname1250244
--Ref: gnutls_x509_crt_check_hostname21250956
--Ref: gnutls_x509_crt_check_ip1252707
--Ref: gnutls_x509_crt_check_issuer1253321
--Ref: gnutls_x509_crt_check_key_purpose1254059
--Ref: gnutls_x509_crt_check_revocation1254753
--Ref: gnutls_x509_crt_cpy_crl_dist_points1255402
--Ref: gnutls_x509_crt_deinit1255991
--Ref: gnutls_x509_crt_equals1256209
--Ref: gnutls_x509_crt_equals21256591
--Ref: gnutls_x509_crt_export1257015
--Ref: gnutls_x509_crt_export21257926
--Ref: gnutls_x509_crt_get_activation_time1258624
--Ref: gnutls_x509_crt_get_authority_info_access1259002
--Ref: gnutls_x509_crt_get_authority_key_gn_serial1262476
--Ref: gnutls_x509_crt_get_authority_key_id1263917
--Ref: gnutls_x509_crt_get_basic_constraints1265048
--Ref: gnutls_x509_crt_get_ca_status1266262
--Ref: gnutls_x509_crt_get_crl_dist_points1267261
--Ref: gnutls_x509_crt_get_dn1268586
--Ref: gnutls_x509_crt_get_dn21269781
--Ref: gnutls_x509_crt_get_dn31270590
--Ref: gnutls_x509_crt_get_dn_by_oid1271550
--Ref: gnutls_x509_crt_get_dn_oid1273319
--Ref: gnutls_x509_crt_get_expiration_time1274347
--Ref: gnutls_x509_crt_get_extension_by_oid1274713
--Ref: gnutls_x509_crt_get_extension_by_oid21275840
--Ref: gnutls_x509_crt_get_extension_data1276913
--Ref: gnutls_x509_crt_get_extension_data21278002
--Ref: gnutls_x509_crt_get_extension_info1278867
--Ref: gnutls_x509_crt_get_extension_oid1280279
--Ref: gnutls_x509_crt_get_fingerprint1281242
--Ref: gnutls_x509_crt_get_inhibit_anypolicy1282130
--Ref: gnutls_x509_crt_get_issuer1283099
--Ref: gnutls_x509_crt_get_issuer_alt_name1283737
--Ref: gnutls_x509_crt_get_issuer_alt_name21285537
--Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1287119
--Ref: gnutls_x509_crt_get_issuer_dn1288768
--Ref: gnutls_x509_crt_get_issuer_dn21289889
--Ref: gnutls_x509_crt_get_issuer_dn31290736
--Ref: gnutls_x509_crt_get_issuer_dn_by_oid1291727
--Ref: gnutls_x509_crt_get_issuer_dn_oid1293514
--Ref: gnutls_x509_crt_get_issuer_unique_id1294550
--Ref: gnutls_x509_crt_get_key_id1295645
--Ref: gnutls_x509_crt_get_key_purpose_oid1296668
--Ref: gnutls_x509_crt_get_key_usage1297829
--Ref: gnutls_x509_crt_get_name_constraints1298889
--Ref: gnutls_x509_crt_get_pk_algorithm1300297
--Ref: gnutls_x509_crt_get_pk_dsa_raw1301086
--Ref: gnutls_x509_crt_get_pk_ecc_raw1301754
--Ref: gnutls_x509_crt_get_pk_gost_raw1302567
--Ref: gnutls_x509_crt_get_pk_oid1303411
--Ref: gnutls_x509_crt_get_pk_rsa_raw1304037
--Ref: gnutls_x509_crt_get_policy1304615
--Ref: gnutls_x509_crt_get_private_key_usage_period1305561
--Ref: gnutls_x509_crt_get_proxy1306313
--Ref: gnutls_x509_crt_get_raw_dn1307334
--Ref: gnutls_x509_crt_get_raw_issuer_dn1307927
--Ref: gnutls_x509_crt_get_serial1308506
--Ref: gnutls_x509_crt_get_signature1309246
--Ref: gnutls_x509_crt_get_signature_algorithm1309801
--Ref: gnutls_x509_crt_get_signature_oid1310414
--Ref: gnutls_x509_crt_get_spki1311072
--Ref: gnutls_x509_crt_get_subject1311558
--Ref: gnutls_x509_crt_get_subject_alt_name1312201
--Ref: gnutls_x509_crt_get_subject_alt_name21313960
--Ref: gnutls_x509_crt_get_subject_alt_othername_oid1315525
--Ref: gnutls_x509_crt_get_subject_key_id1317165
--Ref: gnutls_x509_crt_get_subject_unique_id1317997
--Ref: gnutls_x509_crt_get_tlsfeatures1319082
--Ref: gnutls_x509_crt_get_version1320194
--Ref: gnutls_x509_crt_import1320521
--Ref: gnutls_x509_crt_import_url1321222
--Ref: gnutls_x509_crt_init1321943
--Ref: gnutls_x509_crt_list_import1322290
--Ref: gnutls_x509_crt_list_import21323657
--Ref: gnutls_x509_crt_list_import_url1324729
--Ref: gnutls_x509_crt_list_verify1325953
--Ref: gnutls_x509_crt_print1327533
--Ref: gnutls_x509_crt_set_activation_time1328425
--Ref: gnutls_x509_crt_set_authority_info_access1328892
--Ref: gnutls_x509_crt_set_authority_key_id1329787
--Ref: gnutls_x509_crt_set_basic_constraints1330369
--Ref: gnutls_x509_crt_set_ca_status1331068
--Ref: gnutls_x509_crt_set_crl_dist_points1331666
--Ref: gnutls_x509_crt_set_crl_dist_points21332318
--Ref: gnutls_x509_crt_set_crq1333017
--Ref: gnutls_x509_crt_set_crq_extension_by_oid1333734
--Ref: gnutls_x509_crt_set_crq_extensions1334370
--Ref: gnutls_x509_crt_set_dn1334836
--Ref: gnutls_x509_crt_set_dn_by_oid1335719
--Ref: gnutls_x509_crt_set_expiration_time1336836
--Ref: gnutls_x509_crt_set_extension_by_oid1337381
--Ref: gnutls_x509_crt_set_flags1338156
--Ref: gnutls_x509_crt_set_inhibit_anypolicy1338664
--Ref: gnutls_x509_crt_set_issuer_alt_name1339174
--Ref: gnutls_x509_crt_set_issuer_alt_othername1340196
--Ref: gnutls_x509_crt_set_issuer_dn1341172
--Ref: gnutls_x509_crt_set_issuer_dn_by_oid1341811
--Ref: gnutls_x509_crt_set_issuer_unique_id1343090
--Ref: gnutls_x509_crt_set_key1343595
--Ref: gnutls_x509_crt_set_key_purpose_oid1344175
--Ref: gnutls_x509_crt_set_key_usage1344943
--Ref: gnutls_x509_crt_set_name_constraints1345402
--Ref: gnutls_x509_crt_set_pin_function1346024
--Ref: gnutls_x509_crt_set_policy1346692
--Ref: gnutls_x509_crt_set_private_key_usage_period1347545
--Ref: gnutls_x509_crt_set_proxy1348052
--Ref: gnutls_x509_crt_set_proxy_dn1348866
--Ref: gnutls_x509_crt_set_serial1349885
--Ref: gnutls_x509_crt_set_spki1350945
--Ref: gnutls_x509_crt_set_subject_alt_name1351800
--Ref: gnutls_x509_crt_set_subject_alt_othername1353040
--Ref: gnutls_x509_crt_set_subject_alternative_name1354048
--Ref: gnutls_x509_crt_set_subject_key_id1354946
--Ref: gnutls_x509_crt_set_subject_unique_id1355466
--Ref: gnutls_x509_crt_set_tlsfeatures1355989
--Ref: gnutls_x509_crt_set_version1356513
--Ref: gnutls_x509_crt_sign1357336
--Ref: gnutls_x509_crt_sign21358031
--Ref: gnutls_x509_crt_verify1359264
--Ref: gnutls_x509_crt_verify_data21360313
--Ref: gnutls_x509_dn_deinit1361317
--Ref: gnutls_x509_dn_export1361579
--Ref: gnutls_x509_dn_export21362473
--Ref: gnutls_x509_dn_get_rdn_ava1363134
--Ref: gnutls_x509_dn_get_str1364166
--Ref: gnutls_x509_dn_get_str21364762
--Ref: gnutls_x509_dn_import1365624
--Ref: gnutls_x509_dn_init1366240
--Ref: gnutls_x509_dn_oid_known1366661
--Ref: gnutls_x509_dn_oid_name1367330
--Ref: gnutls_x509_dn_set_str1367859
--Ref: gnutls_x509_ext_deinit1368458
--Ref: gnutls_x509_ext_export_aia1368702
--Ref: gnutls_x509_ext_export_authority_key_id1369296
--Ref: gnutls_x509_ext_export_basic_constraints1369952
--Ref: gnutls_x509_ext_export_crl_dist_points1370649
--Ref: gnutls_x509_ext_export_inhibit_anypolicy1371317
--Ref: gnutls_x509_ext_export_key_purposes1371985
--Ref: gnutls_x509_ext_export_key_usage1372604
--Ref: gnutls_x509_ext_export_name_constraints1373220
--Ref: gnutls_x509_ext_export_policies1373861
--Ref: gnutls_x509_ext_export_private_key_usage_period1374524
--Ref: gnutls_x509_ext_export_proxy1375189
--Ref: gnutls_x509_ext_export_subject_alt_names1376175
--Ref: gnutls_x509_ext_export_subject_key_id1376824
--Ref: gnutls_x509_ext_export_tlsfeatures1377446
--Ref: gnutls_x509_ext_import_aia1378064
--Ref: gnutls_x509_ext_import_authority_key_id1378769
--Ref: gnutls_x509_ext_import_basic_constraints1379437
--Ref: gnutls_x509_ext_import_crl_dist_points1380063
--Ref: gnutls_x509_ext_import_inhibit_anypolicy1380691
--Ref: gnutls_x509_ext_import_key_purposes1381606
--Ref: gnutls_x509_ext_import_key_usage1382240
--Ref: gnutls_x509_ext_import_name_constraints1383256
--Ref: gnutls_x509_ext_import_policies1384594
--Ref: gnutls_x509_ext_import_private_key_usage_period1385201
--Ref: gnutls_x509_ext_import_proxy1385816
--Ref: gnutls_x509_ext_import_subject_alt_names1386902
--Ref: gnutls_x509_ext_import_subject_key_id1387660
--Ref: gnutls_x509_ext_import_tlsfeatures1388295
--Ref: gnutls_x509_ext_print1389187
--Ref: gnutls_x509_key_purpose_deinit1389898
--Ref: gnutls_x509_key_purpose_get1390152
--Ref: gnutls_x509_key_purpose_init1390880
--Ref: gnutls_x509_key_purpose_set1391241
--Ref: gnutls_x509_name_constraints_add_excluded1391696
--Ref: gnutls_x509_name_constraints_add_permitted1392637
--Ref: gnutls_x509_name_constraints_check1393512
--Ref: gnutls_x509_name_constraints_check_crt1394349
--Ref: gnutls_x509_name_constraints_deinit1395219
--Ref: gnutls_x509_name_constraints_get_excluded1395519
--Ref: gnutls_x509_name_constraints_get_permitted1396590
--Ref: gnutls_x509_name_constraints_init1397644
--Ref: gnutls_x509_othername_to_virtual1398027
--Ref: gnutls_x509_policies_deinit1398646
--Ref: gnutls_x509_policies_get1398926
--Ref: gnutls_x509_policies_init1399712
--Ref: gnutls_x509_policies_set1400077
--Ref: gnutls_x509_policy_release1400544
--Ref: gnutls_x509_privkey_cpy1400908
--Ref: gnutls_x509_privkey_deinit1401378
--Ref: gnutls_x509_privkey_export1401619
--Ref: gnutls_x509_privkey_export21402654
--Ref: gnutls_x509_privkey_export2_pkcs81403532
--Ref: gnutls_x509_privkey_export_dsa_raw1404808
--Ref: gnutls_x509_privkey_export_ecc_raw1405548
--Ref: gnutls_x509_privkey_export_gost_raw1406431
--Ref: gnutls_x509_privkey_export_pkcs81407516
--Ref: gnutls_x509_privkey_export_rsa_raw1409021
--Ref: gnutls_x509_privkey_export_rsa_raw21409882
--Ref: gnutls_x509_privkey_fix1410868
--Ref: gnutls_x509_privkey_generate1411253
--Ref: gnutls_x509_privkey_generate21412778
--Ref: gnutls_x509_privkey_get_key_id1414937
--Ref: gnutls_x509_privkey_get_pk_algorithm1415956
--Ref: gnutls_x509_privkey_get_pk_algorithm21416384
--Ref: gnutls_x509_privkey_get_seed1416875
--Ref: gnutls_x509_privkey_get_spki1417699
--Ref: gnutls_x509_privkey_import1418234
--Ref: gnutls_x509_privkey_import21419029
--Ref: gnutls_x509_privkey_import_dsa_raw1420102
--Ref: gnutls_x509_privkey_import_ecc_raw1420834
--Ref: gnutls_x509_privkey_import_gost_raw1421650
--Ref: gnutls_x509_privkey_import_openssl1422926
--Ref: gnutls_x509_privkey_import_pkcs81423800
--Ref: gnutls_x509_privkey_import_rsa_raw1425247
--Ref: gnutls_x509_privkey_import_rsa_raw21426101
--Ref: gnutls_x509_privkey_init1427097
--Ref: gnutls_x509_privkey_sec_param1427442
--Ref: gnutls_x509_privkey_set_flags1427861
--Ref: gnutls_x509_privkey_set_pin_function1428411
--Ref: gnutls_x509_privkey_set_spki1429029
--Ref: gnutls_x509_privkey_sign_data1429576
--Ref: gnutls_x509_privkey_verify_params1430797
--Ref: gnutls_x509_privkey_verify_seed1431133
--Ref: gnutls_x509_rdn_get1431962
--Ref: gnutls_x509_rdn_get21432780
--Ref: gnutls_x509_rdn_get_by_oid1433688
--Ref: gnutls_x509_rdn_get_oid1434670
--Ref: gnutls_x509_spki_deinit1435415
--Ref: gnutls_x509_spki_get_rsa_pss_params1435697
--Ref: gnutls_x509_spki_init1436258
--Ref: gnutls_x509_spki_set_rsa_pss_params1436774
--Ref: gnutls_x509_tlsfeatures_add1437287
--Ref: gnutls_x509_tlsfeatures_check_crt1437743
--Ref: gnutls_x509_tlsfeatures_deinit1438343
--Ref: gnutls_x509_tlsfeatures_get1438621
--Ref: gnutls_x509_tlsfeatures_init1439181
--Ref: gnutls_x509_trust_list_add_cas1439566
--Ref: gnutls_x509_trust_list_add_crls1440751
--Ref: gnutls_x509_trust_list_add_named_crt1442129
--Ref: gnutls_x509_trust_list_add_system_trust1443344
--Ref: gnutls_x509_trust_list_add_trust_dir1444106
--Ref: gnutls_x509_trust_list_add_trust_file1444969
--Ref: gnutls_x509_trust_list_add_trust_mem1446116
--Ref: gnutls_x509_trust_list_deinit1447035
--Ref: gnutls_x509_trust_list_get_issuer1447661
--Ref: gnutls_x509_trust_list_get_issuer_by_dn1448711
--Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1449440
--Ref: gnutls_x509_trust_list_get_ptr1450248
--Ref: gnutls_x509_trust_list_init1450761
--Ref: gnutls_x509_trust_list_iter_deinit1451266
--Ref: gnutls_x509_trust_list_iter_get_ca1451575
--Ref: gnutls_x509_trust_list_remove_cas1452755
--Ref: gnutls_x509_trust_list_remove_trust_file1453610
--Ref: gnutls_x509_trust_list_remove_trust_mem1454311
--Ref: gnutls_x509_trust_list_set_getissuer_function1454969
--Ref: gnutls_x509_trust_list_set_ptr1456602
--Ref: gnutls_x509_trust_list_verify_crt1457140
--Ref: gnutls_x509_trust_list_verify_crt21458303
--Ref: gnutls_x509_trust_list_verify_named_crt1461237
--Node: PKCS 7 API1463965
--Ref: gnutls_pkcs7_add_attr1464261
--Ref: gnutls_pkcs7_attrs_deinit1465067
--Ref: gnutls_pkcs7_deinit1465302
--Ref: gnutls_pkcs7_delete_crl1465507
--Ref: gnutls_pkcs7_delete_crt1465936
--Ref: gnutls_pkcs7_export1466382
--Ref: gnutls_pkcs7_export21467282
--Ref: gnutls_pkcs7_get_attr1467943
--Ref: gnutls_pkcs7_get_crl_count1468830
--Ref: gnutls_pkcs7_get_crl_raw1469178
--Ref: gnutls_pkcs7_get_crl_raw21469953
--Ref: gnutls_pkcs7_get_crt_count1470584
--Ref: gnutls_pkcs7_get_crt_raw1470959
--Ref: gnutls_pkcs7_get_crt_raw21471859
--Ref: gnutls_pkcs7_get_embedded_data1472713
--Ref: gnutls_pkcs7_get_embedded_data_oid1473713
--Ref: gnutls_pkcs7_get_signature_count1474273
--Ref: gnutls_pkcs7_get_signature_info1474680
--Ref: gnutls_pkcs7_import1475353
--Ref: gnutls_pkcs7_init1475974
--Ref: gnutls_pkcs7_print1476398
--Ref: gnutls_pkcs7_print_signature_info1477143
--Ref: gnutls_pkcs7_set_crl1477948
--Ref: gnutls_pkcs7_set_crl_raw1478349
--Ref: gnutls_pkcs7_set_crt1478739
--Ref: gnutls_pkcs7_set_crt_raw1479223
--Ref: gnutls_pkcs7_sign1479636
--Ref: gnutls_pkcs7_signature_info_deinit1481075
--Ref: gnutls_pkcs7_verify1481428
--Ref: gnutls_pkcs7_verify_direct1482593
--Node: OCSP API1484053
--Ref: gnutls_ocsp_req_add_cert1484337
--Ref: gnutls_ocsp_req_add_cert_id1485297
--Ref: gnutls_ocsp_req_deinit1486617
--Ref: gnutls_ocsp_req_export1486834
--Ref: gnutls_ocsp_req_get_cert_id1487259
--Ref: gnutls_ocsp_req_get_extension1488851
--Ref: gnutls_ocsp_req_get_nonce1490267
--Ref: gnutls_ocsp_req_get_version1490921
--Ref: gnutls_ocsp_req_import1491308
--Ref: gnutls_ocsp_req_init1491804
--Ref: gnutls_ocsp_req_print1492132
--Ref: gnutls_ocsp_req_randomize_nonce1492868
--Ref: gnutls_ocsp_req_set_extension1493301
--Ref: gnutls_ocsp_req_set_nonce1493985
--Ref: gnutls_ocsp_resp_check_crt1494572
--Ref: gnutls_ocsp_resp_deinit1495156
--Ref: gnutls_ocsp_resp_export1495380
--Ref: gnutls_ocsp_resp_export21495806
--Ref: gnutls_ocsp_resp_get_certs1496326
--Ref: gnutls_ocsp_resp_get_extension1497451
--Ref: gnutls_ocsp_resp_get_nonce1498875
--Ref: gnutls_ocsp_resp_get_produced1499541
--Ref: gnutls_ocsp_resp_get_responder1499888
--Ref: gnutls_ocsp_resp_get_responder21500993
--Ref: gnutls_ocsp_resp_get_responder_raw_id1502256
--Ref: gnutls_ocsp_resp_get_response1503087
--Ref: gnutls_ocsp_resp_get_signature1504313
--Ref: gnutls_ocsp_resp_get_signature_algorithm1504802
--Ref: gnutls_ocsp_resp_get_single1505280
--Ref: gnutls_ocsp_resp_get_status1507222
--Ref: gnutls_ocsp_resp_get_version1507651
--Ref: gnutls_ocsp_resp_import1508059
--Ref: gnutls_ocsp_resp_import21508627
--Ref: gnutls_ocsp_resp_init1509255
--Ref: gnutls_ocsp_resp_list_import21509604
--Ref: gnutls_ocsp_resp_print1510795
--Ref: gnutls_ocsp_resp_verify1511521
--Ref: gnutls_ocsp_resp_verify_direct1513138
--Node: PKCS 12 API1515571
--Ref: gnutls_pkcs12_bag_decrypt1515861
--Ref: gnutls_pkcs12_bag_deinit1516293
--Ref: gnutls_pkcs12_bag_enc_info1516531
--Ref: gnutls_pkcs12_bag_encrypt1517904
--Ref: gnutls_pkcs12_bag_get_count1518409
--Ref: gnutls_pkcs12_bag_get_data1518720
--Ref: gnutls_pkcs12_bag_get_friendly_name1519326
--Ref: gnutls_pkcs12_bag_get_key_id1519963
--Ref: gnutls_pkcs12_bag_get_type1520582
--Ref: gnutls_pkcs12_bag_init1520952
--Ref: gnutls_pkcs12_bag_set_crl1521410
--Ref: gnutls_pkcs12_bag_set_crt1521843
--Ref: gnutls_pkcs12_bag_set_data1522289
--Ref: gnutls_pkcs12_bag_set_friendly_name1522760
--Ref: gnutls_pkcs12_bag_set_key_id1523444
--Ref: gnutls_pkcs12_bag_set_privkey1524118
--Ref: gnutls_pkcs12_deinit1524774
--Ref: gnutls_pkcs12_export1524976
--Ref: gnutls_pkcs12_export21525883
--Ref: gnutls_pkcs12_generate_mac1526559
--Ref: gnutls_pkcs12_generate_mac21526950
--Ref: gnutls_pkcs12_get_bag1527394
--Ref: gnutls_pkcs12_import1527980
--Ref: gnutls_pkcs12_init1528701
--Ref: gnutls_pkcs12_mac_info1529134
--Ref: gnutls_pkcs12_set_bag1530443
--Ref: gnutls_pkcs12_simple_parse1530849
--Ref: gnutls_pkcs12_verify_mac1533530
--Node: PKCS 11 API1533886
--Ref: gnutls_pkcs11_add_provider1534215
--Ref: gnutls_pkcs11_copy_attached_extension1534960
--Ref: gnutls_pkcs11_copy_pubkey1535819
--Ref: gnutls_pkcs11_copy_secret_key1536852
--Ref: gnutls_pkcs11_copy_x509_crt1537577
--Ref: gnutls_pkcs11_copy_x509_crt21538225
--Ref: gnutls_pkcs11_copy_x509_privkey1539193
--Ref: gnutls_pkcs11_copy_x509_privkey21540010
--Ref: gnutls_pkcs11_crt_is_known1540955
--Ref: gnutls_pkcs11_deinit1542091
--Ref: gnutls_pkcs11_delete_url1542408
--Ref: gnutls_pkcs11_get_pin_function1542924
--Ref: gnutls_pkcs11_get_raw_issuer1543307
--Ref: gnutls_pkcs11_get_raw_issuer_by_dn1544217
--Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1545256
--Ref: gnutls_pkcs11_init1546367
--Ref: gnutls_pkcs11_obj_deinit1547409
--Ref: gnutls_pkcs11_obj_export1547655
--Ref: gnutls_pkcs11_obj_export21548500
--Ref: gnutls_pkcs11_obj_export31549097
--Ref: gnutls_pkcs11_obj_export_url1549770
--Ref: gnutls_pkcs11_obj_flags_get_str1550297
--Ref: gnutls_pkcs11_obj_get_exts1550776
--Ref: gnutls_pkcs11_obj_get_flags1551712
--Ref: gnutls_pkcs11_obj_get_info1552249
--Ref: gnutls_pkcs11_obj_get_ptr1553513
--Ref: gnutls_pkcs11_obj_get_type1554422
--Ref: gnutls_pkcs11_obj_import_url1554772
--Ref: gnutls_pkcs11_obj_init1555692
--Ref: gnutls_pkcs11_obj_list_import_url31556077
--Ref: gnutls_pkcs11_obj_list_import_url41558018
--Ref: gnutls_pkcs11_obj_set_info1559694
--Ref: gnutls_pkcs11_obj_set_pin_function1560473
--Ref: gnutls_pkcs11_privkey_cpy1560984
--Ref: gnutls_pkcs11_privkey_deinit1561485
--Ref: gnutls_pkcs11_privkey_export_pubkey1561748
--Ref: gnutls_pkcs11_privkey_export_url1562552
--Ref: gnutls_pkcs11_privkey_generate1563062
--Ref: gnutls_pkcs11_privkey_generate21563734
--Ref: gnutls_pkcs11_privkey_generate31564964
--Ref: gnutls_pkcs11_privkey_get_info1566474
--Ref: gnutls_pkcs11_privkey_get_pk_algorithm1567356
--Ref: gnutls_pkcs11_privkey_import_url1567887
--Ref: gnutls_pkcs11_privkey_init1568588
--Ref: gnutls_pkcs11_privkey_set_pin_function1569303
--Ref: gnutls_pkcs11_privkey_status1569823
--Ref: gnutls_pkcs11_reinit1570199
--Ref: gnutls_pkcs11_set_pin_function1570759
--Ref: gnutls_pkcs11_set_token_function1571249
--Ref: gnutls_pkcs11_token_check_mechanism1571667
--Ref: gnutls_pkcs11_token_get_flags1572424
--Ref: gnutls_pkcs11_token_get_info1572966
--Ref: gnutls_pkcs11_token_get_mechanism1573989
--Ref: gnutls_pkcs11_token_get_ptr1574602
--Ref: gnutls_pkcs11_token_get_random1575301
--Ref: gnutls_pkcs11_token_get_url1575932
--Ref: gnutls_pkcs11_token_init1576600
--Ref: gnutls_pkcs11_token_set_pin1577238
--Ref: gnutls_pkcs11_type_get_name1578078
--Ref: gnutls_x509_crt_import_pkcs111578567
--Ref: gnutls_x509_crt_list_import_pkcs111579089
--Node: TPM API1579698
--Ref: gnutls_tpm_get_registered1579977
--Ref: gnutls_tpm_key_list_deinit1580370
--Ref: gnutls_tpm_key_list_get_url1580638
--Ref: gnutls_tpm_privkey_delete1581291
--Ref: gnutls_tpm_privkey_generate1581729
--Node: Abstract key API1583079
--Ref: gnutls_certificate_set_key1583400
--Ref: gnutls_certificate_set_retrieve_function21585536
--Ref: gnutls_certificate_set_retrieve_function31587786
--Ref: gnutls_pcert_deinit1590646
--Ref: gnutls_pcert_export_openpgp1590891
--Ref: gnutls_pcert_export_x5091591240
--Ref: gnutls_pcert_import_openpgp1591890
--Ref: gnutls_pcert_import_openpgp_raw1592289
--Ref: gnutls_pcert_import_rawpk1592858
--Ref: gnutls_pcert_import_rawpk_raw1593711
--Ref: gnutls_pcert_import_x5091594960
--Ref: gnutls_pcert_import_x509_list1595557
--Ref: gnutls_pcert_import_x509_raw1596747
--Ref: gnutls_pcert_list_import_x509_file1597453
--Ref: gnutls_pcert_list_import_x509_raw1598885
--Ref: gnutls_privkey_decrypt_data1600219
--Ref: gnutls_privkey_decrypt_data21600867
--Ref: gnutls_privkey_deinit1601692
--Ref: gnutls_privkey_export_dsa_raw1601941
--Ref: gnutls_privkey_export_dsa_raw21602671
--Ref: gnutls_privkey_export_ecc_raw1603477
--Ref: gnutls_privkey_export_ecc_raw21604339
--Ref: gnutls_privkey_export_gost_raw21605281
--Ref: gnutls_privkey_export_openpgp1606415
--Ref: gnutls_privkey_export_pkcs111606767
--Ref: gnutls_privkey_export_rsa_raw1607379
--Ref: gnutls_privkey_export_rsa_raw21608410
--Ref: gnutls_privkey_export_x5091609456
--Ref: gnutls_privkey_generate1610104
--Ref: gnutls_privkey_generate21611595
--Ref: gnutls_privkey_get_pk_algorithm1613723
--Ref: gnutls_privkey_get_seed1614337
--Ref: gnutls_privkey_get_spki1615136
--Ref: gnutls_privkey_get_type1615716
--Ref: gnutls_privkey_import_dsa_raw1616205
--Ref: gnutls_privkey_import_ecc_raw1616917
--Ref: gnutls_privkey_import_ext1617730
--Ref: gnutls_privkey_import_ext21618880
--Ref: gnutls_privkey_import_ext31620237
--Ref: gnutls_privkey_import_ext41621851
--Ref: gnutls_privkey_import_gost_raw1624611
--Ref: gnutls_privkey_import_openpgp1625819
--Ref: gnutls_privkey_import_openpgp_raw1626228
--Ref: gnutls_privkey_import_pkcs111626817
--Ref: gnutls_privkey_import_pkcs11_url1627575
--Ref: gnutls_privkey_import_rsa_raw1628024
--Ref: gnutls_privkey_import_tpm_raw1629020
--Ref: gnutls_privkey_import_tpm_url1629887
--Ref: gnutls_privkey_import_url1630990
--Ref: gnutls_privkey_import_x5091631537
--Ref: gnutls_privkey_import_x509_raw1632285
--Ref: gnutls_privkey_init1633064
--Ref: gnutls_privkey_set_flags1633982
--Ref: gnutls_privkey_set_pin_function1634507
--Ref: gnutls_privkey_set_spki1635077
--Ref: gnutls_privkey_sign_data1635650
--Ref: gnutls_privkey_sign_data21636670
--Ref: gnutls_privkey_sign_hash1637568
--Ref: gnutls_privkey_sign_hash21639005
--Ref: gnutls_privkey_status1640271
--Ref: gnutls_privkey_verify_params1640815
--Ref: gnutls_privkey_verify_seed1641177
--Ref: gnutls_pubkey_deinit1641889
--Ref: gnutls_pubkey_encrypt_data1642129
--Ref: gnutls_pubkey_export1642771
--Ref: gnutls_pubkey_export21643785
--Ref: gnutls_pubkey_export_dsa_raw1644558
--Ref: gnutls_pubkey_export_dsa_raw21645370
--Ref: gnutls_pubkey_export_ecc_raw1646254
--Ref: gnutls_pubkey_export_ecc_raw21647153
--Ref: gnutls_pubkey_export_ecc_x9621648132
--Ref: gnutls_pubkey_export_gost_raw21648791
--Ref: gnutls_pubkey_export_rsa_raw1649935
--Ref: gnutls_pubkey_export_rsa_raw21650632
--Ref: gnutls_pubkey_get_key_id1651393
--Ref: gnutls_pubkey_get_key_usage1652418
--Ref: gnutls_pubkey_get_openpgp_key_id1652915
--Ref: gnutls_pubkey_get_pk_algorithm1653554
--Ref: gnutls_pubkey_get_preferred_hash_algorithm1654202
--Ref: gnutls_pubkey_get_spki1655143
--Ref: gnutls_pubkey_import1655711
--Ref: gnutls_pubkey_import_dsa_raw1656395
--Ref: gnutls_pubkey_import_ecc_raw1657056
--Ref: gnutls_pubkey_import_ecc_x9621657824
--Ref: gnutls_pubkey_import_gost_raw1658460
--Ref: gnutls_pubkey_import_openpgp1659607
--Ref: gnutls_pubkey_import_openpgp_raw1659999
--Ref: gnutls_pubkey_import_pkcs111660568
--Ref: gnutls_pubkey_import_privkey1661110
--Ref: gnutls_pubkey_import_rsa_raw1661812
--Ref: gnutls_pubkey_import_tpm_raw1662336
--Ref: gnutls_pubkey_import_tpm_url1663113
--Ref: gnutls_pubkey_import_url1664005
--Ref: gnutls_pubkey_import_x5091664478
--Ref: gnutls_pubkey_import_x509_crq1664978
--Ref: gnutls_pubkey_import_x509_raw1665481
--Ref: gnutls_pubkey_init1666058
--Ref: gnutls_pubkey_print1666387
--Ref: gnutls_pubkey_set_key_usage1667121
--Ref: gnutls_pubkey_set_pin_function1667690
--Ref: gnutls_pubkey_set_spki1668255
--Ref: gnutls_pubkey_verify_data21668826
--Ref: gnutls_pubkey_verify_hash21669734
--Ref: gnutls_pubkey_verify_params1670858
--Ref: gnutls_register_custom_url1671216
--Ref: gnutls_system_key_add_x5091672154
--Ref: gnutls_system_key_delete1672899
--Ref: gnutls_system_key_iter_deinit1673323
--Ref: gnutls_system_key_iter_get_info1673591
--Ref: gnutls_x509_crl_privkey_sign1674865
--Ref: gnutls_x509_crq_privkey_sign1676134
--Ref: gnutls_x509_crq_set_pubkey1677496
--Ref: gnutls_x509_crt_privkey_sign1678004
--Ref: gnutls_x509_crt_set_pubkey1679247
--Node: Socket specific API1679700
--Ref: gnutls_transport_set_fastopen1679993
--Node: DANE API1681539
--Ref: dane_cert_type_name1681913
--Ref: dane_cert_usage_name1682203
--Ref: dane_match_type_name1682515
--Ref: dane_query_data1682798
--Ref: dane_query_deinit1683477
--Ref: dane_query_entries1683682
--Ref: dane_query_status1683924
--Ref: dane_query_tlsa1684218
--Ref: dane_query_to_raw_tlsa1684809
--Ref: dane_raw_tlsa1686151
--Ref: dane_state_deinit1687228
--Ref: dane_state_init1687420
--Ref: dane_state_set_dlv_file1687934
--Ref: dane_strerror1688235
--Ref: dane_verification_status_print1688734
--Ref: dane_verify_crt1689328
--Ref: dane_verify_crt_raw1691515
--Ref: dane_verify_session_crt1692748
--Node: Cryptographic API1694150
--Ref: gnutls_aead_cipher_decrypt1694651
--Ref: gnutls_aead_cipher_decryptv21696030
--Ref: gnutls_aead_cipher_deinit1696955
--Ref: gnutls_aead_cipher_encrypt1697283
--Ref: gnutls_aead_cipher_encryptv1698392
--Ref: gnutls_aead_cipher_encryptv21699540
--Ref: gnutls_aead_cipher_init1700468
--Ref: gnutls_cipher_add_auth1701134
--Ref: gnutls_cipher_decrypt1701714
--Ref: gnutls_cipher_decrypt21702338
--Ref: gnutls_cipher_deinit1703264
--Ref: gnutls_cipher_encrypt1703543
--Ref: gnutls_cipher_encrypt21704003
--Ref: gnutls_cipher_get_block_size1704780
--Ref: gnutls_cipher_get_iv_size1705060
--Ref: gnutls_cipher_get_tag_size1705542
--Ref: gnutls_cipher_init1705948
--Ref: gnutls_cipher_set_iv1706678
--Ref: gnutls_cipher_tag1707023
--Ref: gnutls_crypto_register_aead_cipher1707525
--Ref: gnutls_crypto_register_cipher1709129
--Ref: gnutls_crypto_register_digest1710910
--Ref: gnutls_crypto_register_mac1712134
--Ref: gnutls_decode_ber_digest_info1713562
--Ref: gnutls_decode_gost_rs_value1714361
--Ref: gnutls_decode_rs_value1715161
--Ref: gnutls_encode_ber_digest_info1715946
--Ref: gnutls_encode_gost_rs_value1716590
--Ref: gnutls_encode_rs_value1717336
--Ref: gnutls_hash1717956
--Ref: gnutls_hash_copy1718387
--Ref: gnutls_hash_deinit1718904
--Ref: gnutls_hash_fast1719232
--Ref: gnutls_hash_get_len1719749
--Ref: gnutls_hash_init1720082
--Ref: gnutls_hash_output1720618
--Ref: gnutls_hkdf_expand1720950
--Ref: gnutls_hkdf_extract1721653
--Ref: gnutls_hmac1722196
--Ref: gnutls_hmac_copy1722627
--Ref: gnutls_hmac_deinit1723108
--Ref: gnutls_hmac_fast1723435
--Ref: gnutls_hmac_get_key_size1724159
--Ref: gnutls_hmac_get_len1724620
--Ref: gnutls_hmac_init1724950
--Ref: gnutls_hmac_output1725733
--Ref: gnutls_hmac_set_nonce1726068
--Ref: gnutls_mac_get_nonce_size1726435
--Ref: gnutls_pbkdf21726751
--Ref: gnutls_rnd1727384
--Ref: gnutls_rnd_refresh1728022
--Node: Compatibility API1728308
--Ref: gnutls_compression_get1728650
--Ref: gnutls_compression_get_id1729002
--Ref: gnutls_compression_get_name1729366
--Ref: gnutls_compression_list1729748
--Ref: gnutls_global_set_mem_functions1730080
--Ref: gnutls_openpgp_privkey_sign_hash1731455
--Ref: gnutls_priority_compression_list1731884
--Ref: gnutls_x509_crt_get_preferred_hash_algorithm1732336
--Ref: gnutls_x509_privkey_sign_hash1733217
--Node: Copying Information1734087
--Node: Bibliography1759264
--Ref: CBCATT1759403
--Ref: GPGH1759581
--Ref: GUTPKI1759704
--Ref: PRNGATTACKS1759879
--Ref: KEYPIN1760079
--Ref: NISTSP800571760254
--Ref: RFC74131760502
--Ref: RFC79181760669
--Ref: RFC61251760846
--Ref: RFC76851761187
--Ref: RFC76131761362
--Ref: RFC22461761610
--Ref: RFC60831761771
--Ref: RFC44181762008
--Ref: RFC46801762175
--Ref: RFC76331762333
--Ref: RFC79191762505
--Ref: RFC45141762709
--Ref: RFC43461762913
--Ref: RFC43471763063
--Ref: RFC52461763230
--Ref: RFC24401763381
--Ref: RFC48801763563
--Ref: RFC42111763757
--Ref: RFC28171763951
--Ref: RFC28181764104
--Ref: RFC29451764218
--Ref: RFC73011764368
--Ref: RFC29861764588
--Ref: PKIX1764777
--Ref: RFC37491765040
--Ref: RFC38201765206
--Ref: RFC65201765449
--Ref: RFC57461765688
--Ref: RFC52801765897
--Ref: TLSTKT1766164
--Ref: PKCS121766396
--Ref: PKCS111766537
--Ref: RESCORLA1766683
--Ref: SELKEY1766779
--Ref: SSL31766938
--Ref: STEVENS1767129
--Ref: TLSEXT1767237
--Ref: TLSPGP1767454
--Ref: TLSSRP1767619
--Ref: TLSPSK1767816
--Ref: TOMSRP1767985
--Ref: WEGER1768098
--Ref: ECRYPT1768290
--Ref: RFC50561768495
--Ref: RFC57641768648
--Ref: RFC59291768936
--Ref: PKCS11URI1769079
--Ref: TPMURI1769215
--Ref: ANDERSON1769409
--Ref: RFC48211769555
--Ref: RFC25601769708
--Ref: RIVESTCRL1769902
--Node: Function and Data Index1770263
--Node: Concept Index1896190
-+Ref: p11tool id313760
-+Ref: p11tool mark-wrap314017
-+Ref: p11tool mark-trusted314264
-+Ref: p11tool mark-distrusted314628
-+Ref: p11tool mark-decrypt315082
-+Ref: p11tool mark-sign315359
-+Ref: p11tool mark-ca315636
-+Ref: p11tool mark-private315909
-+Ref: p11tool ca316207
-+Ref: p11tool private316341
-+Ref: p11tool secret-key316496
-+Ref: p11tool other-options316659
-+Ref: p11tool debug316761
-+Ref: p11tool so-login316902
-+Ref: p11tool admin-login317146
-+Ref: p11tool test-sign317287
-+Ref: p11tool sign-params317581
-+Ref: p11tool hash317921
-+Ref: p11tool generate-random318217
-+Ref: p11tool inder318391
-+Ref: p11tool inraw318616
-+Ref: p11tool outder318742
-+Ref: p11tool outraw318994
-+Ref: p11tool provider319127
-+Ref: p11tool provider-opts319336
-+Ref: p11tool batch319609
-+Ref: p11tool exit status319762
-+Ref: p11tool See Also319992
-+Ref: p11tool Examples320040
-+Node: Trusted Platform Module322461
-+Ref: Trusted Platform Module-Footnote-1324254
-+Ref: Trusted Platform Module-Footnote-2324302
-+Node: Keys in TPM324359
-+Node: Key generation325843
-+Node: Using keys328111
-+Node: tpmtool Invocation331756
-+Ref: tpmtool usage332182
-+Ref: tpmtool debug335494
-+Ref: tpmtool generate-rsa335635
-+Ref: tpmtool user335906
-+Ref: tpmtool system336265
-+Ref: tpmtool test-sign336619
-+Ref: tpmtool sec-param336902
-+Ref: tpmtool inder337228
-+Ref: tpmtool outder337529
-+Ref: tpmtool srk-well-known337748
-+Ref: tpmtool exit status337904
-+Ref: tpmtool See Also338134
-+Ref: tpmtool Examples338195
-+Node: How to use GnuTLS in applications338812
-+Node: Introduction to the library339381
-+Node: General idea339980
-+Ref: fig-gnutls-design340829
-+Ref: General idea-Footnote-1342134
-+Node: Error handling342179
-+Node: Common types344406
-+Node: Debugging and auditing345740
-+Ref: tab:environment346611
-+Node: Thread safety349478
-+Ref: Thread safety-Footnote-1351624
-+Node: Running in a sandbox351836
-+Node: Sessions and fork353230
-+Node: Callback functions353782
-+Node: Preparation354750
-+Node: Headers355169
-+Node: Initialization355458
-+Ref: Initialization-Footnote-1356452
-+Node: Version check356745
-+Node: Building the source357620
-+Node: Session initialization359731
-+Ref: gnutls_init_flags_t361208
-+Node: Associating the credentials368221
-+Ref: tab:key-exchange-cred368997
-+Node: Certificate credentials370128
-+Node: Raw public-key credentials385713
-+Node: SRP credentials387013
-+Node: PSK credentials391911
-+Node: Anonymous credentials395846
-+Node: Setting up the transport layer396692
-+Node: Asynchronous operation406245
-+Node: Reducing round-trips410546
-+Node: Zero-roundtrip mode413986
-+Node: Anti-replay protection416191
-+Node: DTLS sessions419836
-+Ref: DTLS sessions-Footnote-1422140
-+Node: DTLS and SCTP422217
-+Node: TLS handshake423237
-+Node: Data transfer and termination427155
-+Node: Buffered data transfer436297
-+Node: Handling alerts438098
-+Node: Priority Strings441480
-+Ref: tab:prio-keywords444080
-+Ref: tab:prio-algorithms451158
-+Ref: tab:prio-special1456588
-+Ref: tab:prio-special2460435
-+Ref: Priority Strings-Footnote-1467056
-+Node: Selecting cryptographic key sizes467278
-+Ref: tab:key-sizes467927
-+Node: Advanced topics472676
-+Node: Virtual hosts and credentials473174
-+Node: Session resumption476499
-+Node: Certificate verification484406
-+Ref: dane_verify_status_t494127
-+Node: TLS 1.2 re-authentication494532
-+Node: TLS 1.3 re-authentication and re-key499389
-+Node: Parameter generation501048
-+Node: Deriving keys for other applications/protocols503695
-+Node: Channel Bindings506925
-+Node: Interoperability508464
-+Node: Compatibility with the OpenSSL library509782
-+Node: GnuTLS application examples510509
-+Ref: examples510728
-+Node: Client examples511021
-+Node: Client example with X.509 certificate support511548
-+Ref: ex-verify511786
-+Node: Datagram TLS client example516830
-+Node: Client using a smart card with TLS521235
-+Ref: ex-pkcs11-client521472
-+Node: Client with Resume capability example526767
-+Ref: ex-resume-client527051
-+Node: Client example with SSH-style certificate verification532238
-+Node: Server examples536445
-+Node: Echo server with X.509 authentication536799
-+Node: DTLS echo server with X.509 authentication544523
-+Node: More advanced client and servers558934
-+Node: Client example with anonymous authentication559791
-+Node: Using a callback to select the certificate to use563715
-+Node: Obtaining session information570098
-+Node: Advanced certificate verification example574311
-+Ref: ex-verify2574587
-+Node: Client example with PSK authentication580017
-+Node: Client example with SRP authentication584383
-+Node: Legacy client example with X.509 certificate support588667
-+Ref: ex-verify-legacy588984
-+Node: Client example in C++594937
-+Node: Echo server with PSK authentication597509
-+Node: Echo server with SRP authentication606240
-+Node: Echo server with anonymous authentication613158
-+Node: Helper functions for TCP connections618486
-+Node: Helper functions for UDP connections620078
-+Node: OCSP example621983
-+Ref: Generate OCSP request622166
-+Node: Miscellaneous examples631773
-+Node: Checking for an alert632099
-+Node: X.509 certificate parsing example633548
-+Ref: ex-x509-info633805
-+Node: Listing the ciphersuites in a priority string637834
-+Node: PKCS12 structure generation example640151
-+Node: System-wide configuration of the library644356
-+Node: Application-specific priority strings646183
-+Node: Disabling algorithms and protocols647631
-+Node: Querying for disabled algorithms and protocols653128
-+Node: Overriding the parameter verification profile654250
-+Node: Overriding the default priority string655252
-+Node: Using GnuTLS as a cryptographic library655869
-+Ref: Using GnuTLS as a cryptographic library-Footnote-1656725
-+Node: Symmetric algorithms656782
-+Ref: gnutls_cipher_algorithm_t657542
-+Ref: Symmetric algorithms-Footnote-1665972
-+Node: Public key algorithms666057
-+Node: Cryptographic Message Syntax / PKCS7670779
-+Ref: gnutls_pkcs7_sign_flags674218
-+Node: Hash and MAC functions675686
-+Ref: gnutls_mac_algorithm_t676298
-+Ref: gnutls_digest_algorithm_t679670
-+Node: Random number generation680721
-+Ref: gnutls_rnd_level_t681083
-+Node: Overriding algorithms682190
-+Node: Other included programs688508
-+Node: gnutls-cli Invocation689079
-+Ref: gnutls-cli usage689641
-+Ref: gnutls-cli debug697391
-+Ref: gnutls-cli tofu697532
-+Ref: gnutls-cli strict-tofu697995
-+Ref: gnutls-cli dane698397
-+Ref: gnutls-cli local-dns698740
-+Ref: gnutls-cli ca-verification699055
-+Ref: gnutls-cli ocsp699410
-+Ref: gnutls-cli resume699652
-+Ref: gnutls-cli rehandshake699798
-+Ref: gnutls-cli sni-hostname699965
-+Ref: gnutls-cli verify-hostname700491
-+Ref: gnutls-cli starttls700724
-+Ref: gnutls-cli app-proto700908
-+Ref: gnutls-cli starttls-proto701070
-+Ref: gnutls-cli save-ocsp-multi701581
-+Ref: gnutls-cli dh-bits702038
-+Ref: gnutls-cli priority702389
-+Ref: gnutls-cli rawpkkeyfile702767
-+Ref: gnutls-cli rawpkfile703224
-+Ref: gnutls-cli ranges703765
-+Ref: gnutls-cli benchmark-ciphers704015
-+Ref: gnutls-cli benchmark-tls-ciphers704333
-+Ref: gnutls-cli list704652
-+Ref: gnutls-cli priority-list705019
-+Ref: gnutls-cli noticket705265
-+Ref: gnutls-cli alpn705426
-+Ref: gnutls-cli disable-extensions705735
-+Ref: gnutls-cli single-key-share705967
-+Ref: gnutls-cli post-handshake-auth706183
-+Ref: gnutls-cli inline-commands706380
-+Ref: gnutls-cli inline-commands-prefix706700
-+Ref: gnutls-cli provider707103
-+Ref: gnutls-cli logfile707300
-+Ref: gnutls-cli waitresumption707657
-+Ref: gnutls-cli ca-auto-retrieve707914
-+Ref: gnutls-cli exit status708318
-+Ref: gnutls-cli See Also708554
-+Ref: gnutls-cli Examples708631
-+Node: gnutls-serv Invocation712838
-+Ref: gnutls-serv usage713315
-+Ref: gnutls-serv debug718835
-+Ref: gnutls-serv sni-hostname718976
-+Ref: gnutls-serv alpn719308
-+Ref: gnutls-serv require-client-cert719595
-+Ref: gnutls-serv verify-client-cert719839
-+Ref: gnutls-serv heartbeat720068
-+Ref: gnutls-serv priority720219
-+Ref: gnutls-serv x509keyfile720588
-+Ref: gnutls-serv x509certfile721105
-+Ref: gnutls-serv x509dsakeyfile721622
-+Ref: gnutls-serv x509dsacertfile721786
-+Ref: gnutls-serv x509ecckeyfile721953
-+Ref: gnutls-serv x509ecccertfile722115
-+Ref: gnutls-serv rawpkkeyfile722282
-+Ref: gnutls-serv rawpkfile723101
-+Ref: gnutls-serv ocsp-response723956
-+Ref: gnutls-serv ignore-ocsp-response-errors724273
-+Ref: gnutls-serv list724520
-+Ref: gnutls-serv provider724758
-+Ref: gnutls-serv exit status724955
-+Ref: gnutls-serv See Also725193
-+Ref: gnutls-serv Examples725271
-+Node: gnutls-cli-debug Invocation730579
-+Ref: gnutls-cli-debug usage731401
-+Ref: gnutls-cli-debug debug733656
-+Ref: gnutls-cli-debug app-proto733797
-+Ref: gnutls-cli-debug starttls-proto733965
-+Ref: gnutls-cli-debug exit status734344
-+Ref: gnutls-cli-debug See Also734592
-+Ref: gnutls-cli-debug Examples734675
-+Node: Internal architecture of GnuTLS738172
-+Node: The TLS Protocol738778
-+Ref: fig-client-server739254
-+Node: TLS Handshake Protocol739344
-+Ref: fig-gnutls-handshake739786
-+Ref: fig-gnutls-handshake-sequence740295
-+Node: TLS Authentication Methods740393
-+Ref: TLS Authentication Methods-Footnote-1742697
-+Node: TLS Hello Extension Handling742763
-+Node: Cryptographic Backend755865
-+Ref: fig-crypto-layers756548
-+Ref: Cryptographic Backend-Footnote-1759830
-+Ref: Cryptographic Backend-Footnote-2759915
-+Node: Random Number Generators-internals760023
-+Node: FIPS140-2 mode767387
-+Ref: gnutls_fips_mode_t770023
-+Node: Upgrading from previous versions772170
-+Node: Support786164
-+Node: Getting help786412
-+Node: Commercial Support787000
-+Node: Bug Reports787271
-+Node: Contributing788635
-+Node: Certification790661
-+Node: Error codes791125
-+Node: Supported ciphersuites815758
-+Ref: ciphersuites815931
-+Node: API reference830975
-+Node: Core TLS API831385
-+Ref: gnutls_alert_get831612
-+Ref: gnutls_alert_get_name832231
-+Ref: gnutls_alert_get_strname832616
-+Ref: gnutls_alert_send832951
-+Ref: gnutls_alert_send_appropriate833829
-+Ref: gnutls_alert_set_read_function834796
-+Ref: gnutls_alpn_get_selected_protocol835180
-+Ref: gnutls_alpn_set_protocols835844
-+Ref: gnutls_anon_allocate_client_credentials836681
-+Ref: gnutls_anon_allocate_server_credentials837066
-+Ref: gnutls_anon_free_client_credentials837443
-+Ref: gnutls_anon_free_server_credentials837732
-+Ref: gnutls_anon_set_params_function838013
-+Ref: gnutls_anon_set_server_dh_params838689
-+Ref: gnutls_anon_set_server_known_dh_params839349
-+Ref: gnutls_anon_set_server_params_function840258
-+Ref: gnutls_anti_replay_deinit840921
-+Ref: gnutls_anti_replay_enable841235
-+Ref: gnutls_anti_replay_init841583
-+Ref: gnutls_anti_replay_set_add_function842111
-+Ref: gnutls_anti_replay_set_ptr843129
-+Ref: gnutls_anti_replay_set_window843464
-+Ref: gnutls_auth_client_get_type844232
-+Ref: gnutls_auth_get_type844859
-+Ref: gnutls_auth_server_get_type845671
-+Ref: gnutls_base64_decode2846300
-+Ref: gnutls_base64_encode2846856
-+Ref: gnutls_buffer_append_data847476
-+Ref: gnutls_bye847874
-+Ref: gnutls_certificate_activation_time_peers849475
-+Ref: gnutls_certificate_allocate_credentials849893
-+Ref: gnutls_certificate_client_get_request_status850290
-+Ref: gnutls_certificate_expiration_time_peers850698
-+Ref: gnutls_certificate_free_ca_names851102
-+Ref: gnutls_certificate_free_cas851771
-+Ref: gnutls_certificate_free_credentials852174
-+Ref: gnutls_certificate_free_crls852608
-+Ref: gnutls_certificate_free_keys852908
-+Ref: gnutls_certificate_get_crt_raw853342
-+Ref: gnutls_certificate_get_issuer854413
-+Ref: gnutls_certificate_get_ocsp_expiration855496
-+Ref: gnutls_certificate_get_ours856667
-+Ref: gnutls_certificate_get_peers857497
-+Ref: gnutls_certificate_get_peers_subkey_id858620
-+Ref: gnutls_certificate_get_verify_flags858976
-+Ref: gnutls_certificate_get_x509_crt859389
-+Ref: gnutls_certificate_get_x509_key861033
-+Ref: gnutls_certificate_send_x509_rdn_sequence862348
-+Ref: gnutls_certificate_server_set_request863055
-+Ref: gnutls_certificate_set_dh_params863845
-+Ref: gnutls_certificate_set_flags864664
-+Ref: gnutls_certificate_set_known_dh_params865189
-+Ref: gnutls_certificate_set_ocsp_status_request_file866117
-+Ref: gnutls_certificate_set_ocsp_status_request_file2868023
-+Ref: gnutls_certificate_set_ocsp_status_request_function869541
-+Ref: gnutls_certificate_set_ocsp_status_request_function2871029
-+Ref: gnutls_certificate_set_ocsp_status_request_mem872995
-+Ref: gnutls_certificate_set_params_function874770
-+Ref: gnutls_certificate_set_pin_function875467
-+Ref: gnutls_certificate_set_rawpk_key_file876120
-+Ref: gnutls_certificate_set_rawpk_key_mem879424
-+Ref: gnutls_certificate_set_retrieve_function882571
-+Ref: gnutls_certificate_set_verify_flags884701
-+Ref: gnutls_certificate_set_verify_function885194
-+Ref: gnutls_certificate_set_verify_limits886258
-+Ref: gnutls_certificate_set_x509_crl886939
-+Ref: gnutls_certificate_set_x509_crl_file887767
-+Ref: gnutls_certificate_set_x509_crl_mem888548
-+Ref: gnutls_certificate_set_x509_key889325
-+Ref: gnutls_certificate_set_x509_key_file890993
-+Ref: gnutls_certificate_set_x509_key_file2893229
-+Ref: gnutls_certificate_set_x509_key_mem895763
-+Ref: gnutls_certificate_set_x509_key_mem2897411
-+Ref: gnutls_certificate_set_x509_simple_pkcs12_file899224
-+Ref: gnutls_certificate_set_x509_simple_pkcs12_mem901354
-+Ref: gnutls_certificate_set_x509_system_trust903454
-+Ref: gnutls_certificate_set_x509_trust904024
-+Ref: gnutls_certificate_set_x509_trust_dir905004
-+Ref: gnutls_certificate_set_x509_trust_file905742
-+Ref: gnutls_certificate_set_x509_trust_mem906918
-+Ref: gnutls_certificate_type_get907861
-+Ref: gnutls_certificate_type_get2908708
-+Ref: gnutls_certificate_type_get_id910093
-+Ref: gnutls_certificate_type_get_name910490
-+Ref: gnutls_certificate_type_list910873
-+Ref: gnutls_certificate_verification_status_print911227
-+Ref: gnutls_certificate_verify_peers911985
-+Ref: gnutls_certificate_verify_peers2914781
-+Ref: gnutls_certificate_verify_peers3916696
-+Ref: gnutls_check_version919006
-+Ref: gnutls_cipher_get919748
-+Ref: gnutls_cipher_get_id920053
-+Ref: gnutls_cipher_get_key_size920435
-+Ref: gnutls_cipher_get_name920799
-+Ref: gnutls_cipher_list921146
-+Ref: gnutls_cipher_suite_get_name921706
-+Ref: gnutls_cipher_suite_info922574
-+Ref: gnutls_credentials_clear923757
-+Ref: gnutls_credentials_get923985
-+Ref: gnutls_credentials_set924940
-+Ref: gnutls_db_check_entry926304
-+Ref: gnutls_db_check_entry_expire_time926761
-+Ref: gnutls_db_check_entry_time927167
-+Ref: gnutls_db_get_default_cache_expiration927558
-+Ref: gnutls_db_get_ptr927753
-+Ref: gnutls_db_remove_session928065
-+Ref: gnutls_db_set_cache_expiration928602
-+Ref: gnutls_db_set_ptr929023
-+Ref: gnutls_db_set_remove_function929358
-+Ref: gnutls_db_set_retrieve_function929861
-+Ref: gnutls_db_set_store_function930547
-+Ref: gnutls_deinit931014
-+Ref: gnutls_dh_get_group931353
-+Ref: gnutls_dh_get_peers_public_bits932205
-+Ref: gnutls_dh_get_prime_bits932649
-+Ref: gnutls_dh_get_pubkey933289
-+Ref: gnutls_dh_get_secret_bits933987
-+Ref: gnutls_dh_params_cpy934419
-+Ref: gnutls_dh_params_deinit934927
-+Ref: gnutls_dh_params_export2_pkcs3935168
-+Ref: gnutls_dh_params_export_pkcs3935989
-+Ref: gnutls_dh_params_export_raw937008
-+Ref: gnutls_dh_params_generate2937761
-+Ref: gnutls_dh_params_import_dsa939015
-+Ref: gnutls_dh_params_import_pkcs3939492
-+Ref: gnutls_dh_params_import_raw940231
-+Ref: gnutls_dh_params_import_raw2940861
-+Ref: gnutls_dh_params_import_raw3941575
-+Ref: gnutls_dh_params_init942275
-+Ref: gnutls_dh_set_prime_bits942606
-+Ref: gnutls_digest_get_id943709
-+Ref: gnutls_digest_get_name944135
-+Ref: gnutls_digest_get_oid944481
-+Ref: gnutls_digest_list944872
-+Ref: gnutls_digest_mark_insecure945251
-+Ref: gnutls_digest_mark_secure945570
-+Ref: gnutls_early_cipher_get945923
-+Ref: gnutls_early_prf_hash_get946296
-+Ref: gnutls_ecc_curve_get946714
-+Ref: gnutls_ecc_curve_get_id947115
-+Ref: gnutls_ecc_curve_get_name947496
-+Ref: gnutls_ecc_curve_get_oid947830
-+Ref: gnutls_ecc_curve_get_pk948175
-+Ref: gnutls_ecc_curve_get_size948479
-+Ref: gnutls_ecc_curve_list948708
-+Ref: gnutls_ecc_curve_mark_disabled949049
-+Ref: gnutls_ecc_curve_mark_enabled949506
-+Ref: gnutls_error_is_fatal949986
-+Ref: gnutls_error_to_alert950788
-+Ref: gnutls_est_record_overhead_size951520
-+Ref: gnutls_ext_get_current_msg952428
-+Ref: gnutls_ext_get_data953119
-+Ref: gnutls_ext_get_name953634
-+Ref: gnutls_ext_get_name2953952
-+Ref: gnutls_ext_raw_parse954462
-+Ref: gnutls_ext_register955612
-+Ref: gnutls_ext_set_data957247
-+Ref: gnutls_fingerprint957758
-+Ref: gnutls_fips140_mode_enabled958764
-+Ref: gnutls_fips140_set_mode959318
-+Ref: gnutls_get_system_config_file960371
-+Ref: gnutls_global_deinit960747
-+Ref: gnutls_global_init961197
-+Ref: gnutls_global_set_audit_log_function962472
-+Ref: gnutls_global_set_log_function963179
-+Ref: gnutls_global_set_log_level963687
-+Ref: gnutls_global_set_mutex964175
-+Ref: gnutls_global_set_time_function965277
-+Ref: gnutls_gost_paramset_get_name965714
-+Ref: gnutls_gost_paramset_get_oid966090
-+Ref: gnutls_group_get966467
-+Ref: gnutls_group_get_id966837
-+Ref: gnutls_group_get_name967184
-+Ref: gnutls_group_list967504
-+Ref: gnutls_handshake967826
-+Ref: gnutls_handshake_description_get_name969931
-+Ref: gnutls_handshake_get_last_in970319
-+Ref: gnutls_handshake_get_last_out970944
-+Ref: gnutls_handshake_set_hook_function971576
-+Ref: gnutls_handshake_set_max_packet_length972968
-+Ref: gnutls_handshake_set_post_client_hello_function973753
-+Ref: gnutls_handshake_set_private_extensions975079
-+Ref: gnutls_handshake_set_random975758
-+Ref: gnutls_handshake_set_read_function976478
-+Ref: gnutls_handshake_set_secret_function976879
-+Ref: gnutls_handshake_set_timeout977258
-+Ref: gnutls_handshake_write977948
-+Ref: gnutls_heartbeat_allowed978649
-+Ref: gnutls_heartbeat_enable979123
-+Ref: gnutls_heartbeat_get_timeout979961
-+Ref: gnutls_heartbeat_ping980500
-+Ref: gnutls_heartbeat_pong981632
-+Ref: gnutls_heartbeat_set_timeouts982039
-+Ref: gnutls_hex2bin982810
-+Ref: gnutls_hex_decode983529
-+Ref: gnutls_hex_decode2984255
-+Ref: gnutls_hex_encode984684
-+Ref: gnutls_hex_encode2985281
-+Ref: gnutls_idna_map985796
-+Ref: gnutls_idna_reverse_map986926
-+Ref: gnutls_init987691
-+Ref: gnutls_key_generate988519
-+Ref: gnutls_kx_get988936
-+Ref: gnutls_kx_get_id989522
-+Ref: gnutls_kx_get_name989866
-+Ref: gnutls_kx_list990211
-+Ref: gnutls_load_file990539
-+Ref: gnutls_mac_get991311
-+Ref: gnutls_mac_get_id991616
-+Ref: gnutls_mac_get_key_size992029
-+Ref: gnutls_mac_get_name992366
-+Ref: gnutls_mac_list992685
-+Ref: gnutls_memcmp993073
-+Ref: gnutls_memset993633
-+Ref: gnutls_ocsp_status_request_enable_client994027
-+Ref: gnutls_ocsp_status_request_get995038
-+Ref: gnutls_ocsp_status_request_get2995700
-+Ref: gnutls_ocsp_status_request_is_checked996695
-+Ref: gnutls_oid_to_digest998083
-+Ref: gnutls_oid_to_ecc_curve998492
-+Ref: gnutls_oid_to_gost_paramset998818
-+Ref: gnutls_oid_to_mac999229
-+Ref: gnutls_oid_to_pk999642
-+Ref: gnutls_oid_to_sign1000014
-+Ref: gnutls_openpgp_send_cert1000418
-+Ref: gnutls_packet_deinit1000720
-+Ref: gnutls_packet_get1000994
-+Ref: gnutls_pem_base64_decode1001499
-+Ref: gnutls_pem_base64_decode21002354
-+Ref: gnutls_pem_base64_encode1003349
-+Ref: gnutls_pem_base64_encode21004178
-+Ref: gnutls_perror1005114
-+Ref: gnutls_pk_algorithm_get_name1005410
-+Ref: gnutls_pk_bits_to_sec_param1005766
-+Ref: gnutls_pk_get_id1006240
-+Ref: gnutls_pk_get_name1006758
-+Ref: gnutls_pk_get_oid1007126
-+Ref: gnutls_pk_list1007525
-+Ref: gnutls_pk_to_sign1007858
-+Ref: gnutls_prf1008269
-+Ref: gnutls_prf_early1010264
-+Ref: gnutls_prf_hash_get1011919
-+Ref: gnutls_prf_raw1012451
-+Ref: gnutls_prf_rfc57051014335
-+Ref: gnutls_priority_certificate_type_list1016012
-+Ref: gnutls_priority_certificate_type_list21016708
-+Ref: gnutls_priority_cipher_list1017324
-+Ref: gnutls_priority_deinit1017711
-+Ref: gnutls_priority_ecc_curve_list1017954
-+Ref: gnutls_priority_get_cipher_suite_index1018486
-+Ref: gnutls_priority_group_list1019402
-+Ref: gnutls_priority_init1019783
-+Ref: gnutls_priority_init21020863
-+Ref: gnutls_priority_kx_list1025237
-+Ref: gnutls_priority_mac_list1025642
-+Ref: gnutls_priority_protocol_list1026047
-+Ref: gnutls_priority_set1026449
-+Ref: gnutls_priority_set_direct1027104
-+Ref: gnutls_priority_sign_list1028037
-+Ref: gnutls_priority_string_list1028453
-+Ref: gnutls_protocol_get_id1029085
-+Ref: gnutls_protocol_get_name1029401
-+Ref: gnutls_protocol_get_version1029760
-+Ref: gnutls_protocol_list1030058
-+Ref: gnutls_protocol_mark_disabled1030410
-+Ref: gnutls_protocol_mark_enabled1030727
-+Ref: gnutls_psk_allocate_client_credentials1031103
-+Ref: gnutls_psk_allocate_server_credentials1031523
-+Ref: gnutls_psk_client_get_hint1031919
-+Ref: gnutls_psk_free_client_credentials1032546
-+Ref: gnutls_psk_free_server_credentials1032829
-+Ref: gnutls_psk_server_get_username1033104
-+Ref: gnutls_psk_server_get_username21033811
-+Ref: gnutls_psk_set_client_credentials1034505
-+Ref: gnutls_psk_set_client_credentials21035528
-+Ref: gnutls_psk_set_client_credentials_function1036308
-+Ref: gnutls_psk_set_client_credentials_function21037311
-+Ref: gnutls_psk_set_params_function1038468
-+Ref: gnutls_psk_set_server_credentials_file1039148
-+Ref: gnutls_psk_set_server_credentials_function1040009
-+Ref: gnutls_psk_set_server_credentials_function21040963
-+Ref: gnutls_psk_set_server_credentials_hint1042086
-+Ref: gnutls_psk_set_server_dh_params1042710
-+Ref: gnutls_psk_set_server_known_dh_params1043395
-+Ref: gnutls_psk_set_server_params_function1044292
-+Ref: gnutls_random_art1044933
-+Ref: gnutls_range_split1045795
-+Ref: gnutls_reauth1046877
-+Ref: gnutls_record_can_use_length_hiding1048979
-+Ref: gnutls_record_check_corked1049730
-+Ref: gnutls_record_check_pending1050113
-+Ref: gnutls_record_cork1050524
-+Ref: gnutls_record_disable_padding1050938
-+Ref: gnutls_record_discard_queued1051546
-+Ref: gnutls_record_get_direction1052163
-+Ref: gnutls_record_get_max_early_data_size1053144
-+Ref: gnutls_record_get_max_size1053696
-+Ref: gnutls_record_get_state1054063
-+Ref: gnutls_record_overhead_size1055085
-+Ref: gnutls_record_recv1055472
-+Ref: gnutls_record_recv_early_data1056922
-+Ref: gnutls_record_recv_packet1057984
-+Ref: gnutls_record_recv_seq1058863
-+Ref: gnutls_record_send1059849
-+Ref: gnutls_record_send21061907
-+Ref: gnutls_record_send_early_data1063059
-+Ref: gnutls_record_send_range1064115
-+Ref: gnutls_record_set_max_early_data_size1065294
-+Ref: gnutls_record_set_max_recv_size1065940
-+Ref: gnutls_record_set_max_size1066644
-+Ref: gnutls_record_set_state1067823
-+Ref: gnutls_record_set_timeout1068481
-+Ref: gnutls_record_uncork1069082
-+Ref: gnutls_rehandshake1070022
-+Ref: gnutls_safe_renegotiation_status1071804
-+Ref: gnutls_sec_param_get_name1072219
-+Ref: gnutls_sec_param_to_pk_bits1072593
-+Ref: gnutls_sec_param_to_symmetric_bits1073263
-+Ref: gnutls_server_name_get1073647
-+Ref: gnutls_server_name_set1075119
-+Ref: gnutls_session_channel_binding1076277
-+Ref: gnutls_session_enable_compatibility_mode1076995
-+Ref: gnutls_session_etm_status1077702
-+Ref: gnutls_session_ext_master_secret_status1078105
-+Ref: gnutls_session_ext_register1078596
-+Ref: gnutls_session_force_valid1080858
-+Ref: gnutls_session_get_data1081279
-+Ref: gnutls_session_get_data21081939
-+Ref: gnutls_session_get_desc1084212
-+Ref: gnutls_session_get_flags1084734
-+Ref: gnutls_session_get_id1085272
-+Ref: gnutls_session_get_id21086795
-+Ref: gnutls_session_get_keylog_function1088265
-+Ref: gnutls_session_get_master_secret1088672
-+Ref: gnutls_session_get_ptr1089156
-+Ref: gnutls_session_get_random1089551
-+Ref: gnutls_session_get_verify_cert_status1090172
-+Ref: gnutls_session_is_resumed1090845
-+Ref: gnutls_session_key_update1091215
-+Ref: gnutls_session_resumption_requested1092163
-+Ref: gnutls_session_set_data1092545
-+Ref: gnutls_session_set_id1093386
-+Ref: gnutls_session_set_keylog_function1094061
-+Ref: gnutls_session_set_premaster1094460
-+Ref: gnutls_session_set_ptr1095555
-+Ref: gnutls_session_set_verify_cert1095955
-+Ref: gnutls_session_set_verify_cert21097299
-+Ref: gnutls_session_set_verify_function1098483
-+Ref: gnutls_session_supplemental_register1099595
-+Ref: gnutls_session_ticket_enable_client1100853
-+Ref: gnutls_session_ticket_enable_server1101346
-+Ref: gnutls_session_ticket_key_generate1102140
-+Ref: gnutls_session_ticket_send1102568
-+Ref: gnutls_set_default_priority1103152
-+Ref: gnutls_set_default_priority_append1104237
-+Ref: gnutls_sign_algorithm_get1105579
-+Ref: gnutls_sign_algorithm_get_client1106022
-+Ref: gnutls_sign_algorithm_get_requested1106489
-+Ref: gnutls_sign_get_hash_algorithm1107516
-+Ref: gnutls_sign_get_id1107928
-+Ref: gnutls_sign_get_name1108291
-+Ref: gnutls_sign_get_oid1108623
-+Ref: gnutls_sign_get_pk_algorithm1109009
-+Ref: gnutls_sign_is_secure1109616
-+Ref: gnutls_sign_is_secure21109886
-+Ref: gnutls_sign_list1110222
-+Ref: gnutls_sign_mark_insecure1110566
-+Ref: gnutls_sign_mark_secure1111163
-+Ref: gnutls_sign_supports_pk_algorithm1111948
-+Ref: gnutls_srp_allocate_client_credentials1112532
-+Ref: gnutls_srp_allocate_server_credentials1112933
-+Ref: gnutls_srp_base64_decode1113306
-+Ref: gnutls_srp_base64_decode21114011
-+Ref: gnutls_srp_base64_encode1114679
-+Ref: gnutls_srp_base64_encode21115480
-+Ref: gnutls_srp_free_client_credentials1116211
-+Ref: gnutls_srp_free_server_credentials1116494
-+Ref: gnutls_srp_server_get_username1116769
-+Ref: gnutls_srp_set_client_credentials1117223
-+Ref: gnutls_srp_set_client_credentials_function1118113
-+Ref: gnutls_srp_set_prime_bits1119360
-+Ref: gnutls_srp_set_server_credentials_file1120045
-+Ref: gnutls_srp_set_server_credentials_function1120771
-+Ref: gnutls_srp_set_server_fake_salt_seed1122486
-+Ref: gnutls_srp_verifier1123989
-+Ref: gnutls_srtp_get_keys1124917
-+Ref: gnutls_srtp_get_mki1126311
-+Ref: gnutls_srtp_get_profile_id1126880
-+Ref: gnutls_srtp_get_profile_name1127338
-+Ref: gnutls_srtp_get_selected_profile1127759
-+Ref: gnutls_srtp_set_mki1128203
-+Ref: gnutls_srtp_set_profile1128652
-+Ref: gnutls_srtp_set_profile_direct1129184
-+Ref: gnutls_store_commitment1129907
-+Ref: gnutls_store_pubkey1131206
-+Ref: gnutls_strerror1132993
-+Ref: gnutls_strerror_name1133478
-+Ref: gnutls_supplemental_get_name1133947
-+Ref: gnutls_supplemental_recv1134369
-+Ref: gnutls_supplemental_register1134839
-+Ref: gnutls_supplemental_send1135951
-+Ref: gnutls_system_recv_timeout1136396
-+Ref: gnutls_tdb_deinit1137138
-+Ref: gnutls_tdb_init1137353
-+Ref: gnutls_tdb_set_store_commitment_func1137712
-+Ref: gnutls_tdb_set_store_func1138393
-+Ref: gnutls_tdb_set_verify_func1138982
-+Ref: gnutls_transport_get_int1139726
-+Ref: gnutls_transport_get_int21140134
-+Ref: gnutls_transport_get_ptr1140637
-+Ref: gnutls_transport_get_ptr21141053
-+Ref: gnutls_transport_set_errno1141587
-+Ref: gnutls_transport_set_errno_function1142574
-+Ref: gnutls_transport_set_int1143111
-+Ref: gnutls_transport_set_int21143665
-+Ref: gnutls_transport_set_ptr1144394
-+Ref: gnutls_transport_set_ptr21144807
-+Ref: gnutls_transport_set_pull_function1145451
-+Ref: gnutls_transport_set_pull_timeout_function1146231
-+Ref: gnutls_transport_set_push_function1147934
-+Ref: gnutls_transport_set_vec_push_function1148779
-+Ref: gnutls_url_is_supported1149475
-+Ref: gnutls_utf8_password_normalize1149895
-+Ref: gnutls_verify_stored_pubkey1150684
-+Node: Datagram TLS API1153831
-+Ref: gnutls_dtls_cookie_send1154107
-+Ref: gnutls_dtls_cookie_verify1155362
-+Ref: gnutls_dtls_get_data_mtu1156306
-+Ref: gnutls_dtls_get_mtu1156749
-+Ref: gnutls_dtls_get_timeout1157192
-+Ref: gnutls_dtls_prestate_set1157735
-+Ref: gnutls_dtls_set_data_mtu1158319
-+Ref: gnutls_dtls_set_mtu1159293
-+Ref: gnutls_dtls_set_timeouts1159900
-+Ref: gnutls_record_get_discarded1160904
-+Node: X509 certificate API1161178
-+Ref: gnutls_certificate_get_trust_list1161527
-+Ref: gnutls_certificate_set_trust_list1162175
-+Ref: gnutls_certificate_verification_profile_get_id1162950
-+Ref: gnutls_certificate_verification_profile_get_name1163497
-+Ref: gnutls_pkcs8_info1163880
-+Ref: gnutls_pkcs_schema_get_name1165398
-+Ref: gnutls_pkcs_schema_get_oid1165803
-+Ref: gnutls_session_set_verify_output_function1166230
-+Ref: gnutls_subject_alt_names_deinit1167387
-+Ref: gnutls_subject_alt_names_get1167666
-+Ref: gnutls_subject_alt_names_init1168676
-+Ref: gnutls_subject_alt_names_set1169056
-+Ref: gnutls_x509_aia_deinit1169875
-+Ref: gnutls_x509_aia_get1170109
-+Ref: gnutls_x509_aia_init1171268
-+Ref: gnutls_x509_aia_set1171603
-+Ref: gnutls_x509_aki_deinit1172398
-+Ref: gnutls_x509_aki_get_cert_issuer1172662
-+Ref: gnutls_x509_aki_get_id1173728
-+Ref: gnutls_x509_aki_init1174267
-+Ref: gnutls_x509_aki_set_cert_issuer1174616
-+Ref: gnutls_x509_aki_set_id1175731
-+Ref: gnutls_x509_cidr_to_rfc52801176160
-+Ref: gnutls_x509_crl_check_issuer1177058
-+Ref: gnutls_x509_crl_deinit1177506
-+Ref: gnutls_x509_crl_dist_points_deinit1177738
-+Ref: gnutls_x509_crl_dist_points_get1178033
-+Ref: gnutls_x509_crl_dist_points_init1179007
-+Ref: gnutls_x509_crl_dist_points_set1179403
-+Ref: gnutls_x509_crl_export1180106
-+Ref: gnutls_x509_crl_export21180989
-+Ref: gnutls_x509_crl_get_authority_key_gn_serial1181709
-+Ref: gnutls_x509_crl_get_authority_key_id1183023
-+Ref: gnutls_x509_crl_get_crt_count1184086
-+Ref: gnutls_x509_crl_get_crt_serial1184444
-+Ref: gnutls_x509_crl_get_dn_oid1185348
-+Ref: gnutls_x509_crl_get_extension_data1186154
-+Ref: gnutls_x509_crl_get_extension_data21187271
-+Ref: gnutls_x509_crl_get_extension_info1188150
-+Ref: gnutls_x509_crl_get_extension_oid1189414
-+Ref: gnutls_x509_crl_get_issuer_dn1190266
-+Ref: gnutls_x509_crl_get_issuer_dn21191267
-+Ref: gnutls_x509_crl_get_issuer_dn31192101
-+Ref: gnutls_x509_crl_get_issuer_dn_by_oid1193079
-+Ref: gnutls_x509_crl_get_next_update1194590
-+Ref: gnutls_x509_crl_get_number1195024
-+Ref: gnutls_x509_crl_get_raw_issuer_dn1195749
-+Ref: gnutls_x509_crl_get_signature1196203
-+Ref: gnutls_x509_crl_get_signature_algorithm1196750
-+Ref: gnutls_x509_crl_get_signature_oid1197312
-+Ref: gnutls_x509_crl_get_this_update1197973
-+Ref: gnutls_x509_crl_get_version1198298
-+Ref: gnutls_x509_crl_import1198606
-+Ref: gnutls_x509_crl_init1199230
-+Ref: gnutls_x509_crl_iter_crt_serial1199819
-+Ref: gnutls_x509_crl_iter_deinit1200965
-+Ref: gnutls_x509_crl_list_import1201210
-+Ref: gnutls_x509_crl_list_import21202212
-+Ref: gnutls_x509_crl_print1203078
-+Ref: gnutls_x509_crl_set_authority_key_id1203727
-+Ref: gnutls_x509_crl_set_crt1204380
-+Ref: gnutls_x509_crl_set_crt_serial1204953
-+Ref: gnutls_x509_crl_set_next_update1205585
-+Ref: gnutls_x509_crl_set_number1206202
-+Ref: gnutls_x509_crl_set_this_update1206779
-+Ref: gnutls_x509_crl_set_version1207183
-+Ref: gnutls_x509_crl_sign1207726
-+Ref: gnutls_x509_crl_sign21208419
-+Ref: gnutls_x509_crl_verify1209655
-+Ref: gnutls_x509_crq_deinit1210899
-+Ref: gnutls_x509_crq_export1211137
-+Ref: gnutls_x509_crq_export21212134
-+Ref: gnutls_x509_crq_get_attribute_by_oid1212908
-+Ref: gnutls_x509_crq_get_attribute_data1213933
-+Ref: gnutls_x509_crq_get_attribute_info1215045
-+Ref: gnutls_x509_crq_get_basic_constraints1216242
-+Ref: gnutls_x509_crq_get_challenge_password1217495
-+Ref: gnutls_x509_crq_get_dn1218107
-+Ref: gnutls_x509_crq_get_dn21219056
-+Ref: gnutls_x509_crq_get_dn31219913
-+Ref: gnutls_x509_crq_get_dn_by_oid1220921
-+Ref: gnutls_x509_crq_get_dn_oid1222382
-+Ref: gnutls_x509_crq_get_extension_by_oid1223169
-+Ref: gnutls_x509_crq_get_extension_by_oid21224326
-+Ref: gnutls_x509_crq_get_extension_data1225408
-+Ref: gnutls_x509_crq_get_extension_data21226538
-+Ref: gnutls_x509_crq_get_extension_info1227417
-+Ref: gnutls_x509_crq_get_key_id1228678
-+Ref: gnutls_x509_crq_get_key_purpose_oid1229745
-+Ref: gnutls_x509_crq_get_key_rsa_raw1230760
-+Ref: gnutls_x509_crq_get_key_usage1231384
-+Ref: gnutls_x509_crq_get_pk_algorithm1232470
-+Ref: gnutls_x509_crq_get_pk_oid1233191
-+Ref: gnutls_x509_crq_get_private_key_usage_period1233848
-+Ref: gnutls_x509_crq_get_signature_algorithm1234563
-+Ref: gnutls_x509_crq_get_signature_oid1235202
-+Ref: gnutls_x509_crq_get_spki1235863
-+Ref: gnutls_x509_crq_get_subject_alt_name1236423
-+Ref: gnutls_x509_crq_get_subject_alt_othername_oid1237981
-+Ref: gnutls_x509_crq_get_tlsfeatures1239461
-+Ref: gnutls_x509_crq_get_version1240590
-+Ref: gnutls_x509_crq_import1240936
-+Ref: gnutls_x509_crq_init1241618
-+Ref: gnutls_x509_crq_print1241966
-+Ref: gnutls_x509_crq_set_attribute_by_oid1242622
-+Ref: gnutls_x509_crq_set_basic_constraints1243487
-+Ref: gnutls_x509_crq_set_challenge_password1244231
-+Ref: gnutls_x509_crq_set_dn1244682
-+Ref: gnutls_x509_crq_set_dn_by_oid1245300
-+Ref: gnutls_x509_crq_set_extension_by_oid1246430
-+Ref: gnutls_x509_crq_set_key1247209
-+Ref: gnutls_x509_crq_set_key_purpose_oid1247672
-+Ref: gnutls_x509_crq_set_key_rsa_raw1248452
-+Ref: gnutls_x509_crq_set_key_usage1249028
-+Ref: gnutls_x509_crq_set_private_key_usage_period1249532
-+Ref: gnutls_x509_crq_set_spki1250037
-+Ref: gnutls_x509_crq_set_subject_alt_name1250908
-+Ref: gnutls_x509_crq_set_subject_alt_othername1251734
-+Ref: gnutls_x509_crq_set_tlsfeatures1252572
-+Ref: gnutls_x509_crq_set_version1253122
-+Ref: gnutls_x509_crq_sign1253607
-+Ref: gnutls_x509_crq_sign21254378
-+Ref: gnutls_x509_crq_verify1255710
-+Ref: gnutls_x509_crt_check_email1256303
-+Ref: gnutls_x509_crt_check_hostname1256831
-+Ref: gnutls_x509_crt_check_hostname21257543
-+Ref: gnutls_x509_crt_check_ip1259294
-+Ref: gnutls_x509_crt_check_issuer1259908
-+Ref: gnutls_x509_crt_check_key_purpose1260646
-+Ref: gnutls_x509_crt_check_revocation1261340
-+Ref: gnutls_x509_crt_cpy_crl_dist_points1261989
-+Ref: gnutls_x509_crt_deinit1262578
-+Ref: gnutls_x509_crt_equals1262796
-+Ref: gnutls_x509_crt_equals21263178
-+Ref: gnutls_x509_crt_export1263602
-+Ref: gnutls_x509_crt_export21264513
-+Ref: gnutls_x509_crt_get_activation_time1265211
-+Ref: gnutls_x509_crt_get_authority_info_access1265589
-+Ref: gnutls_x509_crt_get_authority_key_gn_serial1269063
-+Ref: gnutls_x509_crt_get_authority_key_id1270504
-+Ref: gnutls_x509_crt_get_basic_constraints1271635
-+Ref: gnutls_x509_crt_get_ca_status1272849
-+Ref: gnutls_x509_crt_get_crl_dist_points1273848
-+Ref: gnutls_x509_crt_get_dn1275173
-+Ref: gnutls_x509_crt_get_dn21276368
-+Ref: gnutls_x509_crt_get_dn31277177
-+Ref: gnutls_x509_crt_get_dn_by_oid1278137
-+Ref: gnutls_x509_crt_get_dn_oid1279906
-+Ref: gnutls_x509_crt_get_expiration_time1280934
-+Ref: gnutls_x509_crt_get_extension_by_oid1281300
-+Ref: gnutls_x509_crt_get_extension_by_oid21282427
-+Ref: gnutls_x509_crt_get_extension_data1283500
-+Ref: gnutls_x509_crt_get_extension_data21284589
-+Ref: gnutls_x509_crt_get_extension_info1285454
-+Ref: gnutls_x509_crt_get_extension_oid1286866
-+Ref: gnutls_x509_crt_get_fingerprint1287829
-+Ref: gnutls_x509_crt_get_inhibit_anypolicy1288717
-+Ref: gnutls_x509_crt_get_issuer1289686
-+Ref: gnutls_x509_crt_get_issuer_alt_name1290324
-+Ref: gnutls_x509_crt_get_issuer_alt_name21292124
-+Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1293706
-+Ref: gnutls_x509_crt_get_issuer_dn1295355
-+Ref: gnutls_x509_crt_get_issuer_dn21296476
-+Ref: gnutls_x509_crt_get_issuer_dn31297323
-+Ref: gnutls_x509_crt_get_issuer_dn_by_oid1298314
-+Ref: gnutls_x509_crt_get_issuer_dn_oid1300101
-+Ref: gnutls_x509_crt_get_issuer_unique_id1301137
-+Ref: gnutls_x509_crt_get_key_id1302232
-+Ref: gnutls_x509_crt_get_key_purpose_oid1303255
-+Ref: gnutls_x509_crt_get_key_usage1304416
-+Ref: gnutls_x509_crt_get_name_constraints1305476
-+Ref: gnutls_x509_crt_get_pk_algorithm1306884
-+Ref: gnutls_x509_crt_get_pk_dsa_raw1307673
-+Ref: gnutls_x509_crt_get_pk_ecc_raw1308341
-+Ref: gnutls_x509_crt_get_pk_gost_raw1309154
-+Ref: gnutls_x509_crt_get_pk_oid1309998
-+Ref: gnutls_x509_crt_get_pk_rsa_raw1310624
-+Ref: gnutls_x509_crt_get_policy1311202
-+Ref: gnutls_x509_crt_get_private_key_usage_period1312148
-+Ref: gnutls_x509_crt_get_proxy1312900
-+Ref: gnutls_x509_crt_get_raw_dn1313921
-+Ref: gnutls_x509_crt_get_raw_issuer_dn1314514
-+Ref: gnutls_x509_crt_get_serial1315093
-+Ref: gnutls_x509_crt_get_signature1315833
-+Ref: gnutls_x509_crt_get_signature_algorithm1316388
-+Ref: gnutls_x509_crt_get_signature_oid1317001
-+Ref: gnutls_x509_crt_get_spki1317659
-+Ref: gnutls_x509_crt_get_subject1318145
-+Ref: gnutls_x509_crt_get_subject_alt_name1318788
-+Ref: gnutls_x509_crt_get_subject_alt_name21320547
-+Ref: gnutls_x509_crt_get_subject_alt_othername_oid1322112
-+Ref: gnutls_x509_crt_get_subject_key_id1323752
-+Ref: gnutls_x509_crt_get_subject_unique_id1324584
-+Ref: gnutls_x509_crt_get_tlsfeatures1325669
-+Ref: gnutls_x509_crt_get_version1326781
-+Ref: gnutls_x509_crt_import1327108
-+Ref: gnutls_x509_crt_import_url1327809
-+Ref: gnutls_x509_crt_init1328530
-+Ref: gnutls_x509_crt_list_import1328877
-+Ref: gnutls_x509_crt_list_import21330244
-+Ref: gnutls_x509_crt_list_import_url1331316
-+Ref: gnutls_x509_crt_list_verify1332540
-+Ref: gnutls_x509_crt_print1334120
-+Ref: gnutls_x509_crt_set_activation_time1335012
-+Ref: gnutls_x509_crt_set_authority_info_access1335479
-+Ref: gnutls_x509_crt_set_authority_key_id1336374
-+Ref: gnutls_x509_crt_set_basic_constraints1336956
-+Ref: gnutls_x509_crt_set_ca_status1337655
-+Ref: gnutls_x509_crt_set_crl_dist_points1338253
-+Ref: gnutls_x509_crt_set_crl_dist_points21338905
-+Ref: gnutls_x509_crt_set_crq1339604
-+Ref: gnutls_x509_crt_set_crq_extension_by_oid1340321
-+Ref: gnutls_x509_crt_set_crq_extensions1340957
-+Ref: gnutls_x509_crt_set_dn1341423
-+Ref: gnutls_x509_crt_set_dn_by_oid1342306
-+Ref: gnutls_x509_crt_set_expiration_time1343423
-+Ref: gnutls_x509_crt_set_extension_by_oid1343968
-+Ref: gnutls_x509_crt_set_flags1344743
-+Ref: gnutls_x509_crt_set_inhibit_anypolicy1345251
-+Ref: gnutls_x509_crt_set_issuer_alt_name1345761
-+Ref: gnutls_x509_crt_set_issuer_alt_othername1346783
-+Ref: gnutls_x509_crt_set_issuer_dn1347759
-+Ref: gnutls_x509_crt_set_issuer_dn_by_oid1348398
-+Ref: gnutls_x509_crt_set_issuer_unique_id1349677
-+Ref: gnutls_x509_crt_set_key1350182
-+Ref: gnutls_x509_crt_set_key_purpose_oid1350762
-+Ref: gnutls_x509_crt_set_key_usage1351530
-+Ref: gnutls_x509_crt_set_name_constraints1351989
-+Ref: gnutls_x509_crt_set_pin_function1352611
-+Ref: gnutls_x509_crt_set_policy1353279
-+Ref: gnutls_x509_crt_set_private_key_usage_period1354132
-+Ref: gnutls_x509_crt_set_proxy1354639
-+Ref: gnutls_x509_crt_set_proxy_dn1355453
-+Ref: gnutls_x509_crt_set_serial1356472
-+Ref: gnutls_x509_crt_set_spki1357532
-+Ref: gnutls_x509_crt_set_subject_alt_name1358387
-+Ref: gnutls_x509_crt_set_subject_alt_othername1359627
-+Ref: gnutls_x509_crt_set_subject_alternative_name1360635
-+Ref: gnutls_x509_crt_set_subject_key_id1361533
-+Ref: gnutls_x509_crt_set_subject_unique_id1362053
-+Ref: gnutls_x509_crt_set_tlsfeatures1362576
-+Ref: gnutls_x509_crt_set_version1363100
-+Ref: gnutls_x509_crt_sign1363923
-+Ref: gnutls_x509_crt_sign21364618
-+Ref: gnutls_x509_crt_verify1365851
-+Ref: gnutls_x509_crt_verify_data21366900
-+Ref: gnutls_x509_dn_deinit1367904
-+Ref: gnutls_x509_dn_export1368166
-+Ref: gnutls_x509_dn_export21369060
-+Ref: gnutls_x509_dn_get_rdn_ava1369721
-+Ref: gnutls_x509_dn_get_str1370753
-+Ref: gnutls_x509_dn_get_str21371349
-+Ref: gnutls_x509_dn_import1372211
-+Ref: gnutls_x509_dn_init1372827
-+Ref: gnutls_x509_dn_oid_known1373248
-+Ref: gnutls_x509_dn_oid_name1373917
-+Ref: gnutls_x509_dn_set_str1374446
-+Ref: gnutls_x509_ext_deinit1375045
-+Ref: gnutls_x509_ext_export_aia1375289
-+Ref: gnutls_x509_ext_export_authority_key_id1375883
-+Ref: gnutls_x509_ext_export_basic_constraints1376539
-+Ref: gnutls_x509_ext_export_crl_dist_points1377236
-+Ref: gnutls_x509_ext_export_inhibit_anypolicy1377904
-+Ref: gnutls_x509_ext_export_key_purposes1378572
-+Ref: gnutls_x509_ext_export_key_usage1379191
-+Ref: gnutls_x509_ext_export_name_constraints1379807
-+Ref: gnutls_x509_ext_export_policies1380448
-+Ref: gnutls_x509_ext_export_private_key_usage_period1381111
-+Ref: gnutls_x509_ext_export_proxy1381776
-+Ref: gnutls_x509_ext_export_subject_alt_names1382762
-+Ref: gnutls_x509_ext_export_subject_key_id1383411
-+Ref: gnutls_x509_ext_export_tlsfeatures1384033
-+Ref: gnutls_x509_ext_import_aia1384651
-+Ref: gnutls_x509_ext_import_authority_key_id1385356
-+Ref: gnutls_x509_ext_import_basic_constraints1386024
-+Ref: gnutls_x509_ext_import_crl_dist_points1386650
-+Ref: gnutls_x509_ext_import_inhibit_anypolicy1387278
-+Ref: gnutls_x509_ext_import_key_purposes1388193
-+Ref: gnutls_x509_ext_import_key_usage1388827
-+Ref: gnutls_x509_ext_import_name_constraints1389843
-+Ref: gnutls_x509_ext_import_policies1391181
-+Ref: gnutls_x509_ext_import_private_key_usage_period1391788
-+Ref: gnutls_x509_ext_import_proxy1392403
-+Ref: gnutls_x509_ext_import_subject_alt_names1393489
-+Ref: gnutls_x509_ext_import_subject_key_id1394247
-+Ref: gnutls_x509_ext_import_tlsfeatures1394882
-+Ref: gnutls_x509_ext_print1395774
-+Ref: gnutls_x509_key_purpose_deinit1396485
-+Ref: gnutls_x509_key_purpose_get1396739
-+Ref: gnutls_x509_key_purpose_init1397467
-+Ref: gnutls_x509_key_purpose_set1397828
-+Ref: gnutls_x509_name_constraints_add_excluded1398283
-+Ref: gnutls_x509_name_constraints_add_permitted1399224
-+Ref: gnutls_x509_name_constraints_check1400099
-+Ref: gnutls_x509_name_constraints_check_crt1400936
-+Ref: gnutls_x509_name_constraints_deinit1401806
-+Ref: gnutls_x509_name_constraints_get_excluded1402106
-+Ref: gnutls_x509_name_constraints_get_permitted1403177
-+Ref: gnutls_x509_name_constraints_init1404231
-+Ref: gnutls_x509_othername_to_virtual1404614
-+Ref: gnutls_x509_policies_deinit1405233
-+Ref: gnutls_x509_policies_get1405513
-+Ref: gnutls_x509_policies_init1406299
-+Ref: gnutls_x509_policies_set1406664
-+Ref: gnutls_x509_policy_release1407131
-+Ref: gnutls_x509_privkey_cpy1407495
-+Ref: gnutls_x509_privkey_deinit1407965
-+Ref: gnutls_x509_privkey_export1408206
-+Ref: gnutls_x509_privkey_export21409241
-+Ref: gnutls_x509_privkey_export2_pkcs81410119
-+Ref: gnutls_x509_privkey_export_dsa_raw1411395
-+Ref: gnutls_x509_privkey_export_ecc_raw1412135
-+Ref: gnutls_x509_privkey_export_gost_raw1413018
-+Ref: gnutls_x509_privkey_export_pkcs81414103
-+Ref: gnutls_x509_privkey_export_rsa_raw1415608
-+Ref: gnutls_x509_privkey_export_rsa_raw21416469
-+Ref: gnutls_x509_privkey_fix1417455
-+Ref: gnutls_x509_privkey_generate1417840
-+Ref: gnutls_x509_privkey_generate21419365
-+Ref: gnutls_x509_privkey_get_key_id1421524
-+Ref: gnutls_x509_privkey_get_pk_algorithm1422543
-+Ref: gnutls_x509_privkey_get_pk_algorithm21422971
-+Ref: gnutls_x509_privkey_get_seed1423462
-+Ref: gnutls_x509_privkey_get_spki1424286
-+Ref: gnutls_x509_privkey_import1424821
-+Ref: gnutls_x509_privkey_import21425616
-+Ref: gnutls_x509_privkey_import_dsa_raw1426689
-+Ref: gnutls_x509_privkey_import_ecc_raw1427421
-+Ref: gnutls_x509_privkey_import_gost_raw1428237
-+Ref: gnutls_x509_privkey_import_openssl1429513
-+Ref: gnutls_x509_privkey_import_pkcs81430387
-+Ref: gnutls_x509_privkey_import_rsa_raw1431834
-+Ref: gnutls_x509_privkey_import_rsa_raw21432688
-+Ref: gnutls_x509_privkey_init1433684
-+Ref: gnutls_x509_privkey_sec_param1434029
-+Ref: gnutls_x509_privkey_set_flags1434448
-+Ref: gnutls_x509_privkey_set_pin_function1434998
-+Ref: gnutls_x509_privkey_set_spki1435616
-+Ref: gnutls_x509_privkey_sign_data1436163
-+Ref: gnutls_x509_privkey_verify_params1437384
-+Ref: gnutls_x509_privkey_verify_seed1437720
-+Ref: gnutls_x509_rdn_get1438549
-+Ref: gnutls_x509_rdn_get21439367
-+Ref: gnutls_x509_rdn_get_by_oid1440275
-+Ref: gnutls_x509_rdn_get_oid1441257
-+Ref: gnutls_x509_spki_deinit1442002
-+Ref: gnutls_x509_spki_get_rsa_pss_params1442284
-+Ref: gnutls_x509_spki_init1442845
-+Ref: gnutls_x509_spki_set_rsa_pss_params1443361
-+Ref: gnutls_x509_tlsfeatures_add1443874
-+Ref: gnutls_x509_tlsfeatures_check_crt1444330
-+Ref: gnutls_x509_tlsfeatures_deinit1444930
-+Ref: gnutls_x509_tlsfeatures_get1445208
-+Ref: gnutls_x509_tlsfeatures_init1445768
-+Ref: gnutls_x509_trust_list_add_cas1446153
-+Ref: gnutls_x509_trust_list_add_crls1447338
-+Ref: gnutls_x509_trust_list_add_named_crt1448716
-+Ref: gnutls_x509_trust_list_add_system_trust1449931
-+Ref: gnutls_x509_trust_list_add_trust_dir1450693
-+Ref: gnutls_x509_trust_list_add_trust_file1451556
-+Ref: gnutls_x509_trust_list_add_trust_mem1452703
-+Ref: gnutls_x509_trust_list_deinit1453622
-+Ref: gnutls_x509_trust_list_get_issuer1454248
-+Ref: gnutls_x509_trust_list_get_issuer_by_dn1455298
-+Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1456027
-+Ref: gnutls_x509_trust_list_get_ptr1456835
-+Ref: gnutls_x509_trust_list_init1457348
-+Ref: gnutls_x509_trust_list_iter_deinit1457853
-+Ref: gnutls_x509_trust_list_iter_get_ca1458162
-+Ref: gnutls_x509_trust_list_remove_cas1459342
-+Ref: gnutls_x509_trust_list_remove_trust_file1460197
-+Ref: gnutls_x509_trust_list_remove_trust_mem1460898
-+Ref: gnutls_x509_trust_list_set_getissuer_function1461556
-+Ref: gnutls_x509_trust_list_set_ptr1463189
-+Ref: gnutls_x509_trust_list_verify_crt1463727
-+Ref: gnutls_x509_trust_list_verify_crt21464890
-+Ref: gnutls_x509_trust_list_verify_named_crt1467824
-+Node: PKCS 7 API1470552
-+Ref: gnutls_pkcs7_add_attr1470848
-+Ref: gnutls_pkcs7_attrs_deinit1471654
-+Ref: gnutls_pkcs7_deinit1471889
-+Ref: gnutls_pkcs7_delete_crl1472094
-+Ref: gnutls_pkcs7_delete_crt1472523
-+Ref: gnutls_pkcs7_export1472969
-+Ref: gnutls_pkcs7_export21473869
-+Ref: gnutls_pkcs7_get_attr1474530
-+Ref: gnutls_pkcs7_get_crl_count1475417
-+Ref: gnutls_pkcs7_get_crl_raw1475765
-+Ref: gnutls_pkcs7_get_crl_raw21476540
-+Ref: gnutls_pkcs7_get_crt_count1477171
-+Ref: gnutls_pkcs7_get_crt_raw1477546
-+Ref: gnutls_pkcs7_get_crt_raw21478446
-+Ref: gnutls_pkcs7_get_embedded_data1479300
-+Ref: gnutls_pkcs7_get_embedded_data_oid1480300
-+Ref: gnutls_pkcs7_get_signature_count1480860
-+Ref: gnutls_pkcs7_get_signature_info1481267
-+Ref: gnutls_pkcs7_import1481940
-+Ref: gnutls_pkcs7_init1482561
-+Ref: gnutls_pkcs7_print1482985
-+Ref: gnutls_pkcs7_print_signature_info1483730
-+Ref: gnutls_pkcs7_set_crl1484535
-+Ref: gnutls_pkcs7_set_crl_raw1484936
-+Ref: gnutls_pkcs7_set_crt1485326
-+Ref: gnutls_pkcs7_set_crt_raw1485810
-+Ref: gnutls_pkcs7_sign1486223
-+Ref: gnutls_pkcs7_signature_info_deinit1487662
-+Ref: gnutls_pkcs7_verify1488015
-+Ref: gnutls_pkcs7_verify_direct1489180
-+Node: OCSP API1490640
-+Ref: gnutls_ocsp_req_add_cert1490924
-+Ref: gnutls_ocsp_req_add_cert_id1491884
-+Ref: gnutls_ocsp_req_deinit1493204
-+Ref: gnutls_ocsp_req_export1493421
-+Ref: gnutls_ocsp_req_get_cert_id1493846
-+Ref: gnutls_ocsp_req_get_extension1495438
-+Ref: gnutls_ocsp_req_get_nonce1496854
-+Ref: gnutls_ocsp_req_get_version1497508
-+Ref: gnutls_ocsp_req_import1497895
-+Ref: gnutls_ocsp_req_init1498391
-+Ref: gnutls_ocsp_req_print1498719
-+Ref: gnutls_ocsp_req_randomize_nonce1499455
-+Ref: gnutls_ocsp_req_set_extension1499888
-+Ref: gnutls_ocsp_req_set_nonce1500572
-+Ref: gnutls_ocsp_resp_check_crt1501159
-+Ref: gnutls_ocsp_resp_deinit1501743
-+Ref: gnutls_ocsp_resp_export1501967
-+Ref: gnutls_ocsp_resp_export21502393
-+Ref: gnutls_ocsp_resp_get_certs1502913
-+Ref: gnutls_ocsp_resp_get_extension1504038
-+Ref: gnutls_ocsp_resp_get_nonce1505462
-+Ref: gnutls_ocsp_resp_get_produced1506128
-+Ref: gnutls_ocsp_resp_get_responder1506475
-+Ref: gnutls_ocsp_resp_get_responder21507580
-+Ref: gnutls_ocsp_resp_get_responder_raw_id1508843
-+Ref: gnutls_ocsp_resp_get_response1509674
-+Ref: gnutls_ocsp_resp_get_signature1510900
-+Ref: gnutls_ocsp_resp_get_signature_algorithm1511389
-+Ref: gnutls_ocsp_resp_get_single1511867
-+Ref: gnutls_ocsp_resp_get_status1513809
-+Ref: gnutls_ocsp_resp_get_version1514238
-+Ref: gnutls_ocsp_resp_import1514646
-+Ref: gnutls_ocsp_resp_import21515214
-+Ref: gnutls_ocsp_resp_init1515842
-+Ref: gnutls_ocsp_resp_list_import21516191
-+Ref: gnutls_ocsp_resp_print1517382
-+Ref: gnutls_ocsp_resp_verify1518108
-+Ref: gnutls_ocsp_resp_verify_direct1519725
-+Node: PKCS 12 API1522158
-+Ref: gnutls_pkcs12_bag_decrypt1522448
-+Ref: gnutls_pkcs12_bag_deinit1522880
-+Ref: gnutls_pkcs12_bag_enc_info1523118
-+Ref: gnutls_pkcs12_bag_encrypt1524491
-+Ref: gnutls_pkcs12_bag_get_count1524996
-+Ref: gnutls_pkcs12_bag_get_data1525307
-+Ref: gnutls_pkcs12_bag_get_friendly_name1525913
-+Ref: gnutls_pkcs12_bag_get_key_id1526550
-+Ref: gnutls_pkcs12_bag_get_type1527169
-+Ref: gnutls_pkcs12_bag_init1527539
-+Ref: gnutls_pkcs12_bag_set_crl1527997
-+Ref: gnutls_pkcs12_bag_set_crt1528430
-+Ref: gnutls_pkcs12_bag_set_data1528876
-+Ref: gnutls_pkcs12_bag_set_friendly_name1529347
-+Ref: gnutls_pkcs12_bag_set_key_id1530031
-+Ref: gnutls_pkcs12_bag_set_privkey1530705
-+Ref: gnutls_pkcs12_deinit1531361
-+Ref: gnutls_pkcs12_export1531563
-+Ref: gnutls_pkcs12_export21532470
-+Ref: gnutls_pkcs12_generate_mac1533146
-+Ref: gnutls_pkcs12_generate_mac21533537
-+Ref: gnutls_pkcs12_get_bag1533981
-+Ref: gnutls_pkcs12_import1534567
-+Ref: gnutls_pkcs12_init1535288
-+Ref: gnutls_pkcs12_mac_info1535721
-+Ref: gnutls_pkcs12_set_bag1537030
-+Ref: gnutls_pkcs12_simple_parse1537436
-+Ref: gnutls_pkcs12_verify_mac1540117
-+Node: PKCS 11 API1540473
-+Ref: gnutls_pkcs11_add_provider1540802
-+Ref: gnutls_pkcs11_copy_attached_extension1541547
-+Ref: gnutls_pkcs11_copy_pubkey1542406
-+Ref: gnutls_pkcs11_copy_secret_key1543439
-+Ref: gnutls_pkcs11_copy_x509_crt1544164
-+Ref: gnutls_pkcs11_copy_x509_crt21544812
-+Ref: gnutls_pkcs11_copy_x509_privkey1545780
-+Ref: gnutls_pkcs11_copy_x509_privkey21546597
-+Ref: gnutls_pkcs11_crt_is_known1547542
-+Ref: gnutls_pkcs11_deinit1548678
-+Ref: gnutls_pkcs11_delete_url1548995
-+Ref: gnutls_pkcs11_get_pin_function1549511
-+Ref: gnutls_pkcs11_get_raw_issuer1549894
-+Ref: gnutls_pkcs11_get_raw_issuer_by_dn1550804
-+Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1551843
-+Ref: gnutls_pkcs11_init1552954
-+Ref: gnutls_pkcs11_obj_deinit1553996
-+Ref: gnutls_pkcs11_obj_export1554242
-+Ref: gnutls_pkcs11_obj_export21555087
-+Ref: gnutls_pkcs11_obj_export31555684
-+Ref: gnutls_pkcs11_obj_export_url1556357
-+Ref: gnutls_pkcs11_obj_flags_get_str1556884
-+Ref: gnutls_pkcs11_obj_get_exts1557363
-+Ref: gnutls_pkcs11_obj_get_flags1558299
-+Ref: gnutls_pkcs11_obj_get_info1558836
-+Ref: gnutls_pkcs11_obj_get_ptr1560100
-+Ref: gnutls_pkcs11_obj_get_type1561009
-+Ref: gnutls_pkcs11_obj_import_url1561359
-+Ref: gnutls_pkcs11_obj_init1562279
-+Ref: gnutls_pkcs11_obj_list_import_url31562664
-+Ref: gnutls_pkcs11_obj_list_import_url41564605
-+Ref: gnutls_pkcs11_obj_set_info1566281
-+Ref: gnutls_pkcs11_obj_set_pin_function1567060
-+Ref: gnutls_pkcs11_privkey_cpy1567571
-+Ref: gnutls_pkcs11_privkey_deinit1568072
-+Ref: gnutls_pkcs11_privkey_export_pubkey1568335
-+Ref: gnutls_pkcs11_privkey_export_url1569139
-+Ref: gnutls_pkcs11_privkey_generate1569649
-+Ref: gnutls_pkcs11_privkey_generate21570321
-+Ref: gnutls_pkcs11_privkey_generate31571551
-+Ref: gnutls_pkcs11_privkey_get_info1573061
-+Ref: gnutls_pkcs11_privkey_get_pk_algorithm1573943
-+Ref: gnutls_pkcs11_privkey_import_url1574474
-+Ref: gnutls_pkcs11_privkey_init1575175
-+Ref: gnutls_pkcs11_privkey_set_pin_function1575890
-+Ref: gnutls_pkcs11_privkey_status1576410
-+Ref: gnutls_pkcs11_reinit1576786
-+Ref: gnutls_pkcs11_set_pin_function1577346
-+Ref: gnutls_pkcs11_set_token_function1577836
-+Ref: gnutls_pkcs11_token_check_mechanism1578254
-+Ref: gnutls_pkcs11_token_get_flags1579011
-+Ref: gnutls_pkcs11_token_get_info1579553
-+Ref: gnutls_pkcs11_token_get_mechanism1580576
-+Ref: gnutls_pkcs11_token_get_ptr1581189
-+Ref: gnutls_pkcs11_token_get_random1581888
-+Ref: gnutls_pkcs11_token_get_url1582519
-+Ref: gnutls_pkcs11_token_init1583187
-+Ref: gnutls_pkcs11_token_set_pin1583825
-+Ref: gnutls_pkcs11_type_get_name1584665
-+Ref: gnutls_x509_crt_import_pkcs111585154
-+Ref: gnutls_x509_crt_list_import_pkcs111585676
-+Node: TPM API1586285
-+Ref: gnutls_tpm_get_registered1586564
-+Ref: gnutls_tpm_key_list_deinit1586957
-+Ref: gnutls_tpm_key_list_get_url1587225
-+Ref: gnutls_tpm_privkey_delete1587878
-+Ref: gnutls_tpm_privkey_generate1588316
-+Node: Abstract key API1589666
-+Ref: gnutls_certificate_set_key1589987
-+Ref: gnutls_certificate_set_retrieve_function21592123
-+Ref: gnutls_certificate_set_retrieve_function31594373
-+Ref: gnutls_pcert_deinit1597233
-+Ref: gnutls_pcert_export_openpgp1597478
-+Ref: gnutls_pcert_export_x5091597827
-+Ref: gnutls_pcert_import_openpgp1598477
-+Ref: gnutls_pcert_import_openpgp_raw1598876
-+Ref: gnutls_pcert_import_rawpk1599445
-+Ref: gnutls_pcert_import_rawpk_raw1600298
-+Ref: gnutls_pcert_import_x5091601547
-+Ref: gnutls_pcert_import_x509_list1602144
-+Ref: gnutls_pcert_import_x509_raw1603334
-+Ref: gnutls_pcert_list_import_x509_file1604040
-+Ref: gnutls_pcert_list_import_x509_raw1605472
-+Ref: gnutls_privkey_decrypt_data1606806
-+Ref: gnutls_privkey_decrypt_data21607454
-+Ref: gnutls_privkey_deinit1608279
-+Ref: gnutls_privkey_export_dsa_raw1608528
-+Ref: gnutls_privkey_export_dsa_raw21609258
-+Ref: gnutls_privkey_export_ecc_raw1610064
-+Ref: gnutls_privkey_export_ecc_raw21610926
-+Ref: gnutls_privkey_export_gost_raw21611868
-+Ref: gnutls_privkey_export_openpgp1613002
-+Ref: gnutls_privkey_export_pkcs111613354
-+Ref: gnutls_privkey_export_rsa_raw1613966
-+Ref: gnutls_privkey_export_rsa_raw21614997
-+Ref: gnutls_privkey_export_x5091616043
-+Ref: gnutls_privkey_generate1616691
-+Ref: gnutls_privkey_generate21618182
-+Ref: gnutls_privkey_get_pk_algorithm1620310
-+Ref: gnutls_privkey_get_seed1620924
-+Ref: gnutls_privkey_get_spki1621723
-+Ref: gnutls_privkey_get_type1622303
-+Ref: gnutls_privkey_import_dsa_raw1622792
-+Ref: gnutls_privkey_import_ecc_raw1623504
-+Ref: gnutls_privkey_import_ext1624317
-+Ref: gnutls_privkey_import_ext21625467
-+Ref: gnutls_privkey_import_ext31626824
-+Ref: gnutls_privkey_import_ext41628438
-+Ref: gnutls_privkey_import_gost_raw1631198
-+Ref: gnutls_privkey_import_openpgp1632406
-+Ref: gnutls_privkey_import_openpgp_raw1632815
-+Ref: gnutls_privkey_import_pkcs111633404
-+Ref: gnutls_privkey_import_pkcs11_url1634162
-+Ref: gnutls_privkey_import_rsa_raw1634611
-+Ref: gnutls_privkey_import_tpm_raw1635607
-+Ref: gnutls_privkey_import_tpm_url1636474
-+Ref: gnutls_privkey_import_url1637577
-+Ref: gnutls_privkey_import_x5091638124
-+Ref: gnutls_privkey_import_x509_raw1638872
-+Ref: gnutls_privkey_init1639651
-+Ref: gnutls_privkey_set_flags1640569
-+Ref: gnutls_privkey_set_pin_function1641094
-+Ref: gnutls_privkey_set_spki1641664
-+Ref: gnutls_privkey_sign_data1642237
-+Ref: gnutls_privkey_sign_data21643257
-+Ref: gnutls_privkey_sign_hash1644155
-+Ref: gnutls_privkey_sign_hash21645592
-+Ref: gnutls_privkey_status1646858
-+Ref: gnutls_privkey_verify_params1647402
-+Ref: gnutls_privkey_verify_seed1647764
-+Ref: gnutls_pubkey_deinit1648476
-+Ref: gnutls_pubkey_encrypt_data1648716
-+Ref: gnutls_pubkey_export1649358
-+Ref: gnutls_pubkey_export21650372
-+Ref: gnutls_pubkey_export_dsa_raw1651145
-+Ref: gnutls_pubkey_export_dsa_raw21651957
-+Ref: gnutls_pubkey_export_ecc_raw1652841
-+Ref: gnutls_pubkey_export_ecc_raw21653740
-+Ref: gnutls_pubkey_export_ecc_x9621654719
-+Ref: gnutls_pubkey_export_gost_raw21655378
-+Ref: gnutls_pubkey_export_rsa_raw1656522
-+Ref: gnutls_pubkey_export_rsa_raw21657219
-+Ref: gnutls_pubkey_get_key_id1657980
-+Ref: gnutls_pubkey_get_key_usage1659005
-+Ref: gnutls_pubkey_get_openpgp_key_id1659502
-+Ref: gnutls_pubkey_get_pk_algorithm1660141
-+Ref: gnutls_pubkey_get_preferred_hash_algorithm1660789
-+Ref: gnutls_pubkey_get_spki1661730
-+Ref: gnutls_pubkey_import1662298
-+Ref: gnutls_pubkey_import_dsa_raw1662982
-+Ref: gnutls_pubkey_import_ecc_raw1663643
-+Ref: gnutls_pubkey_import_ecc_x9621664411
-+Ref: gnutls_pubkey_import_gost_raw1665047
-+Ref: gnutls_pubkey_import_openpgp1666194
-+Ref: gnutls_pubkey_import_openpgp_raw1666586
-+Ref: gnutls_pubkey_import_pkcs111667155
-+Ref: gnutls_pubkey_import_privkey1667697
-+Ref: gnutls_pubkey_import_rsa_raw1668399
-+Ref: gnutls_pubkey_import_tpm_raw1668923
-+Ref: gnutls_pubkey_import_tpm_url1669700
-+Ref: gnutls_pubkey_import_url1670592
-+Ref: gnutls_pubkey_import_x5091671065
-+Ref: gnutls_pubkey_import_x509_crq1671565
-+Ref: gnutls_pubkey_import_x509_raw1672068
-+Ref: gnutls_pubkey_init1672645
-+Ref: gnutls_pubkey_print1672974
-+Ref: gnutls_pubkey_set_key_usage1673708
-+Ref: gnutls_pubkey_set_pin_function1674277
-+Ref: gnutls_pubkey_set_spki1674842
-+Ref: gnutls_pubkey_verify_data21675413
-+Ref: gnutls_pubkey_verify_hash21676321
-+Ref: gnutls_pubkey_verify_params1677445
-+Ref: gnutls_register_custom_url1677803
-+Ref: gnutls_system_key_add_x5091678741
-+Ref: gnutls_system_key_delete1679486
-+Ref: gnutls_system_key_iter_deinit1679910
-+Ref: gnutls_system_key_iter_get_info1680178
-+Ref: gnutls_x509_crl_privkey_sign1681452
-+Ref: gnutls_x509_crq_privkey_sign1682721
-+Ref: gnutls_x509_crq_set_pubkey1684083
-+Ref: gnutls_x509_crt_privkey_sign1684591
-+Ref: gnutls_x509_crt_set_pubkey1685834
-+Node: Socket specific API1686287
-+Ref: gnutls_transport_set_fastopen1686580
-+Node: DANE API1688126
-+Ref: dane_cert_type_name1688500
-+Ref: dane_cert_usage_name1688790
-+Ref: dane_match_type_name1689102
-+Ref: dane_query_data1689385
-+Ref: dane_query_deinit1690064
-+Ref: dane_query_entries1690269
-+Ref: dane_query_status1690511
-+Ref: dane_query_tlsa1690805
-+Ref: dane_query_to_raw_tlsa1691396
-+Ref: dane_raw_tlsa1692738
-+Ref: dane_state_deinit1693815
-+Ref: dane_state_init1694007
-+Ref: dane_state_set_dlv_file1694521
-+Ref: dane_strerror1694822
-+Ref: dane_verification_status_print1695321
-+Ref: dane_verify_crt1695915
-+Ref: dane_verify_crt_raw1698102
-+Ref: dane_verify_session_crt1699335
-+Node: Cryptographic API1700737
-+Ref: gnutls_aead_cipher_decrypt1701238
-+Ref: gnutls_aead_cipher_decryptv21702617
-+Ref: gnutls_aead_cipher_deinit1703542
-+Ref: gnutls_aead_cipher_encrypt1703870
-+Ref: gnutls_aead_cipher_encryptv1704979
-+Ref: gnutls_aead_cipher_encryptv21706127
-+Ref: gnutls_aead_cipher_init1707055
-+Ref: gnutls_cipher_add_auth1707721
-+Ref: gnutls_cipher_decrypt1708301
-+Ref: gnutls_cipher_decrypt21708925
-+Ref: gnutls_cipher_deinit1709851
-+Ref: gnutls_cipher_encrypt1710130
-+Ref: gnutls_cipher_encrypt21710590
-+Ref: gnutls_cipher_get_block_size1711367
-+Ref: gnutls_cipher_get_iv_size1711647
-+Ref: gnutls_cipher_get_tag_size1712129
-+Ref: gnutls_cipher_init1712535
-+Ref: gnutls_cipher_set_iv1713265
-+Ref: gnutls_cipher_tag1713610
-+Ref: gnutls_crypto_register_aead_cipher1714112
-+Ref: gnutls_crypto_register_cipher1715716
-+Ref: gnutls_crypto_register_digest1717497
-+Ref: gnutls_crypto_register_mac1718721
-+Ref: gnutls_decode_ber_digest_info1720149
-+Ref: gnutls_decode_gost_rs_value1720948
-+Ref: gnutls_decode_rs_value1721748
-+Ref: gnutls_encode_ber_digest_info1722533
-+Ref: gnutls_encode_gost_rs_value1723177
-+Ref: gnutls_encode_rs_value1723923
-+Ref: gnutls_hash1724543
-+Ref: gnutls_hash_copy1724974
-+Ref: gnutls_hash_deinit1725491
-+Ref: gnutls_hash_fast1725819
-+Ref: gnutls_hash_get_len1726336
-+Ref: gnutls_hash_init1726669
-+Ref: gnutls_hash_output1727205
-+Ref: gnutls_hkdf_expand1727537
-+Ref: gnutls_hkdf_extract1728240
-+Ref: gnutls_hmac1728783
-+Ref: gnutls_hmac_copy1729214
-+Ref: gnutls_hmac_deinit1729695
-+Ref: gnutls_hmac_fast1730022
-+Ref: gnutls_hmac_get_key_size1730746
-+Ref: gnutls_hmac_get_len1731207
-+Ref: gnutls_hmac_init1731537
-+Ref: gnutls_hmac_output1732320
-+Ref: gnutls_hmac_set_nonce1732655
-+Ref: gnutls_mac_get_nonce_size1733022
-+Ref: gnutls_pbkdf21733338
-+Ref: gnutls_rnd1733971
-+Ref: gnutls_rnd_refresh1734609
-+Node: Compatibility API1734895
-+Ref: gnutls_compression_get1735237
-+Ref: gnutls_compression_get_id1735589
-+Ref: gnutls_compression_get_name1735953
-+Ref: gnutls_compression_list1736335
-+Ref: gnutls_global_set_mem_functions1736667
-+Ref: gnutls_openpgp_privkey_sign_hash1738042
-+Ref: gnutls_priority_compression_list1738471
-+Ref: gnutls_x509_crt_get_preferred_hash_algorithm1738923
-+Ref: gnutls_x509_privkey_sign_hash1739804
-+Node: Copying Information1740674
-+Node: Bibliography1765851
-+Ref: CBCATT1765990
-+Ref: GPGH1766168
-+Ref: GUTPKI1766291
-+Ref: PRNGATTACKS1766466
-+Ref: KEYPIN1766666
-+Ref: NISTSP800571766841
-+Ref: RFC74131767089
-+Ref: RFC79181767256
-+Ref: RFC61251767433
-+Ref: RFC76851767774
-+Ref: RFC76131767949
-+Ref: RFC22461768197
-+Ref: RFC60831768358
-+Ref: RFC44181768595
-+Ref: RFC46801768762
-+Ref: RFC76331768920
-+Ref: RFC79191769092
-+Ref: RFC45141769296
-+Ref: RFC43461769500
-+Ref: RFC43471769650
-+Ref: RFC52461769817
-+Ref: RFC24401769968
-+Ref: RFC48801770150
-+Ref: RFC42111770344
-+Ref: RFC28171770538
-+Ref: RFC28181770691
-+Ref: RFC29451770805
-+Ref: RFC73011770955
-+Ref: RFC29861771175
-+Ref: PKIX1771364
-+Ref: RFC37491771627
-+Ref: RFC38201771793
-+Ref: RFC65201772036
-+Ref: RFC57461772275
-+Ref: RFC52801772484
-+Ref: TLSTKT1772751
-+Ref: PKCS121772983
-+Ref: PKCS111773124
-+Ref: RESCORLA1773270
-+Ref: SELKEY1773366
-+Ref: SSL31773525
-+Ref: STEVENS1773716
-+Ref: TLSEXT1773824
-+Ref: TLSPGP1774041
-+Ref: TLSSRP1774206
-+Ref: TLSPSK1774403
-+Ref: TOMSRP1774572
-+Ref: WEGER1774685
-+Ref: ECRYPT1774877
-+Ref: RFC50561775082
-+Ref: RFC57641775235
-+Ref: RFC59291775523
-+Ref: PKCS11URI1775666
-+Ref: TPMURI1775802
-+Ref: ANDERSON1775996
-+Ref: RFC48211776142
-+Ref: RFC25601776295
-+Ref: RIVESTCRL1776489
-+Node: Function and Data Index1776850
-+Node: Concept Index1903361
- 
- End Tag Table
- 
-diff -ruN gnutls-3.7.2/doc/gnutls.info-1 gnutls-3.7.2-bootstrapped/doc/gnutls.info-1
---- gnutls-3.7.2/doc/gnutls.info-1	2021-05-29 10:19:34.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-1	2021-06-28 09:39:56.000000000 +0200
-@@ -7426,6 +7426,12 @@
- to a token.  Must be combined with one of -load-privkey, -load-pubkey,
- -load-certificate option.
- 
-+When writing a certificate object, its CKA_ID is set to the same CKA_ID
-+of the corresponding public key, if it exists on the token; otherwise it
-+will be derived from the X.509 Subject Key Identifier of the
-+certificate.  If this behavior is undesired, write the public key to the
-+token beforehand.
-+
- id option.
- ..........
- 
-diff -ruN gnutls-3.7.2/doc/gnutls.info-3 gnutls-3.7.2-bootstrapped/doc/gnutls.info-3
---- gnutls-3.7.2/doc/gnutls.info-3	2021-05-29 10:19:36.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-3	2021-06-28 09:39:58.000000000 +0200
-@@ -1350,6 +1350,7 @@
-    * 'insecure-hash': to mark the hash algorithm as insecure for digital
-      signature use (provides a more generic way to disable digital
-      signatures for broken hash algorithms).
-+   * 'disabled-curve': to disable the specified elliptic curve.
-    * 'disabled-version': to disable the specified TLS versions.
-    * 'tls-disabled-cipher': to disable the specified ciphers for use in
-      the TLS or DTLS protocols.
-@@ -1362,12 +1363,54 @@
-      earlier).
- 
- Each of the options can be repeated multiple times when multiple values
--need to be disabled.
-+need to be disabled or enabled.
- 
- The valid values for the options above can be found in the 'Protocols',
- 'Digests' 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of
- the output of 'gnutls-cli --list'.
- 
-+Sometimes the system administrator wants to enable only specific
-+algorithms, despite the library defaults.  GnuTLS provides an
-+alternative mode of overriding: allowlisting.
-+
-+In the allowlisting mode, all the algorithms are initially marked as
-+insecure or disabled, and shall be explicitly turned on by the options
-+in the '[overrides]' section.  Those options are mutually exclusive to
-+the above ones for the blocklisting mode (the default)
-+   * 'secure-sig-for-cert': to mark the signature algorithm as secure
-+     when used in certificates.
-+   * 'secure-sig': to mark the signature algorithm as secure for any
-+     use.
-+   * 'secure-hash': to mark the hash algorithm as secure for digital
-+     signature use (provides a more generic way to enable digital
-+     signatures for broken hash algorithms).
-+   * 'enabled-curve': to enable the specified elliptic curve.
-+   * 'enabled-version': to enable the specified TLS versions.
-+   * 'tls-enabled-cipher': to enable the specified ciphers for use in
-+     the TLS or DTLS protocols.
-+   * 'tls-enabled-mac': to enable the specified MAC algorithms for use
-+     in the TLS or DTLS protocols.
-+   * 'tls-enabled-group': to enable the specified group for use in the
-+     TLS or DTLS protocols.
-+   * 'tls-enabled-kx': to enable the specified key exchange algorithms
-+     for use in the TLS or DTLS protocols (applies to TLS1.2 or
-+     earlier).
-+
-+The allowlisting mode can be enabled by adding 'override-mode =
-+allowlist' in the '[global]' section.
-+
-+When the allowlisting mode is in effect, it is also possible for the
-+applications to modify the setting through the API.
-+
-+'INT *note gnutls_ecc_curve_mark_enabled:: (gnutls_ecc_curve_t CURVE)'
-+'INT *note gnutls_sign_mark_secure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)'
-+'INT *note gnutls_digest_mark_secure:: (gnutls_digest_algorithm_t DIG)'
-+'INT *note gnutls_protocol_mark_enabled:: (gnutls_protocol_t VERSION)'
-+'INT *note gnutls_ecc_curve_mark_disabled:: (gnutls_ecc_curve_t CURVE)'
-+'INT *note gnutls_sign_mark_insecure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)'
-+'INT *note gnutls_digest_mark_insecure:: (gnutls_digest_algorithm_t DIG)'
-+'INT *note gnutls_protocol_mark_disabled:: (gnutls_protocol_t VERSION)'
-+
- 8.2.1 Examples
- --------------
- 
-@@ -1396,6 +1439,17 @@
-      tls-disabled-mac = sha1
-      tls-disabled-group = group-ffdhe8192
- 
-+The following example demonstrates the use of the allowlisting mode.  It
-+disables all the signature algorithms but 'RSA-SHA256'.  Note that the
-+hash algorithm 'SHA256' also needs to be explicitly enabled.
-+
-+     [global]
-+     override-mode = allowlist
-+
-+     [overrides]
-+     secure-hash = sha256
-+     secure-sig = rsa-sha256
-+
- 
- File: gnutls.info,  Node: Querying for disabled algorithms and protocols,  Next: Overriding the parameter verification profile,  Prev: Disabling algorithms and protocols,  Up: System-wide configuration of the library
- 
-@@ -8538,6 +8592,31 @@
-      'gnutls_digest_algorithm_t' integers indicating the available
-      digests.
- 
-+gnutls_digest_mark_insecure
-+---------------------------
-+
-+ -- Function: int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t
-+          DIG)
-+     DIG: is a digest algorithm
-+
-+     Mark 'dig' as insecure system wide.  This only works if the
-+     allowlisting mode is used in the configuration file.
-+
-+     *Since:* 3.7.3
-+
-+gnutls_digest_mark_secure
-+-------------------------
-+
-+ -- Function: int gnutls_digest_mark_secure (gnutls_digest_algorithm_t
-+          DIG)
-+     DIG: is a digest algorithm
-+
-+     Invalidate previous system wide setting that marked 'dig' as
-+     insecure.  This only works if the allowlisting mode is used in the
-+     configuration file.
-+
-+     *Since:* 3.7.3
-+
- gnutls_early_cipher_get
- -----------------------
- 
-@@ -8657,6 +8736,37 @@
-      *Returns:* Return a (0)-terminated list of 'gnutls_ecc_curve_t'
-      integers indicating the available curves.
- 
-+gnutls_ecc_curve_mark_disabled
-+------------------------------
-+
-+ -- Function: int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t
-+          CURVE)
-+     CURVE: is an ECC curve
-+
-+     Mark 'curve' as disabled system wide.  This setting can be reverted
-+     with 'gnutls_ecc_curve_mark_enabled()' .  This only works if the
-+     configuration file uses the allowlisting mode.
-+
-+     *Returns:* 0 on success or negative error code otherwise.
-+
-+     *Since:* 3.7.3
-+
-+gnutls_ecc_curve_mark_enabled
-+-----------------------------
-+
-+ -- Function: int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t
-+          CURVE)
-+     CURVE: is an ECC curve
-+
-+     Invalidate previous system wide setting that marked 'curve' as
-+     disabled.  This only works if the curve is disabled with
-+     'gnutls_ecc_curve_mark_disabled()' or through the allowlisting mode
-+     in the configuration file.
-+
-+     *Returns:* 0 on success or negative error code otherwise.
-+
-+     *Since:* 3.7.3
-+
- gnutls_error_is_fatal
- ---------------------
- 
-@@ -11047,6 +11157,27 @@
-      *Returns:* a (0)-terminated list of 'gnutls_protocol_t' integers
-      indicating the available protocols.
- 
-+gnutls_protocol_mark_disabled
-+-----------------------------
-+
-+ -- Function: int gnutls_protocol_mark_disabled (gnutls_protocol_t
-+          VERSION)
-+     VERSION: is a (gnutls) version number
-+
-+     Mark 'version' as disabled system wide.  This only works if the
-+     allowlisting mode is used in the configuration file.
-+
-+gnutls_protocol_mark_enabled
-+----------------------------
-+
-+ -- Function: int gnutls_protocol_mark_enabled (gnutls_protocol_t
-+          VERSION)
-+     VERSION: is a (gnutls) version number
-+
-+     Invalidate previous system wide setting that marked 'version' as
-+     disabled.  This only works if the allowlisting mode is used in the
-+     configuration file.
-+
- gnutls_psk_allocate_client_credentials
- --------------------------------------
- 
-@@ -13235,6 +13366,45 @@
-      *Returns:* a (0)-terminated list of 'gnutls_sign_algorithm_t'
-      integers indicating the available ciphers.
- 
-+gnutls_sign_mark_insecure
-+-------------------------
-+
-+ -- Function: int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t
-+          SIGN, unsigned FLAGS)
-+     SIGN: the sign algorithm
-+
-+     FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0
-+
-+     Mark 'sign' as insecure system wide.  This only works if the
-+     allowlisting mode is used in the configuration file.
-+
-+     If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, and the
-+     algorithm was previously considered secure for all purposes, it
-+     only marks the algorithm as insecure for the use with certificates.
-+
-+     *Since:* 3.7.3
-+
-+gnutls_sign_mark_secure
-+-----------------------
-+
-+ -- Function: int gnutls_sign_mark_secure (gnutls_sign_algorithm_t SIGN,
-+          unsigned FLAGS)
-+     SIGN: the sign algorithm
-+
-+     FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0
-+
-+     Invalidate previous system wide setting that marked 'sign' as
-+     insecure.  This only works if the algorithm is marked as insecure
-+     with 'gnutls_sign_mark_insecure()' or through the allowlisting mode
-+     in the configuration file.
-+
-+     If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, it
-+     marks it the algorithm as secure for all purposes.  If the absence
-+     of this flag, it will mark it as "secure, but not for certificates"
-+     at most, but it won't restrict anything either.
-+
-+     *Since:* 3.7.3
-+
- gnutls_sign_supports_pk_algorithm
- ---------------------------------
- 
-diff -ruN gnutls-3.7.2/doc/gnutls.info-6 gnutls-3.7.2-bootstrapped/doc/gnutls.info-6
---- gnutls-3.7.2/doc/gnutls.info-6	2021-05-29 10:19:38.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-6	2021-06-28 09:40:00.000000000 +0200
-@@ -7847,6 +7847,8 @@
- * gnutls_digest_get_name:                Core TLS API.       (line 3005)
- * gnutls_digest_get_oid:                 Core TLS API.       (line 3017)
- * gnutls_digest_list:                    Core TLS API.       (line 3032)
-+* gnutls_digest_mark_insecure:           Core TLS API.       (line 3046)
-+* gnutls_digest_mark_secure:             Core TLS API.       (line 3058)
- * gnutls_dtls_cookie_send:               Datagram TLS API.   (line   11)
- * gnutls_dtls_cookie_verify:             Datagram TLS API.   (line   45)
- * gnutls_dtls_get_data_mtu:              Datagram TLS API.   (line   74)
-@@ -7858,71 +7860,73 @@
- * gnutls_dtls_set_data_mtu:              Datagram TLS API.   (line  139)
- * gnutls_dtls_set_mtu:                   Datagram TLS API.   (line  165)
- * gnutls_dtls_set_timeouts:              Datagram TLS API.   (line  182)
--* gnutls_early_cipher_get:               Core TLS API.       (line 3046)
--* gnutls_early_prf_hash_get:             Core TLS API.       (line 3060)
--* gnutls_ecc_curve_get:                  Core TLS API.       (line 3075)
--* gnutls_ecc_curve_get_id:               Core TLS API.       (line 3089)
--* gnutls_ecc_curve_get_name:             Core TLS API.       (line 3103)
--* gnutls_ecc_curve_get_oid:              Core TLS API.       (line 3117)
--* gnutls_ecc_curve_get_pk:               Core TLS API.       (line 3131)
--* gnutls_ecc_curve_get_size:             Core TLS API.       (line 3143)
--* gnutls_ecc_curve_list:                 Core TLS API.       (line 3153)
-+* gnutls_early_cipher_get:               Core TLS API.       (line 3071)
-+* gnutls_early_prf_hash_get:             Core TLS API.       (line 3085)
-+* gnutls_ecc_curve_get:                  Core TLS API.       (line 3100)
-+* gnutls_ecc_curve_get_id:               Core TLS API.       (line 3114)
-+* gnutls_ecc_curve_get_name:             Core TLS API.       (line 3128)
-+* gnutls_ecc_curve_get_oid:              Core TLS API.       (line 3142)
-+* gnutls_ecc_curve_get_pk:               Core TLS API.       (line 3156)
-+* gnutls_ecc_curve_get_size:             Core TLS API.       (line 3168)
-+* gnutls_ecc_curve_list:                 Core TLS API.       (line 3178)
-+* gnutls_ecc_curve_mark_disabled:        Core TLS API.       (line 3190)
-+* gnutls_ecc_curve_mark_enabled:         Core TLS API.       (line 3205)
- * gnutls_encode_ber_digest_info:         Cryptographic API.  (line  689)
- * gnutls_encode_gost_rs_value:           Cryptographic API.  (line  709)
- * gnutls_encode_rs_value:                Cryptographic API.  (line  732)
- * gnutls_error_is_fatal:                 Data transfer and termination.
-                                                              (line   82)
--* gnutls_error_is_fatal <1>:             Core TLS API.       (line 3165)
-+* gnutls_error_is_fatal <1>:             Core TLS API.       (line 3221)
- * gnutls_error_to_alert:                 Handling alerts.    (line   66)
--* gnutls_error_to_alert <1>:             Core TLS API.       (line 3185)
--* gnutls_est_record_overhead_size:       Core TLS API.       (line 3204)
--* gnutls_ext_get_current_msg:            Core TLS API.       (line 3231)
--* gnutls_ext_get_data:                   Core TLS API.       (line 3249)
--* gnutls_ext_get_name:                   Core TLS API.       (line 3268)
--* gnutls_ext_get_name2:                  Core TLS API.       (line 3279)
--* gnutls_ext_raw_parse:                  Core TLS API.       (line 3296)
--* gnutls_ext_register:                   Core TLS API.       (line 3327)
--* gnutls_ext_set_data:                   Core TLS API.       (line 3374)
--* gnutls_fingerprint:                    Core TLS API.       (line 3391)
--* gnutls_fips140_mode_enabled:           Core TLS API.       (line 3418)
--* gnutls_fips140_set_mode:               Core TLS API.       (line 3436)
-+* gnutls_error_to_alert <1>:             Core TLS API.       (line 3241)
-+* gnutls_est_record_overhead_size:       Core TLS API.       (line 3260)
-+* gnutls_ext_get_current_msg:            Core TLS API.       (line 3287)
-+* gnutls_ext_get_data:                   Core TLS API.       (line 3305)
-+* gnutls_ext_get_name:                   Core TLS API.       (line 3324)
-+* gnutls_ext_get_name2:                  Core TLS API.       (line 3335)
-+* gnutls_ext_raw_parse:                  Core TLS API.       (line 3352)
-+* gnutls_ext_register:                   Core TLS API.       (line 3383)
-+* gnutls_ext_set_data:                   Core TLS API.       (line 3430)
-+* gnutls_fingerprint:                    Core TLS API.       (line 3447)
-+* gnutls_fips140_mode_enabled:           Core TLS API.       (line 3474)
-+* gnutls_fips140_set_mode:               Core TLS API.       (line 3492)
- * gnutls_get_system_config_file:         System-wide configuration of the library.
-                                                              (line   24)
--* gnutls_get_system_config_file <1>:     Core TLS API.       (line 3462)
--* gnutls_global_deinit:                  Core TLS API.       (line 3476)
--* gnutls_global_init:                    Core TLS API.       (line 3489)
-+* gnutls_get_system_config_file <1>:     Core TLS API.       (line 3518)
-+* gnutls_global_deinit:                  Core TLS API.       (line 3532)
-+* gnutls_global_init:                    Core TLS API.       (line 3545)
- * gnutls_global_set_audit_log_function:  Debugging and auditing.
-                                                              (line   64)
--* gnutls_global_set_audit_log_function <1>: Core TLS API.    (line 3518)
--* gnutls_global_set_log_function:        Core TLS API.       (line 3537)
--* gnutls_global_set_log_level:           Core TLS API.       (line 3552)
-+* gnutls_global_set_audit_log_function <1>: Core TLS API.    (line 3574)
-+* gnutls_global_set_log_function:        Core TLS API.       (line 3593)
-+* gnutls_global_set_log_level:           Core TLS API.       (line 3608)
- * gnutls_global_set_mem_functions:       Compatibility API.  (line   60)
--* gnutls_global_set_mutex:               Core TLS API.       (line 3565)
--* gnutls_global_set_time_function:       Core TLS API.       (line 3594)
--* gnutls_gost_paramset_get_name:         Core TLS API.       (line 3608)
--* gnutls_gost_paramset_get_oid:          Core TLS API.       (line 3622)
--* gnutls_group_get:                      Core TLS API.       (line 3636)
--* gnutls_group_get_id:                   Core TLS API.       (line 3649)
--* gnutls_group_get_name:                 Core TLS API.       (line 3662)
--* gnutls_group_list:                     Core TLS API.       (line 3675)
-+* gnutls_global_set_mutex:               Core TLS API.       (line 3621)
-+* gnutls_global_set_time_function:       Core TLS API.       (line 3650)
-+* gnutls_gost_paramset_get_name:         Core TLS API.       (line 3664)
-+* gnutls_gost_paramset_get_oid:          Core TLS API.       (line 3678)
-+* gnutls_group_get:                      Core TLS API.       (line 3692)
-+* gnutls_group_get_id:                   Core TLS API.       (line 3705)
-+* gnutls_group_get_name:                 Core TLS API.       (line 3718)
-+* gnutls_group_list:                     Core TLS API.       (line 3731)
- * gnutls_handshake:                      TLS handshake.      (line   10)
--* gnutls_handshake <1>:                  Core TLS API.       (line 3689)
--* gnutls_handshake_description_get_name: Core TLS API.       (line 3732)
--* gnutls_handshake_get_last_in:          Core TLS API.       (line 3744)
--* gnutls_handshake_get_last_out:         Core TLS API.       (line 3761)
-+* gnutls_handshake <1>:                  Core TLS API.       (line 3745)
-+* gnutls_handshake_description_get_name: Core TLS API.       (line 3788)
-+* gnutls_handshake_get_last_in:          Core TLS API.       (line 3800)
-+* gnutls_handshake_get_last_out:         Core TLS API.       (line 3817)
- * gnutls_handshake_set_hook_function:    Virtual hosts and credentials.
-                                                              (line   56)
--* gnutls_handshake_set_hook_function <1>: Core TLS API.      (line 3778)
--* gnutls_handshake_set_max_packet_length: Core TLS API.      (line 3815)
-+* gnutls_handshake_set_hook_function <1>: Core TLS API.      (line 3834)
-+* gnutls_handshake_set_max_packet_length: Core TLS API.      (line 3871)
- * gnutls_handshake_set_post_client_hello_function: Core TLS API.
--                                                             (line 3836)
--* gnutls_handshake_set_private_extensions: Core TLS API.     (line 3867)
--* gnutls_handshake_set_random:           Core TLS API.       (line 3886)
--* gnutls_handshake_set_read_function:    Core TLS API.       (line 3908)
--* gnutls_handshake_set_secret_function:  Core TLS API.       (line 3922)
-+                                                             (line 3892)
-+* gnutls_handshake_set_private_extensions: Core TLS API.     (line 3923)
-+* gnutls_handshake_set_random:           Core TLS API.       (line 3942)
-+* gnutls_handshake_set_read_function:    Core TLS API.       (line 3964)
-+* gnutls_handshake_set_secret_function:  Core TLS API.       (line 3978)
- * gnutls_handshake_set_timeout:          TLS handshake.      (line   50)
--* gnutls_handshake_set_timeout <1>:      Core TLS API.       (line 3936)
--* gnutls_handshake_write:                Core TLS API.       (line 3956)
-+* gnutls_handshake_set_timeout <1>:      Core TLS API.       (line 3992)
-+* gnutls_handshake_write:                Core TLS API.       (line 4012)
- * gnutls_hash:                           Cryptographic API.  (line  753)
- * gnutls_hash_copy:                      Cryptographic API.  (line  771)
- * gnutls_hash_deinit:                    Cryptographic API.  (line  787)
-@@ -7930,17 +7934,17 @@
- * gnutls_hash_get_len:                   Cryptographic API.  (line  821)
- * gnutls_hash_init:                      Cryptographic API.  (line  835)
- * gnutls_hash_output:                    Cryptographic API.  (line  853)
--* gnutls_heartbeat_allowed:              Core TLS API.       (line 3977)
--* gnutls_heartbeat_enable:               Core TLS API.       (line 3994)
--* gnutls_heartbeat_get_timeout:          Core TLS API.       (line 4018)
--* gnutls_heartbeat_ping:                 Core TLS API.       (line 4034)
--* gnutls_heartbeat_pong:                 Core TLS API.       (line 4066)
--* gnutls_heartbeat_set_timeouts:         Core TLS API.       (line 4082)
--* gnutls_hex2bin:                        Core TLS API.       (line 4104)
--* gnutls_hex_decode:                     Core TLS API.       (line 4127)
--* gnutls_hex_decode2:                    Core TLS API.       (line 4149)
--* gnutls_hex_encode:                     Core TLS API.       (line 4164)
--* gnutls_hex_encode2:                    Core TLS API.       (line 4183)
-+* gnutls_heartbeat_allowed:              Core TLS API.       (line 4033)
-+* gnutls_heartbeat_enable:               Core TLS API.       (line 4050)
-+* gnutls_heartbeat_get_timeout:          Core TLS API.       (line 4074)
-+* gnutls_heartbeat_ping:                 Core TLS API.       (line 4090)
-+* gnutls_heartbeat_pong:                 Core TLS API.       (line 4122)
-+* gnutls_heartbeat_set_timeouts:         Core TLS API.       (line 4138)
-+* gnutls_hex2bin:                        Core TLS API.       (line 4160)
-+* gnutls_hex_decode:                     Core TLS API.       (line 4183)
-+* gnutls_hex_decode2:                    Core TLS API.       (line 4205)
-+* gnutls_hex_encode:                     Core TLS API.       (line 4220)
-+* gnutls_hex_encode2:                    Core TLS API.       (line 4239)
- * gnutls_hkdf_expand:                    Cryptographic API.  (line  867)
- * gnutls_hkdf_extract:                   Cryptographic API.  (line  891)
- * gnutls_hmac:                           Cryptographic API.  (line  912)
-@@ -7952,25 +7956,25 @@
- * gnutls_hmac_init:                      Cryptographic API.  (line 1015)
- * gnutls_hmac_output:                    Cryptographic API.  (line 1041)
- * gnutls_hmac_set_nonce:                 Cryptographic API.  (line 1055)
--* gnutls_idna_map:                       Core TLS API.       (line 4201)
--* gnutls_idna_reverse_map:               Core TLS API.       (line 4232)
-+* gnutls_idna_map:                       Core TLS API.       (line 4257)
-+* gnutls_idna_reverse_map:               Core TLS API.       (line 4288)
- * gnutls_init:                           Session initialization.
-                                                              (line   14)
--* gnutls_init <1>:                       Core TLS API.       (line 4258)
--* gnutls_key_generate:                   Core TLS API.       (line 4281)
--* gnutls_kx_get:                         Core TLS API.       (line 4298)
--* gnutls_kx_get_id:                      Core TLS API.       (line 4315)
--* gnutls_kx_get_name:                    Core TLS API.       (line 4327)
--* gnutls_kx_list:                        Core TLS API.       (line 4339)
--* gnutls_load_file:                      Core TLS API.       (line 4351)
--* gnutls_mac_get:                        Core TLS API.       (line 4374)
--* gnutls_mac_get_id:                     Core TLS API.       (line 4386)
--* gnutls_mac_get_key_size:               Core TLS API.       (line 4399)
--* gnutls_mac_get_name:                   Core TLS API.       (line 4411)
-+* gnutls_init <1>:                       Core TLS API.       (line 4314)
-+* gnutls_key_generate:                   Core TLS API.       (line 4337)
-+* gnutls_kx_get:                         Core TLS API.       (line 4354)
-+* gnutls_kx_get_id:                      Core TLS API.       (line 4371)
-+* gnutls_kx_get_name:                    Core TLS API.       (line 4383)
-+* gnutls_kx_list:                        Core TLS API.       (line 4395)
-+* gnutls_load_file:                      Core TLS API.       (line 4407)
-+* gnutls_mac_get:                        Core TLS API.       (line 4430)
-+* gnutls_mac_get_id:                     Core TLS API.       (line 4442)
-+* gnutls_mac_get_key_size:               Core TLS API.       (line 4455)
-+* gnutls_mac_get_name:                   Core TLS API.       (line 4467)
- * gnutls_mac_get_nonce_size:             Cryptographic API.  (line 1070)
--* gnutls_mac_list:                       Core TLS API.       (line 4423)
--* gnutls_memcmp:                         Core TLS API.       (line 4435)
--* gnutls_memset:                         Core TLS API.       (line 4456)
-+* gnutls_mac_list:                       Core TLS API.       (line 4479)
-+* gnutls_memcmp:                         Core TLS API.       (line 4491)
-+* gnutls_memset:                         Core TLS API.       (line 4512)
- * gnutls_ocsp_req_add_cert:              OCSP API.           (line   12)
- * gnutls_ocsp_req_add_cert_id:           OCSP API.           (line   36)
- * gnutls_ocsp_req_deinit:                OCSP API.           (line   69)
-@@ -8011,20 +8015,20 @@
- * gnutls_ocsp_resp_print:                OCSP API.           (line  757)
- * gnutls_ocsp_resp_verify:               OCSP API.           (line  780)
- * gnutls_ocsp_resp_verify_direct:        OCSP API.           (line  818)
--* gnutls_ocsp_status_request_enable_client: Core TLS API.    (line 4471)
--* gnutls_ocsp_status_request_get:        Core TLS API.       (line 4499)
--* gnutls_ocsp_status_request_get2:       Core TLS API.       (line 4518)
--* gnutls_ocsp_status_request_is_checked: Core TLS API.       (line 4544)
--* gnutls_oid_to_digest:                  Core TLS API.       (line 4578)
--* gnutls_oid_to_ecc_curve:               Core TLS API.       (line 4593)
--* gnutls_oid_to_gost_paramset:           Core TLS API.       (line 4605)
--* gnutls_oid_to_mac:                     Core TLS API.       (line 4620)
--* gnutls_oid_to_pk:                      Core TLS API.       (line 4635)
--* gnutls_oid_to_sign:                    Core TLS API.       (line 4649)
-+* gnutls_ocsp_status_request_enable_client: Core TLS API.    (line 4527)
-+* gnutls_ocsp_status_request_get:        Core TLS API.       (line 4555)
-+* gnutls_ocsp_status_request_get2:       Core TLS API.       (line 4574)
-+* gnutls_ocsp_status_request_is_checked: Core TLS API.       (line 4600)
-+* gnutls_oid_to_digest:                  Core TLS API.       (line 4634)
-+* gnutls_oid_to_ecc_curve:               Core TLS API.       (line 4649)
-+* gnutls_oid_to_gost_paramset:           Core TLS API.       (line 4661)
-+* gnutls_oid_to_mac:                     Core TLS API.       (line 4676)
-+* gnutls_oid_to_pk:                      Core TLS API.       (line 4691)
-+* gnutls_oid_to_sign:                    Core TLS API.       (line 4705)
- * gnutls_openpgp_privkey_sign_hash:      Compatibility API.  (line   95)
--* gnutls_openpgp_send_cert:              Core TLS API.       (line 4664)
--* gnutls_packet_deinit:                  Core TLS API.       (line 4677)
--* gnutls_packet_get:                     Core TLS API.       (line 4688)
-+* gnutls_openpgp_send_cert:              Core TLS API.       (line 4720)
-+* gnutls_packet_deinit:                  Core TLS API.       (line 4733)
-+* gnutls_packet_get:                     Core TLS API.       (line 4744)
- * gnutls_pbkdf2:                         Cryptographic API.  (line 1083)
- * gnutls_pcert_deinit:                   Abstract key API.   (line  176)
- * gnutls_pcert_export_openpgp:           Abstract key API.   (line  186)
-@@ -8038,11 +8042,11 @@
- * gnutls_pcert_import_x509_raw:          Abstract key API.   (line  370)
- * gnutls_pcert_list_import_x509_file:    Abstract key API.   (line  393)
- * gnutls_pcert_list_import_x509_raw:     Abstract key API.   (line  430)
--* gnutls_pem_base64_decode:              Core TLS API.       (line 4706)
--* gnutls_pem_base64_decode2:             Core TLS API.       (line 4730)
--* gnutls_pem_base64_encode:              Core TLS API.       (line 4758)
--* gnutls_pem_base64_encode2:             Core TLS API.       (line 4781)
--* gnutls_perror:                         Core TLS API.       (line 4809)
-+* gnutls_pem_base64_decode:              Core TLS API.       (line 4762)
-+* gnutls_pem_base64_decode2:             Core TLS API.       (line 4786)
-+* gnutls_pem_base64_encode:              Core TLS API.       (line 4814)
-+* gnutls_pem_base64_encode2:             Core TLS API.       (line 4837)
-+* gnutls_perror:                         Core TLS API.       (line 4865)
- * gnutls_pkcs11_add_provider:            PKCS11 Manual Initialization.
-                                                              (line   13)
- * gnutls_pkcs11_add_provider <1>:        PKCS 11 API.        (line   12)
-@@ -8183,39 +8187,39 @@
-                                                              (line  122)
- * gnutls_pkcs_schema_get_oid:            X509 certificate API.
-                                                              (line  137)
--* gnutls_pk_algorithm_get_name:          Core TLS API.       (line 4818)
-+* gnutls_pk_algorithm_get_name:          Core TLS API.       (line 4874)
- * gnutls_pk_bits_to_sec_param:           Selecting cryptographic key sizes.
-                                                              (line   91)
--* gnutls_pk_bits_to_sec_param <1>:       Core TLS API.       (line 4830)
--* gnutls_pk_get_id:                      Core TLS API.       (line 4847)
--* gnutls_pk_get_name:                    Core TLS API.       (line 4862)
--* gnutls_pk_get_oid:                     Core TLS API.       (line 4876)
--* gnutls_pk_list:                        Core TLS API.       (line 4891)
--* gnutls_pk_to_sign:                     Core TLS API.       (line 4905)
--* gnutls_prf:                            Core TLS API.       (line 4920)
--* gnutls_prf_early:                      Core TLS API.       (line 4970)
--* gnutls_prf_hash_get:                   Core TLS API.       (line 5015)
--* gnutls_prf_raw:                        Core TLS API.       (line 5032)
-+* gnutls_pk_bits_to_sec_param <1>:       Core TLS API.       (line 4886)
-+* gnutls_pk_get_id:                      Core TLS API.       (line 4903)
-+* gnutls_pk_get_name:                    Core TLS API.       (line 4918)
-+* gnutls_pk_get_oid:                     Core TLS API.       (line 4932)
-+* gnutls_pk_list:                        Core TLS API.       (line 4947)
-+* gnutls_pk_to_sign:                     Core TLS API.       (line 4961)
-+* gnutls_prf:                            Core TLS API.       (line 4976)
-+* gnutls_prf_early:                      Core TLS API.       (line 5026)
-+* gnutls_prf_hash_get:                   Core TLS API.       (line 5071)
-+* gnutls_prf_raw:                        Core TLS API.       (line 5088)
- * gnutls_prf_rfc5705:                    Deriving keys for other applications/protocols.
-                                                              (line   16)
--* gnutls_prf_rfc5705 <1>:                Core TLS API.       (line 5077)
--* gnutls_priority_certificate_type_list: Core TLS API.       (line 5124)
--* gnutls_priority_certificate_type_list2: Core TLS API.      (line 5145)
--* gnutls_priority_cipher_list:           Core TLS API.       (line 5165)
-+* gnutls_prf_rfc5705 <1>:                Core TLS API.       (line 5133)
-+* gnutls_priority_certificate_type_list: Core TLS API.       (line 5180)
-+* gnutls_priority_certificate_type_list2: Core TLS API.      (line 5201)
-+* gnutls_priority_cipher_list:           Core TLS API.       (line 5221)
- * gnutls_priority_compression_list:      Compatibility API.  (line  111)
--* gnutls_priority_deinit:                Core TLS API.       (line 5180)
--* gnutls_priority_ecc_curve_list:        Core TLS API.       (line 5189)
--* gnutls_priority_get_cipher_suite_index: Core TLS API.      (line 5207)
--* gnutls_priority_group_list:            Core TLS API.       (line 5232)
--* gnutls_priority_init:                  Core TLS API.       (line 5247)
--* gnutls_priority_init2:                 Core TLS API.       (line 5275)
--* gnutls_priority_kx_list:               Core TLS API.       (line 5383)
--* gnutls_priority_mac_list:              Core TLS API.       (line 5399)
--* gnutls_priority_protocol_list:         Core TLS API.       (line 5414)
--* gnutls_priority_set:                   Core TLS API.       (line 5430)
--* gnutls_priority_set_direct:            Core TLS API.       (line 5448)
--* gnutls_priority_sign_list:             Core TLS API.       (line 5472)
--* gnutls_priority_string_list:           Core TLS API.       (line 5488)
-+* gnutls_priority_deinit:                Core TLS API.       (line 5236)
-+* gnutls_priority_ecc_curve_list:        Core TLS API.       (line 5245)
-+* gnutls_priority_get_cipher_suite_index: Core TLS API.      (line 5263)
-+* gnutls_priority_group_list:            Core TLS API.       (line 5288)
-+* gnutls_priority_init:                  Core TLS API.       (line 5303)
-+* gnutls_priority_init2:                 Core TLS API.       (line 5331)
-+* gnutls_priority_kx_list:               Core TLS API.       (line 5439)
-+* gnutls_priority_mac_list:              Core TLS API.       (line 5455)
-+* gnutls_priority_protocol_list:         Core TLS API.       (line 5470)
-+* gnutls_priority_set:                   Core TLS API.       (line 5486)
-+* gnutls_priority_set_direct:            Core TLS API.       (line 5504)
-+* gnutls_priority_sign_list:             Core TLS API.       (line 5528)
-+* gnutls_priority_string_list:           Core TLS API.       (line 5544)
- * gnutls_privkey_decrypt_data:           Operations.         (line  144)
- * gnutls_privkey_decrypt_data <1>:       Abstract key API.   (line  465)
- * gnutls_privkey_decrypt_data2:          Abstract key API.   (line  488)
-@@ -8275,33 +8279,35 @@
- * gnutls_privkey_status:                 Abstract key API.   (line 1705)
- * gnutls_privkey_verify_params:          Abstract key API.   (line 1721)
- * gnutls_privkey_verify_seed:            Abstract key API.   (line 1734)
--* gnutls_protocol_get_id:                Core TLS API.       (line 5508)
--* gnutls_protocol_get_name:              Core TLS API.       (line 5520)
--* gnutls_protocol_get_version:           Core TLS API.       (line 5532)
--* gnutls_protocol_list:                  Core TLS API.       (line 5543)
--* gnutls_psk_allocate_client_credentials: Core TLS API.      (line 5555)
--* gnutls_psk_allocate_server_credentials: Core TLS API.      (line 5567)
--* gnutls_psk_client_get_hint:            Core TLS API.       (line 5579)
--* gnutls_psk_free_client_credentials:    Core TLS API.       (line 5598)
--* gnutls_psk_free_server_credentials:    Core TLS API.       (line 5607)
--* gnutls_psk_server_get_username:        Core TLS API.       (line 5616)
--* gnutls_psk_server_get_username2:       Core TLS API.       (line 5636)
--* gnutls_psk_set_client_credentials:     Core TLS API.       (line 5657)
--* gnutls_psk_set_client_credentials2:    Core TLS API.       (line 5683)
-+* gnutls_protocol_get_id:                Core TLS API.       (line 5564)
-+* gnutls_protocol_get_name:              Core TLS API.       (line 5576)
-+* gnutls_protocol_get_version:           Core TLS API.       (line 5588)
-+* gnutls_protocol_list:                  Core TLS API.       (line 5599)
-+* gnutls_protocol_mark_disabled:         Core TLS API.       (line 5611)
-+* gnutls_protocol_mark_enabled:          Core TLS API.       (line 5621)
-+* gnutls_psk_allocate_client_credentials: Core TLS API.      (line 5632)
-+* gnutls_psk_allocate_server_credentials: Core TLS API.      (line 5644)
-+* gnutls_psk_client_get_hint:            Core TLS API.       (line 5656)
-+* gnutls_psk_free_client_credentials:    Core TLS API.       (line 5675)
-+* gnutls_psk_free_server_credentials:    Core TLS API.       (line 5684)
-+* gnutls_psk_server_get_username:        Core TLS API.       (line 5693)
-+* gnutls_psk_server_get_username2:       Core TLS API.       (line 5713)
-+* gnutls_psk_set_client_credentials:     Core TLS API.       (line 5734)
-+* gnutls_psk_set_client_credentials2:    Core TLS API.       (line 5760)
- * gnutls_psk_set_client_credentials_function: PSK credentials.
-                                                              (line   22)
- * gnutls_psk_set_client_credentials_function <1>: Core TLS API.
--                                                             (line 5706)
--* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5731)
--* gnutls_psk_set_params_function:        Core TLS API.       (line 5760)
-+                                                             (line 5783)
-+* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5808)
-+* gnutls_psk_set_params_function:        Core TLS API.       (line 5837)
- * gnutls_psk_set_server_credentials_file: PSK credentials.   (line   59)
--* gnutls_psk_set_server_credentials_file <1>: Core TLS API.  (line 5778)
--* gnutls_psk_set_server_credentials_function: Core TLS API.  (line 5800)
--* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5825)
--* gnutls_psk_set_server_credentials_hint: Core TLS API.      (line 5854)
--* gnutls_psk_set_server_dh_params:       Core TLS API.       (line 5873)
--* gnutls_psk_set_server_known_dh_params: Core TLS API.       (line 5891)
--* gnutls_psk_set_server_params_function: Core TLS API.       (line 5915)
-+* gnutls_psk_set_server_credentials_file <1>: Core TLS API.  (line 5855)
-+* gnutls_psk_set_server_credentials_function: Core TLS API.  (line 5877)
-+* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5902)
-+* gnutls_psk_set_server_credentials_hint: Core TLS API.      (line 5931)
-+* gnutls_psk_set_server_dh_params:       Core TLS API.       (line 5950)
-+* gnutls_psk_set_server_known_dh_params: Core TLS API.       (line 5968)
-+* gnutls_psk_set_server_params_function: Core TLS API.       (line 5992)
- * gnutls_pubkey_deinit:                  Abstract key API.   (line 1758)
- * gnutls_pubkey_encrypt_data:            Operations.         (line   60)
- * gnutls_pubkey_encrypt_data <1>:        Abstract key API.   (line 1768)
-@@ -8351,169 +8357,171 @@
- * gnutls_pubkey_verify_hash2:            Operations.         (line   33)
- * gnutls_pubkey_verify_hash2 <1>:        Abstract key API.   (line 2681)
- * gnutls_pubkey_verify_params:           Abstract key API.   (line 2711)
--* gnutls_random_art:                     Core TLS API.       (line 5933)
--* gnutls_range_split:                    Core TLS API.       (line 5960)
--* gnutls_reauth:                         Core TLS API.       (line 5986)
--* gnutls_record_can_use_length_hiding:   Core TLS API.       (line 6032)
--* gnutls_record_check_corked:            Core TLS API.       (line 6050)
-+* gnutls_random_art:                     Core TLS API.       (line 6010)
-+* gnutls_range_split:                    Core TLS API.       (line 6037)
-+* gnutls_reauth:                         Core TLS API.       (line 6063)
-+* gnutls_record_can_use_length_hiding:   Core TLS API.       (line 6109)
-+* gnutls_record_check_corked:            Core TLS API.       (line 6127)
- * gnutls_record_check_pending:           Data transfer and termination.
-                                                              (line  138)
--* gnutls_record_check_pending <1>:       Core TLS API.       (line 6064)
-+* gnutls_record_check_pending <1>:       Core TLS API.       (line 6141)
- * gnutls_record_cork:                    Buffered data transfer.
-                                                              (line   12)
--* gnutls_record_cork <1>:                Core TLS API.       (line 6077)
--* gnutls_record_disable_padding:         Core TLS API.       (line 6091)
--* gnutls_record_discard_queued:          Core TLS API.       (line 6106)
-+* gnutls_record_cork <1>:                Core TLS API.       (line 6154)
-+* gnutls_record_disable_padding:         Core TLS API.       (line 6168)
-+* gnutls_record_discard_queued:          Core TLS API.       (line 6183)
- * gnutls_record_get_direction:           Asynchronous operation.
-                                                              (line   65)
--* gnutls_record_get_direction <1>:       Core TLS API.       (line 6125)
-+* gnutls_record_get_direction <1>:       Core TLS API.       (line 6202)
- * gnutls_record_get_discarded:           Datagram TLS API.   (line  209)
--* gnutls_record_get_max_early_data_size: Core TLS API.       (line 6148)
--* gnutls_record_get_max_size:            Core TLS API.       (line 6164)
--* gnutls_record_get_state:               Core TLS API.       (line 6176)
--* gnutls_record_overhead_size:           Core TLS API.       (line 6207)
-+* gnutls_record_get_max_early_data_size: Core TLS API.       (line 6225)
-+* gnutls_record_get_max_size:            Core TLS API.       (line 6241)
-+* gnutls_record_get_state:               Core TLS API.       (line 6253)
-+* gnutls_record_overhead_size:           Core TLS API.       (line 6284)
- * gnutls_record_recv:                    Data transfer and termination.
-                                                              (line   53)
--* gnutls_record_recv <1>:                Core TLS API.       (line 6220)
--* gnutls_record_recv_early_data:         Core TLS API.       (line 6252)
--* gnutls_record_recv_packet:             Core TLS API.       (line 6280)
-+* gnutls_record_recv <1>:                Core TLS API.       (line 6297)
-+* gnutls_record_recv_early_data:         Core TLS API.       (line 6329)
-+* gnutls_record_recv_packet:             Core TLS API.       (line 6357)
- * gnutls_record_recv_seq:                Data transfer and termination.
-                                                              (line  108)
--* gnutls_record_recv_seq <1>:            Core TLS API.       (line 6304)
-+* gnutls_record_recv_seq <1>:            Core TLS API.       (line 6381)
- * gnutls_record_send:                    Data transfer and termination.
-                                                              (line   12)
--* gnutls_record_send <1>:                Core TLS API.       (line 6331)
-+* gnutls_record_send <1>:                Core TLS API.       (line 6408)
- * gnutls_record_send2:                   On Record Padding.  (line   23)
--* gnutls_record_send2 <1>:               Core TLS API.       (line 6375)
--* gnutls_record_send_early_data:         Core TLS API.       (line 6408)
--* gnutls_record_send_range:              Core TLS API.       (line 6436)
--* gnutls_record_set_max_early_data_size: Core TLS API.       (line 6465)
--* gnutls_record_set_max_recv_size:       Core TLS API.       (line 6484)
--* gnutls_record_set_max_size:            Core TLS API.       (line 6506)
--* gnutls_record_set_state:               Core TLS API.       (line 6535)
--* gnutls_record_set_timeout:             Core TLS API.       (line 6556)
-+* gnutls_record_send2 <1>:               Core TLS API.       (line 6452)
-+* gnutls_record_send_early_data:         Core TLS API.       (line 6485)
-+* gnutls_record_send_range:              Core TLS API.       (line 6513)
-+* gnutls_record_set_max_early_data_size: Core TLS API.       (line 6542)
-+* gnutls_record_set_max_recv_size:       Core TLS API.       (line 6561)
-+* gnutls_record_set_max_size:            Core TLS API.       (line 6583)
-+* gnutls_record_set_state:               Core TLS API.       (line 6612)
-+* gnutls_record_set_timeout:             Core TLS API.       (line 6633)
- * gnutls_record_uncork:                  Buffered data transfer.
-                                                              (line   23)
--* gnutls_record_uncork <1>:              Core TLS API.       (line 6575)
-+* gnutls_record_uncork <1>:              Core TLS API.       (line 6652)
- * gnutls_register_custom_url:            Application-specific keys.
-                                                              (line   69)
- * gnutls_register_custom_url <1>:        Abstract key API.   (line 2724)
- * gnutls_rehandshake:                    TLS 1.2 re-authentication.
-                                                              (line   70)
--* gnutls_rehandshake <1>:                Core TLS API.       (line 6600)
-+* gnutls_rehandshake <1>:                Core TLS API.       (line 6677)
- * gnutls_rnd:                            Random number generation.
-                                                              (line   21)
- * gnutls_rnd <1>:                        Cryptographic API.  (line 1108)
- * gnutls_rnd_refresh:                    Cryptographic API.  (line 1130)
- * gnutls_safe_renegotiation_status:      TLS 1.2 re-authentication.
-                                                              (line   44)
--* gnutls_safe_renegotiation_status <1>:  Core TLS API.       (line 6640)
--* gnutls_sec_param_get_name:             Core TLS API.       (line 6655)
-+* gnutls_safe_renegotiation_status <1>:  Core TLS API.       (line 6717)
-+* gnutls_sec_param_get_name:             Core TLS API.       (line 6732)
- * gnutls_sec_param_to_pk_bits:           Selecting cryptographic key sizes.
-                                                              (line   75)
--* gnutls_sec_param_to_pk_bits <1>:       Core TLS API.       (line 6669)
--* gnutls_sec_param_to_symmetric_bits:    Core TLS API.       (line 6688)
--* gnutls_server_name_get:                Core TLS API.       (line 6702)
--* gnutls_server_name_set:                Core TLS API.       (line 6741)
--* gnutls_session_channel_binding:        Core TLS API.       (line 6772)
--* gnutls_session_enable_compatibility_mode: Core TLS API.    (line 6793)
--* gnutls_session_etm_status:             Core TLS API.       (line 6813)
--* gnutls_session_ext_master_secret_status: Core TLS API.     (line 6826)
--* gnutls_session_ext_register:           Core TLS API.       (line 6840)
--* gnutls_session_force_valid:            Core TLS API.       (line 6896)
--* gnutls_session_get_data:               Core TLS API.       (line 6907)
--* gnutls_session_get_data2:              Core TLS API.       (line 6927)
--* gnutls_session_get_desc:               Core TLS API.       (line 6975)
--* gnutls_session_get_flags:              Core TLS API.       (line 6992)
--* gnutls_session_get_id:                 Core TLS API.       (line 7011)
-+* gnutls_sec_param_to_pk_bits <1>:       Core TLS API.       (line 6746)
-+* gnutls_sec_param_to_symmetric_bits:    Core TLS API.       (line 6765)
-+* gnutls_server_name_get:                Core TLS API.       (line 6779)
-+* gnutls_server_name_set:                Core TLS API.       (line 6818)
-+* gnutls_session_channel_binding:        Core TLS API.       (line 6849)
-+* gnutls_session_enable_compatibility_mode: Core TLS API.    (line 6870)
-+* gnutls_session_etm_status:             Core TLS API.       (line 6890)
-+* gnutls_session_ext_master_secret_status: Core TLS API.     (line 6903)
-+* gnutls_session_ext_register:           Core TLS API.       (line 6917)
-+* gnutls_session_force_valid:            Core TLS API.       (line 6973)
-+* gnutls_session_get_data:               Core TLS API.       (line 6984)
-+* gnutls_session_get_data2:              Core TLS API.       (line 7004)
-+* gnutls_session_get_desc:               Core TLS API.       (line 7052)
-+* gnutls_session_get_flags:              Core TLS API.       (line 7069)
-+* gnutls_session_get_id:                 Core TLS API.       (line 7088)
- * gnutls_session_get_id2:                Session resumption. (line   49)
--* gnutls_session_get_id2 <1>:            Core TLS API.       (line 7045)
--* gnutls_session_get_keylog_function:    Core TLS API.       (line 7078)
--* gnutls_session_get_master_secret:      Core TLS API.       (line 7092)
--* gnutls_session_get_ptr:                Core TLS API.       (line 7108)
--* gnutls_session_get_random:             Core TLS API.       (line 7120)
--* gnutls_session_get_verify_cert_status: Core TLS API.       (line 7140)
-+* gnutls_session_get_id2 <1>:            Core TLS API.       (line 7122)
-+* gnutls_session_get_keylog_function:    Core TLS API.       (line 7155)
-+* gnutls_session_get_master_secret:      Core TLS API.       (line 7169)
-+* gnutls_session_get_ptr:                Core TLS API.       (line 7185)
-+* gnutls_session_get_random:             Core TLS API.       (line 7197)
-+* gnutls_session_get_verify_cert_status: Core TLS API.       (line 7217)
- * gnutls_session_is_resumed:             Session resumption. (line   40)
--* gnutls_session_is_resumed <1>:         Core TLS API.       (line 7160)
--* gnutls_session_key_update:             Core TLS API.       (line 7172)
-+* gnutls_session_is_resumed <1>:         Core TLS API.       (line 7237)
-+* gnutls_session_key_update:             Core TLS API.       (line 7249)
- * gnutls_session_resumption_requested:   Session resumption. (line  150)
--* gnutls_session_resumption_requested <1>: Core TLS API.     (line 7199)
--* gnutls_session_set_data:               Core TLS API.       (line 7212)
--* gnutls_session_set_id:                 Core TLS API.       (line 7235)
--* gnutls_session_set_keylog_function:    Core TLS API.       (line 7256)
--* gnutls_session_set_premaster:          Core TLS API.       (line 7270)
--* gnutls_session_set_ptr:                Core TLS API.       (line 7305)
-+* gnutls_session_resumption_requested <1>: Core TLS API.     (line 7276)
-+* gnutls_session_set_data:               Core TLS API.       (line 7289)
-+* gnutls_session_set_id:                 Core TLS API.       (line 7312)
-+* gnutls_session_set_keylog_function:    Core TLS API.       (line 7333)
-+* gnutls_session_set_premaster:          Core TLS API.       (line 7347)
-+* gnutls_session_set_ptr:                Core TLS API.       (line 7382)
- * gnutls_session_set_verify_cert:        Certificate credentials.
-                                                              (line  267)
--* gnutls_session_set_verify_cert <1>:    Core TLS API.       (line 7318)
--* gnutls_session_set_verify_cert2:       Core TLS API.       (line 7351)
--* gnutls_session_set_verify_function:    Core TLS API.       (line 7383)
-+* gnutls_session_set_verify_cert <1>:    Core TLS API.       (line 7395)
-+* gnutls_session_set_verify_cert2:       Core TLS API.       (line 7428)
-+* gnutls_session_set_verify_function:    Core TLS API.       (line 7460)
- * gnutls_session_set_verify_output_function: X509 certificate API.
-                                                              (line  152)
--* gnutls_session_supplemental_register:  Core TLS API.       (line 7412)
--* gnutls_session_ticket_enable_client:   Core TLS API.       (line 7448)
-+* gnutls_session_supplemental_register:  Core TLS API.       (line 7489)
-+* gnutls_session_ticket_enable_client:   Core TLS API.       (line 7525)
- * gnutls_session_ticket_enable_server:   Session resumption. (line  117)
--* gnutls_session_ticket_enable_server <1>: Core TLS API.     (line 7464)
-+* gnutls_session_ticket_enable_server <1>: Core TLS API.     (line 7541)
- * gnutls_session_ticket_key_generate:    Session resumption. (line  137)
--* gnutls_session_ticket_key_generate <1>: Core TLS API.      (line 7487)
-+* gnutls_session_ticket_key_generate <1>: Core TLS API.      (line 7564)
- * gnutls_session_ticket_send:            Session resumption. (line  170)
--* gnutls_session_ticket_send <1>:        Core TLS API.       (line 7503)
--* gnutls_set_default_priority:           Core TLS API.       (line 7521)
--* gnutls_set_default_priority_append:    Core TLS API.       (line 7547)
--* gnutls_sign_algorithm_get:             Core TLS API.       (line 7583)
--* gnutls_sign_algorithm_get_client:      Core TLS API.       (line 7597)
--* gnutls_sign_algorithm_get_requested:   Core TLS API.       (line 7612)
--* gnutls_sign_get_hash_algorithm:        Core TLS API.       (line 7639)
--* gnutls_sign_get_id:                    Core TLS API.       (line 7654)
--* gnutls_sign_get_name:                  Core TLS API.       (line 7666)
--* gnutls_sign_get_oid:                   Core TLS API.       (line 7678)
--* gnutls_sign_get_pk_algorithm:          Core TLS API.       (line 7692)
--* gnutls_sign_is_secure:                 Core TLS API.       (line 7710)
--* gnutls_sign_is_secure2:                Core TLS API.       (line 7720)
--* gnutls_sign_list:                      Core TLS API.       (line 7732)
--* gnutls_sign_supports_pk_algorithm:     Core TLS API.       (line 7743)
--* gnutls_srp_allocate_client_credentials: Core TLS API.      (line 7761)
--* gnutls_srp_allocate_server_credentials: Core TLS API.      (line 7773)
--* gnutls_srp_base64_decode:              Core TLS API.       (line 7785)
--* gnutls_srp_base64_decode2:             Core TLS API.       (line 7807)
--* gnutls_srp_base64_encode:              Core TLS API.       (line 7827)
--* gnutls_srp_base64_encode2:             Core TLS API.       (line 7849)
--* gnutls_srp_free_client_credentials:    Core TLS API.       (line 7870)
--* gnutls_srp_free_server_credentials:    Core TLS API.       (line 7879)
--* gnutls_srp_server_get_username:        Core TLS API.       (line 7888)
--* gnutls_srp_set_client_credentials:     Core TLS API.       (line 7901)
-+* gnutls_session_ticket_send <1>:        Core TLS API.       (line 7580)
-+* gnutls_set_default_priority:           Core TLS API.       (line 7598)
-+* gnutls_set_default_priority_append:    Core TLS API.       (line 7624)
-+* gnutls_sign_algorithm_get:             Core TLS API.       (line 7660)
-+* gnutls_sign_algorithm_get_client:      Core TLS API.       (line 7674)
-+* gnutls_sign_algorithm_get_requested:   Core TLS API.       (line 7689)
-+* gnutls_sign_get_hash_algorithm:        Core TLS API.       (line 7716)
-+* gnutls_sign_get_id:                    Core TLS API.       (line 7731)
-+* gnutls_sign_get_name:                  Core TLS API.       (line 7743)
-+* gnutls_sign_get_oid:                   Core TLS API.       (line 7755)
-+* gnutls_sign_get_pk_algorithm:          Core TLS API.       (line 7769)
-+* gnutls_sign_is_secure:                 Core TLS API.       (line 7787)
-+* gnutls_sign_is_secure2:                Core TLS API.       (line 7797)
-+* gnutls_sign_list:                      Core TLS API.       (line 7809)
-+* gnutls_sign_mark_insecure:             Core TLS API.       (line 7820)
-+* gnutls_sign_mark_secure:               Core TLS API.       (line 7838)
-+* gnutls_sign_supports_pk_algorithm:     Core TLS API.       (line 7859)
-+* gnutls_srp_allocate_client_credentials: Core TLS API.      (line 7877)
-+* gnutls_srp_allocate_server_credentials: Core TLS API.      (line 7889)
-+* gnutls_srp_base64_decode:              Core TLS API.       (line 7901)
-+* gnutls_srp_base64_decode2:             Core TLS API.       (line 7923)
-+* gnutls_srp_base64_encode:              Core TLS API.       (line 7943)
-+* gnutls_srp_base64_encode2:             Core TLS API.       (line 7965)
-+* gnutls_srp_free_client_credentials:    Core TLS API.       (line 7986)
-+* gnutls_srp_free_server_credentials:    Core TLS API.       (line 7995)
-+* gnutls_srp_server_get_username:        Core TLS API.       (line 8004)
-+* gnutls_srp_set_client_credentials:     Core TLS API.       (line 8017)
- * gnutls_srp_set_client_credentials_function: SRP credentials.
-                                                              (line   19)
- * gnutls_srp_set_client_credentials_function <1>: Core TLS API.
--                                                             (line 7924)
--* gnutls_srp_set_prime_bits:             Core TLS API.       (line 7957)
-+                                                             (line 8040)
-+* gnutls_srp_set_prime_bits:             Core TLS API.       (line 8073)
- * gnutls_srp_set_server_credentials_file: SRP credentials.   (line   56)
--* gnutls_srp_set_server_credentials_file <1>: Core TLS API.  (line 7978)
-+* gnutls_srp_set_server_credentials_file <1>: Core TLS API.  (line 8094)
- * gnutls_srp_set_server_credentials_function: SRP credentials.
-                                                              (line   72)
- * gnutls_srp_set_server_credentials_function <1>: Core TLS API.
--                                                             (line 7997)
--* gnutls_srp_set_server_fake_salt_seed:  Core TLS API.       (line 8035)
-+                                                             (line 8113)
-+* gnutls_srp_set_server_fake_salt_seed:  Core TLS API.       (line 8151)
- * gnutls_srp_verifier:                   Authentication using SRP.
-                                                              (line   45)
--* gnutls_srp_verifier <1>:               Core TLS API.       (line 8072)
-+* gnutls_srp_verifier <1>:               Core TLS API.       (line 8188)
- * gnutls_srtp_get_keys:                  SRTP.               (line   31)
--* gnutls_srtp_get_keys <1>:              Core TLS API.       (line 8101)
--* gnutls_srtp_get_mki:                   Core TLS API.       (line 8139)
--* gnutls_srtp_get_profile_id:            Core TLS API.       (line 8157)
--* gnutls_srtp_get_profile_name:          Core TLS API.       (line 8173)
--* gnutls_srtp_get_selected_profile:      Core TLS API.       (line 8188)
--* gnutls_srtp_set_mki:                   Core TLS API.       (line 8204)
--* gnutls_srtp_set_profile:               Core TLS API.       (line 8221)
--* gnutls_srtp_set_profile_direct:        Core TLS API.       (line 8238)
-+* gnutls_srtp_get_keys <1>:              Core TLS API.       (line 8217)
-+* gnutls_srtp_get_mki:                   Core TLS API.       (line 8255)
-+* gnutls_srtp_get_profile_id:            Core TLS API.       (line 8273)
-+* gnutls_srtp_get_profile_name:          Core TLS API.       (line 8289)
-+* gnutls_srtp_get_selected_profile:      Core TLS API.       (line 8304)
-+* gnutls_srtp_set_mki:                   Core TLS API.       (line 8320)
-+* gnutls_srtp_set_profile:               Core TLS API.       (line 8337)
-+* gnutls_srtp_set_profile_direct:        Core TLS API.       (line 8354)
- * gnutls_store_commitment:               Certificate verification.
-                                                              (line  115)
--* gnutls_store_commitment <1>:           Core TLS API.       (line 8259)
-+* gnutls_store_commitment <1>:           Core TLS API.       (line 8375)
- * gnutls_store_pubkey:                   Certificate verification.
-                                                              (line   64)
--* gnutls_store_pubkey <1>:               Core TLS API.       (line 8299)
--* gnutls_strerror:                       Core TLS API.       (line 8348)
--* gnutls_strerror_name:                  Core TLS API.       (line 8362)
-+* gnutls_store_pubkey <1>:               Core TLS API.       (line 8415)
-+* gnutls_strerror:                       Core TLS API.       (line 8464)
-+* gnutls_strerror_name:                  Core TLS API.       (line 8478)
- * gnutls_subject_alt_names_deinit:       X509 certificate API.
-                                                              (line  181)
- * gnutls_subject_alt_names_get:          X509 certificate API.
-@@ -8522,22 +8530,22 @@
-                                                              (line  221)
- * gnutls_subject_alt_names_set:          X509 certificate API.
-                                                              (line  235)
--* gnutls_supplemental_get_name:          Core TLS API.       (line 8377)
--* gnutls_supplemental_recv:              Core TLS API.       (line 8390)
--* gnutls_supplemental_register:          Core TLS API.       (line 8405)
--* gnutls_supplemental_send:              Core TLS API.       (line 8436)
-+* gnutls_supplemental_get_name:          Core TLS API.       (line 8493)
-+* gnutls_supplemental_recv:              Core TLS API.       (line 8506)
-+* gnutls_supplemental_register:          Core TLS API.       (line 8521)
-+* gnutls_supplemental_send:              Core TLS API.       (line 8552)
- * gnutls_system_key_add_x509:            Abstract key API.   (line 2750)
- * gnutls_system_key_delete:              Abstract key API.   (line 2776)
- * gnutls_system_key_iter_deinit:         Abstract key API.   (line 2792)
- * gnutls_system_key_iter_get_info:       Application-specific keys.
-                                                              (line   20)
- * gnutls_system_key_iter_get_info <1>:   Abstract key API.   (line 2803)
--* gnutls_system_recv_timeout:            Core TLS API.       (line 8450)
--* gnutls_tdb_deinit:                     Core TLS API.       (line 8473)
--* gnutls_tdb_init:                       Core TLS API.       (line 8482)
--* gnutls_tdb_set_store_commitment_func:  Core TLS API.       (line 8493)
--* gnutls_tdb_set_store_func:             Core TLS API.       (line 8513)
--* gnutls_tdb_set_verify_func:            Core TLS API.       (line 8532)
-+* gnutls_system_recv_timeout:            Core TLS API.       (line 8566)
-+* gnutls_tdb_deinit:                     Core TLS API.       (line 8589)
-+* gnutls_tdb_init:                       Core TLS API.       (line 8598)
-+* gnutls_tdb_set_store_commitment_func:  Core TLS API.       (line 8609)
-+* gnutls_tdb_set_store_func:             Core TLS API.       (line 8629)
-+* gnutls_tdb_set_verify_func:            Core TLS API.       (line 8648)
- * gnutls_tpm_get_registered:             TPM API.            (line   12)
- * gnutls_tpm_key_list_deinit:            TPM API.            (line   27)
- * gnutls_tpm_key_list_get_url:           TPM API.            (line   38)
-@@ -8546,44 +8554,44 @@
- * gnutls_tpm_privkey_delete <2>:         TPM API.            (line   60)
- * gnutls_tpm_privkey_generate:           Key generation.     (line    9)
- * gnutls_tpm_privkey_generate <1>:       TPM API.            (line   76)
--* gnutls_transport_get_int:              Core TLS API.       (line 8554)
--* gnutls_transport_get_int2:             Core TLS API.       (line 8568)
--* gnutls_transport_get_ptr:              Core TLS API.       (line 8585)
--* gnutls_transport_get_ptr2:             Core TLS API.       (line 8598)
-+* gnutls_transport_get_int:              Core TLS API.       (line 8670)
-+* gnutls_transport_get_int2:             Core TLS API.       (line 8684)
-+* gnutls_transport_get_ptr:              Core TLS API.       (line 8701)
-+* gnutls_transport_get_ptr2:             Core TLS API.       (line 8714)
- * gnutls_transport_set_errno:            Setting up the transport layer.
-                                                              (line  116)
--* gnutls_transport_set_errno <1>:        Core TLS API.       (line 8614)
--* gnutls_transport_set_errno_function:   Core TLS API.       (line 8637)
-+* gnutls_transport_set_errno <1>:        Core TLS API.       (line 8730)
-+* gnutls_transport_set_errno_function:   Core TLS API.       (line 8753)
- * gnutls_transport_set_fastopen:         Reducing round-trips.
-                                                              (line   22)
- * gnutls_transport_set_fastopen <1>:     Socket specific API.
-                                                              (line   11)
--* gnutls_transport_set_int:              Core TLS API.       (line 8655)
--* gnutls_transport_set_int2:             Core TLS API.       (line 8673)
--* gnutls_transport_set_ptr:              Core TLS API.       (line 8695)
--* gnutls_transport_set_ptr2:             Core TLS API.       (line 8708)
-+* gnutls_transport_set_int:              Core TLS API.       (line 8771)
-+* gnutls_transport_set_int2:             Core TLS API.       (line 8789)
-+* gnutls_transport_set_ptr:              Core TLS API.       (line 8811)
-+* gnutls_transport_set_ptr2:             Core TLS API.       (line 8824)
- * gnutls_transport_set_pull_function:    Setting up the transport layer.
-                                                              (line   56)
--* gnutls_transport_set_pull_function <1>: Core TLS API.      (line 8725)
-+* gnutls_transport_set_pull_function <1>: Core TLS API.      (line 8841)
- * gnutls_transport_set_pull_timeout_function: Setting up the transport layer.
-                                                              (line   71)
- * gnutls_transport_set_pull_timeout_function <1>: Setting up the transport layer.
-                                                              (line  156)
- * gnutls_transport_set_pull_timeout_function <2>: Core TLS API.
--                                                             (line 8743)
-+                                                             (line 8859)
- * gnutls_transport_set_push_function:    Setting up the transport layer.
-                                                              (line   23)
--* gnutls_transport_set_push_function <1>: Core TLS API.      (line 8783)
-+* gnutls_transport_set_push_function <1>: Core TLS API.      (line 8899)
- * gnutls_transport_set_vec_push_function: Setting up the transport layer.
-                                                              (line   40)
--* gnutls_transport_set_vec_push_function <1>: Core TLS API.  (line 8803)
-+* gnutls_transport_set_vec_push_function <1>: Core TLS API.  (line 8919)
- * gnutls_url_is_supported:               Abstract public keys.
-                                                              (line   57)
--* gnutls_url_is_supported <1>:           Core TLS API.       (line 8822)
--* gnutls_utf8_password_normalize:        Core TLS API.       (line 8836)
-+* gnutls_url_is_supported <1>:           Core TLS API.       (line 8938)
-+* gnutls_utf8_password_normalize:        Core TLS API.       (line 8952)
- * gnutls_verify_stored_pubkey:           Certificate verification.
-                                                              (line   18)
--* gnutls_verify_stored_pubkey <1>:       Core TLS API.       (line 8861)
-+* gnutls_verify_stored_pubkey <1>:       Core TLS API.       (line 8977)
- * gnutls_x509_aia_deinit:                X509 certificate API.
-                                                              (line  262)
- * gnutls_x509_aia_get:                   X509 certificate API.
-diff -ruN gnutls-3.7.2/doc/invoke-p11tool.texi gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi
---- gnutls-3.7.2/doc/invoke-p11tool.texi	2021-05-29 10:19:05.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi	2021-06-28 09:39:25.000000000 +0200
-@@ -403,8 +403,9 @@
- @anchor{p11tool write}
- 
- This is the ``writes the loaded objects to a pkcs #11 token'' option.
--It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
--    one of --load-privkey, --load-pubkey, --load-certificate option.
-+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.
-+
-+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
- @subsubheading id option.
- @anchor{p11tool id}
- 
-diff -ruN gnutls-3.7.2/doc/Makefile.am gnutls-3.7.2-bootstrapped/doc/Makefile.am
---- gnutls-3.7.2/doc/Makefile.am	2021-05-27 08:08:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/Makefile.am	2021-06-28 09:09:14.000000000 +0200
-@@ -974,6 +974,10 @@
- FUNCS += functions/gnutls_digest_get_oid.short
- FUNCS += functions/gnutls_digest_list
- FUNCS += functions/gnutls_digest_list.short
-+FUNCS += functions/gnutls_digest_mark_insecure
-+FUNCS += functions/gnutls_digest_mark_insecure.short
-+FUNCS += functions/gnutls_digest_mark_secure
-+FUNCS += functions/gnutls_digest_mark_secure.short
- FUNCS += functions/gnutls_dtls_cookie_send
- FUNCS += functions/gnutls_dtls_cookie_send.short
- FUNCS += functions/gnutls_dtls_cookie_verify
-@@ -1010,6 +1014,10 @@
- FUNCS += functions/gnutls_ecc_curve_get_size.short
- FUNCS += functions/gnutls_ecc_curve_list
- FUNCS += functions/gnutls_ecc_curve_list.short
-+FUNCS += functions/gnutls_ecc_curve_mark_disabled
-+FUNCS += functions/gnutls_ecc_curve_mark_disabled.short
-+FUNCS += functions/gnutls_ecc_curve_mark_enabled
-+FUNCS += functions/gnutls_ecc_curve_mark_enabled.short
- FUNCS += functions/gnutls_encode_ber_digest_info
- FUNCS += functions/gnutls_encode_ber_digest_info.short
- FUNCS += functions/gnutls_encode_gost_rs_value
-@@ -1730,6 +1738,10 @@
- FUNCS += functions/gnutls_protocol_get_version.short
- FUNCS += functions/gnutls_protocol_list
- FUNCS += functions/gnutls_protocol_list.short
-+FUNCS += functions/gnutls_protocol_mark_disabled
-+FUNCS += functions/gnutls_protocol_mark_disabled.short
-+FUNCS += functions/gnutls_protocol_mark_enabled
-+FUNCS += functions/gnutls_protocol_mark_enabled.short
- FUNCS += functions/gnutls_psk_allocate_client_credentials
- FUNCS += functions/gnutls_psk_allocate_client_credentials.short
- FUNCS += functions/gnutls_psk_allocate_server_credentials
-@@ -2024,6 +2036,10 @@
- FUNCS += functions/gnutls_sign_is_secure2.short
- FUNCS += functions/gnutls_sign_list
- FUNCS += functions/gnutls_sign_list.short
-+FUNCS += functions/gnutls_sign_mark_insecure
-+FUNCS += functions/gnutls_sign_mark_insecure.short
-+FUNCS += functions/gnutls_sign_mark_secure
-+FUNCS += functions/gnutls_sign_mark_secure.short
- FUNCS += functions/gnutls_sign_supports_pk_algorithm
- FUNCS += functions/gnutls_sign_supports_pk_algorithm.short
- FUNCS += functions/gnutls_srp_allocate_client_credentials
-diff -ruN gnutls-3.7.2/doc/Makefile.in gnutls-3.7.2-bootstrapped/doc/Makefile.in
---- gnutls-3.7.2/doc/Makefile.in	2021-05-29 10:11:20.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/Makefile.in	2021-06-28 09:11:37.000000000 +0200
-@@ -2697,6 +2697,10 @@
- 	functions/gnutls_digest_get_oid.short \
- 	functions/gnutls_digest_list \
- 	functions/gnutls_digest_list.short \
-+	functions/gnutls_digest_mark_insecure \
-+	functions/gnutls_digest_mark_insecure.short \
-+	functions/gnutls_digest_mark_secure \
-+	functions/gnutls_digest_mark_secure.short \
- 	functions/gnutls_dtls_cookie_send \
- 	functions/gnutls_dtls_cookie_send.short \
- 	functions/gnutls_dtls_cookie_verify \
-@@ -2733,6 +2737,10 @@
- 	functions/gnutls_ecc_curve_get_size.short \
- 	functions/gnutls_ecc_curve_list \
- 	functions/gnutls_ecc_curve_list.short \
-+	functions/gnutls_ecc_curve_mark_disabled \
-+	functions/gnutls_ecc_curve_mark_disabled.short \
-+	functions/gnutls_ecc_curve_mark_enabled \
-+	functions/gnutls_ecc_curve_mark_enabled.short \
- 	functions/gnutls_encode_ber_digest_info \
- 	functions/gnutls_encode_ber_digest_info.short \
- 	functions/gnutls_encode_gost_rs_value \
-@@ -3403,6 +3411,10 @@
- 	functions/gnutls_protocol_get_version.short \
- 	functions/gnutls_protocol_list \
- 	functions/gnutls_protocol_list.short \
-+	functions/gnutls_protocol_mark_disabled \
-+	functions/gnutls_protocol_mark_disabled.short \
-+	functions/gnutls_protocol_mark_enabled \
-+	functions/gnutls_protocol_mark_enabled.short \
- 	functions/gnutls_psk_allocate_client_credentials \
- 	functions/gnutls_psk_allocate_client_credentials.short \
- 	functions/gnutls_psk_allocate_server_credentials \
-@@ -3692,6 +3704,10 @@
- 	functions/gnutls_sign_is_secure2 \
- 	functions/gnutls_sign_is_secure2.short \
- 	functions/gnutls_sign_list functions/gnutls_sign_list.short \
-+	functions/gnutls_sign_mark_insecure \
-+	functions/gnutls_sign_mark_insecure.short \
-+	functions/gnutls_sign_mark_secure \
-+	functions/gnutls_sign_mark_secure.short \
- 	functions/gnutls_sign_supports_pk_algorithm \
- 	functions/gnutls_sign_supports_pk_algorithm.short \
- 	functions/gnutls_srp_allocate_client_credentials \
-diff -ruN gnutls-3.7.2/doc/manpages/certtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1
---- gnutls-3.7.2/doc/manpages/certtool.1	2021-05-29 10:15:21.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1	2021-06-28 09:35:22.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH certtool 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH certtool 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-diff -ruN gnutls-3.7.2/doc/manpages/danetool.1 gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1
---- gnutls-3.7.2/doc/manpages/danetool.1	2021-05-29 10:15:24.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1	2021-06-28 09:35:24.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH danetool 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH danetool 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1
---- gnutls-3.7.2/doc/manpages/gnutls-cli.1	2021-05-29 10:15:21.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1	2021-06-28 09:35:22.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH gnutls-cli 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH gnutls-cli 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1
---- gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1	2021-05-29 10:15:21.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1	2021-06-28 09:35:22.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH gnutls-cli-debug 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH gnutls-cli-debug 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3
---- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3	2021-06-28 09:35:39.000000000 +0200
-@@ -0,0 +1,36 @@
-+.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
-+.TH "gnutls_digest_mark_insecure" 3 "3.7.2" "gnutls" "gnutls"
-+.SH NAME
-+gnutls_digest_mark_insecure \- API function
-+.SH SYNOPSIS
-+.B #include <gnutls/gnutls.h>
-+.sp
-+.BI "int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t " dig ");"
-+.SH ARGUMENTS
-+.IP "gnutls_digest_algorithm_t dig" 12
-+is a digest algorithm
-+.SH "DESCRIPTION"
-+Mark  \fIdig\fP as insecure system wide. This only works if the allowlisting mode
-+is used in the configuration file.
-+.SH "SINCE"
-+3.7.3
-+.SH "REPORTING BUGS"
-+Report bugs to <bugs@gnutls.org>.
-+.br
-+Home page: https://www.gnutls.org
-+
-+.SH COPYRIGHT
-+Copyright \(co 2001- Free Software Foundation, Inc., and others.
-+.br
-+Copying and distribution of this file, with or without modification,
-+are permitted in any medium without royalty provided the copyright
-+notice and this notice are preserved.
-+.SH "SEE ALSO"
-+The full documentation for
-+.B gnutls
-+is maintained as a Texinfo manual.
-+If the /usr/share/doc/gnutls/
-+directory does not contain the HTML form visit
-+.B
-+.IP https://www.gnutls.org/manual/
-+.PP
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3
---- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3	2021-06-28 09:35:39.000000000 +0200
-@@ -0,0 +1,36 @@
-+.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
-+.TH "gnutls_digest_mark_secure" 3 "3.7.2" "gnutls" "gnutls"
-+.SH NAME
-+gnutls_digest_mark_secure \- API function
-+.SH SYNOPSIS
-+.B #include <gnutls/gnutls.h>
-+.sp
-+.BI "int gnutls_digest_mark_secure(gnutls_digest_algorithm_t " dig ");"
-+.SH ARGUMENTS
-+.IP "gnutls_digest_algorithm_t dig" 12
-+is a digest algorithm
-+.SH "DESCRIPTION"
-+Invalidate previous system wide setting that marked  \fIdig\fP as insecure. This
-+only works if the allowlisting mode is used in the configuration file.
-+.SH "SINCE"
-+3.7.3
-+.SH "REPORTING BUGS"
-+Report bugs to <bugs@gnutls.org>.
-+.br
-+Home page: https://www.gnutls.org
-+
-+.SH COPYRIGHT
-+Copyright \(co 2001- Free Software Foundation, Inc., and others.
-+.br
-+Copying and distribution of this file, with or without modification,
-+are permitted in any medium without royalty provided the copyright
-+notice and this notice are preserved.
-+.SH "SEE ALSO"
-+The full documentation for
-+.B gnutls
-+is maintained as a Texinfo manual.
-+If the /usr/share/doc/gnutls/
-+directory does not contain the HTML form visit
-+.B
-+.IP https://www.gnutls.org/manual/
-+.PP
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3
---- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3	2021-06-28 09:35:38.000000000 +0200
-@@ -0,0 +1,39 @@
-+.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
-+.TH "gnutls_ecc_curve_mark_disabled" 3 "3.7.2" "gnutls" "gnutls"
-+.SH NAME
-+gnutls_ecc_curve_mark_disabled \- API function
-+.SH SYNOPSIS
-+.B #include <gnutls/gnutls.h>
-+.sp
-+.BI "int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t " curve ");"
-+.SH ARGUMENTS
-+.IP "gnutls_ecc_curve_t curve" 12
-+is an ECC curve
-+.SH "DESCRIPTION"
-+Mark  \fIcurve\fP as disabled system wide. This setting can be reverted with
-+\fBgnutls_ecc_curve_mark_enabled()\fP. This only works if the configuration file
-+uses the allowlisting mode.
-+.SH "RETURNS"
-+0 on success or negative error code otherwise.
-+.SH "SINCE"
-+3.7.3
-+.SH "REPORTING BUGS"
-+Report bugs to <bugs@gnutls.org>.
-+.br
-+Home page: https://www.gnutls.org
-+
-+.SH COPYRIGHT
-+Copyright \(co 2001- Free Software Foundation, Inc., and others.
-+.br
-+Copying and distribution of this file, with or without modification,
-+are permitted in any medium without royalty provided the copyright
-+notice and this notice are preserved.
-+.SH "SEE ALSO"
-+The full documentation for
-+.B gnutls
-+is maintained as a Texinfo manual.
-+If the /usr/share/doc/gnutls/
-+directory does not contain the HTML form visit
-+.B
-+.IP https://www.gnutls.org/manual/
-+.PP
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3
---- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3	2021-06-28 09:35:39.000000000 +0200
-@@ -0,0 +1,39 @@
-+.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
-+.TH "gnutls_ecc_curve_mark_enabled" 3 "3.7.2" "gnutls" "gnutls"
-+.SH NAME
-+gnutls_ecc_curve_mark_enabled \- API function
-+.SH SYNOPSIS
-+.B #include <gnutls/gnutls.h>
-+.sp
-+.BI "int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t " curve ");"
-+.SH ARGUMENTS
-+.IP "gnutls_ecc_curve_t curve" 12
-+is an ECC curve
-+.SH "DESCRIPTION"
-+Invalidate previous system wide setting that marked  \fIcurve\fP as disabled. This
-+only works if the curve is disabled with \fBgnutls_ecc_curve_mark_disabled()\fP or
-+through the allowlisting mode in the configuration file.
-+.SH "RETURNS"
-+0 on success or negative error code otherwise.
-+.SH "SINCE"
-+3.7.3
-+.SH "REPORTING BUGS"
-+Report bugs to <bugs@gnutls.org>.
-+.br
-+Home page: https://www.gnutls.org
-+
-+.SH COPYRIGHT
-+Copyright \(co 2001- Free Software Foundation, Inc., and others.
-+.br
-+Copying and distribution of this file, with or without modification,
-+are permitted in any medium without royalty provided the copyright
-+notice and this notice are preserved.
-+.SH "SEE ALSO"
-+The full documentation for
-+.B gnutls
-+is maintained as a Texinfo manual.
-+If the /usr/share/doc/gnutls/
-+directory does not contain the HTML form visit
-+.B
-+.IP https://www.gnutls.org/manual/
-+.PP
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3
---- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3	2021-06-28 09:35:39.000000000 +0200
-@@ -0,0 +1,34 @@
-+.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
-+.TH "gnutls_protocol_mark_disabled" 3 "3.7.2" "gnutls" "gnutls"
-+.SH NAME
-+gnutls_protocol_mark_disabled \- API function
-+.SH SYNOPSIS
-+.B #include <gnutls/gnutls.h>
-+.sp
-+.BI "int gnutls_protocol_mark_disabled(gnutls_protocol_t " version ");"
-+.SH ARGUMENTS
-+.IP "gnutls_protocol_t version" 12
-+is a (gnutls) version number
-+.SH "DESCRIPTION"
-+Mark  \fIversion\fP as disabled system wide. This only works if the allowlisting
-+mode is used in the configuration file.
-+.SH "REPORTING BUGS"
-+Report bugs to <bugs@gnutls.org>.
-+.br
-+Home page: https://www.gnutls.org
-+
-+.SH COPYRIGHT
-+Copyright \(co 2001- Free Software Foundation, Inc., and others.
-+.br
-+Copying and distribution of this file, with or without modification,
-+are permitted in any medium without royalty provided the copyright
-+notice and this notice are preserved.
-+.SH "SEE ALSO"
-+The full documentation for
-+.B gnutls
-+is maintained as a Texinfo manual.
-+If the /usr/share/doc/gnutls/
-+directory does not contain the HTML form visit
-+.B
-+.IP https://www.gnutls.org/manual/
-+.PP
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3
---- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3	2021-06-28 09:35:40.000000000 +0200
-@@ -0,0 +1,35 @@
-+.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
-+.TH "gnutls_protocol_mark_enabled" 3 "3.7.2" "gnutls" "gnutls"
-+.SH NAME
-+gnutls_protocol_mark_enabled \- API function
-+.SH SYNOPSIS
-+.B #include <gnutls/gnutls.h>
-+.sp
-+.BI "int gnutls_protocol_mark_enabled(gnutls_protocol_t " version ");"
-+.SH ARGUMENTS
-+.IP "gnutls_protocol_t version" 12
-+is a (gnutls) version number
-+.SH "DESCRIPTION"
-+Invalidate previous system wide setting that marked  \fIversion\fP as
-+disabled. This only works if the allowlisting mode is used in the
-+configuration file.
-+.SH "REPORTING BUGS"
-+Report bugs to <bugs@gnutls.org>.
-+.br
-+Home page: https://www.gnutls.org
-+
-+.SH COPYRIGHT
-+Copyright \(co 2001- Free Software Foundation, Inc., and others.
-+.br
-+Copying and distribution of this file, with or without modification,
-+are permitted in any medium without royalty provided the copyright
-+notice and this notice are preserved.
-+.SH "SEE ALSO"
-+The full documentation for
-+.B gnutls
-+is maintained as a Texinfo manual.
-+If the /usr/share/doc/gnutls/
-+directory does not contain the HTML form visit
-+.B
-+.IP https://www.gnutls.org/manual/
-+.PP
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls-serv.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1
---- gnutls-3.7.2/doc/manpages/gnutls-serv.1	2021-05-29 10:15:21.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1	2021-06-28 09:35:22.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH gnutls-serv 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH gnutls-serv 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3
---- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3	2021-06-28 09:35:39.000000000 +0200
-@@ -0,0 +1,42 @@
-+.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
-+.TH "gnutls_sign_mark_insecure" 3 "3.7.2" "gnutls" "gnutls"
-+.SH NAME
-+gnutls_sign_mark_insecure \- API function
-+.SH SYNOPSIS
-+.B #include <gnutls/gnutls.h>
-+.sp
-+.BI "int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");"
-+.SH ARGUMENTS
-+.IP "gnutls_sign_algorithm_t sign" 12
-+the sign algorithm
-+.IP "unsigned flags" 12
-+\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0
-+.SH "DESCRIPTION"
-+Mark  \fIsign\fP as insecure system wide. This only works if the
-+allowlisting mode is used in the configuration file.
-+
-+If  \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set,
-+and the algorithm was previously considered secure for all purposes,
-+it only marks the algorithm as insecure for the use with certificates.
-+.SH "SINCE"
-+3.7.3
-+.SH "REPORTING BUGS"
-+Report bugs to <bugs@gnutls.org>.
-+.br
-+Home page: https://www.gnutls.org
-+
-+.SH COPYRIGHT
-+Copyright \(co 2001- Free Software Foundation, Inc., and others.
-+.br
-+Copying and distribution of this file, with or without modification,
-+are permitted in any medium without royalty provided the copyright
-+notice and this notice are preserved.
-+.SH "SEE ALSO"
-+The full documentation for
-+.B gnutls
-+is maintained as a Texinfo manual.
-+If the /usr/share/doc/gnutls/
-+directory does not contain the HTML form visit
-+.B
-+.IP https://www.gnutls.org/manual/
-+.PP
-diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3
---- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3	2021-06-28 09:35:39.000000000 +0200
-@@ -0,0 +1,46 @@
-+.\" DO NOT MODIFY THIS FILE!  It was generated by gdoc.
-+.TH "gnutls_sign_mark_secure" 3 "3.7.2" "gnutls" "gnutls"
-+.SH NAME
-+gnutls_sign_mark_secure \- API function
-+.SH SYNOPSIS
-+.B #include <gnutls/gnutls.h>
-+.sp
-+.BI "int gnutls_sign_mark_secure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");"
-+.SH ARGUMENTS
-+.IP "gnutls_sign_algorithm_t sign" 12
-+the sign algorithm
-+.IP "unsigned flags" 12
-+\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0
-+.SH "DESCRIPTION"
-+Invalidate previous system wide setting that marked  \fIsign\fP as
-+insecure. This only works if the algorithm is marked as insecure
-+with \fBgnutls_sign_mark_insecure()\fP or through the allowlisting mode
-+in the configuration file.
-+
-+If  \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set,
-+it marks it the algorithm as secure for all purposes.
-+If the absence of this flag, it will mark it as
-+"secure, but not for certificates" at most,
-+but it won't restrict anything either.
-+.SH "SINCE"
-+3.7.3
-+.SH "REPORTING BUGS"
-+Report bugs to <bugs@gnutls.org>.
-+.br
-+Home page: https://www.gnutls.org
-+
-+.SH COPYRIGHT
-+Copyright \(co 2001- Free Software Foundation, Inc., and others.
-+.br
-+Copying and distribution of this file, with or without modification,
-+are permitted in any medium without royalty provided the copyright
-+notice and this notice are preserved.
-+.SH "SEE ALSO"
-+The full documentation for
-+.B gnutls
-+is maintained as a Texinfo manual.
-+If the /usr/share/doc/gnutls/
-+directory does not contain the HTML form visit
-+.B
-+.IP https://www.gnutls.org/manual/
-+.PP
-diff -ruN gnutls-3.7.2/doc/manpages/Makefile.am gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am
---- gnutls-3.7.2/doc/manpages/Makefile.am	2021-05-27 08:08:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am	2021-06-28 09:09:14.000000000 +0200
-@@ -289,6 +289,8 @@
- APIMANS += gnutls_digest_get_name.3
- APIMANS += gnutls_digest_get_oid.3
- APIMANS += gnutls_digest_list.3
-+APIMANS += gnutls_digest_mark_insecure.3
-+APIMANS += gnutls_digest_mark_secure.3
- APIMANS += gnutls_dtls_cookie_send.3
- APIMANS += gnutls_dtls_cookie_verify.3
- APIMANS += gnutls_dtls_get_data_mtu.3
-@@ -307,6 +309,8 @@
- APIMANS += gnutls_ecc_curve_get_pk.3
- APIMANS += gnutls_ecc_curve_get_size.3
- APIMANS += gnutls_ecc_curve_list.3
-+APIMANS += gnutls_ecc_curve_mark_disabled.3
-+APIMANS += gnutls_ecc_curve_mark_enabled.3
- APIMANS += gnutls_encode_ber_digest_info.3
- APIMANS += gnutls_encode_gost_rs_value.3
- APIMANS += gnutls_encode_rs_value.3
-@@ -667,6 +671,8 @@
- APIMANS += gnutls_protocol_get_name.3
- APIMANS += gnutls_protocol_get_version.3
- APIMANS += gnutls_protocol_list.3
-+APIMANS += gnutls_protocol_mark_disabled.3
-+APIMANS += gnutls_protocol_mark_enabled.3
- APIMANS += gnutls_psk_allocate_client_credentials.3
- APIMANS += gnutls_psk_allocate_server_credentials.3
- APIMANS += gnutls_psk_client_get_hint.3
-@@ -814,6 +820,8 @@
- APIMANS += gnutls_sign_is_secure.3
- APIMANS += gnutls_sign_is_secure2.3
- APIMANS += gnutls_sign_list.3
-+APIMANS += gnutls_sign_mark_insecure.3
-+APIMANS += gnutls_sign_mark_secure.3
- APIMANS += gnutls_sign_supports_pk_algorithm.3
- APIMANS += gnutls_srp_allocate_client_credentials.3
- APIMANS += gnutls_srp_allocate_server_credentials.3
-diff -ruN gnutls-3.7.2/doc/manpages/Makefile.in gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in
---- gnutls-3.7.2/doc/manpages/Makefile.in	2021-05-29 10:11:21.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in	2021-06-28 09:11:38.000000000 +0200
-@@ -2185,6 +2185,7 @@
- 	gnutls_dh_params_init.3 gnutls_dh_set_prime_bits.3 \
- 	gnutls_digest_get_id.3 gnutls_digest_get_name.3 \
- 	gnutls_digest_get_oid.3 gnutls_digest_list.3 \
-+	gnutls_digest_mark_insecure.3 gnutls_digest_mark_secure.3 \
- 	gnutls_dtls_cookie_send.3 gnutls_dtls_cookie_verify.3 \
- 	gnutls_dtls_get_data_mtu.3 gnutls_dtls_get_mtu.3 \
- 	gnutls_dtls_get_timeout.3 gnutls_dtls_prestate_set.3 \
-@@ -2194,6 +2195,8 @@
- 	gnutls_ecc_curve_get_id.3 gnutls_ecc_curve_get_name.3 \
- 	gnutls_ecc_curve_get_oid.3 gnutls_ecc_curve_get_pk.3 \
- 	gnutls_ecc_curve_get_size.3 gnutls_ecc_curve_list.3 \
-+	gnutls_ecc_curve_mark_disabled.3 \
-+	gnutls_ecc_curve_mark_enabled.3 \
- 	gnutls_encode_ber_digest_info.3 gnutls_encode_gost_rs_value.3 \
- 	gnutls_encode_rs_value.3 gnutls_error_is_fatal.3 \
- 	gnutls_error_to_alert.3 gnutls_est_record_overhead_size.3 \
-@@ -2399,7 +2402,8 @@
- 	gnutls_privkey_status.3 gnutls_privkey_verify_params.3 \
- 	gnutls_privkey_verify_seed.3 gnutls_protocol_get_id.3 \
- 	gnutls_protocol_get_name.3 gnutls_protocol_get_version.3 \
--	gnutls_protocol_list.3 \
-+	gnutls_protocol_list.3 gnutls_protocol_mark_disabled.3 \
-+	gnutls_protocol_mark_enabled.3 \
- 	gnutls_psk_allocate_client_credentials.3 \
- 	gnutls_psk_allocate_server_credentials.3 \
- 	gnutls_psk_client_get_hint.3 \
-@@ -2498,6 +2502,7 @@
- 	gnutls_sign_get_name.3 gnutls_sign_get_oid.3 \
- 	gnutls_sign_get_pk_algorithm.3 gnutls_sign_is_secure.3 \
- 	gnutls_sign_is_secure2.3 gnutls_sign_list.3 \
-+	gnutls_sign_mark_insecure.3 gnutls_sign_mark_secure.3 \
- 	gnutls_sign_supports_pk_algorithm.3 \
- 	gnutls_srp_allocate_client_credentials.3 \
- 	gnutls_srp_allocate_server_credentials.3 \
-diff -ruN gnutls-3.7.2/doc/manpages/ocsptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1
---- gnutls-3.7.2/doc/manpages/ocsptool.1	2021-05-29 10:15:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1	2021-06-28 09:35:23.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH ocsptool 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH ocsptool 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-diff -ruN gnutls-3.7.2/doc/manpages/p11tool.1 gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1
---- gnutls-3.7.2/doc/manpages/p11tool.1	2021-05-29 10:15:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1	2021-06-28 09:35:23.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH p11tool 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH p11tool 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-@@ -230,8 +230,9 @@
- .NOP \f\*[B-Font]\-\-write\f[]
- Writes the loaded objects to a PKCS #11 token.
- .sp
--It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
--    one of \--load-privkey, \--load-pubkey, \--load-certificate option.
-+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of \--load-privkey, \--load-pubkey, \--load-certificate option.
-+.sp
-+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
- .TP
- .NOP \f\*[B-Font]\-\-delete\f[]
- Deletes the objects matching the given PKCS #11 URL.
-diff -ruN gnutls-3.7.2/doc/manpages/psktool.1 gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1
---- gnutls-3.7.2/doc/manpages/psktool.1	2021-05-29 10:15:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1	2021-06-28 09:35:23.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH psktool 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH psktool 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-diff -ruN gnutls-3.7.2/doc/manpages/srptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1
---- gnutls-3.7.2/doc/manpages/srptool.1	2021-05-29 10:15:24.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1	2021-06-28 09:35:24.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH srptool 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH srptool 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-diff -ruN gnutls-3.7.2/doc/manpages/tpmtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1
---- gnutls-3.7.2/doc/manpages/tpmtool.1	2021-05-29 10:15:23.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1	2021-06-28 09:35:23.000000000 +0200
-@@ -10,7 +10,7 @@
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
--.TH tpmtool 1 "29 May 2021" "3.7.2" "User Commands"
-+.TH tpmtool 1 "28 Jun 2021" "3.7.2" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
-diff -ruN gnutls-3.7.2/doc/reference/gnutls-sections.txt gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt
---- gnutls-3.7.2/doc/reference/gnutls-sections.txt	2021-05-29 10:23:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt	2021-06-28 09:56:37.000000000 +0200
-@@ -267,6 +267,8 @@
- encipher_type
- GNUTLS_SIGN_FLAG_TLS13_OK
- GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE
-+GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE
-+GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE
- gnutls_sign_entry_st
- gnutls_ecc_curve_entry_st
- MAX_ECC_CURVE_SIZE
-@@ -1486,6 +1488,14 @@
- gnutls_sign_algorithm_get_requested
- gnutls_cipher_get_name
- gnutls_oid_to_digest
-+gnutls_ecc_curve_mark_disabled
-+gnutls_ecc_curve_mark_enabled
-+gnutls_sign_mark_insecure
-+gnutls_sign_mark_secure
-+gnutls_digest_mark_insecure
-+gnutls_digest_mark_secure
-+gnutls_protocol_mark_disabled
-+gnutls_protocol_mark_enabled
- gnutls_error_is_fatal
- gnutls_perror
- gnutls_strerror
-@@ -2268,6 +2278,8 @@
- gnutls_group_entry_st
- GNUTLS_MAC_FLAG_PREIMAGE_INSECURE
- GNUTLS_MAC_FLAG_CONTINUOUS_MAC
-+GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE
-+GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE
- mac_entry_st
- version_entry_st
- sign_algorithm_st
-diff -ruN gnutls-3.7.2/lib/algorithms/ecc.c gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c
---- gnutls-3.7.2/lib/algorithms/ecc.c	2021-05-10 16:34:47.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c	2021-06-28 09:09:14.000000000 +0200
-@@ -351,13 +351,83 @@
- 	return ret;
- }
- 
--int _gnutls_ecc_curve_mark_disabled(const char *name)
-+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
-+int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve)
- {
- 	gnutls_ecc_curve_entry_st *p;
- 
- 	for(p = ecc_curves; p->name != NULL; p++) {
--		if (c_strcasecmp(p->name, name) == 0) {
--			p->supported = 0;
-+		if (p->id == curve) {
-+			p->supported = false;
-+			return 0;
-+		}
-+	}
-+
-+	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+}
-+
-+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
-+void _gnutls_ecc_curve_mark_disabled_all(void)
-+{
-+	gnutls_ecc_curve_entry_st *p;
-+
-+	for(p = ecc_curves; p->name != NULL; p++) {
-+		p->supported = false;
-+		p->supported_revertible = true;
-+	}
-+}
-+
-+/**
-+ * gnutls_ecc_curve_mark_enabled:
-+ * @curve: is an ECC curve
-+ *
-+ * Mark @curve as disabled system wide. This setting can be reverted with
-+ * gnutls_ecc_curve_mark_enabled(). This only works if the configuration file
-+ * uses the allowlisting mode.
-+ *
-+ * Returns: 0 on success or negative error code otherwise.
-+ *
-+ * Since: 3.7.3
-+ */
-+int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve)
-+{
-+	gnutls_ecc_curve_entry_st *p;
-+
-+	for(p = ecc_curves; p->name != NULL; p++) {
-+		if (p->id == curve) {
-+			if (!p->supported_revertible) {
-+				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+			}
-+			p->supported = false;
-+			return 0;
-+		}
-+	}
-+
-+	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+}
-+
-+/**
-+ * gnutls_ecc_curve_mark_enabled:
-+ * @curve: is an ECC curve
-+ *
-+ * Invalidate previous system wide setting that marked @curve as disabled. This
-+ * only works if the curve is disabled with gnutls_ecc_curve_mark_disabled() or
-+ * through the allowlisting mode in the configuration file.
-+ *
-+ * Returns: 0 on success or negative error code otherwise.
-+ *
-+ * Since: 3.7.3
-+ */
-+int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve)
-+{
-+	gnutls_ecc_curve_entry_st *p;
-+
-+	for(p = ecc_curves; p->name != NULL; p++) {
-+		if (p->id == curve) {
-+			if (!p->supported_revertible) {
-+				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+			}
-+			p->supported = true;
- 			return 0;
- 		}
- 	}
-diff -ruN gnutls-3.7.2/lib/algorithms/groups.c gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c
---- gnutls-3.7.2/lib/algorithms/groups.c	2021-04-19 09:28:28.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c	2021-06-28 09:09:14.000000000 +0200
-@@ -276,6 +276,24 @@
- 	return ret;
- }
- 
-+
-+/* Similar to gnutls_group_get_id, except that it does not check if
-+ * the curve is supported.
-+ */
-+gnutls_group_t _gnutls_group_get_id(const char *name)
-+{
-+	gnutls_group_t ret = GNUTLS_GROUP_INVALID;
-+
-+	GNUTLS_GROUP_LOOP(
-+		if (c_strcasecmp(p->name, name) == 0) {
-+			ret = p->id;
-+			break;
-+		}
-+	);
-+
-+	return ret;
-+}
-+
- /**
-  * gnutls_group_get_name:
-  * @group: is an element from %gnutls_group_t
-diff -ruN gnutls-3.7.2/lib/algorithms/mac.c gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c
---- gnutls-3.7.2/lib/algorithms/mac.c	2021-05-27 08:08:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c	2021-06-28 09:09:14.000000000 +0200
-@@ -291,13 +291,56 @@
- 	return ret;
- }
- 
--int _gnutls_digest_mark_insecure(const char *name)
-+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
-+int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig)
- {
- #ifndef DISABLE_SYSTEM_CONFIG
- 	mac_entry_st *p;
- 
- 	for(p = hash_algorithms; p->name != NULL; p++) {
--		if (p->oid != NULL && c_strcasecmp(p->name, name) == 0) {
-+		if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
-+			p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
-+			return 0;
-+		}
-+	}
-+
-+#endif
-+	return GNUTLS_E_INVALID_REQUEST;
-+}
-+
-+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
-+void _gnutls_digest_mark_insecure_all(void)
-+{
-+#ifndef DISABLE_SYSTEM_CONFIG
-+	mac_entry_st *p;
-+
-+	for(p = hash_algorithms; p->name != NULL; p++) {
-+		p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE |
-+			GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
-+	}
-+
-+#endif
-+}
-+
-+/**
-+ * gnutls_digest_mark_insecure:
-+ * @dig: is a digest algorithm
-+ *
-+ * Mark @dig as insecure system wide. This only works if the allowlisting mode
-+ * is used in the configuration file.
-+ *
-+ * Since: 3.7.3
-+ */
-+int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig)
-+{
-+#ifndef DISABLE_SYSTEM_CONFIG
-+	mac_entry_st *p;
-+
-+	for(p = hash_algorithms; p->name != NULL; p++) {
-+		if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
-+			if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
-+				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+			}
- 			p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
- 			return 0;
- 		}
-@@ -307,6 +350,34 @@
- 	return GNUTLS_E_INVALID_REQUEST;
- }
- 
-+/**
-+ * gnutls_digest_mark_secure:
-+ * @dig: is a digest algorithm
-+ *
-+ * Invalidate previous system wide setting that marked @dig as insecure. This
-+ * only works if the allowlisting mode is used in the configuration file.
-+ *
-+ * Since: 3.7.3
-+ */
-+int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig)
-+{
-+#ifndef DISABLE_SYSTEM_CONFIG
-+	mac_entry_st *p;
-+
-+	for(p = hash_algorithms; p->name != NULL; p++) {
-+		if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
-+			if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
-+				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+			}
-+			p->flags &= ~GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
-+			return 0;
-+		}
-+	}
-+
-+#endif
-+	return GNUTLS_E_INVALID_REQUEST;
-+}
-+
- unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig)
- {
- 	const mac_entry_st *p;
-@@ -320,6 +391,21 @@
- 	return 1;
- }
- 
-+bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig,	unsigned flags)
-+{
-+	const mac_entry_st *p;
-+
-+	for(p = hash_algorithms; p->name != NULL; p++) {
-+		if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
-+			return (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE &&
-+				!(flags & GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE &&
-+				  p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE));
-+		}
-+	}
-+
-+	return true;
-+}
-+
- /**
-  * gnutls_mac_get_id:
-  * @name: is a MAC algorithm name
-diff -ruN gnutls-3.7.2/lib/algorithms/protocols.c gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c
---- gnutls-3.7.2/lib/algorithms/protocols.c	2021-05-10 16:34:47.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c	2021-06-28 09:09:14.000000000 +0200
-@@ -198,14 +198,82 @@
- 	return 0;
- }
- 
--int _gnutls_version_mark_disabled(const char *name)
-+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
-+int _gnutls_version_mark_disabled(gnutls_protocol_t version)
- {
- #ifndef DISABLE_SYSTEM_CONFIG
- 	version_entry_st *p;
- 
- 	for (p = sup_versions; p->name != NULL; p++)
--		if (c_strcasecmp(p->name, name) == 0) {
--			p->supported = 0;
-+		if (p->id == version) {
-+			p->supported = false;
-+			return 0;
-+		}
-+
-+#endif
-+	return GNUTLS_E_INVALID_REQUEST;
-+}
-+
-+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
-+void _gnutls_version_mark_disabled_all(void)
-+{
-+#ifndef DISABLE_SYSTEM_CONFIG
-+	version_entry_st *p;
-+
-+	for (p = sup_versions; p->name != NULL; p++) {
-+		p->supported = false;
-+		p->supported_revertible = true;
-+	}
-+
-+#endif
-+}
-+
-+/**
-+ * gnutls_protocol_mark_disabled:
-+ * @version: is a (gnutls) version number
-+ *
-+ * Mark @version as disabled system wide. This only works if the allowlisting
-+ * mode is used in the configuration file.
-+ *
-+ */
-+int gnutls_protocol_mark_disabled(gnutls_protocol_t version)
-+{
-+#ifndef DISABLE_SYSTEM_CONFIG
-+	version_entry_st *p;
-+
-+	for (p = sup_versions; p->name != NULL; p++)
-+		if (p->id == version) {
-+			if (!p->supported_revertible) {
-+				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+			}
-+			p->supported = false;
-+			return 0;
-+		}
-+
-+#endif
-+	return GNUTLS_E_INVALID_REQUEST;
-+}
-+
-+/**
-+ * gnutls_protocol_mark_enabled:
-+ * @version: is a (gnutls) version number
-+ *
-+ * Invalidate previous system wide setting that marked @version as
-+ * disabled. This only works if the allowlisting mode is used in the
-+ * configuration file.
-+ *
-+ */
-+int gnutls_protocol_mark_enabled(gnutls_protocol_t version)
-+{
-+#ifndef DISABLE_SYSTEM_CONFIG
-+	version_entry_st *p;
-+
-+	for (p = sup_versions; p->name != NULL; p++)
-+		if (p->id == version) {
-+			if (!p->supported_revertible) {
-+				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+			}
-+			p->supported = true;
- 			return 0;
- 		}
- 
-@@ -469,6 +537,25 @@
- 	return supported_protocols;
- }
- 
-+/* Return all versions, including non-supported ones.
-+ */
-+const gnutls_protocol_t *_gnutls_protocol_list(void)
-+{
-+	const version_entry_st *p;
-+	static gnutls_protocol_t protocols[MAX_ALGOS] = { 0 };
-+
-+	if (protocols[0] == 0) {
-+		int i = 0;
-+
-+		for (p = sup_versions; p->name != NULL; p++) {
-+			protocols[i++] = p->id;
-+		}
-+		protocols[i++] = 0;
-+	}
-+
-+	return protocols;
-+}
-+
- /* Returns a version number given the major and minor numbers.
-  */
- gnutls_protocol_t _gnutls_version_get(uint8_t major, uint8_t minor)
-diff -ruN gnutls-3.7.2/lib/algorithms/sign.c gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c
---- gnutls-3.7.2/lib/algorithms/sign.c	2021-05-10 16:34:47.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c	2021-06-28 09:09:14.000000000 +0200
-@@ -453,16 +453,23 @@
- 
- bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags)
- {
--	if (se->hash != GNUTLS_DIG_UNKNOWN && _gnutls_digest_is_insecure(se->hash))
--		return gnutls_assert_val(0);
-+	if (se->hash != GNUTLS_DIG_UNKNOWN &&
-+	    _gnutls_digest_is_insecure2(se->hash,
-+					flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE ?
-+					GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE :
-+					0)) {
-+		return gnutls_assert_val(false);
-+	}
- 
--	if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS)
--		return (se->slevel==_SECURE)?1:0;
--	else
--		return (se->slevel==_SECURE || se->slevel == _INSECURE_FOR_CERTS)?1:0;
-+	return (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS ?
-+		se->slevel == _SECURE :
-+		(se->slevel == _SECURE || se->slevel == _INSECURE_FOR_CERTS)) ||
-+		(flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE &&
-+		 se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE);
- }
- 
--int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t level)
-+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
-+int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, hash_security_level_t level)
- {
- #ifndef DISABLE_SYSTEM_CONFIG
- 	gnutls_sign_entry_st *p;
-@@ -471,11 +478,106 @@
- 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- 
- 	for(p = sign_algorithms; p->name != NULL; p++) {
--		if (c_strcasecmp(p->name, name) == 0) {
-+		if (p->id && p->id == sign) {
-+			if (p->slevel < level)
- 				p->slevel = level;
- 			return 0;
- 		}
- 	}
-+#endif
-+	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+}
-+
-+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
-+void _gnutls_sign_mark_insecure_all(hash_security_level_t level)
-+{
-+#ifndef DISABLE_SYSTEM_CONFIG
-+	gnutls_sign_entry_st *p;
-+
-+	for(p = sign_algorithms; p->name != NULL; p++) {
-+		if (p->slevel < level)
-+			p->slevel = level;
-+		p->flags |= GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE;
-+	}
-+#endif
-+}
-+
-+/**
-+ * gnutls_sign_mark_insecure:
-+ * @sign: the sign algorithm
-+ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0
-+ *
-+ * Mark @sign as insecure system wide. This only works if the
-+ * allowlisting mode is used in the configuration file.
-+ *
-+ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set,
-+ * and the algorithm was previously considered secure for all purposes,
-+ * it only marks the algorithm as insecure for the use with certificates.
-+ *
-+ * Since: 3.7.3
-+ */
-+int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags)
-+{
-+#ifndef DISABLE_SYSTEM_CONFIG
-+	gnutls_sign_entry_st *p;
-+
-+	for(p = sign_algorithms; p->name != NULL; p++) {
-+		if (p->id && p->id == sign) {
-+			if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) {
-+				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+			}
-+			if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) {
-+				if (p->slevel < _INSECURE_FOR_CERTS)
-+					p->slevel = _INSECURE_FOR_CERTS;
-+			} else {
-+				p->slevel = _INSECURE;
-+			}
-+			return 0;
-+		}
-+	}
-+#endif
-+	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+}
-+// TODO: really not sure about the intuitiveness of the interface of this one,
-+//       the flag naming isn't ideal here
-+
-+/**
-+ * gnutls_sign_mark_secure:
-+ * @sign: the sign algorithm
-+ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0
-+ *
-+ * Invalidate previous system wide setting that marked @sign as
-+ * insecure. This only works if the algorithm is marked as insecure
-+ * with gnutls_sign_mark_insecure() or through the allowlisting mode
-+ * in the configuration file.
-+ *
-+ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set,
-+ * it marks it the algorithm as secure for all purposes.
-+ * If the absence of this flag, it will mark it as
-+ * "secure, but not for certificates" at most,
-+ * but it won't restrict anything either.
-+ *
-+ * Since: 3.7.3
-+ */
-+int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags)
-+{
-+#ifndef DISABLE_SYSTEM_CONFIG
-+	gnutls_sign_entry_st *p;
-+
-+	for(p = sign_algorithms; p->name != NULL; p++) {
-+		if (p->id && p->id == sign) {
-+			if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) {
-+				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+			}
-+			if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) {
-+				p->slevel = _SECURE;
-+			} else {
-+				if (p->slevel > _INSECURE_FOR_CERTS)
-+					p->slevel = _INSECURE_FOR_CERTS;
-+			}
-+			return 0;
-+		}
-+	}
- #endif
- 	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- }
-diff -ruN gnutls-3.7.2/lib/algorithms.h gnutls-3.7.2-bootstrapped/lib/algorithms.h
---- gnutls-3.7.2/lib/algorithms.h	2021-05-10 16:34:47.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/algorithms.h	2021-06-28 09:09:14.000000000 +0200
-@@ -345,15 +345,27 @@
- 	_INSECURE
- } hash_security_level_t;
- 
--int _gnutls_ecc_curve_mark_disabled(const char *name);
--int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t);
--int _gnutls_digest_mark_insecure(const char *name);
-+int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve);
-+int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t, hash_security_level_t);
-+int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig);
- unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig);
--int _gnutls_version_mark_disabled(const char *name);
-+bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig,	unsigned flags);
-+const gnutls_protocol_t *_gnutls_protocol_list(void);
-+int _gnutls_version_mark_disabled(gnutls_protocol_t version);
- gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name);
- 
-+/* these functions are for revertible settings, meaning that algorithms marked
-+ * as disabled/insecure with mark_*_all functions can be re-enabled with
-+ * mark_{enabled,secure} functions */
-+void _gnutls_ecc_curve_mark_disabled_all(void);
-+void _gnutls_sign_mark_insecure_all(hash_security_level_t level);
-+void _gnutls_digest_mark_insecure_all(void);
-+void _gnutls_version_mark_disabled_all(void);
-+
- #define GNUTLS_SIGN_FLAG_TLS13_OK	1 /* if it is ok to use under TLS1.3 */
- #define GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE (1 << 1) /* reverse order of bytes in CrtVrfy signature */
-+#define GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE (1 << 2)
-+#define GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3)
- struct gnutls_sign_entry_st {
- 	const char *name;
- 	const char *oid;
-@@ -448,6 +460,7 @@
- 	unsigned sig_size;	/* the size of curve signatures in bytes (EdDSA) */
- 	unsigned gost_curve;
- 	bool supported;
-+	bool supported_revertible;
- 	gnutls_group_t group;
- } gnutls_ecc_curve_entry_st;
- 
-@@ -459,6 +472,7 @@
- gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t);
- const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num);
- const gnutls_group_entry_st * _gnutls_id_to_group(unsigned id);
-+gnutls_group_t _gnutls_group_get_id(const char *name);
- 
- gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk, int bits);
- #define MAX_ECC_CURVE_SIZE 66
-diff -ruN gnutls-3.7.2/lib/gnutls_int.h gnutls-3.7.2-bootstrapped/lib/gnutls_int.h
---- gnutls-3.7.2/lib/gnutls_int.h	2021-05-27 08:08:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/gnutls_int.h	2021-06-28 09:09:14.000000000 +0200
-@@ -662,6 +662,8 @@
- 
- #define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE	1  /* if this algorithm should not be trusted for pre-image attacks */
- #define GNUTLS_MAC_FLAG_CONTINUOUS_MAC		(1 << 1) /* if this MAC should be used in a 'continuous' way in TLS */
-+#define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE	(1 << 2)  /* if this algorithm should not be trusted for pre-image attacks, but can be enabled through API */
-+#define GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE	(1 << 3)  /* when checking with _gnutls_digest_is_insecure2, don't treat revertible setting as fatal */
- /* This structure is used both for MACs and digests
-  */
- typedef struct mac_entry_st {
-@@ -685,6 +687,7 @@
- 	uint8_t minor;		/* defined by the protocol */
- 	transport_t transport;	/* Type of transport, stream or datagram */
- 	bool supported;	/* 0 not supported, > 0 is supported */
-+	bool supported_revertible;
- 	bool explicit_iv;
- 	bool extensions;	/* whether it supports extensions */
- 	bool selectable_sighash;	/* whether signatures can be selected */
-diff -ruN gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in
---- gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in	2021-05-27 08:08:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in	2021-06-28 09:09:14.000000000 +0200
-@@ -1438,6 +1438,16 @@
- 				 gnutls_mac_algorithm_t * mac,
- 				 gnutls_protocol_t * min_version);
- 
-+  /* functions for run-time enablement of algorithms */
-+int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve);
-+int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve);
-+int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags);
-+int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags);
-+int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig);
-+int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig);
-+int gnutls_protocol_mark_disabled(gnutls_protocol_t version);
-+int gnutls_protocol_mark_enabled(gnutls_protocol_t version);
-+
-   /* error functions */
- int gnutls_error_is_fatal(int error) __GNUTLS_CONST__;
- int gnutls_error_to_alert(int err, int *level);
-diff -ruN gnutls-3.7.2/lib/libgnutls.map gnutls-3.7.2-bootstrapped/lib/libgnutls.map
---- gnutls-3.7.2/lib/libgnutls.map	2021-05-29 07:16:27.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/libgnutls.map	2021-06-28 09:09:14.000000000 +0200
-@@ -1355,6 +1355,21 @@
- 	*;
- } GNUTLS_3_7_0;
- 
-+GNUTLS_3_7_3
-+{
-+ global:
-+	gnutls_ecc_curve_mark_disabled;
-+	gnutls_ecc_curve_mark_enabled;
-+	gnutls_sign_mark_insecure;
-+	gnutls_sign_mark_secure;
-+	gnutls_digest_mark_insecure;
-+	gnutls_digest_mark_secure;
-+	gnutls_protocol_mark_disabled;
-+	gnutls_protocol_mark_enabled;
-+ local:
-+	*;
-+} GNUTLS_3_7_2;
-+
- GNUTLS_FIPS140_3_4 {
-   global:
- 	gnutls_cipher_self_test;
-diff -ruN gnutls-3.7.2/lib/priority.c gnutls-3.7.2-bootstrapped/lib/priority.c
---- gnutls-3.7.2/lib/priority.c	2021-05-27 08:08:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/lib/priority.c	2021-06-28 09:09:14.000000000 +0200
-@@ -700,6 +700,7 @@
- #define LEVEL_SUITEB128 "SUITEB128"
- #define LEVEL_SUITEB192 "SUITEB192"
- #define LEVEL_LEGACY "LEGACY"
-+#define LEVEL_SYSTEM "SYSTEM"
- 
- struct priority_groups_st {
- 	const char *name;
-@@ -1001,17 +1002,22 @@
- 
- static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN;
- static name_val_array_t system_wide_priority_strings = NULL;
-+static char *system_wide_priority_string = NULL;
- static unsigned system_wide_priority_strings_init = 0;
- static unsigned system_wide_default_priority_string = 0;
- static unsigned fail_on_invalid_config = 0;
--static unsigned system_wide_disabled_ciphers[MAX_ALGOS+1] = {0};
--static unsigned system_wide_disabled_macs[MAX_ALGOS+1] = {0};
--static unsigned system_wide_disabled_groups[MAX_ALGOS+1] = {0};
--static unsigned system_wide_disabled_kxs[MAX_ALGOS+1] = {0};
-+static bool system_wide_allowlisting;
-+static unsigned system_wide_tls_ciphers[MAX_ALGOS+1] = {0};
-+static unsigned system_wide_tls_macs[MAX_ALGOS+1] = {0};
-+static unsigned system_wide_tls_groups[MAX_ALGOS+1] = {0};
-+static unsigned system_wide_tls_kxs[MAX_ALGOS+1] = {0};
-+static unsigned system_wide_tls_sigs[MAX_ALGOS+1] = {0};
-+static unsigned system_wide_tls_vers[MAX_ALGOS+1] = {0};
- 
- static const char *system_priority_file = SYSTEM_PRIORITY_FILE;
- static time_t system_priority_last_mod = 0;
- 
-+#define GLOBAL_SECTION "global"
- #define CUSTOM_PRIORITY_SECTION "priorities"
- #define OVERRIDES_SECTION "overrides"
- #define MAX_ALGO_NAME 2048
-@@ -1051,108 +1057,479 @@
- 	return out;
- }
- 
--/* This function parses a gnutls configuration file and updates internal
-- * settings accordingly.
-+struct cfg {
-+	bool allowlisting;
-+
-+	name_val_array_t priority_strings;
-+	bool priority_strings_init;
-+	char *default_priority_string;
-+	gnutls_certificate_verification_profiles_t verification_profile;
-+
-+	gnutls_cipher_algorithm_t ciphers[MAX_ALGOS+1];
-+	gnutls_mac_algorithm_t macs[MAX_ALGOS+1];
-+	gnutls_group_t groups[MAX_ALGOS+1];
-+	gnutls_kx_algorithm_t kxs[MAX_ALGOS+1];
-+
-+	gnutls_digest_algorithm_t *hashes;
-+	size_t hashes_size;
-+	gnutls_sign_algorithm_t *sigs;
-+	size_t sigs_size;
-+	gnutls_sign_algorithm_t *sigs_for_cert;
-+	size_t sigs_for_cert_size;
-+	gnutls_protocol_t *versions;
-+	size_t versions_size;
-+	gnutls_ecc_curve_t *curves;
-+	size_t curves_size;
-+};
-+
-+static inline void
-+cfg_deinit(struct cfg *cfg)
-+{
-+	if (cfg->priority_strings) {
-+		_name_val_array_clear(&cfg->priority_strings);
-+	}
-+	cfg->priority_strings_init = false;
-+	gnutls_free(cfg->default_priority_string);
-+	gnutls_free(cfg->hashes);
-+	gnutls_free(cfg->sigs);
-+	gnutls_free(cfg->sigs_for_cert);
-+	gnutls_free(cfg->versions);
-+	gnutls_free(cfg->curves);
-+}
-+
-+static inline int
-+cfg_apply(struct cfg *cfg)
-+{
-+	size_t i;
-+
-+	system_wide_verification_profile = cfg->verification_profile;
-+
-+	if (cfg->priority_strings_init) {
-+		system_wide_priority_strings = cfg->priority_strings;
-+		cfg->priority_strings = NULL;
-+		cfg->priority_strings_init = false;
-+		system_wide_priority_strings_init = 1;
-+	}
-+
-+	if (cfg->default_priority_string) {
-+		_clear_default_system_priority();
-+		_gnutls_default_priority_string = cfg->default_priority_string;
-+		cfg->default_priority_string = NULL;
-+		system_wide_default_priority_string = 1;
-+	}
-+
-+	system_wide_allowlisting = cfg->allowlisting;
-+	memcpy(system_wide_tls_ciphers, cfg->ciphers, sizeof(cfg->ciphers));
-+	memcpy(system_wide_tls_macs, cfg->macs, sizeof(cfg->macs));
-+	memcpy(system_wide_tls_groups, cfg->groups, sizeof(cfg->groups));
-+	memcpy(system_wide_tls_kxs, cfg->kxs, sizeof(cfg->kxs));
-+
-+	if (cfg->allowlisting) {
-+		unsigned tls_sig_sem = 0;
-+		size_t j;
-+
-+		_gnutls_digest_mark_insecure_all();
-+		for (i = 0; i < cfg->hashes_size; i++) {
-+			int ret = gnutls_digest_mark_secure(cfg->hashes[i]);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+		}
-+		_gnutls_sign_mark_insecure_all(_INSECURE);
-+		for (i = 0; i < cfg->sigs_size; i++) {
-+			int ret = gnutls_sign_mark_secure(cfg->sigs[i], 0);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+		}
-+		for (i = 0; i < cfg->sigs_for_cert_size; i++) {
-+			int ret = gnutls_sign_mark_secure(cfg->sigs_for_cert[i],
-+							  GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+		}
-+		_gnutls_version_mark_disabled_all();
-+		for (i = 0, j = 0; i < cfg->versions_size; i++) {
-+			const version_entry_st *vers;
-+			int ret = gnutls_protocol_mark_enabled(cfg->versions[i]);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+			vers = version_to_entry(cfg->versions[i]);
-+			if (vers && vers->supported) {
-+				tls_sig_sem |= vers->tls_sig_sem;
-+				system_wide_tls_vers[j++] = vers->id;
-+			}
-+		}
-+		_gnutls_ecc_curve_mark_disabled_all();
-+		for (i = 0; i < cfg->curves_size; i++) {
-+			int ret = gnutls_ecc_curve_mark_enabled(cfg->curves[i]);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+		}
-+		for (i = 0, j = 0; i < cfg->sigs_size; i++) {
-+			const gnutls_sign_entry_st *se;
-+
-+			se = _gnutls_sign_to_entry(cfg->sigs[i]);
-+			if (se != NULL && se->aid.tls_sem & tls_sig_sem &&
-+			    _gnutls_sign_is_secure2(se, 0)) {
-+				system_wide_tls_sigs[j++] = se->id;
-+			}
-+		}
-+	} else {
-+		for (i = 0; i < cfg->hashes_size; i++) {
-+			int ret = _gnutls_digest_mark_insecure(cfg->hashes[i]);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+		}
-+		for (i = 0; i < cfg->sigs_size; i++) {
-+			int ret = _gnutls_sign_mark_insecure(cfg->sigs[i], _INSECURE);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+		}
-+		for (i = 0; i < cfg->sigs_for_cert_size; i++) {
-+			int ret = _gnutls_sign_mark_insecure(cfg->sigs_for_cert[i], _INSECURE_FOR_CERTS);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+		}
-+		for (i = 0; i < cfg->versions_size; i++) {
-+			int ret = _gnutls_version_mark_disabled(cfg->versions[i]);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+		}
-+		for (i = 0; i < cfg->curves_size; i++) {
-+			int ret = _gnutls_ecc_curve_mark_disabled(cfg->curves[i]);
-+			if (unlikely(ret < 0)) {
-+				return ret;
-+			}
-+		}
-+	}
-+
-+	return 0;
-+}
-+
-+/* This function parse the global section of the configuration file.
-+ */
-+static int global_ini_handler(void *ctx, const char *section, const char *name, const char *value)
-+{
-+	char *p;
-+	char str[MAX_ALGO_NAME];
-+	struct cfg *cfg = ctx;
-+
-+	if (section != NULL && c_strcasecmp(section, GLOBAL_SECTION) == 0) {
-+		if (c_strcasecmp(name, "override-mode") == 0) {
-+			p = clear_spaces(value, str);
-+			if (c_strcasecmp(value, "allowlist") == 0) {
-+				cfg->allowlisting = true;
-+			} else if (c_strcasecmp(value, "blocklist") == 0) {
-+				cfg->allowlisting = false;
-+			} else {
-+				_gnutls_debug_log("cfg: unknown override mode %s\n",
-+					p);
-+				if (fail_on_invalid_config)
-+					return 0;
-+			}
-+		} else {
-+			_gnutls_debug_log("unknown parameter %s\n", name);
-+			if (fail_on_invalid_config)
-+				return 0;
-+		}
-+	}
-+
-+	return 1;
-+}
-+
-+static bool
-+override_allowed(struct cfg *cfg, const char *name)
-+{
-+	static const struct {
-+		const char *allowlist_name;
-+		const char *blocklist_name;
-+	} names[] = {
-+		{ "secure-hash", "insecure-hash" },
-+		{ "secure-sig", "insecure-sig" },
-+		{ "secure-sig-for-cert", "insecure-sig-for-cert" },
-+		{ "enabled-version", "disabled-version" },
-+		{ "enabled-curve", "disabled-curve" },
-+		{ "tls-enabled-cipher", "tls-disabled-cipher" },
-+		{ "tls-enabled-group", "tls-disabled-group" },
-+		{ "tls-enabled-kx", "tls-disabled-kx" },
-+		{ "tls-enabled-mac", "tls-disabled-mac" }
-+	};
-+	size_t i;
-+
-+	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
-+		if (c_strcasecmp(name,
-+				 cfg->allowlisting ?
-+				 names[i].blocklist_name :
-+				 names[i].allowlist_name) == 0)
-+			return false;
-+	}
-+
-+	return true;
-+}
-+
-+/* This function parses a gnutls configuration file.  Updating internal settings
-+ * according to the parsed configuration is done by cfg_apply.
-  */
--static int cfg_ini_handler(void *_ctx, const char *section, const char *name, const char *value)
-+static int cfg_ini_handler(void *ctx, const char *section, const char *name, const char *value)
- {
- 	char *p;
--	int ret, type;
-+	int ret;
- 	unsigned i;
- 	char str[MAX_ALGO_NAME];
-+	struct cfg *cfg = ctx;
- 
- 	/* Note that we intentionally overwrite the value above; inih does
- 	 * not use that value after we handle it. */
- 
- 	/* Parse sections */
- 	if (section == NULL || section[0] == 0 || c_strcasecmp(section, CUSTOM_PRIORITY_SECTION)==0) {
--		if (system_wide_priority_strings_init == 0) {
--			_name_val_array_init(&system_wide_priority_strings);
--			system_wide_priority_strings_init = 1;
-+		if (!cfg->priority_strings_init) {
-+			_name_val_array_init(&cfg->priority_strings);
-+			cfg->priority_strings_init = true;
- 		}
- 
- 		_gnutls_debug_log("cfg: adding priority: %s -> %s\n", name, value);
- 
--		ret = _name_val_array_append(&system_wide_priority_strings, name, value);
-+		ret = _name_val_array_append(&cfg->priority_strings, name, value);
- 		if (ret < 0)
- 			return 0;
- 	} else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) {
--		if (c_strcasecmp(name, "default-priority-string")==0) {
--			_clear_default_system_priority();
-+		if (!override_allowed(cfg, name)) {
-+			_gnutls_debug_log("cfg: %s is not allowed in this mode\n",
-+					  name);
-+			if (fail_on_invalid_config)
-+				return 0;
-+		} else if (c_strcasecmp(name, "default-priority-string")==0) {
-+			if (cfg->default_priority_string) {
-+				gnutls_free(cfg->default_priority_string);
-+				cfg->default_priority_string = NULL;
-+			}
- 			p = clear_spaces(value, str);
- 			_gnutls_debug_log("cfg: setting default-priority-string to %s\n", p);
- 			if (strlen(p) > 0) {
--				_gnutls_default_priority_string = gnutls_strdup(p);
--				if (!_gnutls_default_priority_string) {
--					_gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
-+				cfg->default_priority_string = gnutls_strdup(p);
-+				if (!cfg->default_priority_string) {
- 					_gnutls_debug_log("cfg: failed setting default-priority-string\n");
- 					return 0;
- 				}
--				system_wide_default_priority_string = 1;
- 			} else {
- 				_gnutls_debug_log("cfg: empty default-priority-string, using default\n");
- 				if (fail_on_invalid_config)
- 					return 0;
- 			}
--		} else if (c_strcasecmp(name, "insecure-hash")==0) {
-+		} else if (c_strcasecmp(name, "insecure-hash") == 0 ||
-+			   c_strcasecmp(name, "secure-hash") == 0) {
-+			gnutls_digest_algorithm_t dig, *tmp;
-+
- 			p = clear_spaces(value, str);
- 
--			_gnutls_debug_log("cfg: marking hash %s as insecure\n",
--					  p);
-+			if (cfg->allowlisting) {
-+				_gnutls_debug_log("cfg: marking hash %s as secure\n",
-+						  p);
-+			} else {
-+				_gnutls_debug_log("cfg: marking hash %s as insecure\n",
-+						  p);
-+			}
- 
--			ret = _gnutls_digest_mark_insecure(p);
--			if (ret < 0) {
-+			dig = gnutls_digest_get_id(p);
-+			if (dig == GNUTLS_DIG_UNKNOWN) {
- 				_gnutls_debug_log("cfg: found unknown hash %s in %s\n",
- 						  p, name);
- 				if (fail_on_invalid_config)
- 					return 0;
-+				goto exit;
-+			}
-+			tmp = _gnutls_reallocarray(cfg->hashes,
-+						   cfg->hashes_size + 1,
-+						   sizeof(gnutls_digest_algorithm_t));
-+			if (!tmp) {
-+				if (cfg->allowlisting) {
-+					_gnutls_debug_log("cfg: failed marking hash %s as secure\n",
-+							  p);
-+				} else {
-+					_gnutls_debug_log("cfg: failed marking hash %s as insecure\n",
-+							  p);
-+				}
-+				if (fail_on_invalid_config)
-+					return 0;
-+				goto exit;
- 			}
--		} else if (c_strcasecmp(name, "insecure-sig")==0 || c_strcasecmp(name, "insecure-sig-for-cert")==0) {
-+
-+			cfg->hashes = tmp;
-+			cfg->hashes[cfg->hashes_size] = dig;
-+			cfg->hashes_size++;
-+		} else if (c_strcasecmp(name, "insecure-sig") == 0 ||
-+			   c_strcasecmp(name, "secure-sig") == 0) {
-+			gnutls_sign_algorithm_t sig, *tmp;
-+
- 			p = clear_spaces(value, str);
- 
--			if (c_strcasecmp(name, "insecure-sig")==0) {
--				type = _INSECURE;
-+			if (cfg->allowlisting) {
-+				_gnutls_debug_log("cfg: marking signature %s as secure\n",
-+						  p);
-+			} else {
- 				_gnutls_debug_log("cfg: marking signature %s as insecure\n",
- 						  p);
-+			}
-+
-+			sig = gnutls_sign_get_id(p);
-+			if (sig == GNUTLS_SIGN_UNKNOWN) {
-+				_gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n",
-+						  p, name);
-+				if (fail_on_invalid_config)
-+					return 0;
-+				goto exit;
-+			}
-+			tmp = _gnutls_reallocarray(cfg->sigs,
-+						   cfg->sigs_size + 1,
-+						   sizeof(gnutls_sign_algorithm_t));
-+			if (!tmp) {
-+				if (cfg->allowlisting) {
-+					_gnutls_debug_log("cfg: failed marking signature %s as secure\n",
-+							  p);
-+				} else {
-+					_gnutls_debug_log("cfg: failed marking signature %s as insecure\n",
-+							  p);
-+				}
-+				if (fail_on_invalid_config)
-+					return 0;
-+				goto exit;
-+			}
-+
-+			cfg->sigs = tmp;
-+			cfg->sigs[cfg->sigs_size] = sig;
-+			cfg->sigs_size++;
-+		} else if (c_strcasecmp(name, "insecure-sig-for-cert") == 0 ||
-+			   c_strcasecmp(name, "secure-sig-for-cert") == 0) {
-+			gnutls_sign_algorithm_t sig, *tmp;
-+
-+			p = clear_spaces(value, str);
-+
-+			if (cfg->allowlisting) {
-+				_gnutls_debug_log("cfg: marking signature %s as secure for certs\n",
-+						  p);
- 			} else {
- 				_gnutls_debug_log("cfg: marking signature %s as insecure for certs\n",
- 						  p);
--				type = _INSECURE_FOR_CERTS;
- 			}
- 
--			ret = _gnutls_sign_mark_insecure(p, type);
--			if (ret < 0) {
-+			sig = gnutls_sign_get_id(p);
-+			if (sig == GNUTLS_SIGN_UNKNOWN) {
- 				_gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n",
- 						  p, name);
- 				if (fail_on_invalid_config)
- 					return 0;
-+				goto exit;
-+			}
-+			tmp = _gnutls_reallocarray(cfg->sigs_for_cert,
-+						   cfg->sigs_for_cert_size + 1,
-+						   sizeof(gnutls_sign_algorithm_t));
-+			if (!tmp) {
-+				if (cfg->allowlisting) {
-+					_gnutls_debug_log("cfg: failed marking signature %s as secure for certs\n",
-+							  p);
-+				} else {
-+					_gnutls_debug_log("cfg: failed marking signature %s as insecure for certs\n",
-+							  p);
-+				}
-+				if (fail_on_invalid_config)
-+					return 0;
-+				goto exit;
- 			}
--		} else if (c_strcasecmp(name, "disabled-version")==0) {
-+
-+			cfg->sigs_for_cert = tmp;
-+			cfg->sigs_for_cert[cfg->sigs_for_cert_size] = sig;
-+			cfg->sigs_for_cert_size++;
-+		} else if (c_strcasecmp(name, "disabled-version") == 0 ||
-+			   c_strcasecmp(name, "enabled-version") == 0) {
-+			gnutls_protocol_t prot, *tmp;
-+
- 			p = clear_spaces(value, str);
- 
--			_gnutls_debug_log("cfg: disabling version %s\n",
--					  p);
-+			if (cfg->allowlisting) {
-+				_gnutls_debug_log("cfg: enabling version %s\n",
-+						  p);
-+			} else {
-+				_gnutls_debug_log("cfg: disabling version %s\n",
-+						  p);
-+			}
- 
--			ret = _gnutls_version_mark_disabled(p);
--			if (ret < 0) {
-+			prot = gnutls_protocol_get_id(p);
-+			if (prot == GNUTLS_VERSION_UNKNOWN) {
- 				_gnutls_debug_log("cfg: found unknown version %s in %s\n",
- 						  p, name);
- 				if (fail_on_invalid_config)
- 					return 0;
-+				goto exit;
- 			}
--		} else if (c_strcasecmp(name, "disabled-curve")==0) {
-+			tmp = _gnutls_reallocarray(cfg->versions,
-+						   cfg->versions_size + 1,
-+						   sizeof(gnutls_protocol_t));
-+			if (!tmp) {
-+				if (cfg->allowlisting) {
-+					_gnutls_debug_log("cfg: failed enabling version %s\n",
-+							  p);
-+				} else {
-+					_gnutls_debug_log("cfg: failed disabling version %s\n",
-+							  p);
-+				}
-+				if (fail_on_invalid_config)
-+					return 0;
-+				goto exit;
-+			}
-+
-+			cfg->versions = tmp;
-+			cfg->versions[cfg->versions_size] = prot;
-+			cfg->versions_size++;
-+		} else if (c_strcasecmp(name, "disabled-curve") == 0 ||
-+			   c_strcasecmp(name, "enabled-curve") == 0) {
-+			gnutls_ecc_curve_t curve, *tmp;
-+
- 			p = clear_spaces(value, str);
- 
--			_gnutls_debug_log("cfg: disabling curve %s\n",
--					  p);
-+			if (cfg->allowlisting) {
-+				_gnutls_debug_log("cfg: enabling curve %s\n",
-+						  p);
-+			} else {
-+				_gnutls_debug_log("cfg: disabling curve %s\n",
-+						  p);
-+			}
- 
--			ret = _gnutls_ecc_curve_mark_disabled(p);
--			if (ret < 0) {
-+			curve = gnutls_ecc_curve_get_id(p);
-+			if (curve == GNUTLS_ECC_CURVE_INVALID) {
- 				_gnutls_debug_log("cfg: found unknown curve %s in %s\n",
- 						  p, name);
- 				if (fail_on_invalid_config)
- 					return 0;
-+				goto exit;
-+			}
-+			tmp = _gnutls_reallocarray(cfg->curves,
-+						   cfg->curves_size + 1,
-+						   sizeof(gnutls_ecc_curve_t));
-+			if (!tmp) {
-+				if (cfg->allowlisting) {
-+					_gnutls_debug_log("cfg: failed enabling curve %s\n",
-+							  p);
-+				} else {
-+					_gnutls_debug_log("cfg: failed disabling curve %s\n",
-+							  p);
-+				}
-+				if (fail_on_invalid_config)
-+					return 0;
-+				goto exit;
- 			}
-+
-+			cfg->curves = tmp;
-+			cfg->curves[cfg->curves_size] = curve;
-+			cfg->curves_size++;
- 		} else if (c_strcasecmp(name, "min-verification-profile")==0) {
- 			gnutls_certificate_verification_profiles_t profile;
- 			profile = gnutls_certificate_verification_profile_get_id(value);
-@@ -1162,47 +1539,65 @@
- 						  value, name);
- 				if (fail_on_invalid_config)
- 					return 0;
-+				goto exit;
- 			}
- 
--			system_wide_verification_profile = profile;
--		} else if (c_strcasecmp(name, "tls-disabled-cipher")==0) {
--			unsigned algo;
-+			cfg->verification_profile = profile;
-+		} else if (c_strcasecmp(name, "tls-disabled-cipher") == 0 ||
-+			   c_strcasecmp(name, "tls-enabled-cipher") == 0) {
-+			gnutls_cipher_algorithm_t algo;
- 
- 			p = clear_spaces(value, str);
- 
--			_gnutls_debug_log("cfg: disabling cipher %s for TLS\n",
--					  p);
--
-+			if (cfg->allowlisting) {
-+				_gnutls_debug_log("cfg: enabling cipher %s for TLS\n",
-+						  p);
-+			} else {
-+				_gnutls_debug_log("cfg: disabling cipher %s for TLS\n",
-+						  p);
-+			}
- 
- 			algo = gnutls_cipher_get_id(p);
--			if (algo == 0) {
-+			if (algo == GNUTLS_CIPHER_UNKNOWN) {
- 				_gnutls_debug_log("cfg: unknown algorithm %s listed at %s\n",
- 						  p, name);
- 				if (fail_on_invalid_config)
- 					return 0;
-+				goto exit;
- 			}
- 
- 			i = 0;
--			while (system_wide_disabled_ciphers[i] != 0)
-+			while (cfg->ciphers[i] != 0)
- 				i++;
- 
- 			if (i > MAX_ALGOS-1) {
--				_gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n",
--						  i, name);
-+				if (cfg->allowlisting) {
-+					_gnutls_debug_log("cfg: too many (%d) enabled ciphers from %s\n",
-+							  i, name);
-+				} else {
-+					_gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n",
-+							  i, name);
-+				}
- 				if (fail_on_invalid_config)
- 					return 0;
- 				goto exit;
- 			}
--			system_wide_disabled_ciphers[i] = algo;
--			system_wide_disabled_ciphers[i+1] = 0;
-+			cfg->ciphers[i] = algo;
-+			cfg->ciphers[i+1] = 0;
- 
--		} else if (c_strcasecmp(name, "tls-disabled-mac")==0) {
--			unsigned algo;
-+		} else if (c_strcasecmp(name, "tls-disabled-mac") == 0 ||
-+			   c_strcasecmp(name, "tls-enabled-mac") == 0) {
-+			gnutls_mac_algorithm_t algo;
- 
- 			p = clear_spaces(value, str);
- 
--			_gnutls_debug_log("cfg: disabling MAC %s for TLS\n",
--					  p);
-+			if (cfg->allowlisting) {
-+				_gnutls_debug_log("cfg: enabling MAC %s for TLS\n",
-+						  p);
-+			} else {
-+				_gnutls_debug_log("cfg: disabling MAC %s for TLS\n",
-+						  p);
-+			}
- 
- 			algo = gnutls_mac_get_id(p);
- 			if (algo == 0) {
-@@ -1214,30 +1609,41 @@
- 			}
- 
- 			i = 0;
--			while (system_wide_disabled_macs[i] != 0)
-+			while (cfg->macs[i] != 0)
- 				i++;
- 
- 			if (i > MAX_ALGOS-1) {
--				_gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n",
--						  i, name);
-+				if (cfg->allowlisting) {
-+					_gnutls_debug_log("cfg: too many (%d) enabled MACs from %s\n",
-+							  i, name);
-+				} else {
-+					_gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n",
-+							  i, name);
-+				}
- 				if (fail_on_invalid_config)
- 					return 0;
- 				goto exit;
- 			}
--			system_wide_disabled_macs[i] = algo;
--			system_wide_disabled_macs[i+1] = 0;
--		} else if (c_strcasecmp(name, "tls-disabled-group")==0) {
--			unsigned algo;
-+			cfg->macs[i] = algo;
-+			cfg->macs[i+1] = 0;
-+		} else if (c_strcasecmp(name, "tls-disabled-group") == 0 ||
-+			   c_strcasecmp(name, "tls-enabled-group") == 0) {
-+			gnutls_group_t algo;
- 
- 			p = clear_spaces(value, str);
- 
--			if (strlen(p) > 6)
--				p += 6; // skip GROUP-
-+			if (c_strncasecmp(p, "GROUP-", 6) == 0)
-+				p += 6;
- 
--			_gnutls_debug_log("cfg: disabling group %s for TLS\n",
--					  p);
-+			if (cfg->allowlisting) {
-+				_gnutls_debug_log("cfg: enabling group %s for TLS\n",
-+						  p);
-+			} else {
-+				_gnutls_debug_log("cfg: disabling group %s for TLS\n",
-+						  p);
-+			}
- 
--			algo = gnutls_group_get_id(p);
-+			algo = _gnutls_group_get_id(p);
- 			if (algo == 0) {
- 				_gnutls_debug_log("cfg: unknown group %s listed at %s\n",
- 						  p, name);
-@@ -1247,25 +1653,36 @@
- 			}
- 
- 			i = 0;
--			while (system_wide_disabled_groups[i] != 0)
-+			while (cfg->groups[i] != 0)
- 				i++;
- 
- 			if (i > MAX_ALGOS-1) {
--				_gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n",
--						  i, name);
-+				if (cfg->allowlisting) {
-+					_gnutls_debug_log("cfg: too many (%d) enabled groups from %s\n",
-+							  i, name);
-+				} else {
-+					_gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n",
-+							  i, name);
-+				}
- 				if (fail_on_invalid_config)
- 					return 0;
- 				goto exit;
- 			}
--			system_wide_disabled_groups[i] = algo;
--			system_wide_disabled_groups[i+1] = 0;
--		} else if (c_strcasecmp(name, "tls-disabled-kx")==0) {
-+			cfg->groups[i] = algo;
-+			cfg->groups[i+1] = 0;
-+		} else if (c_strcasecmp(name, "tls-disabled-kx") == 0 ||
-+			   c_strcasecmp(name, "tls-enabled-kx") == 0) {
- 			unsigned algo;
- 
- 			p = clear_spaces(value, str);
- 
--			_gnutls_debug_log("cfg: disabling key exchange %s for TLS\n",
--					  p);
-+			if (cfg->allowlisting) {
-+				_gnutls_debug_log("cfg: enabling key exchange %s for TLS\n",
-+						  p);
-+			} else {
-+				_gnutls_debug_log("cfg: disabling key exchange %s for TLS\n",
-+						  p);
-+			}
- 
- 			algo = gnutls_kx_get_id(p);
- 			if (algo == 0) {
-@@ -1277,24 +1694,29 @@
- 			}
- 
- 			i = 0;
--			while (system_wide_disabled_kxs[i] != 0)
-+			while (cfg->kxs[i] != 0)
- 				i++;
- 
- 			if (i > MAX_ALGOS-1) {
--				_gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n",
--						  i, name);
-+				if (cfg->allowlisting) {
-+					_gnutls_debug_log("cfg: too many (%d) enabled key exchanges from %s\n",
-+							  i, name);
-+				} else {
-+					_gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n",
-+							  i, name);
-+				}
- 				if (fail_on_invalid_config)
- 					return 0;
- 				goto exit;
- 			}
--			system_wide_disabled_kxs[i] = algo;
--			system_wide_disabled_kxs[i+1] = 0;
-+			cfg->kxs[i] = algo;
-+			cfg->kxs[i+1] = 0;
- 		} else {
- 			_gnutls_debug_log("unknown parameter %s\n", name);
- 			if (fail_on_invalid_config)
- 				return 0;
- 		}
--	} else {
-+	} else if (c_strcasecmp(section, GLOBAL_SECTION) != 0) {
- 		_gnutls_debug_log("cfg: unknown section %s\n",
- 				  section);
- 		if (fail_on_invalid_config)
-@@ -1310,6 +1732,7 @@
- 	int ret;
- 	struct stat sb;
- 	FILE *fp;
-+	struct cfg cfg;
- 
- 	if (stat(system_priority_file, &sb) < 0) {
- 		_gnutls_debug_log("cfg: unable to access: %s: %d\n",
-@@ -1327,21 +1750,41 @@
- 	if (system_wide_priority_strings_init != 0)
- 		_name_val_array_clear(&system_wide_priority_strings);
- 
-+	gnutls_free(system_wide_priority_string);
-+	system_wide_priority_string = NULL;
-+
- 	fp = fopen(system_priority_file, "re");
- 	if (fp == NULL) {
- 		_gnutls_debug_log("cfg: unable to open: %s: %d\n",
- 				  system_priority_file, errno);
- 		return;
- 	}
--	ret = ini_parse_file(fp, cfg_ini_handler, NULL);
-+	/* Parsing the configuration file needs to be done in 2 phases: first
-+	 * parsing the [global] section and then the other sections, because the
-+	 * [global] section modifies the parsing behavior.
-+	 */
-+	memset(&cfg, 0, sizeof(cfg));
-+	ret = ini_parse_file(fp, global_ini_handler, &cfg);
-+	if (ret == 0) {
-+		if (fseek(fp, 0L, SEEK_SET) < 0) {
-+			_gnutls_debug_log("cfg: unable to rewind: %s: %d\n",
-+					  system_priority_file, ret);
-+			if (fail_on_invalid_config)
-+				exit(1);
-+		}
-+		ret = ini_parse_file(fp, cfg_ini_handler, &cfg);
-+	}
- 	fclose(fp);
- 	if (ret != 0) {
-+		cfg_deinit(&cfg);
- 		_gnutls_debug_log("cfg: unable to parse: %s: %d\n",
- 				  system_priority_file, ret);
- 		if (fail_on_invalid_config)
- 			exit(1);
- 		return;
- 	}
-+	cfg_apply(&cfg);
-+	cfg_deinit(&cfg);
- 
- 	_gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n",
- 			  system_priority_file,
-@@ -1368,6 +1811,7 @@
- void _gnutls_unload_system_priorities(void)
- {
- 	_name_val_array_clear(&system_wide_priority_strings);
-+	gnutls_free(system_wide_priority_string);
- 	_clear_default_system_priority();
- 	system_priority_last_mod = 0;
- }
-@@ -1391,6 +1835,124 @@
- 		return NULL;
- }
- 
-+static const char *
-+resolve_priorities_from_system_wide_allowlisting(void)
-+{
-+	gnutls_buffer_st buf;
-+	int ret;
-+	size_t i;
-+
-+	if (system_wide_priority_string) {
-+		return system_wide_priority_string;
-+	}
-+
-+	assert(system_wide_allowlisting);
-+
-+	_gnutls_buffer_init(&buf);
-+
-+	ret = _gnutls_buffer_append_str(&buf, "NONE");
-+	if (ret < 0) {
-+		_gnutls_buffer_clear(&buf);
-+		return NULL;
-+	}
-+
-+	for (i = 0; system_wide_tls_kxs[i] != 0; i++) {
-+		ret = _gnutls_buffer_append_str(&buf, ":+");
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+
-+		ret = _gnutls_buffer_append_str(&buf,
-+						gnutls_kx_get_name(system_wide_tls_kxs[i]));
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+	}
-+
-+	for (i = 0; system_wide_tls_groups[i] != 0; i++) {
-+		ret = _gnutls_buffer_append_str(&buf, ":+GROUP-");
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+
-+		ret = _gnutls_buffer_append_str(&buf,
-+						gnutls_group_get_name(system_wide_tls_groups[i]));
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+	}
-+
-+	for (i = 0; system_wide_tls_ciphers[i] != 0; i++) {
-+		ret = _gnutls_buffer_append_str(&buf, ":+");
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+
-+		ret = _gnutls_buffer_append_str(&buf,
-+						gnutls_cipher_get_name(system_wide_tls_ciphers[i]));
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+	}
-+
-+	for (i = 0; system_wide_tls_macs[i] != 0; i++) {
-+		ret = _gnutls_buffer_append_str(&buf, ":+");
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+
-+		ret = _gnutls_buffer_append_str(&buf,
-+						gnutls_mac_get_name(system_wide_tls_macs[i]));
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+	}
-+
-+	for (i = 0; system_wide_tls_sigs[i] != 0; i++) {
-+		ret = _gnutls_buffer_append_str(&buf, ":+SIGN-");
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+
-+		ret = _gnutls_buffer_append_str(&buf,
-+						gnutls_sign_get_name(system_wide_tls_sigs[i]));
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+	}
-+
-+	for (i = 0; system_wide_tls_vers[i] != 0; i++) {
-+		ret = _gnutls_buffer_append_str(&buf, ":+VERS-");
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+
-+		ret = _gnutls_buffer_append_str(&buf,
-+						gnutls_protocol_get_name(system_wide_tls_vers[i]));
-+		if (ret < 0) {
-+			_gnutls_buffer_clear(&buf);
-+			return NULL;
-+		}
-+	}
-+
-+	gnutls_free(system_wide_priority_string);
-+	system_wide_priority_string = gnutls_strdup((char *)buf.data);
-+	_gnutls_buffer_clear(&buf);
-+
-+	return system_wide_priority_string;
-+}
-+
- #define S(str) ((str!=NULL)?str:"")
- 
- /* Returns the new priorities if a priority string prefixed
-@@ -1445,7 +2007,13 @@
- 			 */
- 			_gnutls_update_system_priorities();
- 
--			p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
-+			if (system_wide_allowlisting &&
-+			    ss_len == sizeof(LEVEL_SYSTEM) - 1 &&
-+			    strncmp(LEVEL_SYSTEM, ss, ss_len) == 0) {
-+				p = resolve_priorities_from_system_wide_allowlisting();
-+			} else {
-+				p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
-+			}
- 
- 			_gnutls_debug_log("resolved '%.*s' to '%s', next '%.*s'\n",
- 					  ss_len, ss, S(p), ss_next_len, S(ss_next));
-@@ -1548,48 +2116,52 @@
- 	priority_cache->groups.size = 0;
- 	priority_cache->groups.have_ffdhe = 0;
- 
--	/* disable key exchanges which are globally disabled */
--	z = 0;
--	while (system_wide_disabled_kxs[z] != 0) {
--		for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) {
--			if (priority_cache->_kx.priorities[i] != system_wide_disabled_kxs[z])
--				priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i];
--		}
--		priority_cache->_kx.num_priorities = j;
--		z++;
--	}
--
--	/* disable groups which are globally disabled */
--	z = 0;
--	while (system_wide_disabled_groups[z] != 0) {
--		for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
--			if (priority_cache->_supported_ecc.priorities[i] != system_wide_disabled_groups[z])
--				priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i];
--		}
--		priority_cache->_supported_ecc.num_priorities = j;
--		z++;
--	}
--
--	/* disable ciphers which are globally disabled */
--	z = 0;
--	while (system_wide_disabled_ciphers[z] != 0) {
--		for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) {
--			if (priority_cache->_cipher.priorities[i] != system_wide_disabled_ciphers[z])
--				priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i];
--		}
--		priority_cache->_cipher.num_priorities = j;
--		z++;
--	}
--
--	/* disable MACs which are globally disabled */
--	z = 0;
--	while (system_wide_disabled_macs[z] != 0) {
--		for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) {
--			if (priority_cache->_mac.priorities[i] != system_wide_disabled_macs[z])
--				priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i];
-+	/* in blocklisting mode, apply system wide disablement of key exchanges,
-+	 * groups, MACs, and ciphers. */
-+	if (!system_wide_allowlisting) {
-+		/* disable key exchanges which are globally disabled */
-+		z = 0;
-+		while (system_wide_tls_kxs[z] != 0) {
-+			for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) {
-+				if (priority_cache->_kx.priorities[i] != system_wide_tls_kxs[z])
-+					priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i];
-+			}
-+			priority_cache->_kx.num_priorities = j;
-+			z++;
-+		}
-+
-+		/* disable groups which are globally disabled */
-+		z = 0;
-+		while (system_wide_tls_groups[z] != 0) {
-+			for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
-+				if (priority_cache->_supported_ecc.priorities[i] != system_wide_tls_groups[z])
-+					priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i];
-+			}
-+			priority_cache->_supported_ecc.num_priorities = j;
-+			z++;
-+		}
-+
-+		/* disable ciphers which are globally disabled */
-+		z = 0;
-+		while (system_wide_tls_ciphers[z] != 0) {
-+			for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) {
-+				if (priority_cache->_cipher.priorities[i] != system_wide_tls_ciphers[z])
-+					priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i];
-+			}
-+			priority_cache->_cipher.num_priorities = j;
-+			z++;
-+		}
-+
-+		/* disable MACs which are globally disabled */
-+		z = 0;
-+		while (system_wide_tls_macs[z] != 0) {
-+			for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) {
-+				if (priority_cache->_mac.priorities[i] != system_wide_tls_macs[z])
-+					priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i];
-+			}
-+			priority_cache->_mac.num_priorities = j;
-+			z++;
- 		}
--		priority_cache->_mac.num_priorities = j;
--		z++;
- 	}
- 
- 	for (j=0;j<priority_cache->_cipher.num_priorities;j++) {
-@@ -1737,10 +2309,15 @@
- 	for (i = 0; i < priority_cache->_sign_algo.num_priorities; i++) {
- 		se = _gnutls_sign_to_entry(priority_cache->_sign_algo.priorities[i]);
- 		if (se != NULL && priority_cache->sigalg.size < sizeof(priority_cache->sigalg.entry)/sizeof(priority_cache->sigalg.entry[0])) {
--			/* if the signature algorithm semantics are not compatible with
--			 * the protocol's, then skip. */
--			if ((se->aid.tls_sem & tls_sig_sem) == 0)
-+			/* if the signature algorithm semantics is not
-+			 * compatible with the protocol's, or the algorithm is
-+			 * marked as insecure, then skip. */
-+			if ((se->aid.tls_sem & tls_sig_sem) == 0 ||
-+			    !_gnutls_sign_is_secure2(se, system_wide_allowlisting ?
-+						     GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE :
-+						     0)) {
- 				continue;
-+			}
- 			priority_cache->sigalg.entry[priority_cache->sigalg.size++] = se;
- 		}
- 	}
-@@ -2017,6 +2594,9 @@
- 	(*priority_cache)->min_record_version = 1;
- 	gnutls_atomic_init(&(*priority_cache)->usage_cnt);
- 
-+	if (system_wide_allowlisting && !priorities) {
-+		priorities = "@" LEVEL_SYSTEM;
-+	}
- 	if (priorities == NULL) {
- 		priorities = _gnutls_default_priority_string;
- 		resolved_match = 0;
-@@ -2150,7 +2730,7 @@
- 						_supported_groups_gost);
- 				} else {
- 					if ((algo =
--					     gnutls_group_get_id
-+					     _gnutls_group_get_id
- 					     (&broken_list[i][7])) !=
- 					    GNUTLS_GROUP_INVALID)
- 						fn(&(*priority_cache)->
-diff -ruN gnutls-3.7.2/Makefile.in gnutls-3.7.2-bootstrapped/Makefile.in
---- gnutls-3.7.2/Makefile.in	2021-05-29 10:11:20.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/Makefile.in	2021-06-28 09:11:37.000000000 +0200
-@@ -35,7 +35,7 @@
- # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- 
- # aminclude_static.am generated automatically by Autoconf
--# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
-+# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
- VPATH = @srcdir@
- am__is_gnu_make = { \
-   if test -z '$(MAKELEVEL)'; then \
-diff -ruN gnutls-3.7.2/NEWS gnutls-3.7.2-bootstrapped/NEWS
---- gnutls-3.7.2/NEWS	2021-05-29 10:08:56.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/NEWS	2021-06-28 09:09:14.000000000 +0200
-@@ -5,6 +5,23 @@
- Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
- See the end for copying conditions.
- 
-+* Version 3.7.3 (unreleased)
-+
-+** libgnutls: The allowlisting configuration mode has been added to the system-wide
-+   settings. In this mode, all the algorithms are initially marked as insecure
-+   or disabled, while the applications can re-enable them either through the
-+   [overrides] section of the configuration file or the new API (#1172).
-+
-+** API and ABI modifications:
-+gnutls_ecc_curve_mark_disabled: Added.
-+gnutls_ecc_curve_mark_enabled: Added.
-+gnutls_sign_mark_insecure: Added.
-+gnutls_sign_mark_secure: Added.
-+gnutls_digest_mark_insecure: Added.
-+gnutls_digest_mark_secure: Added.
-+gnutls_protocol_mark_disabled: Added.
-+gnutls_protocol_mark_enabled: Added.
-+
- * Version 3.7.2 (released 2021-05-29)
- 
- ** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
-diff -ruN gnutls-3.7.2/po/cs.po gnutls-3.7.2-bootstrapped/po/cs.po
---- gnutls-3.7.2/po/cs.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/cs.po	2021-06-28 09:35:00.000000000 +0200
-@@ -9,7 +9,7 @@
- msgstr ""
- "Project-Id-Version: gnutls 3.6.8\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2019-06-18 07:01+02:00\n"
- "Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
- "Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n"
-diff -ruN gnutls-3.7.2/po/de.po gnutls-3.7.2-bootstrapped/po/de.po
---- gnutls-3.7.2/po/de.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/de.po	2021-06-28 09:35:00.000000000 +0200
-@@ -10,7 +10,7 @@
- msgstr ""
- "Project-Id-Version: gnutls 3.2.3\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2019-05-16 20:42+0200\n"
- "Last-Translator: Roland Illig <roland.illig@gmx.de>\n"
- "Language-Team: German <translation-team-de@lists.sourceforge.net>\n"
-diff -ruN gnutls-3.7.2/po/eo.po gnutls-3.7.2-bootstrapped/po/eo.po
---- gnutls-3.7.2/po/eo.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/eo.po	2021-06-28 09:35:00.000000000 +0200
-@@ -7,7 +7,7 @@
- msgstr ""
- "Project-Id-Version: gnutls 3.6.8\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2019-07-15 13:25-0300\n"
- "Last-Translator: Felipe Castro <fefcas@gmail.com>\n"
- "Language-Team: Esperanto <translation-team-eo@lists.sourceforge.net>\n"
-diff -ruN gnutls-3.7.2/po/es.po gnutls-3.7.2-bootstrapped/po/es.po
---- gnutls-3.7.2/po/es.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/es.po	2021-06-28 09:35:00.000000000 +0200
-@@ -7,7 +7,7 @@
- msgstr ""
- "Project-Id-Version: libgnutls 3.2.3\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2018-05-02 19:11+0200\n"
- "Last-Translator: Francisco Javier Serrador <fserrador@gmail.com>\n"
- "Language-Team: Spanish <es@tp.org.es>\n"
-diff -ruN gnutls-3.7.2/po/fi.po gnutls-3.7.2-bootstrapped/po/fi.po
---- gnutls-3.7.2/po/fi.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/fi.po	2021-06-28 09:35:00.000000000 +0200
-@@ -7,7 +7,7 @@
- msgstr ""
- "Project-Id-Version: libgnutls 3.2.1\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2013-06-19 17:09+0300\n"
- "Last-Translator: Jorma Karvonen <karvonen.jorma@gmail.com>\n"
- "Language-Team: Finnish <translation-team-fi@lists.sourceforge.net>\n"
-diff -ruN gnutls-3.7.2/po/fr.po gnutls-3.7.2-bootstrapped/po/fr.po
---- gnutls-3.7.2/po/fr.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/fr.po	2021-06-28 09:35:00.000000000 +0200
-@@ -12,7 +12,7 @@
- msgstr ""
- "Project-Id-Version: gnutls 3.6.8\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2019-08-12 01:03+0200\n"
- "Last-Translator: Stéphane Aulery <lkppo@free.fr>\n"
- "Language-Team: French <traduc@traduc.org>\n"
-diff -ruN gnutls-3.7.2/po/gnutls.pot gnutls-3.7.2-bootstrapped/po/gnutls.pot
---- gnutls-3.7.2/po/gnutls.pot	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/gnutls.pot	2021-06-28 09:35:00.000000000 +0200
-@@ -8,7 +8,7 @@
- msgstr ""
- "Project-Id-Version: gnutls 3.7.2\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
- "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
- "Language-Team: LANGUAGE <LL@li.org>\n"
-diff -ruN gnutls-3.7.2/po/it.po gnutls-3.7.2-bootstrapped/po/it.po
---- gnutls-3.7.2/po/it.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/it.po	2021-06-28 09:35:00.000000000 +0200
-@@ -8,7 +8,7 @@
- msgstr ""
- "Project-Id-Version: gnutls-3.6.8\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2019-08-02 11:43+0200\n"
- "Last-Translator: Milo Casagrande <milo@milo.name>\n"
- "Language-Team: Italian <tp@lists.linux.it>\n"
-Binary files gnutls-3.7.2/po/ms.gmo and gnutls-3.7.2-bootstrapped/po/ms.gmo differ
-diff -ruN gnutls-3.7.2/po/ms.po gnutls-3.7.2-bootstrapped/po/ms.po
---- gnutls-3.7.2/po/ms.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/ms.po	2021-06-28 09:35:00.000000000 +0200
-@@ -7,8 +7,8 @@
- msgstr ""
- "Project-Id-Version: gnutls 3.6.8\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
--"PO-Revision-Date: 2021-04-20 16:03+0800\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
-+"PO-Revision-Date: 2021-06-14 00:17+0800\n"
- "Last-Translator: Sharuzzaman Ahmat Raslan <sharuzzaman@gmail.com>\n"
- "Language-Team: Malay <translation-team-ms@lists.sourceforge.net>\n"
- "Language: ms\n"
-@@ -16,7 +16,7 @@
- "Content-Type: text/plain; charset=utf-8\n"
- "Content-Transfer-Encoding: 8bit\n"
- "X-Bugs: Report translation errors to the Language-Team address.\n"
--"X-Generator: Poedit 2.4.2\n"
-+"X-Generator: Poedit 3.0\n"
- 
- #: lib/alert.c:39
- msgid "Close notify"
-@@ -139,7 +139,7 @@
- #: lib/alert.c:83
- #, fuzzy
- msgid "An extension was expected but was not seen"
--msgstr "')' dijangka\n"
-+msgstr "Sambungan tidak disokong telah dihantar"
- 
- #: lib/alert.c:86
- msgid "No supported application protocol could be negotiated"
-@@ -1224,20 +1224,19 @@
- msgstr "%s\t\t\tnamaLain OID: %.*s\n"
- 
- #: lib/x509/output.c:152
--#, fuzzy, c-format
--#| msgid "\t\t\tXMPP Address: %.*s\n"
-+#, c-format
- msgid "%sXMPP Address: %.*s\n"
--msgstr "\t\t\tAlamat XMPP: %.*s\n"
-+msgstr "%sAlamat XMPP: %.*s\n"
- 
- #: lib/x509/output.c:156
--#, fuzzy, c-format
-+#, c-format
- msgid "%sKRB5Principal: %.*s\n"
--msgstr "%s: %s.\n"
-+msgstr "%sKRB5Principal: %.*s\n"
- 
- #: lib/x509/output.c:160
--#, fuzzy, c-format
-+#, c-format
- msgid "%sUnknown name: "
--msgstr "Nama"
-+msgstr "%sNama tidak diketahui: "
- 
- #: lib/x509/output.c:302
- #, c-format
-@@ -1266,14 +1265,14 @@
- "\t\t\tLambakan Hex: "
- 
- #: lib/x509/output.c:347
--#, fuzzy, c-format
-+#, c-format
- msgid "%s\t\t\tPermitted:\n"
--msgstr "TDB: Tulis tidak dibenarkan"
-+msgstr "%s\t\t\tDibenarkan:\n"
- 
- #: lib/x509/output.c:359
--#, fuzzy, c-format
-+#, c-format
- msgid "%s\t\t\tExcluded:\n"
--msgstr "%s%s: %.*s (%s)\n"
-+msgstr "%s\t\t\tDikecualikan:\n"
- 
- #: lib/x509/output.c:399 lib/x509/output.c:401 lib/x509/output.c:403
- #, c-format
-diff -ruN gnutls-3.7.2/po/nl.po gnutls-3.7.2-bootstrapped/po/nl.po
---- gnutls-3.7.2/po/nl.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/nl.po	2021-06-28 09:35:00.000000000 +0200
-@@ -10,7 +10,7 @@
- msgstr ""
- "Project-Id-Version: libgnutls-3.2.1\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2013-06-13 19:56+0200\n"
- "Last-Translator: Benno Schulenberg <benno@vertaalt.nl>\n"
- "Language-Team: Dutch <vertaling@vrijschrift.org>\n"
-diff -ruN gnutls-3.7.2/po/pl.po gnutls-3.7.2-bootstrapped/po/pl.po
---- gnutls-3.7.2/po/pl.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/pl.po	2021-06-28 09:35:00.000000000 +0200
-@@ -7,7 +7,7 @@
- msgstr ""
- "Project-Id-Version: gnutls-3.6.8\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2019-06-01 08:22+0200\n"
- "Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
- "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
-diff -ruN gnutls-3.7.2/po/pt_BR.po gnutls-3.7.2-bootstrapped/po/pt_BR.po
---- gnutls-3.7.2/po/pt_BR.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/pt_BR.po	2021-06-28 09:35:00.000000000 +0200
-@@ -7,7 +7,7 @@
- msgstr ""
- "Project-Id-Version: gnutls 3.6.8\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2019-06-11 03:55-0200\n"
- "Last-Translator: Rafael Fontenelle <rafaelff@gnome.org>\n"
- "Language-Team: Brazilian Portuguese <ldpbr-translation@lists.sourceforge."
-diff -ruN gnutls-3.7.2/po/sr.po gnutls-3.7.2-bootstrapped/po/sr.po
---- gnutls-3.7.2/po/sr.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/sr.po	2021-06-28 09:35:00.000000000 +0200
-@@ -6,7 +6,7 @@
- msgstr ""
- "Project-Id-Version: gnutls-3.6.8\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2020-08-04 15:21+0200\n"
- "Last-Translator: Мирослав Николић <miroslavnikolic@rocketmail.com>\n"
- "Language-Team: Serbian <(nothing)>\n"
-diff -ruN gnutls-3.7.2/po/sv.po gnutls-3.7.2-bootstrapped/po/sv.po
---- gnutls-3.7.2/po/sv.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/sv.po	2021-06-28 09:35:00.000000000 +0200
-@@ -8,7 +8,7 @@
- msgstr ""
- "Project-Id-Version: libgnutls 3.2.3\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2017-06-22 13:44+0200\n"
- "Last-Translator: Anders Jonsson <anders.jonsson@norsjovallen.se>\n"
- "Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n"
-diff -ruN gnutls-3.7.2/po/uk.po gnutls-3.7.2-bootstrapped/po/uk.po
---- gnutls-3.7.2/po/uk.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/uk.po	2021-06-28 09:35:00.000000000 +0200
-@@ -8,7 +8,7 @@
- msgstr ""
- "Project-Id-Version: gnutls 3.6.8\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2019-06-06 21:38+0300\n"
- "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
- "Language-Team: Ukrainian <trans-uk@lists.fedoraproject.org>\n"
-diff -ruN gnutls-3.7.2/po/vi.po gnutls-3.7.2-bootstrapped/po/vi.po
---- gnutls-3.7.2/po/vi.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/vi.po	2021-06-28 09:35:00.000000000 +0200
-@@ -8,7 +8,7 @@
- msgstr ""
- "Project-Id-Version: libgnutls-3.2.3\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2013-08-06 07:13+0700\n"
- "Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n"
- "Language-Team: Vietnamese <translation-team-vi@lists.sourceforge.net>\n"
-diff -ruN gnutls-3.7.2/po/zh_CN.po gnutls-3.7.2-bootstrapped/po/zh_CN.po
---- gnutls-3.7.2/po/zh_CN.po	2021-05-29 10:15:00.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/po/zh_CN.po	2021-06-28 09:35:00.000000000 +0200
-@@ -10,7 +10,7 @@
- msgstr ""
- "Project-Id-Version: libgnutls 3.2.3\n"
- "Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
--"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
- "PO-Revision-Date: 2015-11-10 09:47-0500\n"
- "Last-Translator: Mingye Wang (Arthur2e5) <arthur200126@gmail.com>\n"
- "Language-Team: Chinese (simplified) <i18n-zh@googlegroups.com>\n"
-diff -ruN gnutls-3.7.2/src/p11tool-args.def gnutls-3.7.2-bootstrapped/src/p11tool-args.def
---- gnutls-3.7.2/src/p11tool-args.def	2021-04-19 09:28:28.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/src/p11tool-args.def	2021-06-25 17:46:01.000000000 +0200
-@@ -268,8 +268,9 @@
- flag = {
-     name      = write;
-     descrip   = "Writes the loaded objects to a PKCS #11 token";
--    doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
--    one of --load-privkey, --load-pubkey, --load-certificate option.";
-+    doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.
-+
-+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.";
- };
- 
- flag = {
-diff -ruN gnutls-3.7.2/tests/Makefile.am gnutls-3.7.2-bootstrapped/tests/Makefile.am
---- gnutls-3.7.2/tests/Makefile.am	2021-05-27 08:10:21.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/tests/Makefile.am	2021-06-28 09:09:42.000000000 +0200
-@@ -108,7 +108,7 @@
- libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c
- libutils_la_LIBADD = ../lib/libgnutls.la
- 
--indirect_tests = system-override-hash system-override-sig
-+indirect_tests = system-override-hash system-override-sig system-override-sig-tls
- 
- ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
- 	tls13/post-handshake-with-cert tls13/post-handshake-without-cert \
-@@ -509,7 +509,13 @@
- dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
- 	system-override-versions.sh system-override-invalid.sh \
- 	system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
--	system-override-kx.sh system-override-default-priority-string.sh
-+	system-override-kx.sh system-override-default-priority-string.sh \
-+	system-override-sig-tls.sh
-+
-+dist_check_SCRIPTS += system-override-sig-allowlist.sh \
-+	system-override-hash-allowlist.sh \
-+	system-override-versions-allowlist.sh \
-+	system-override-curves-allowlist.sh
- endif
- 
- dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh
-@@ -605,6 +611,7 @@
- endif
- 
- TEST_EXTENSIONS = .sh
-+SH_LOG_COMPILER = $(SHELL)
- LOG_COMPILER = $(VALGRIND)
- 
- distclean-local:
-diff -ruN gnutls-3.7.2/tests/Makefile.in gnutls-3.7.2-bootstrapped/tests/Makefile.in
---- gnutls-3.7.2/tests/Makefile.in	2021-05-29 10:11:25.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/tests/Makefile.in	2021-06-28 09:11:42.000000000 +0200
-@@ -191,11 +191,20 @@
- @WINDOWS_FALSE@	gnutls-cli-resume.sh profile-tests.sh \
- @WINDOWS_FALSE@	server-weak-keys.sh
- @WINDOWS_FALSE@am__append_17 = dtls-stress
--@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh system-override-hash.sh \
--@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-versions.sh system-override-invalid.sh \
--@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
--@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-kx.sh system-override-default-priority-string.sh
--
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-hash.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-versions.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-invalid.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-curves.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-profiles.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-tls.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-kx.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-default-priority-string.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-sig-tls.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-sig-allowlist.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-hash-allowlist.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-versions-allowlist.sh \
-+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@	system-override-curves-allowlist.sh
- @WINDOWS_FALSE@am__append_19 = gnutls-cli-self-signed.sh \
- @WINDOWS_FALSE@	gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \
- @WINDOWS_FALSE@	dh-fips-approved.sh
-@@ -662,8 +671,8 @@
- @ENABLE_PKCS11_TRUE@@HAVE_PKCS11_TRUST_STORE_TRUE@@P11KIT_0_23_11_API_TRUE@@WINDOWS_FALSE@	pkcs11/list-objects$(EXEEXT)
- @WINDOWS_FALSE@am__EXEEXT_18 = datefudge-check$(EXEEXT)
- am__EXEEXT_19 = system-override-hash$(EXEEXT) \
--	system-override-sig$(EXEEXT) $(am__EXEEXT_16) $(am__EXEEXT_17) \
--	$(am__EXEEXT_18)
-+	system-override-sig$(EXEEXT) system-override-sig-tls$(EXEEXT) \
-+	$(am__EXEEXT_16) $(am__EXEEXT_17) $(am__EXEEXT_18)
- PROGRAMS = $(noinst_PROGRAMS)
- LTLIBRARIES = $(noinst_LTLIBRARIES)
- @ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock1_la_DEPENDENCIES =  \
-@@ -2366,6 +2375,11 @@
- system_override_sig_LDADD = $(LDADD)
- system_override_sig_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \
- 	$(am__DEPENDENCIES_2)
-+system_override_sig_tls_SOURCES = system-override-sig-tls.c
-+system_override_sig_tls_OBJECTS = system-override-sig-tls.$(OBJEXT)
-+system_override_sig_tls_LDADD = $(LDADD)
-+system_override_sig_tls_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \
-+	libutils.la $(am__DEPENDENCIES_2)
- system_prio_file_SOURCES = system-prio-file.c
- system_prio_file_OBJECTS = system-prio-file.$(OBJEXT)
- system_prio_file_LDADD = $(LDADD)
-@@ -2997,10 +3011,13 @@
- 	system-override-profiles.sh system-override-tls.sh \
- 	system-override-kx.sh \
- 	system-override-default-priority-string.sh \
--	gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \
--	gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \
--	testpkcs11.sh certtool-pkcs11.sh p11-kit-load.sh danetool.sh \
--	tpmtool_test.sh
-+	system-override-sig-tls.sh system-override-sig-allowlist.sh \
-+	system-override-hash-allowlist.sh \
-+	system-override-versions-allowlist.sh \
-+	system-override-curves-allowlist.sh gnutls-cli-self-signed.sh \
-+	gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \
-+	dh-fips-approved.sh p11-kit-trust.sh testpkcs11.sh \
-+	certtool-pkcs11.sh p11-kit-load.sh danetool.sh tpmtool_test.sh
- AM_V_P = $(am__v_P_@AM_V@)
- am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
- am__v_P_0 = false
-@@ -3216,6 +3233,7 @@
- 	./$(DEPDIR)/status-request.Po ./$(DEPDIR)/str-idna.Po \
- 	./$(DEPDIR)/str-unicode.Po ./$(DEPDIR)/strict-der.Po \
- 	./$(DEPDIR)/system-override-hash.Po \
-+	./$(DEPDIR)/system-override-sig-tls.Po \
- 	./$(DEPDIR)/system-override-sig.Po \
- 	./$(DEPDIR)/system-prio-file.Po ./$(DEPDIR)/time.Po \
- 	./$(DEPDIR)/tls-channel-binding.Po \
-@@ -3522,16 +3540,16 @@
- 	ssl30-server-kx-neg.c status-request.c status-request-ext.c \
- 	status-request-ok.c status-request-revoked.c str-idna.c \
- 	str-unicode.c strict-der.c system-override-hash.c \
--	system-override-sig.c system-prio-file.c time.c \
--	tls-channel-binding.c tls-client-with-seccomp.c \
--	tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \
--	tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \
--	tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \
--	tls-record-size-limit-asym.c tls-session-ext-override.c \
--	tls-session-ext-register.c tls-session-supplemental.c \
--	tls-supplemental.c tls-with-seccomp.c \
--	$(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \
--	tls10-prf.c tls10-server-kx-neg.c \
-+	system-override-sig.c system-override-sig-tls.c \
-+	system-prio-file.c time.c tls-channel-binding.c \
-+	tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \
-+	tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \
-+	tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \
-+	tls-record-size-limit.c tls-record-size-limit-asym.c \
-+	tls-session-ext-override.c tls-session-ext-register.c \
-+	tls-session-supplemental.c tls-supplemental.c \
-+	tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \
-+	tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \
- 	$(tls11_cert_key_exchange_SOURCES) \
- 	$(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \
- 	$(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \
-@@ -3707,16 +3725,16 @@
- 	ssl30-server-kx-neg.c status-request.c status-request-ext.c \
- 	status-request-ok.c status-request-revoked.c str-idna.c \
- 	str-unicode.c strict-der.c system-override-hash.c \
--	system-override-sig.c system-prio-file.c time.c \
--	tls-channel-binding.c tls-client-with-seccomp.c \
--	tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \
--	tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \
--	tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \
--	tls-record-size-limit-asym.c tls-session-ext-override.c \
--	tls-session-ext-register.c tls-session-supplemental.c \
--	tls-supplemental.c tls-with-seccomp.c \
--	$(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \
--	tls10-prf.c tls10-server-kx-neg.c \
-+	system-override-sig.c system-override-sig-tls.c \
-+	system-prio-file.c time.c tls-channel-binding.c \
-+	tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \
-+	tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \
-+	tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \
-+	tls-record-size-limit.c tls-record-size-limit-asym.c \
-+	tls-session-ext-override.c tls-session-ext-register.c \
-+	tls-session-supplemental.c tls-supplemental.c \
-+	tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \
-+	tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \
- 	$(tls11_cert_key_exchange_SOURCES) \
- 	$(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \
- 	$(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \
-@@ -5822,7 +5840,8 @@
- libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c
- libutils_la_LIBADD = ../lib/libgnutls.la
- indirect_tests = system-override-hash system-override-sig \
--	$(am__append_17) $(am__append_22) $(am__append_28)
-+	system-override-sig-tls $(am__append_17) $(am__append_22) \
-+	$(am__append_28)
- ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
- 	tls13/post-handshake-with-cert \
- 	tls13/post-handshake-without-cert tls13/cookie tls13/key_share \
-@@ -6115,6 +6134,7 @@
- @ENABLE_CXX_TRUE@@HAVE_CMOCKA_TRUE@	-I$(top_builddir)/gl
- 
- TEST_EXTENSIONS = .sh
-+SH_LOG_COMPILER = $(SHELL)
- LOG_COMPILER = $(VALGRIND)
- all: all-recursive
- 
-@@ -7590,6 +7610,10 @@
- 	@rm -f system-override-sig$(EXEEXT)
- 	$(AM_V_CCLD)$(LINK) $(system_override_sig_OBJECTS) $(system_override_sig_LDADD) $(LIBS)
- 
-+system-override-sig-tls$(EXEEXT): $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_DEPENDENCIES) $(EXTRA_system_override_sig_tls_DEPENDENCIES) 
-+	@rm -f system-override-sig-tls$(EXEEXT)
-+	$(AM_V_CCLD)$(LINK) $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_LDADD) $(LIBS)
-+
- system-prio-file$(EXEEXT): $(system_prio_file_OBJECTS) $(system_prio_file_DEPENDENCIES) $(EXTRA_system_prio_file_DEPENDENCIES) 
- 	@rm -f system-prio-file$(EXEEXT)
- 	$(AM_V_CCLD)$(LINK) $(system_prio_file_OBJECTS) $(system_prio_file_LDADD) $(LIBS)
-@@ -8396,6 +8420,7 @@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str-unicode.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strict-der.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-hash.Po@am__quote@ # am--include-marker
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig-tls.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-prio-file.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/time.Po@am__quote@ # am--include-marker
-@@ -12588,6 +12613,7 @@
- 	-rm -f ./$(DEPDIR)/str-unicode.Po
- 	-rm -f ./$(DEPDIR)/strict-der.Po
- 	-rm -f ./$(DEPDIR)/system-override-hash.Po
-+	-rm -f ./$(DEPDIR)/system-override-sig-tls.Po
- 	-rm -f ./$(DEPDIR)/system-override-sig.Po
- 	-rm -f ./$(DEPDIR)/system-prio-file.Po
- 	-rm -f ./$(DEPDIR)/time.Po
-@@ -13075,6 +13101,7 @@
- 	-rm -f ./$(DEPDIR)/str-unicode.Po
- 	-rm -f ./$(DEPDIR)/strict-der.Po
- 	-rm -f ./$(DEPDIR)/system-override-hash.Po
-+	-rm -f ./$(DEPDIR)/system-override-sig-tls.Po
- 	-rm -f ./$(DEPDIR)/system-override-sig.Po
- 	-rm -f ./$(DEPDIR)/system-prio-file.Po
- 	-rm -f ./$(DEPDIR)/time.Po
-diff -ruN gnutls-3.7.2/tests/suite/Makefile.am gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am
---- gnutls-3.7.2/tests/suite/Makefile.am	2021-05-27 08:08:22.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am	2021-06-28 09:09:42.000000000 +0200
-@@ -115,4 +115,5 @@
- prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
- 
- TEST_EXTENSIONS = .sh
-+SH_LOG_COMPILER = $(SHELL)
- LOG_COMPILER = $(VALGRIND)
-diff -ruN gnutls-3.7.2/tests/suite/Makefile.in gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in
---- gnutls-3.7.2/tests/suite/Makefile.in	2021-05-29 10:11:26.000000000 +0200
-+++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in	2021-06-28 09:11:43.000000000 +0200
-@@ -2351,6 +2351,7 @@
- nodist_check_SCRIPTS = $(scripts_to_test)
- prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
- TEST_EXTENSIONS = .sh
-+SH_LOG_COMPILER = $(SHELL)
- LOG_COMPILER = $(VALGRIND)
- all: all-am
- 
-diff -ruN gnutls-3.7.2/tests/system-override-curves-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh
---- gnutls-3.7.2/tests/system-override-curves-allowlist.sh	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh	2021-06-28 09:09:14.000000000 +0200
-@@ -0,0 +1,113 @@
-+#!/bin/sh
-+
-+# Copyright (C) 2019 Red Hat, Inc.
-+#
-+# Author: Nikos Mavrogiannopoulos
-+#
-+# This file is part of GnuTLS.
-+#
-+# GnuTLS is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 3 of the License, or (at
-+# your option) any later version.
-+#
-+# GnuTLS is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+# General Public License for more details.
-+#
-+# You should have received a copy of the GNU Lesser General Public License
-+# along with this program.  If not, see <https://www.gnu.org/licenses/>
-+
-+: ${srcdir=.}
-+: ${SERV=../src/gnutls-serv${EXEEXT}}
-+: ${CLI=../src/gnutls-cli${EXEEXT}}
-+TMPFILE=config.$$.tmp
-+TMPFILE2=log.$$.tmp
-+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
-+
-+if ! test -x "${SERV}"; then
-+	exit 77
-+fi
-+
-+if ! test -x "${CLI}"; then
-+	exit 77
-+fi
-+
-+if test "${WINDIR}" != ""; then
-+	exit 77
-+fi
-+
-+. "${srcdir}/scripts/common.sh"
-+
-+# This test doesn't work in FIPS mode
-+if test -n "${GNUTLS_FORCE_FIPS_MODE}" && test "${GNUTLS_FORCE_FIPS_MODE}" != 0; then
-+	exit 77
-+fi
-+
-+# We intentionally add stray spaces and tabs to check our parser
-+cat <<_EOF_ > ${TMPFILE}
-+[global]
-+override-mode = allowlist
-+
-+[overrides]
-+enabled-curve = secp384r1
-+_EOF_
-+
-+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-+export GNUTLS_DEBUG_LEVEL=3
-+
-+"${CLI}" --list|grep ^Groups >${TMPFILE2}
-+cat ${TMPFILE2}
-+if grep -i "SECP256R1" ${TMPFILE2} || grep -i "SECP521R1" ${TMPFILE2};then
-+	echo "Found disabled curve with --list"
-+	exit 1
-+fi
-+
-+if ! grep -i "SECP384R1" ${TMPFILE2};then
-+	echo "Could not found secp384r1"
-+	exit 1
-+fi
-+
-+# Try whether a client connection with a disabled curve will succeed.
-+
-+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
-+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
-+
-+unset GNUTLS_SYSTEM_PRIORITY_FILE
-+
-+eval "${GETPORT}"
-+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
-+PID=$!
-+wait_server ${PID}
-+
-+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
-+	fail "expected connection to succeed (1)"
-+
-+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-+
-+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
-+	fail "expected connection to fail (2)"
-+
-+kill ${PID}
-+wait
-+
-+# Try whether a server connection with a disabled curve will succeed.
-+
-+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
-+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
-+
-+eval "${GETPORT}"
-+launch_server --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1}
-+PID=$!
-+wait_server ${PID}
-+
-+unset GNUTLS_SYSTEM_PRIORITY_FILE
-+
-+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
-+	fail "expected connection to fail (2)"
-+
-+kill ${PID}
-+wait
-+
-+exit 0
-diff -ruN gnutls-3.7.2/tests/system-override-hash-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh
---- gnutls-3.7.2/tests/system-override-hash-allowlist.sh	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh	2021-06-28 09:09:14.000000000 +0200
-@@ -0,0 +1,41 @@
-+#!/bin/sh
-+
-+# Copyright (C) 2019 Nikos Mavrogiannopoulos
-+#
-+# Author: Nikos Mavrogiannopoulos
-+#
-+# This file is part of GnuTLS.
-+#
-+# GnuTLS is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 3 of the License, or (at
-+# your option) any later version.
-+#
-+# GnuTLS is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+# General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with GnuTLS; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-+
-+: ${builddir=.}
-+TMPFILE=c.$$.tmp
-+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
-+
-+cat <<_EOF_ > ${TMPFILE}
-+[global]
-+override-mode = allowlist
-+
-+[overrides]
-+secure-hash = sha384
-+secure-sig = rsa-pss-sha384
-+_EOF_
-+
-+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-+
-+"${builddir}/system-override-hash"
-+rc=$?
-+rm ${TMPFILE}
-+exit $rc
-diff -ruN gnutls-3.7.2/tests/system-override-sig-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh
---- gnutls-3.7.2/tests/system-override-sig-allowlist.sh	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh	2021-06-28 09:09:14.000000000 +0200
-@@ -0,0 +1,43 @@
-+#!/bin/sh
-+
-+# Copyright (C) 2019 Nikos Mavrogiannopoulos
-+#
-+# Author: Nikos Mavrogiannopoulos
-+#
-+# This file is part of GnuTLS.
-+#
-+# GnuTLS is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 3 of the License, or (at
-+# your option) any later version.
-+#
-+# GnuTLS is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+# General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with GnuTLS; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-+
-+: ${builddir=.}
-+TMPFILE=c.$$.tmp
-+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
-+
-+cat <<_EOF_ > ${TMPFILE}
-+[global]
-+override-mode = allowlist
-+
-+[overrides]
-+secure-hash = sha256
-+secure-sig = rsa-sha256
-+secure-hash = sha384
-+secure-sig = rsa-pss-sha384
-+_EOF_
-+
-+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-+
-+"${builddir}/system-override-sig"
-+rc=$?
-+rm ${TMPFILE}
-+exit $rc
-diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.c gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c
---- gnutls-3.7.2/tests/system-override-sig-tls.c	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c	2021-06-25 17:46:13.000000000 +0200
-@@ -0,0 +1,200 @@
-+/*
-+ * Copyright (C) 2015-2021 Red Hat, Inc.
-+ *
-+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * GnuTLS is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GnuTLS is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with GnuTLS; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
-+#include <assert.h>
-+#include <stdbool.h>
-+#include <stdint.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <gnutls/gnutls.h>
-+#include "utils.h"
-+
-+#define SKIP16(pos, total) { \
-+	uint16_t _s; \
-+	if (pos+2 > total) fail("error\n"); \
-+	_s = (msg->data[pos] << 8) | msg->data[pos+1]; \
-+	if ((size_t)(pos+2+_s) > total) fail("error\n"); \
-+	pos += 2+_s; \
-+	}
-+
-+#define SKIP8(pos, total) { \
-+	uint8_t _s; \
-+	if (pos+1 > total) fail("error\n"); \
-+	_s = msg->data[pos]; \
-+	if ((size_t)(pos+1+_s) > total) fail("error\n"); \
-+	pos += 1+_s; \
-+	}
-+
-+#define HANDSHAKE_SESSION_ID_POS 34
-+
-+#include "eagain-common.h"
-+#include "cert-common.h"
-+
-+/* This tests whether the client omits signature algorithms marked as insecure,
-+ * from the signature_algorithms extension.
-+ */
-+
-+const char *side;
-+
-+static void tls_log_func(int level, const char *str)
-+{
-+	fprintf(stderr, "%s|<%d>| %s", side, level, str);
-+}
-+
-+#define PRIO "NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:" \
-+	"+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384"
-+/* rsa_pss_rsae_sha384 */
-+#define SIGALGS_EXP "\x00\x02\x08\x05"
-+
-+static int
-+ext_callback(void *ctx, unsigned tls_id,
-+	     const unsigned char *data, unsigned size)
-+{
-+	if (tls_id == 13) {	/* signature algorithms */
-+		if (size != sizeof(SIGALGS_EXP) - 1) {
-+			fail("invalid signature_algorithms length: %u != 4\n",
-+			     size);
-+		}
-+		if (memcmp(data, SIGALGS_EXP, sizeof(SIGALGS_EXP) - 1) != 0) {
-+			fail("invalid signature_algorithms\n");
-+		}
-+	}
-+	return 0;
-+}
-+
-+static int
-+handshake_callback(gnutls_session_t session, unsigned int htype,
-+		   unsigned post, unsigned int incoming,
-+		   const gnutls_datum_t *msg)
-+{
-+	assert(post);
-+
-+	if (!incoming && htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
-+		int ret;
-+		unsigned pos;
-+		gnutls_datum_t mmsg;
-+
-+		assert(msg->size >= HANDSHAKE_SESSION_ID_POS);
-+		pos = HANDSHAKE_SESSION_ID_POS;
-+		SKIP8(pos, msg->size);
-+		SKIP16(pos, msg->size);
-+		SKIP8(pos, msg->size);
-+
-+		mmsg.data = &msg->data[pos];
-+		mmsg.size = msg->size - pos;
-+		ret = gnutls_ext_raw_parse(NULL, ext_callback, &mmsg, 0);
-+		assert(ret >= 0);
-+	}
-+	return 0;
-+}
-+
-+void doit(void)
-+{
-+	int ret;
-+	/* Server stuff. */
-+	gnutls_certificate_credentials_t serverx509cred;
-+	gnutls_session_t server;
-+	int sret = GNUTLS_E_AGAIN;
-+	/* Client stuff. */
-+	gnutls_certificate_credentials_t clientx509cred;
-+	gnutls_session_t client;
-+	int cret = GNUTLS_E_AGAIN;
-+
-+	global_init();
-+
-+	/* General init. */
-+	gnutls_global_set_log_function(tls_log_func);
-+	if (debug)
-+		gnutls_global_set_log_level(6);
-+
-+	/* Init server */
-+	gnutls_certificate_allocate_credentials(&serverx509cred);
-+	gnutls_certificate_set_x509_key_mem(serverx509cred,
-+					    &server2_cert, &server2_key,
-+					    GNUTLS_X509_FMT_PEM);
-+
-+	gnutls_init(&server, GNUTLS_SERVER);
-+	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
-+				serverx509cred);
-+
-+	gnutls_priority_set_direct(server, PRIO, NULL);
-+
-+	gnutls_transport_set_push_function(server, server_push);
-+	gnutls_transport_set_pull_function(server, server_pull);
-+	gnutls_transport_set_pull_timeout_function(server,
-+						   server_pull_timeout_func);
-+	gnutls_transport_set_ptr(server, server);
-+
-+	/* Init client */
-+	ret = gnutls_certificate_allocate_credentials(&clientx509cred);
-+	if (ret < 0)
-+		exit(1);
-+
-+	ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca2_cert, GNUTLS_X509_FMT_PEM);
-+	if (ret < 0)
-+		exit(1);
-+
-+	ret = gnutls_init(&client, GNUTLS_CLIENT);
-+	if (ret < 0)
-+		exit(1);
-+
-+	ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
-+				clientx509cred);
-+	if (ret < 0)
-+		exit(1);
-+
-+	ret = gnutls_priority_set_direct(client, PRIO, NULL);
-+	if (ret < 0)
-+		exit(1);
-+
-+	gnutls_transport_set_push_function(client, client_push);
-+	gnutls_transport_set_pull_function(client, client_pull);
-+	gnutls_transport_set_pull_timeout_function(client,
-+						   client_pull_timeout_func);
-+	gnutls_transport_set_ptr(client, client);
-+
-+	gnutls_handshake_set_hook_function(client,
-+					   GNUTLS_HANDSHAKE_ANY,
-+					   GNUTLS_HOOK_POST,
-+					   handshake_callback);
-+
-+	HANDSHAKE(client, server);
-+
-+	gnutls_bye(client, GNUTLS_SHUT_RDWR);
-+	gnutls_bye(server, GNUTLS_SHUT_RDWR);
-+
-+	gnutls_deinit(client);
-+	gnutls_deinit(server);
-+
-+	gnutls_certificate_free_credentials(serverx509cred);
-+	gnutls_certificate_free_credentials(clientx509cred);
-+
-+	gnutls_global_deinit();
-+
-+	reset_buffers();
-+}
-diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh
---- gnutls-3.7.2/tests/system-override-sig-tls.sh	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh	2021-06-25 17:46:13.000000000 +0200
-@@ -0,0 +1,39 @@
-+#!/bin/sh
-+
-+# Copyright (C) 2019 Nikos Mavrogiannopoulos
-+# Copyright (C) 2021 Red Hat, Inc.
-+#
-+# Author: Nikos Mavrogiannopoulos, Daiki Ueno
-+#
-+# This file is part of GnuTLS.
-+#
-+# GnuTLS is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 3 of the License, or (at
-+# your option) any later version.
-+#
-+# GnuTLS is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+# General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with GnuTLS; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-+
-+: ${builddir=.}
-+TMPFILE=c.$$.tmp
-+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
-+
-+cat <<_EOF_ > ${TMPFILE}
-+[overrides]
-+
-+insecure-sig = rsa-pss-rsae-sha256
-+_EOF_
-+
-+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-+
-+"${builddir}/system-override-sig-tls"
-+rc=$?
-+rm ${TMPFILE}
-+exit $rc
-diff -ruN gnutls-3.7.2/tests/system-override-versions-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh
---- gnutls-3.7.2/tests/system-override-versions-allowlist.sh	1970-01-01 01:00:00.000000000 +0100
-+++ gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh	2021-06-28 09:09:14.000000000 +0200
-@@ -0,0 +1,109 @@
-+#!/bin/sh
-+
-+# Copyright (C) 2019 Red Hat, Inc.
-+#
-+# Author: Nikos Mavrogiannopoulos
-+#
-+# This file is part of GnuTLS.
-+#
-+# GnuTLS is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 3 of the License, or (at
-+# your option) any later version.
-+#
-+# GnuTLS is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+# General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with GnuTLS; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-+
-+: ${srcdir=.}
-+: ${SERV=../src/gnutls-serv${EXEEXT}}
-+: ${CLI=../src/gnutls-cli${EXEEXT}}
-+TMPFILE=config.$$.tmp
-+TMPFILE2=log.$$.tmp
-+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
-+
-+if ! test -x "${SERV}"; then
-+	exit 77
-+fi
-+
-+if ! test -x "${CLI}"; then
-+	exit 77
-+fi
-+
-+if test "${WINDIR}" != ""; then
-+	exit 77
-+fi
-+
-+. "${srcdir}/scripts/common.sh"
-+
-+cat <<_EOF_ > ${TMPFILE}
-+[global]
-+override-mode = allowlist
-+
-+[overrides]
-+enabled-version = tls1.1
-+_EOF_
-+
-+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-+export GNUTLS_DEBUG_LEVEL=3
-+
-+"${CLI}" --list|grep Protocols >${TMPFILE2}
-+cat ${TMPFILE2}
-+if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
-+	echo "Found disabled protocol with --list"
-+	exit 1
-+fi
-+
-+PRIO=@SYSTEM:+CIPHER-ALL:+MAC-ALL:+GROUP-ALL
-+
-+"${CLI}" --priority "$PRIO" --list|grep Protocols >${TMPFILE2}
-+cat ${TMPFILE2}
-+if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
-+	echo "Found disabled protocol with --list --priority $PRIO"
-+	exit 1
-+fi
-+
-+# Try whether a client connection with these protocols will succeed.
-+
-+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
-+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
-+
-+unset GNUTLS_SYSTEM_PRIORITY_FILE
-+
-+eval "${GETPORT}"
-+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
-+PID=$!
-+wait_server ${PID}
-+
-+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-+
-+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "$PRIO" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
-+	fail "expected connection to fail (1)"
-+
-+kill ${PID}
-+wait
-+
-+# Try whether a server connection with these protocols will succeed.
-+
-+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
-+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
-+
-+eval "${GETPORT}"
-+launch_server --echo --priority "$PRIO" --x509keyfile ${KEY1} --x509certfile ${CERT1}
-+PID=$!
-+wait_server ${PID}
-+
-+unset GNUTLS_SYSTEM_PRIORITY_FILE
-+
-+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
-+	fail "expected connection to fail (2)"
-+
-+kill ${PID}
-+wait
-+
-+exit 0
diff --git a/SOURCES/gnutls-3.7.2-key-share-ecdhx.patch b/SOURCES/gnutls-3.7.2-key-share-ecdhx.patch
deleted file mode 100644
index 21a69a5..0000000
--- a/SOURCES/gnutls-3.7.2-key-share-ecdhx.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From c9e072236c4e1c290f38aee819ecaff8398e2a16 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Fri, 25 Jun 2021 08:39:12 +0200
-Subject: [PATCH] key_share: treat X25519 and X448 as same PK type when
- advertising
-
-Previously, if both X25519 and X448 groups were enabled in the
-priority string, the client sent both algorithms in a key_share
-extension, while it was only capable of handling one algorithm from
-the same (Edwards curve) category.  This adds an extra check so the
-client should send either X25519 or X448.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/ext/key_share.c     | 24 +++++++++++++++++++++---
- tests/tls13/key_share.c |  3 +++
- 2 files changed, 24 insertions(+), 3 deletions(-)
-
-diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
-index a8c4bb5cf..a4db3af95 100644
---- a/lib/ext/key_share.c
-+++ b/lib/ext/key_share.c
-@@ -656,6 +656,18 @@ key_share_recv_params(gnutls_session_t session,
- 	return 0;
- }
- 
-+static inline bool
-+pk_type_is_ecdhx(gnutls_pk_algorithm_t pk)
-+{
-+	return pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448;
-+}
-+
-+static inline bool
-+pk_type_equal(gnutls_pk_algorithm_t a, gnutls_pk_algorithm_t b)
-+{
-+	return a == b || (pk_type_is_ecdhx(a) && pk_type_is_ecdhx(b));
-+}
-+
- /* returns data_size or a negative number on failure
-  */
- static int
-@@ -710,12 +722,18 @@ key_share_send_params(gnutls_session_t session,
- 			/* generate key shares for out top-(max_groups) groups
- 			 * if they are of different PK type. */
- 			for (i = 0; i < session->internals.priorities->groups.size; i++) {
-+				unsigned int j;
-+
- 				group = session->internals.priorities->groups.entry[i];
- 
--				if (generated == 1 && group->pk == selected_groups[0])
--					continue;
--				else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0]))
-+				for (j = 0; j < generated; j++) {
-+					if (pk_type_equal(group->pk, selected_groups[j])) {
-+						break;
-+					}
-+				}
-+				if (j < generated) {
- 					continue;
-+				}
- 
- 				selected_groups[generated] = group->pk;
- 
-diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c
-index 7f8f6295c..816a7d9b5 100644
---- a/tests/tls13/key_share.c
-+++ b/tests/tls13/key_share.c
-@@ -124,6 +124,7 @@ unsigned int tls_id_to_group[] = {
- 	[23] = GNUTLS_GROUP_SECP256R1,
- 	[24] = GNUTLS_GROUP_SECP384R1,
- 	[29] = GNUTLS_GROUP_X25519,
-+	[30] = GNUTLS_GROUP_X448,
- 	[0x100] = GNUTLS_GROUP_FFDHE2048,
- 	[0x101] = GNUTLS_GROUP_FFDHE3072
- };
-@@ -315,11 +316,13 @@ void doit(void)
- 	start("two groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
- 	start("two groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
- 	start("two groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2);
-+	start("two groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X448, 2);
- 	start("two groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_FFDHE2048, 2);
- 
- 	start("three groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
- 	start("three groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
- 	start("three groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X25519, 3);
-+	start("three groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X448, 3);
- 	start("three groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_FFDHE2048, 3);
- 
- 	/* test default behavior */
--- 
-2.31.1
-
diff --git a/SOURCES/gnutls-3.7.2-libopts-covscan.patch b/SOURCES/gnutls-3.7.2-libopts-covscan.patch
deleted file mode 100644
index a85738f..0000000
--- a/SOURCES/gnutls-3.7.2-libopts-covscan.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From de11338de900f5c8840268264bceccbf76cca34f Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Thu, 21 Oct 2021 12:19:30 +0200
-Subject: [PATCH 1/2] autoopts: makeshell: use ferror before fclose
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- src/libopts/makeshell.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/libopts/makeshell.c b/src/libopts/makeshell.c
-index b6cb441a..7eb17a1f 100644
---- a/src/libopts/makeshell.c
-+++ b/src/libopts/makeshell.c
-@@ -164,9 +164,8 @@ optionParseShell(tOptions * opts)
- #ifdef HAVE_FCHMOD
-     fchmod(STDOUT_FILENO, 0755);
- #endif
--    fclose(stdout);
- 
--    if (ferror(stdout))
-+    if (ferror(stdout) || fclose(stdout))
-         fserr_exit(opts->pzProgName, zwriting, zstdout_name);
- 
-     AGFREE(script_text);
--- 
-2.31.1
-
-
-From 161097d36b608b615482e42e56a465c9fd740c26 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Thu, 21 Oct 2021 12:43:07 +0200
-Subject: [PATCH 2/2] autoopts: load: fix resource leak in error path
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- src/libopts/load.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/src/libopts/load.c b/src/libopts/load.c
-index 3f1ce2e6..ad1c4584 100644
---- a/src/libopts/load.c
-+++ b/src/libopts/load.c
-@@ -219,8 +219,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
-      *  IF we cannot find a directory name separator,
-      *  THEN we do not have a path name to our executable file.
-      */
--    if (pz == NULL)
-+    if (pz == NULL) {
-+        if (path != prg_path)
-+            AGFREE(path);
-         return false;
-+    }
- 
-     fname    += skip;
-     fname_len = strlen(fname) + 1; // + NUL byte
-@@ -230,8 +233,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
-      *  Concatenate the file name to the end of the executable path.
-      *  The result may be either a file or a directory.
-      */
--    if (dir_len + fname_len > (unsigned)b_sz)
-+    if (dir_len + fname_len > (unsigned)b_sz) {
-+        if (path != prg_path)
-+            AGFREE(path);
-         return false;
-+    }
- 
-     memcpy(buf, path, dir_len);
-     memcpy(buf + dir_len, fname, fname_len);
--- 
-2.31.1
-
diff --git a/SOURCES/gnutls-3.7.2-no-explicit-init.patch b/SOURCES/gnutls-3.7.2-no-explicit-init.patch
new file mode 100644
index 0000000..6424174
--- /dev/null
+++ b/SOURCES/gnutls-3.7.2-no-explicit-init.patch
@@ -0,0 +1,32 @@
+From 36a92d984020df16296784a7ad613c9693469d23 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Tue, 21 Dec 2021 16:28:09 +0100
+Subject: [PATCH 1/2] Remove GNUTLS_NO_EXPLICIT_INIT compatibility
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ lib/global.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/lib/global.c b/lib/global.c
+index 3731418..1384045 100644
+--- a/lib/global.c
++++ b/lib/global.c
+@@ -500,14 +500,6 @@ static void _CONSTRUCTOR lib_init(void)
+ 			return;
+ 	}
+ 
+-	e = secure_getenv("GNUTLS_NO_EXPLICIT_INIT");
+-	if (e != NULL) {
+-		_gnutls_debug_log("GNUTLS_NO_EXPLICIT_INIT is deprecated; use GNUTLS_NO_IMPLICIT_INIT\n");
+-		ret = atoi(e);
+-		if (ret == 1)
+-			return;
+-	}
+-
+ 	ret = _gnutls_global_init(1);
+ 	if (ret < 0) {
+ 		fprintf(stderr, "Error in GnuTLS initialization: %s\n", gnutls_strerror(ret));
+-- 
+2.31.1
+
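Review bot: The header of this downstream patch gives no reason for the change and no traceable origin. The author and sign-off are the placeholder `rpm-build <rpm-build>`, the subject says `PATCH 1/2` although the file carries a single patch, and the file name still says 3.7.2 while the tarball moves to 3.7.3. The hunk in `lib_init` removes the `GNUTLS_NO_EXPLICIT_INIT` check, so a process that still exports that variable as `1` no longer returns before `_gnutls_global_init(1)`. Judging by the removed log message the supported variable is `GNUTLS_NO_IMPLICIT_INIT`, whose handling is outside the hunk. I would add a body to the patch description that states why the compatibility variable is dropped downstream, with the real author and a reference such as `Resolves: <tracking-bug-id>`, so the patch can be audited later.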
diff --git a/SOURCES/gnutls-3.7.2.tar.xz.sig b/SOURCES/gnutls-3.7.2.tar.xz.sig
deleted file mode 100644
index 43636ed..0000000
Binary files a/SOURCES/gnutls-3.7.2.tar.xz.sig and /dev/null differ
diff --git a/SOURCES/gnutls-3.7.3-disable-config-reload.patch b/SOURCES/gnutls-3.7.3-disable-config-reload.patch
new file mode 100644
index 0000000..2fc5c35
--- /dev/null
+++ b/SOURCES/gnutls-3.7.3-disable-config-reload.patch
@@ -0,0 +1,19 @@
+diff --color -ru a/lib/priority.c b/lib/priority.c
+--- a/lib/priority.c	2022-01-14 07:53:21.000000000 +0100
++++ b/lib/priority.c	2022-02-15 09:31:36.388485784 +0100
+@@ -2030,15 +2030,6 @@
+ 		additional++;
+ 	}
+ 
+-	/* Always try to refresh the cached data, to allow it to be
+-	 * updated without restarting all applications.
+-	 */
+-	ret = _gnutls_update_system_priorities();
+-	if (ret < 0) {
+-		_gnutls_debug_log("failed to update system priorities: %s\n",
+-				  gnutls_strerror(ret));
+-	}
+-
+ 	do {
+ 		ss_next = strchr(ss, ',');
+ 		if (ss_next) {
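Review bot: This patch has no header or description, and the behaviour it removes is security-relevant. Without the `_gnutls_update_system_priorities()` call at this point in `lib/priority.c`, an edit to the system priority file is no longer picked up when a priority string is resolved. If nothing outside the hunk reloads the file, long-running processes keep the policy they loaded at start, so tightening the policy (for example disabling an algorithm) takes effect only after those services are restarted. I would add a description to the patch saying that and why, e.g. `Do not reload the system priority file on every priority resolution; configuration changes require restarting the application`, and repeat it in the package changelog. The enclosing function starts and ends outside the hunk, so whether `ret` is still used afterwards cannot be checked here.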
diff --git a/SOURCES/gnutls-3.7.3-fips-pkcs12.patch b/SOURCES/gnutls-3.7.3-fips-pkcs12.patch
new file mode 100644
index 0000000..45a8194
--- /dev/null
+++ b/SOURCES/gnutls-3.7.3-fips-pkcs12.patch
@@ -0,0 +1,471 @@
+From 7d8d8feb502ddb20a0d115fa3f63403c849a7168 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 10 Feb 2022 16:43:08 +0100
+Subject: [PATCH 1/2] pkcs12: mark MAC generation and verification as FIPS
+ non-approved
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/x509/pkcs12.c     | 39 +++++++++++++++++++++++++---
+ tests/pkcs12_encode.c | 59 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 94 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
+index a8f7d8f956..11b9da3ac9 100644
+--- a/lib/x509/pkcs12.c
++++ b/lib/x509/pkcs12.c
+@@ -286,13 +286,26 @@ gnutls_pkcs12_export(gnutls_pkcs12_t pkcs12,
+ 		     gnutls_x509_crt_fmt_t format, void *output_data,
+ 		     size_t * output_data_size)
+ {
++	int ret;
++
+ 	if (pkcs12 == NULL) {
+ 		gnutls_assert();
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 	}
+ 
+-	return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
+-				       output_data, output_data_size);
++	ret = _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
++				      output_data, output_data_size);
++
++	if (ret < 0) {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++	} else {
++		/* PKCS#12 export is always non-approved, because the MAC
++		 * calculation involves non-approved KDF (PKCS#12 KDF) and
++		 * without MAC the protection is insufficient.
++		 */
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
++	}
++	return ret;
+ }
+ 
+ /**
+@@ -317,13 +330,25 @@ int
+ gnutls_pkcs12_export2(gnutls_pkcs12_t pkcs12,
+ 		      gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
+ {
++	int ret;
++
+ 	if (pkcs12 == NULL) {
+ 		gnutls_assert();
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 	}
+ 
+-	return _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
+-					out);
++	ret = _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
++				       out);
++	if (ret < 0) {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++	} else {
++		/* PKCS#12 export is always non-approved, because the MAC
++		 * calculation involves non-approved KDF (PKCS#12 KDF) and
++		 * without MAC the protection is insufficient.
++		 */
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
++	}
++	return ret;
+ }
+ 
+ static int oid2bag(const char *oid)
+@@ -1025,9 +1050,12 @@ int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t m
+ 		goto cleanup;
+ 	}
+ 
++	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
++	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+ 	return 0;
+ 
+       cleanup:
++	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ 	_gnutls_free_datum(&tmp);
+ 	return result;
+ }
+@@ -1203,8 +1231,11 @@ pkcs12_try_gost:
+ 		goto cleanup;
+ 	}
+ 
++	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
++	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+ 	result = 0;
+  cleanup:
++	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ 	_gnutls_free_datum(&tmp);
+ 	_gnutls_free_datum(&salt);
+ 	return result;
+diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
+index 3b0e84ef13..b8f7d17267 100644
+--- a/tests/pkcs12_encode.c
++++ b/tests/pkcs12_encode.c
+@@ -70,6 +70,29 @@ static void tls_log_func(int level, const char *str)
+ 	fprintf(stderr, "|<%d>| %s", level, str);
+ }
+ 
++#define FIPS_PUSH_CONTEXT() do {					\
++	if (gnutls_fips140_mode_enabled()) {				\
++		ret = gnutls_fips140_push_context(fips_context);	\
++		if (ret < 0) {						\
++			fail("gnutls_fips140_push_context failed\n");	\
++		}							\
++	}								\
++} while (0)
++
++#define FIPS_POP_CONTEXT(state) do {					\
++	if (gnutls_fips140_mode_enabled()) {				\
++		ret = gnutls_fips140_pop_context();			\
++		if (ret < 0) {						\
++			fail("gnutls_fips140_context_pop failed\n");	\
++		}							\
++		fips_state = gnutls_fips140_get_operation_state(fips_context); \
++		if (fips_state != GNUTLS_FIPS140_OP_ ## state) {	\
++			fail("operation state is not " # state " (%d)\n", \
++			     fips_state);				\
++		}							\
++	}								\
++} while (0)
++
+ void doit(void)
+ {
+ 	gnutls_pkcs12_t pkcs12;
+@@ -82,6 +105,8 @@ void doit(void)
+ 	char outbuf[10240];
+ 	size_t size;
+ 	unsigned tests, i;
++	gnutls_fips140_context_t fips_context;
++	gnutls_fips140_operation_state_t fips_state;
+ 
+ 	ret = global_init();
+ 	if (ret < 0) {
+@@ -93,6 +118,11 @@ void doit(void)
+ 	if (debug)
+ 		gnutls_global_set_log_level(4711);
+ 
++	ret = gnutls_fips140_context_init(&fips_context);
++	if (ret < 0) {
++		fail("Cannot initialize FIPS context\n");
++	}
++
+ 	/* Read certs. */
+ 	ret = gnutls_x509_crt_init(&client);
+ 	if (ret < 0) {
+@@ -196,6 +226,8 @@ void doit(void)
+ 		gnutls_pkcs12_bag_deinit(bag);
+ 	}
+ 
++	FIPS_PUSH_CONTEXT();
++
+ 	/* MAC the structure, export and print. */
+ 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA1, "pass");
+ 	if (ret < 0) {
+@@ -203,36 +235,60 @@ void doit(void)
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_verify_mac(pkcs12, "pass");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "verify_mac: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA256, "passwd");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	size = sizeof(outbuf);
+ 	ret =
+ 	    gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf,
+@@ -242,10 +298,13 @@ void doit(void)
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
+ 	if (debug)
+ 		fwrite(outbuf, size, 1, stdout);
+ 
+ 	/* Cleanup. */
++	gnutls_fips140_context_deinit(fips_context);
+ 	gnutls_pkcs12_deinit(pkcs12);
+ 	gnutls_x509_crt_deinit(client);
+ 	gnutls_x509_crt_deinit(ca);
+-- 
+2.34.1
+
+
+From e7f9267342bc2231149a640163c82b63c86f1dfd Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 10 Feb 2022 17:35:13 +0100
+Subject: [PATCH 2/2] _gnutls_pkcs_raw_{decrypt,encrypt}_data: use public
+ crypto API
+
+These functions previously used the internal crypto
+API (_gnutls_cipher_*) which does not have algorithm checks for FIPS.
+
+This change switches the code to use the public crypto
+API (gnutls_cipher_*) to trigger proper state transitions under FIPS
+mode.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/x509/pkcs7-crypt.c | 36 +++++++++++-----------------
+ tests/pkcs12_encode.c  | 54 +++++++++++++++++++++++++++---------------
+ 2 files changed, 49 insertions(+), 41 deletions(-)
+
+diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
+index 4cce52ecf0..2dc5bc4df0 100644
+--- a/lib/x509/pkcs7-crypt.c
++++ b/lib/x509/pkcs7-crypt.c
+@@ -1130,8 +1130,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 	gnutls_datum_t enc = { NULL, 0 };
+ 	uint8_t *key = NULL;
+ 	gnutls_datum_t dkey, d_iv;
+-	cipher_hd_st ch;
+-	int ch_init = 0;
++	gnutls_cipher_hd_t ch = NULL;
+ 	int key_size, ret;
+ 	unsigned int pass_len = 0;
+ 	const struct pkcs_cipher_schema_st *p;
+@@ -1237,8 +1236,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 	d_iv.data = (uint8_t *) enc_params->iv;
+ 	d_iv.size = enc_params->iv_size;
+ 
+-	ret =
+-	    _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0);
++	ret = gnutls_cipher_init(&ch, ce->id, &dkey, &d_iv);
+ 
+ 	gnutls_free(key);
+ 
+@@ -1247,9 +1245,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 		goto error;
+ 	}
+ 
+-	ch_init = 1;
+-
+-	ret = _gnutls_cipher_decrypt(&ch, enc.data, enc.size);
++	ret = gnutls_cipher_decrypt(ch, enc.data, enc.size);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+ 		ret = GNUTLS_E_DECRYPTION_FAILED;
+@@ -1281,7 +1277,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 		decrypted_data->size = enc.size;
+ 	}
+ 
+-	_gnutls_cipher_deinit(&ch);
++	gnutls_cipher_deinit(ch);
+ 
+ 	ret = 0;
+ 
+@@ -1294,8 +1290,9 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 	gnutls_free(password);
+ 	gnutls_free(enc.data);
+ 	gnutls_free(key);
+-	if (ch_init != 0)
+-		_gnutls_cipher_deinit(&ch);
++	if (ch) {
++		gnutls_cipher_deinit(ch);
++	}
+ 	return ret;
+ }
+ 
+@@ -1725,8 +1722,7 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
+ 	int data_size;
+ 	uint8_t *data = NULL;
+ 	gnutls_datum_t d_iv;
+-	cipher_hd_st ch;
+-	int ch_init = 0;
++	gnutls_cipher_hd_t ch = NULL;
+ 	uint8_t pad, pad_size;
+ 	const cipher_entry_st *ce;
+ 
+@@ -1756,18 +1752,13 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
+ 
+ 	d_iv.data = (uint8_t *) enc_params->iv;
+ 	d_iv.size = enc_params->iv_size;
+-	result =
+-	    _gnutls_cipher_init(&ch, cipher_to_entry(enc_params->cipher),
+-				key, &d_iv, 1);
+-
++	result = gnutls_cipher_init(&ch, enc_params->cipher, key, &d_iv);
+ 	if (result < 0) {
+ 		gnutls_assert();
+ 		goto error;
+ 	}
+ 
+-	ch_init = 1;
+-
+-	result = _gnutls_cipher_encrypt(&ch, data, data_size);
++	result = gnutls_cipher_encrypt(ch, data, data_size);
+ 	if (result < 0) {
+ 		gnutls_assert();
+ 		goto error;
+@@ -1776,13 +1767,14 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
+ 	encrypted->data = data;
+ 	encrypted->size = data_size;
+ 
+-	_gnutls_cipher_deinit(&ch);
++	gnutls_cipher_deinit(ch);
+ 
+ 	return 0;
+ 
+  error:
+ 	gnutls_free(data);
+-	if (ch_init != 0)
+-		_gnutls_cipher_deinit(&ch);
++	if (ch) {
++		gnutls_cipher_deinit(ch);
++	}
+ 	return result;
+ }
+diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
+index b8f7d17267..78f6f41b48 100644
+--- a/tests/pkcs12_encode.c
++++ b/tests/pkcs12_encode.c
+@@ -104,9 +104,17 @@ void doit(void)
+ 	int ret, indx;
+ 	char outbuf[10240];
+ 	size_t size;
+-	unsigned tests, i;
++	unsigned i;
+ 	gnutls_fips140_context_t fips_context;
+ 	gnutls_fips140_operation_state_t fips_state;
++	size_t n_tests = 0;
++	struct tests {
++		const char *name;
++		gnutls_x509_crt_t crt;
++		const char *friendly_name;
++		unsigned bag_encrypt_flags;
++		int bag_encrypt_expected;
++	} tests[2];
+ 
+ 	ret = global_init();
+ 	if (ret < 0) {
+@@ -157,21 +165,34 @@ void doit(void)
+ 		exit(1);
+ 	}
+ 
+-	/* Generate and add PKCS#12 cert bags. */
+-	if (!gnutls_fips140_mode_enabled()) {
+-		tests = 2; /* include RC2 */
++	tests[n_tests].name = "3DES";
++	tests[n_tests].crt = client;
++	tests[n_tests].friendly_name = "client";
++	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS8_USE_PKCS12_3DES;
++	tests[n_tests].bag_encrypt_expected = 0;
++	n_tests++;
++
++	tests[n_tests].name = "RC2-40";
++	tests[n_tests].crt = ca;
++	tests[n_tests].friendly_name = "ca";
++	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
++	if (gnutls_fips140_mode_enabled()) {
++		tests[n_tests].bag_encrypt_expected =
++			GNUTLS_E_UNWANTED_ALGORITHM;
+ 	} else {
+-		tests = 1;
++		tests[n_tests].bag_encrypt_expected = 0;
+ 	}
++	n_tests++;
+ 
+-	for (i = 0; i < tests; i++) {
++	/* Generate and add PKCS#12 cert bags. */
++	for (i = 0; i < n_tests; i++) {
+ 		ret = gnutls_pkcs12_bag_init(&bag);
+ 		if (ret < 0) {
+ 			fprintf(stderr, "bag_init: %s (%d)\n", gnutls_strerror(ret), ret);
+ 			exit(1);
+ 		}
+ 
+-		ret = gnutls_pkcs12_bag_set_crt(bag, i == 0 ? client : ca);
++		ret = gnutls_pkcs12_bag_set_crt(bag, tests[i].crt);
+ 		if (ret < 0) {
+ 			fprintf(stderr, "set_crt: %s (%d)\n", gnutls_strerror(ret), ret);
+ 			exit(1);
+@@ -180,16 +201,14 @@ void doit(void)
+ 		indx = ret;
+ 
+ 		ret = gnutls_pkcs12_bag_set_friendly_name(bag, indx,
+-							  i ==
+-							  0 ? "client" :
+-							  "ca");
++							  tests[i].friendly_name);
+ 		if (ret < 0) {
+ 			fprintf(stderr, "set_friendly_name: %s (%d)\n", gnutls_strerror(ret), ret);
+ 			exit(1);
+ 		}
+ 
+ 		size = sizeof(key_id_buf);
+-		ret = gnutls_x509_crt_get_key_id(i == 0 ? client : ca, 0,
++		ret = gnutls_x509_crt_get_key_id(tests[i].crt, 0,
+ 						 key_id_buf, &size);
+ 		if (ret < 0) {
+ 			fprintf(stderr, "get_key_id: %s (%d)\n", gnutls_strerror(ret), ret);
+@@ -206,14 +225,11 @@ void doit(void)
+ 		}
+ 
+ 		ret = gnutls_pkcs12_bag_encrypt(bag, "pass",
+-						i ==
+-						0 ?
+-						GNUTLS_PKCS8_USE_PKCS12_3DES
+-						:
+-						GNUTLS_PKCS_USE_PKCS12_RC2_40);
+-		if (ret < 0) {
+-			fprintf(stderr, "bag_encrypt: %d: %s", ret,
+-				i == 0 ? "3DES" : "RC2-40");
++						tests[i].bag_encrypt_flags);
++		if (ret != tests[i].bag_encrypt_expected) {
++			fprintf(stderr, "bag_encrypt: returned %d, expected %d: %s", ret,
++				tests[i].bag_encrypt_expected,
++				tests[i].name);
+ 			exit(1);
+ 		}
+ 
+-- 
+2.34.1
+
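Review bot: In the `pkcs12_try_gost` hunk of `lib/x509/pkcs12.c` (PATCH 1/2, presumably `gnutls_pkcs12_verify_mac`), the success path sets `result = 0` and then falls through to `cleanup:`. There the added `_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR)` runs unconditionally, right after the state was switched to `GNUTLS_FIPS140_OP_NOT_APPROVED`. `gnutls_pkcs12_generate_mac2` avoids this because it returns before its `cleanup:` label. The test's `FIPS_POP_CONTEXT(NOT_APPROVED)` after `gnutls_pkcs12_verify_mac` can only pass if `_gnutls_switch_fips_state` ignores the second transition, which is not visible here. The code should not depend on that, so guard the call: `if (result < 0) _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);`. The function body starts outside the hunk.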
diff --git a/SOURCES/gnutls-3.7.3-fips-rsa-keygen.patch b/SOURCES/gnutls-3.7.3-fips-rsa-keygen.patch
new file mode 100644
index 0000000..f99ddc1
--- /dev/null
+++ b/SOURCES/gnutls-3.7.3-fips-rsa-keygen.patch
@@ -0,0 +1,182 @@
+From 9f5a60c1fe576f82bcd5c7998b2ca2b0d60e8e4f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 27 Jan 2022 18:17:43 +0100
+Subject: [PATCH 1/2] rsa_generate_fips186_4_keypair: accept a few more modulus
+ sizes
+
+While _rsa_generate_fips186_4_keypair was modified to accept modulus
+sizes other than 2048 and 3076, rsa_generate_fips186_4_keypair, which
+calls that function, was not updated to accept such modulus sizes.
+
+Spotted by Alexander Sosedkin.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/int/rsa-keygen-fips186.c | 67 ++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 31 deletions(-)
+
+diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c
+index 5b221a030a..c6f7e675af 100644
+--- a/lib/nettle/int/rsa-keygen-fips186.c
++++ b/lib/nettle/int/rsa-keygen-fips186.c
+@@ -27,6 +27,7 @@
+ #include "config.h"
+ #endif
+ 
++#include <assert.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -248,6 +249,33 @@ cleanup:
+ 	return ret;
+ }
+ 
++/* Return the pre-defined seed length for modulus size, or 0 when the
++ * modulus size is unsupported.
++ */
++static inline unsigned
++seed_length_for_modulus_size(unsigned modulus_size)
++{
++	switch (modulus_size) {
++	case 2048:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
++		return 14 * 2;
++	case 3072:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
++		return 16 * 2;
++	case 4096:      /* SP 800-56B rev 2 Appendix D */
++		return 19 * 2;
++	case 6144:      /* SP 800-56B rev 2 Appendix D */
++		return 22 * 2;
++	case 7680:      /* FIPS 140-2 IG 7.5 */
++		return 24 * 2;
++	case 8192:      /* SP 800-56B rev 2 Appendix D */
++		return 25 * 2;
++	case 15360:     /* FIPS 140-2 IG 7.5 */
++		return 32 * 2;
++	default:
++		return 0;
++	}
++
++}
++
+ /* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4.
+  * 
+  * The hash function used is SHA384.
+@@ -266,33 +294,15 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
+ 	int ret;
+ 	struct dss_params_validation_seeds cert;
+ 	unsigned l = n_size / 2;
++	unsigned s = seed_length_for_modulus_size(n_size);
+ 
+-	switch (n_size) {
+-	case 2048:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
+-		FIPS_RULE(seed_length != 14 * 2, 0, "seed length other than 28 bytes\n");
+-		break;
+-	case 3072:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
+-		FIPS_RULE(seed_length != 16 * 2, 0, "seed length other than 32 bytes\n");
+-		break;
+-	case 4096:      /* SP 800-56B rev 2 Appendix D */
+-		FIPS_RULE(seed_length != 19 * 2, 0, "seed length other than 38 bytes\n");
+-		break;
+-	case 6144:      /* SP 800-56B rev 2 Appendix D */
+-		FIPS_RULE(seed_length != 22 * 2, 0, "seed length other than 44 bytes\n");
+-		break;
+-	case 7680:      /* FIPS 140-2 IG 7.5 */
+-		FIPS_RULE(seed_length != 24 * 2, 0, "seed length other than 48 bytes\n");
+-		break;
+-	case 8192:      /* SP 800-56B rev 2 Appendix D */
+-		FIPS_RULE(seed_length != 25 * 2, 0, "seed length other than 50 bytes\n");
+-		break;
+-	case 15360:     /* FIPS 140-2 IG 7.5 */
+-		FIPS_RULE(seed_length != 32 * 2, 0, "seed length other than 64 bytes\n");
+-		break;
+-	default:
++	if (!s) {
+ 		FIPS_RULE(false, 0, "unsupported modulus size\n");
+ 	}
+ 
++	FIPS_RULE(seed_length != s, 0,
++		  "seed length other than %u bytes\n", s);
++
+ 	if (!mpz_tstbit(pub->e, 0)) {
+ 		_gnutls_debug_log("Unacceptable e (it is even)\n");
+ 		return 0;
+@@ -405,10 +415,6 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
+ 	return ret;
+ }
+ 
+-/* Not entirely accurate but a good precision
+- */
+-#define SEED_LENGTH(bits) (_gnutls_pk_bits_to_subgroup_bits(bits)/8)
+-
+ /* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4.
+  * 
+  * The hash function used is SHA384.
+@@ -429,11 +435,10 @@ rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
+ 	unsigned seed_length;
+ 	int ret;
+ 
+-	FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "size of prime of other than 2048 or 3072\n");
++	seed_length = seed_length_for_modulus_size(n_size);
++	FIPS_RULE(!seed_length, 0, "unsupported modulus size\n");
+ 
+-	seed_length = SEED_LENGTH(n_size);
+-	if (seed_length > sizeof(seed))
+-		return 0;
++	assert(seed_length <= sizeof(seed));
+ 
+ 	random(random_ctx, seed_length, seed);
+ 
+-- 
+2.34.1
+
+
+From 46ae6160489151034bca19aa6c40ba0df6b53bcc Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 1 Feb 2022 15:19:52 +0100
+Subject: [PATCH 2/2] certtool --generate-privkey: update warnings on RSA key
+ sizes
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ src/certtool.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/certtool.c b/src/certtool.c
+index c128500614..71d4aff13e 100644
+--- a/src/certtool.c
++++ b/src/certtool.c
+@@ -206,8 +206,12 @@ generate_private_key_int(common_info_st * cinfo)
+ 			"Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n");
+ 
+ 	if ((HAVE_OPT(SEED) || provable) && GNUTLS_PK_IS_RSA(key_type)) {
+-		if (bits != 2048 && bits != 3072) {
+-			fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to 2048 and 3072 bits\n");
++		/* Keep in sync with seed_length_for_modulus_size in
++		 * lib/nettle/int/rsa-keygen-fips186.c. */
++		if (bits != 2048 && bits != 3072 && bits != 4096 &&
++		    bits != 6144 && bits != 7680 && bits != 8192 &&
++		    bits != 15360) {
++			fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to be of known lengths (2048, 3072, etc)\n");
+ 		}
+ 	}
+ 
+@@ -225,7 +229,15 @@ generate_private_key_int(common_info_st * cinfo)
+ 		kdata[kdata_size++].size = cinfo->seed_size;
+ 
+ 		if (GNUTLS_PK_IS_RSA(key_type)) {
+-			if ((bits == 3072 && cinfo->seed_size != 32) || (bits == 2048 && cinfo->seed_size != 28)) {
++			/* Keep in sync with seed_length_for_modulus_size in
++			 * lib/nettle/int/rsa-keygen-fips186.c. */
++			if ((bits == 2048 && cinfo->seed_size != 28) ||
++			    (bits == 3072 && cinfo->seed_size != 32) ||
++			    (bits == 4096 && cinfo->seed_size != 38) ||
++			    (bits == 6144 && cinfo->seed_size != 44) ||
++			    (bits == 7680 && cinfo->seed_size != 48) ||
++			    (bits == 8192 && cinfo->seed_size != 50) ||
++			    (bits == 15360 && cinfo->seed_size != 64)) {
+ 				fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size);
+ 			}
+ 		} else if (key_type == GNUTLS_PK_DSA) {
+-- 
+2.34.1
+
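Review bot: In `rsa_generate_fips186_4_keypair` (patch 1/2, last hunk of lib/nettle/int/rsa-keygen-fips186.c) the runtime bound `if (seed_length > sizeof(seed)) return 0;` is replaced by `assert(seed_length <= sizeof(seed));`, which disappears when the library is built with NDEBUG and otherwise aborts the calling process, so the last guard before `random(random_ctx, seed_length, seed)` writes into the buffer is no longer a checked error path. The declaration of `seed` lies outside the hunk, so whether the largest value the new helper returns (64 bytes) fits cannot be confirmed from here; keeping `if (seed_length > sizeof(seed)) return 0;` next to the assert preserves the old failure mode. Separately, in `_rsa_generate_fips186_4_keypair` the line `FIPS_RULE(false, 0, "unsupported modulus size\n");` is now wrapped in `if (!s)` but still passes a constant false condition, while every other call in this patch passes the violation condition itself; if the macro only acts on a true condition, it should read `FIPS_RULE(!s, 0, "unsupported modulus size\n");`, otherwise an unsupported size is caught only by the following seed-length rule with a misleading "other than 0 bytes" message. Both function bodies extend beyond their hunks.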
diff --git a/SOURCES/gnutls-3.7.3-fix-tests-in-fips.patch b/SOURCES/gnutls-3.7.3-fix-tests-in-fips.patch
new file mode 100644
index 0000000..a5c8bee
--- /dev/null
+++ b/SOURCES/gnutls-3.7.3-fix-tests-in-fips.patch
@@ -0,0 +1,70 @@
+From 2c33761787f6530cf3984310a5f3b7dd05a7b375 Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Thu, 17 Feb 2022 11:46:29 +0100
+Subject: [PATCH] Disable some tests in fips mode
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ tests/pkcs11/pkcs11-eddsa-privkey-test.c | 5 +++++
+ tests/pkcs11/tls-neg-pkcs11-key.c        | 8 +++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
+index 44515da3f..ebbfe5278 100644
+--- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c
++++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
+@@ -107,6 +107,11 @@ void doit(void)
+ 		fail("%d: %s\n", ret, gnutls_strerror(ret));
+ 	}
+ 
++	if (gnutls_fips140_mode_enabled()) {
++		gnutls_global_deinit();
++		return;
++	}
++
+ 	gnutls_pkcs11_set_pin_function(pin_func, NULL);
+ 	gnutls_global_set_log_function(tls_log_func);
+ 	if (debug)
+diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
+index fc7c3dc4e..5cc1ae6e2 100644
+--- a/tests/pkcs11/tls-neg-pkcs11-key.c
++++ b/tests/pkcs11/tls-neg-pkcs11-key.c
+@@ -268,6 +268,7 @@ typedef struct test_st {
+ 	int exp_serv_err;
+ 	int needs_eddsa;
+ 	int needs_decryption;
++	int nofips;
+ 	unsigned requires_pkcs11_pss;
+ } test_st;
+ 
+@@ -340,6 +341,7 @@ static const test_st tests[] = {
+ 	 .cert = &server_ca3_eddsa_cert,
+ 	 .key = &server_ca3_eddsa_key,
+ 	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
++	 .nofips = 1
+ 	},
+ 	{.name = "tls1.3: ecc key",
+ 	 .pk = GNUTLS_PK_ECDSA,
+@@ -392,7 +394,8 @@ static const test_st tests[] = {
+ 	 .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ 	 .cert = &server_ca3_eddsa_cert,
+ 	 .key = &server_ca3_eddsa_key,
+-	 .exp_kx = GNUTLS_KX_ECDHE_RSA
++	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
++	 .nofips = 1
+ 	}
+ };
+ 
+@@ -448,6 +451,9 @@ void doit(void)
+ 	have_eddsa = verify_eddsa_presence();
+ 
+ 	for (i=0;i<sizeof(tests)/sizeof(tests[0]);i++) {
++		if (tests[i].nofips && gnutls_fips140_mode_enabled())
++			continue;
++
+ 		if (tests[i].needs_eddsa && !have_eddsa)
+ 			continue;
+ 
+-- 
+2.35.1
+
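Review bot: The FIPS early exit added to `doit()` in tests/pkcs11/pkcs11-eddsa-privkey-test.c returns normally, so the run is presumably recorded as a pass although nothing was exercised, and the `continue` on `tests[i].nofips` in tests/pkcs11/tls-neg-pkcs11-key.c drops the two EdDSA cases just as silently. If the suite follows the automake convention, ending the first test with `exit(77);` after `gnutls_global_deinit();` instead of `return;` would report it as skipped, and the loop could log the omission with `fprintf(stderr, "skipping %s in FIPS mode\n", tests[i].name);` before `continue;`. Neither place says why the case is excluded under FIPS; a short comment on the `nofips` field and above the early exit, stating the reason, would let a later reader judge when the exclusion can be lifted. Both `doit()` bodies start and end outside their hunks.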
diff --git a/SOURCES/gnutls-3.7.3-ktls-stub.patch b/SOURCES/gnutls-3.7.3-ktls-stub.patch
new file mode 100644
index 0000000..4d3dace
--- /dev/null
+++ b/SOURCES/gnutls-3.7.3-ktls-stub.patch
@@ -0,0 +1,33 @@
+From a97a93e23483aafc3508adee8e6399a2302e0fbc Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 15 Feb 2022 17:38:20 +0100
+Subject: [PATCH] gnutls_transport_is_ktls_enabled: fix return value of stub
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/system/ktls.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/lib/system/ktls.c b/lib/system/ktls.c
+index 7e3cb875ed..f156f08ab2 100644
+--- a/lib/system/ktls.c
++++ b/lib/system/ktls.c
+@@ -422,12 +422,11 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
+ 
+ #else //ENABLE_KTLS
+ gnutls_transport_ktls_enable_flags_t
+-gnutls_transport_is_ktls_enabled(gnutls_session_t session){
+-	return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
++gnutls_transport_is_ktls_enabled(gnutls_session_t session) {
++	return 0;
+ }
+ 
+-void _gnutls_ktls_enable(gnutls_session_t session){
+-	return;
++void _gnutls_ktls_enable(gnutls_session_t session) {
+ }
+ 
+ int _gnutls_ktls_set_keys(gnutls_session_t session) {
+-- 
+2.34.1
+
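Review bot: The stub `gnutls_transport_is_ktls_enabled` in the `#else //ENABLE_KTLS` branch returns a bare `0` from a function typed `gnutls_transport_ktls_enable_flags_t`, and nothing records that zero is meant as "no flags set" rather than a success code. A comment above the return, for example `/* built without KTLS: no flag set, neither direction is offloaded */`, would keep a later edit from reintroducing a negative error code here, which a caller testing flag bits could misread as KTLS being active. The `session` parameter is unused in both stubs, which may trigger unused-parameter warnings depending on the project's warning flags.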
diff --git a/SOURCES/gnutls-3.7.3.tar.xz.sig b/SOURCES/gnutls-3.7.3.tar.xz.sig
new file mode 100644
index 0000000..7555447
Binary files /dev/null and b/SOURCES/gnutls-3.7.3.tar.xz.sig differ
diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec
index b5e6c20..0086256 100644
--- a/SPECS/gnutls.spec
+++ b/SPECS/gnutls.spec
@@ -1,12 +1,28 @@
-# This spec file has been automatically updated
-Version:	3.7.2
-Release: 8%{?dist}
+%define srpmhash() %{lua:
+local files = rpm.expand("%_specdir/gnutls.spec")
+for i, p in ipairs(patches) do
+   files = files.." "..p
+end
+for i, p in ipairs(sources) do
+   files = files.." "..p
+end
+local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
+local hash = sha256sum:read("*a")
+sha256sum:close()
+print(string.sub(hash, 0, 16))
+}
+
+Version: 3.7.3
+Release: 5%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
-Patch3:	gnutls-3.7.2-config-allowlisting.patch
-Patch4:	gnutls-3.7.2-key-share-ecdhx.patch
-Patch5:	gnutls-3.7.2-enable-intel-cet.patch
-Patch6: gnutls-3.7.2-libopts-covscan.patch
+Patch3:	gnutls-3.7.2-enable-intel-cet.patch
+Patch4: gnutls-3.7.2-no-explicit-init.patch
+Patch5: gnutls-3.7.3-disable-config-reload.patch
+Patch6: gnutls-3.7.3-fips-rsa-keygen.patch
+Patch7: gnutls-3.7.3-ktls-stub.patch
+Patch8: gnutls-3.7.3-fips-pkcs12.patch
+Patch9: gnutls-3.7.3-fix-tests-in-fips.patch
 %bcond_with bootstrap
 %bcond_without dane
 %if 0%{?rhel}
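Review bot: In the new `srpmhash` macro only the `io.popen` call is asserted, so when a listed patch or source cannot be read `cat` fails but `sha256sum` still prints a digest of whatever arrived, and that value is what another hunk of this spec passes to `--with-fips140-module-version`. Failing the build is safer than recording a digest of partial input; inside both `for` loops add `assert(io.open(p, "rb"), "srpmhash: cannot read "..p):close()`. The paths are also concatenated unquoted into the shell command line (`"cat "..files.."| sha256sum"`), so a path containing whitespace or shell metacharacters would be split or interpreted by the shell. A comment stating that the 16 hex digits kept by `string.sub(hash, 0, 16)` identify the build inputs and are not an integrity check would also help.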
@@ -17,6 +33,7 @@ Patch6: gnutls-3.7.2-libopts-covscan.patch
 %bcond_without fips
 %endif
 %bcond_with tpm12
+%bcond_without tpm2
 %bcond_with gost
 
 Summary: A TLS protocol implementation
@@ -27,12 +44,14 @@ BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
 BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
 %if %{with bootstrap}
 BuildRequires: automake, autoconf, gperf, libtool, texinfo
-BuildRequires: autogen-libopts-devel >= 5.18, autogen
 %endif
 BuildRequires: nettle-devel >= 3.5.1
 %if %{with tpm12}
 BuildRequires: trousers-devel >= 0.3.11.2
 %endif
+%if %{with tpm2}
+BuildRequires: tpm2-tss-devel >= 3.0.3
+%endif
 BuildRequires: libidn2-devel
 BuildRequires: libunistring-devel
 BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++
@@ -167,24 +186,6 @@ rm -f lib/minitasn1/*.c lib/minitasn1/*.h
 
 echo "SYSTEM=NORMAL" >> tests/system.prio
 
-%if !%{with bootstrap}
-# These are ordered by dependency:
-touch doc/functions/* doc/enums/*
-touch doc/enums.texi doc/gnutls-api.texi
-touch doc/invoke-gnutls-cli.texi
-touch doc/invoke-gnutls-cli-debug.texi
-touch doc/invoke-gnutls-serv.texi
-touch doc/invoke-certtool.texi
-touch doc/invoke-ocsptool.texi
-touch doc/invoke-danetool.texi
-touch doc/invoke-srptool.texi
-touch doc/invoke-psktool.texi
-touch doc/invoke-p11tool.texi
-touch doc/invoke-tpmtool.texi
-touch doc/stamp_functions doc/stamp_enums
-touch doc/gnutls.info doc/gnutls.html doc/manpages/stamp_mans
-%endif
-
 # Note that we explicitly enable SHA1, as SHA1 deprecation is handled
 # via the crypto policies
 
@@ -202,9 +203,16 @@ GUILD=%{_bindir}/guild2.2
 export GUILD
 %endif
 
+%if %{with fips}
+eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
+export FIPS_MODULE_NAME="$OS_NAME $OS_VERSION_ID %name"
+%endif
+
 %configure \
 %if %{with fips}
            --enable-fips140-mode \
+           --with-fips140-module-name="$FIPS_MODULE_NAME" \
+           --with-fips140-module-version=%{version}-%{srpmhash} \
 %endif
 %if %{with gost}
     	   --enable-gost \
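Review bot: `eval $(sed -n '…' /etc/os-release)` in the added `%if %{with fips}` block leaves the command substitution unquoted, so the extracted `OS_NAME=…` and `OS_VERSION_ID=…` lines are word-split and glob-expanded before `eval` joins them again; quoting it, `eval "$(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)"`, evaluates the lines as they appear in the file. Either way the build executes text from the build root's /etc/os-release as shell, which deserves a comment saying that the file is trusted build-root content. Nothing checks the result, so if either key is missing `FIPS_MODULE_NAME` is silently built from empty values; a guard such as `: "${OS_NAME:?}" "${OS_VERSION_ID:?}"` before the `export` would stop the build instead of recording an incomplete module name.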
@@ -222,6 +230,11 @@ export GUILD
 %else
            --without-tpm \
 %endif
+%if %{with tpm2}
+           --with-tpm2 \
+%else
+           --without-tpm2 \
+%endif
            --htmldir=%{_docdir}/manual \
 %if %{with guile}
            --enable-guile \
@@ -322,6 +335,36 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Thu Feb 17 2022 Zoltan Fridrich <zfridric@redhat.com> - 3.7.3-5
+- Fix upstream testsuite in fips mode (#2051637)
+
+* Wed Feb 16 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-4
+- Specify FIPS140-3 module name and version
+- fips: allow a few more primes in RSA key generation
+- fips: tighten PKCS#12 algorithm checks
+- Correct return value of KTLS stub API
+
+* Tue Feb 15 2022 Zoltan Fridrich <zfridric@redhat.com> - 3.7.3-3
+- Disable config reload in order to not break allowlisting (#2042532)
+
+* Wed Feb  2 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-2
+- Build with TPM2 support, patch from Alexander Sosedkin (#2033220)
+
+* Tue Jan 18 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-1
+- Update to gnutls 3.7.3 (#2033220)
+
+* Wed Dec 22 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-10
+- Update gnutls_{hash,hmac}_copy man-pages as well (#1999639)
+
+* Wed Dec 22 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-9
+- Drop support for GNUTLS_NO_EXPLICIT_INIT envvar in favor of
+  GNUTLS_NO_IMPLICIT_INIT (#1999639)
+- Expand documentation of gnutls_{hash,hmac}_copy, mentioning that
+  those do not always work (#1999639)
+
+* Tue Dec 21 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-9
+- Fix race condition when resolving SYSTEM priority in allowlisting mode (#2012249)
+
 * Thu Oct 21 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-8
 - Fix issues in bundled libopts, spotted by covscan (#1938730)