diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000000000000000000000000000000000000..b7ce9bae57499e84c952023efe88f84f07f44ce2
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,6 @@
+Rebuilding PDF documentation:
+
+apt-get install texlive-latex-base texlive-fonts-recommended \
+ texlive-generic-recommended
+
+make pdf
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000000000000000000000000000000000000..9b50376d4539c44752019d9712ea5f04721b0303
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,2895 @@
+gnutls28 (3.4.10-4ubuntu1.7) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Allow re-enabling SHA1 for certificate signing with a
+ priority string (LP: #1860656)
+ - debian/patches/allow_broken_priority_string.patch: introduce the
+ %VERIFY_ALLOW_BROKEN priority string option.
+ - debian/patches/allow_sha1_priority_string.patch: introduce the
+ %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string option.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Jan 2020 08:47:43 -0500
+
+gnutls28 (3.4.10-4ubuntu1.6) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Mark SHA1 as insecure for certificate signing
+ - debian/patches/insecuresha1-*.patch: backport upstream patches to
+ allow marking SHA1 as insecure, but only for certificate signing.
+ - debian/libgnutls30.symbols: added new symbol.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 08 Jan 2020 12:52:12 -0500
+
+gnutls28 (3.4.10-4ubuntu1.5) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Lucky-13 issues
+ - debian/patches/CVE-2018-1084x-1.patch: correctly account the length
+ field in SHA384 HMAC in lib/algorithms/mac.c, lib/gnutls_cipher.c.
+ - debian/patches/CVE-2018-1084x-2.patch: always hash the same amount of
+ blocks that would have been on minimum pad in lib/gnutls_cipher.c.
+ - debian/patches/CVE-2018-1084x-3.patch: require minimum padding under
+ SSL3.0 in lib/gnutls_cipher.c.
+ - debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256
+ ciphersuites were removed from defaults in lib/gnutls_priority.c,
+ tests/priorities.c.
+ - debian/patches/CVE-2018-1084x-5.patch: fix test for SHA512 in
+ tests/pkcs12_encode.c.
+ - CVE-2018-10844
+ - CVE-2018-10845
+ - CVE-2018-10846
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 May 2019 13:32:56 -0400
+
+gnutls28 (3.4.10-4ubuntu1.4) xenial; urgency=medium
+
+ * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler:
+ OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority,
+ which includes TLS1.2 support. (LP: #1709193)
+
+ -- Simon Deziel <simon.deziel@gmail.com> Mon, 07 Aug 2017 23:04:43 +0000
+
+gnutls28 (3.4.10-4ubuntu1.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: null pointer dereference via status response TLS
+ extension decoding
+ - debian/patches/CVE-2017-7507-1.patch: ensure response IDs are
+ properly deinitialized in lib/ext/status_request.c.
+ - debian/patches/CVE-2017-7507-2.patch: remove parsing of responder IDs
+ from client extension in lib/ext/status_request.c.
+ - debian/patches/CVE-2017-7507-3.patch: documented requirements for
+ parameters in lib/ext/status_request.c.
+ - CVE-2017-7507
+ * SECURITY UPDATE: DoS and possible code execution via OpenPGP
+ certificate decoding
+ - debian/patches/CVE-2017-7869.patch: enforce packet limits in
+ lib/opencdk/read-packet.c.
+ - CVE-2017-7869
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 12 Jun 2017 09:32:37 -0400
+
+gnutls28 (3.4.10-4ubuntu1.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: OCSP validation issue
+ - debian/patches/CVE-2016-7444.patch: correctly verify the serial
+ length in lib/x509/ocsp.c.
+ - CVE-2016-7444
+ * SECURITY UPDATE: denial of service via warning alerts
+ - debian/patches/CVE-2016-8610.patch: set a maximum number of warning
+ messages in lib/gnutls_int.h, lib/gnutls_handshake.c,
+ lib/gnutls_state.c.
+ - CVE-2016-8610
+ * SECURITY UPDATE: double-free when reading proxy language
+ - debian/patches/CVE-2017-5334.patch: fix double-free in
+ lib/x509/x509_ext.c.
+ - CVE-2017-5334
+ * SECURITY UPDATE: out of memory error in stream reading functions
+ - debian/patches/CVE-2017-5335.patch: add error checking to
+ lib/opencdk/read-packet.c.
+ - CVE-2017-5335
+ * SECURITY UPDATE: stack overflow in cdk_pk_get_keyid
+ - debian/patches/CVE-2017-5336.patch: check return code in
+ lib/opencdk/pubkey.c.
+ - CVE-2017-5336
+ * SECURITY UPDATE: heap read overflow when reading streams
+ - debian/patches/CVE-2017-5337.patch: add more precise checks to
+ lib/opencdk/read-packet.c.
+ - CVE-2017-5337
+ * debian/patches/fix_expired_certs.patch: use datefudge to fix test with
+ expired certs.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 26 Jan 2017 10:14:03 -0500
+
+gnutls28 (3.4.10-4ubuntu1.1) xenial-proposed; urgency=medium
+
+ * SRU: LP: #1592693.
+ * gnutls-doc: Don't install the sgml files, not building with gtk-doc-tools
+ in xenial.
+
+ -- Matthias Klose <doko@ubuntu.com> Wed, 15 Jun 2016 10:00:17 +0200
+
+gnutls28 (3.4.10-4ubuntu1) xenial; urgency=medium
+
+ * Merge with Debian; remaining changes:
+ - Make gnutls28 default.
+ - debian/patches/disable_global_init_override_test.patch: disable failing
+ test.
+
+ -- Matthias Klose <doko@ubuntu.com> Mon, 21 Mar 2016 14:53:18 +0100
+
+gnutls28 (3.4.10-4) unstable; urgency=medium
+
+ * 43_fix_cpucapoverride.diff by Nikos Mavrogiannopoulos: Fix
+ GNUTLS_CPUID_OVERRIDE function, stopping it from enabling SSE3 when it is
+ unavailable. Closes: #818341
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 17 Mar 2016 19:41:22 +0100
+
+gnutls28 (3.4.10-3) unstable; urgency=medium
+
+ * Upload to unstable.
+
+ -- Andreas Metzler <ametzler@debian.org> Mon, 14 Mar 2016 18:29:53 +0100
+
+gnutls28 (3.4.10-2) experimental; urgency=medium
+
+ * Simplify override_dh_auto_test target. (Thanks, Steven Chamberlain)
+ * Add debian/patches/42_mini-loss-time-improved-timeout-detection.patch,
+ another try for Closes: #813598
+
+ -- Andreas Metzler <ametzler@debian.org> Mon, 07 Mar 2016 19:22:57 +0100
+
+gnutls28 (3.4.10-1) experimental; urgency=medium
+
+ * Pull 40_src-added-systemkey-args-to-BUILT_SOURCES.patch from upstream GIT
+ master to fix FTBFS with parallel builds. Closes: #816148
+ * New upstream version.
+ * Pull 41_tests-mini-loss-time-ensure-client-timeouts.diff from upstream
+ master branch to fix occasional testsuite error. Closes: #813598
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 05 Mar 2016 08:45:52 +0100
+
+gnutls28 (3.4.9-2ubuntu1) xenial; urgency=medium
+
+ * Merge with Debian; remaining changes:
+ - Make gnutls28 default.
+ - debian/patches/disable_global_init_override_test.patch: disable failing
+ test.
+
+ -- Matthias Klose <doko@ubuntu.com> Wed, 17 Feb 2016 20:47:48 +0100
+
+gnutls28 (3.4.9-2) unstable; urgency=medium
+
+ * Upload to unstable.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 07 Feb 2016 15:18:46 +0100
+
+gnutls28 (3.4.9-1) experimental; urgency=medium
+
+ * New upstream version.
+ * Drop 35_Revert-Fix-out-of-bounds-read-in-gnutls_x509_ext_exp.patch and
+ 36_Revert-tests-updated-to-account-for-cert-generation.patch.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 06 Feb 2016 15:57:24 +0100
+
+gnutls28 (3.4.8-3) unstable; urgency=medium
+
+ * Pull 35_Revert-Fix-out-of-bounds-read-in-gnutls_x509_ext_exp.patch and
+ 36_Revert-tests-updated-to-account-for-cert-generation.patch
+ from upstream GIT. Closes: #813243
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 31 Jan 2016 17:28:05 +0100
+
+gnutls28 (3.4.8-2) unstable; urgency=medium
+
+ * Merge master branch into experimental.
+ + Drop ancient Conflicts/Replaces: gnutls0, gnutls0.4.
+ + libgnutls-deb0-28 temporarily Conflicts with libnettle4, libhogweed2.
+ This is a kludge and technically wrong, but will prevent partial
+ upgrades from stable. See: #788735
+ * Upload to unstable.
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 21 Jan 2016 15:45:49 +0100
+
+gnutls28 (3.4.8-1) experimental; urgency=medium
+
+ * Migrate from libgnutls30-dbg to ddebs. dh_strip's --ddeb-migration
+ option was added to debhelper/unstable with version 9.20150628, bump
+ build-dependency accordingly.
+ * autoreconf requires automake 1.12.2, add build-dependency.
+ * New upstream version.
+ + Update symbol file.
+ * Move Vcs-* from git/http to https.
+
+ -- Andreas Metzler <ametzler@debian.org> Fri, 08 Jan 2016 19:30:07 +0100
+
+gnutls28 (3.4.7-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Update symbol file.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 22 Nov 2015 15:29:19 +0100
+
+gnutls28 (3.4.6-1) experimental; urgency=medium
+
+ * Make use of autogen's MAN_PAGE_DATE (available in version 5.18.6 and
+ later) to improve reproducibility of build.
+ * New upstream version.
+ + Update symbol file.
+ * Bump debhelper build-dependency to >= 9.20141010 and add b-d on dpkg-dev
+ (>= 1.17.14). Both are required for build-profile support added in
+ previous upload. (Thanks, lintian.)
+
+ -- Andreas Metzler <ametzler@debian.org> Tue, 20 Oct 2015 20:00:55 +0200
+
+gnutls28 (3.4.5-1) experimental; urgency=medium
+
+ [ Helmut Grohne ]
+ * Turn Build-Depends: datefudge optional via <!nocheck> profile.
+ Closes: #797544
+
+ [ Andreas Metzler ]
+ * New upstream version.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 26 Sep 2015 13:48:12 +0200
+
+gnutls28 (3.4.4.1-1) experimental; urgency=medium
+
+ * New upstream version.
+ + GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY added to gnutls_pkcs11_obj_flags,
+ bump dependency info for functions taking it as argument or returning it.
+ + Bump dependency info on private symbols.
+ + Update debian/copyright.
+ + Fixes double free in DN decoding [GNUTLS-SA-2015-3]. Closes: #795068
+ CVE-2015-6251
+
+ -- Andreas Metzler <ametzler@debian.org> Tue, 11 Aug 2015 20:12:46 +0200
+
+gnutls28 (3.4.3-1) experimental; urgency=medium
+
+ * Re-enable libidn-support, use versioned b-d on libidn11-dev >= 1.31.
+ * New upstream version.
+ + Bump dependency info on gnutls_pkcs11_token_get_info due to changed enum
+ gnutls_pkcs11_token_info_t.
+ + Add dependency info for new symbols, bump private symbol dependency.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 12 Jul 2015 20:01:09 +0200
+
+gnutls28 (3.4.2-2) experimental; urgency=medium
+
+ * Disable libidn support because CVE-2015-2059 is still not fixed. See
+ <https://gitlab.com/gnutls/gnutls/issues/10>. This also disables building
+ of crywrap.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 05 Jul 2015 14:18:06 +0200
+
+gnutls28 (3.4.2-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Drop 50_updated-sign-md5-rep-to-reduce-false-failures.patch.
+ + Update libgnutls30.symbols. (Add new fuctions, bump private symbol
+ version, bump gnutls_init() due to newly added GNUTLS_NO_SIGNAL flag.)
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 20 Jun 2015 08:45:14 +0200
+
+gnutls28 (3.4.1-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Bump (build)-depends on nettle and p11-kit.
+ + Drop 20_debian_specific_soname.diff, 40_no_more_ssl3.diff and
+ 55_nettle3.patch.
+ + Update 14_version_gettextcat.diff.
+ + Soname bump, library package renamed from libgnutls-deb0-28 to
+ libgnutls30.
+ + OpenSSL compat layer is not built by default anymore, pass
+ --enable-openssl-compatibility to ./configure.
+ + Update symbol file.
+ + libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are
+ restricted to the corresponding protocols only, and the VERS-ALL
+ string is introduced to catch all possible protocols. Closes: #773145
+ + Since the pkg-config file gnutls.pc now lists libidn in Requires.private
+ "pkg-config --exists gnutls" will fail if libidn.pc is not present. Add
+ dependency on libidn11-dev to libgnutls28-dev.
+ * Fix typo in debian/rules
+ (s/-disable-silent-rules/--disable-silent-rules).
+
+ -- Andreas Metzler <ametzler@debian.org> Fri, 05 Jun 2015 11:39:19 +0200
+
+gnutls28 (3.3.20-1ubuntu1) xenial; urgency=medium
+
+ * Merge from Debian unstable. Remaining changes:
+ - Make gnutls28 default.
+ * debian/patches/disable_global_init_override_test.patch: disable failing
+ test.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Jan 2016 08:58:40 -0500
+
+gnutls28 (3.3.20-1) unstable; urgency=medium
+
+ * autoreconf requires automake 1.12.2, add build-dependency.
+ * New upstream version.
+ * Move Vcs-* from git/http to https.
+
+ -- Andreas Metzler <ametzler@debian.org> Fri, 08 Jan 2016 18:57:41 +0100
+
+gnutls28 (3.3.19-1) unstable; urgency=medium
+
+ * New upstream version.
+ + Refresh 20_debian_specific_soname.diff.
+ + Update symbol file.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 22 Nov 2015 17:48:27 +0100
+
+gnutls28 (3.3.18-1ubuntu1) xenial; urgency=medium
+
+ * Merge from Debian unstable. Remaining changes:
+ - Make gnutls28 default.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 30 Oct 2015 08:32:53 -0400
+
+gnutls28 (3.3.18-1) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 30 Sep 2015 18:49:13 +0200
+
+gnutls28 (3.3.17-1) unstable; urgency=medium
+
+ * New upstream version.
+ + Drop superfluous patches.
+ (45_As-server-don-t-try-to-send-extensions-we-didn-t-rec.patch,
+ 46_safe-renegotiation-handle-case-where-client-didn-t-s.patch,
+ 47_safe-renegotiation-simulate-receiving-the-extension-.patch)
+ + GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY added to gnutls_pkcs11_obj_flags,
+ bump dependency info for functions taking it as argument or returning it.
+ + Bump dependency info on private symbols.
+ + Fixes double free in DN decoding [GNUTLS-SA-2015-3]. Closes: #795068
+ CVE-2015-6251
+
+ -- Andreas Metzler <ametzler@debian.org> Mon, 10 Aug 2015 19:48:11 +0200
+
+gnutls28 (3.3.16-2) unstable; urgency=medium
+
+ * Refresh 40_no_more_ssl3.diff.
+ * 45_As-server-don-t-try-to-send-extensions-we-didn-t-rec.patch
+ 46_safe-renegotiation-handle-case-where-client-didn-t-s.patch
+ 47_safe-renegotiation-simulate-receiving-the-extension-.patch
+ Pull three patches from upstream GIT to fix issue with server side sending
+ the status request extension even when not requested.
+ <http://article.gmane.org/gmane.network.gnutls.general/3929>
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 01 Aug 2015 11:30:17 +0200
+
+gnutls28 (3.3.16-1) unstable; urgency=medium
+
+ * Limit watchfile to 3.3.x versions.
+ * New upstream version.
+ + Drop superfluous patches
+ (50_updated-sign-md5-rep-to-reduce-false-failures.patch,
+ 55_nettle3.patch,
+ 56_Corrected-camellia256-set-key-in-nettle3-compat-mode.patch)
+ + Bump private symbol versioning.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 12 Jul 2015 19:00:04 +0200
+
+gnutls28 (3.3.15-7) unstable; urgency=medium
+
+ * libgnutls-deb0-28 temporarily Conflicts with libnettle4, libhogweed2. This
+ is a kludge and technically wrong, but will prevent partial upgrades from
+ stable. Closes: #788735
+ * Drop ancient Conflicts/Replaces: gnutls0, gnutls0.4.
+
+ -- Andreas Metzler <ametzler@debian.org> Tue, 16 Jun 2015 19:06:09 +0200
+
+gnutls28 (3.3.15-6) unstable; urgency=high
+
+ * Pull 56_Corrected-camellia256-set-key-in-nettle3-compat-mode.patch
+ Closes: #788011
+
+ -- Andreas Metzler <ametzler@debian.org> Fri, 12 Jun 2015 19:10:33 +0200
+
+gnutls28 (3.3.15-5ubuntu2) wily; urgency=medium
+
+ * SECURITY UPDATE: Double free in certificate DN decoding
+ - debian/patches/CVE-2015-6251.patch: Reset the output value on error
+ in lib/x509/common.c.
+ - CVE-2015-6251
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 31 Aug 2015 14:45:42 -0400
+
+gnutls28 (3.3.15-5ubuntu1) wily; urgency=medium
+
+ * Merge from Debian unstable. Remaining changes:
+ - Make gnutls28 default.
+
+ -- Adam Conrad <adconrad@ubuntu.com> Thu, 11 Jun 2015 14:47:40 -0600
+
+gnutls28 (3.3.15-5) unstable; urgency=medium
+
+ * Upload to unstable.
+ * Downgrade nettle-dev b-d to 2.7, this upload should build correctly
+ against both 2.7 and 3.x.
+
+ -- Andreas Metzler <ametzler@debian.org> Tue, 02 Jun 2015 19:21:57 +0200
+
+gnutls28 (3.3.15-4) experimental; urgency=medium
+
+ * 55_nettle3.patch: Use version from GnuTLS GIT gnutls_3_3_x branch, it
+ allows compilation against both nettle 2.7 and 3.x.
+ * Drop >= version requirements of libgnutls28-dev dependencies on nettle-dev
+ and libtasn1-6-dev, the =${binary:Version} dependency of the development
+ packages on the respective library packages should make this superfluous.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 16 May 2015 12:45:19 +0200
+
+gnutls28 (3.3.15-3) experimental; urgency=medium
+
+ * Add 55_nettle3.patch from
+ http://pkgs.fedoraproject.org/cgit/compat-gnutls28.git/ to allow building
+ against nettle3.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 13 May 2015 19:20:07 +0200
+
+gnutls28 (3.3.15-2ubuntu1) wily; urgency=medium
+
+ * Merge from Debian unstable. Remaining changes:
+ - Make gnutls28 default.
+ * Dropped patches included in new version:
+ - debian/patches/CVE-2015-0294.patch
+ - debian/patches/CVE-2014-8564.patch
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 May 2015 08:47:19 -0400
+
+gnutls28 (3.3.15-2) unstable; urgency=medium
+
+ * 50_updated-sign-md5-rep-to-reduce-false-failures.patch from upstream GIT,
+ fixing a testsuite error on kfreebsd-*.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 06 May 2015 19:06:03 +0200
+
+gnutls28 (3.3.15-1) unstable; urgency=medium
+
+ * New upstream stable release.
+ + Fix for MD5 downgrade in TLS 1.2 signatures. [GNUTLS-SA-2015-2].
+
+ -- Andreas Metzler <ametzler@debian.org> Mon, 04 May 2015 19:24:42 +0200
+
+gnutls28 (3.3.14-3) experimental; urgency=medium
+
+ * 50_nettle3_*.patch: Update to head of upstream gnutls_3_3_x branch.
+ * (Build-)depend on nettle-dev >= 3.0.
+
+ -- Andreas Metzler <ametzler@debian.org> Fri, 01 May 2015 11:49:04 +0200
+
+gnutls28 (3.3.14-2) unstable; urgency=medium
+
+ * Upload to unstable.
+ * Sync version of Depends and Build-Depends on libtasn1-6-dev.
+
+ -- Andreas Metzler <ametzler@debian.org> Mon, 27 Apr 2015 09:27:50 +0200
+
+gnutls28 (3.3.14-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Bump libtasn b-d to >= 4.3.
+
+ -- Andreas Metzler <ametzler@debian.org> Tue, 31 Mar 2015 18:29:42 +0200
+
+gnutls28 (3.3.13-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Includes fix for CVE-2015-0294, a certificate algorithm consistency
+ checking issue.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 28 Feb 2015 08:27:10 +0100
+
+gnutls28 (3.3.12-1) experimental; urgency=medium
+
+ * New upstream version.
+ + gnutls-cli-debug STARTTLS is working. Closes: #467022
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 17 Jan 2015 12:42:06 +0100
+
+gnutls28 (3.3.11-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Includes fix for OCSP response parsing issue. Closes: #772055
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 11 Dec 2014 19:07:23 +0100
+
+gnutls28 (3.3.10-2) experimental; urgency=medium
+
+ * Remove SSL 3.0 from default priorities list.
+ Closes: #769904
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 19 Nov 2014 19:33:23 +0100
+
+gnutls28 (3.3.10-1) experimental; urgency=medium
+
+ * debian/rules: fix pattern for removal (and re-generation) of autogen-ed
+ manpages.
+ * New upstream version.
+ + Includes fix for a denial of service issue CVE-2014-8564 /
+ GNUTLS-SA-2014-5.
+ + When gnutls_global_init() is called for a second time, it will check
+ whether the /dev/urandom fd kept is still open and matches the original
+ one. That behavior works around issues with servers that close all file
+ descriptors. This should take care of #760476.
+
+ -- Andreas Metzler <ametzler@debian.org> Mon, 10 Nov 2014 19:29:30 +0100
+
+gnutls28 (3.3.9-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Unfuzz 20_debian_specific_soname.diff.
+ + Drop 31_fallback_to_RUSAGE_SELF.diff.
+ + Bump private symbol dependency info.
+ + Bump dependency version of gnutls_certificate_get_issuer() and
+ gnutls_x509_trust_list_get_issuer() because of newly added
+ GNUTLS_TL_GET_COPY flag.
+
+ -- Andreas Metzler <ametzler@debian.org> Mon, 13 Oct 2014 20:08:58 +0200
+
+gnutls28 (3.3.8-7) unstable; urgency=medium
+
+ * 45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff:
+ Pull two patches from upstream to a use-after-free flaw in
+ gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308
+ Closes: #782776
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 18 Apr 2015 19:11:01 +0200
+
+gnutls28 (3.3.8-6) unstable; urgency=medium
+
+ * 39_check-whether-the-two-signatur.patch: Pull and unfuzz
+ 6e76e9b9fa845b76b0b9a45f05f4b54a052578ff from upstream GIT: On
+ certificate import check whether the two signature algorithms match.
+ CVE-2015-0294. Closes: #779428
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 28 Feb 2015 14:17:21 +0100
+
+gnutls28 (3.3.8-5) unstable; urgency=medium
+
+ * Remove SSL 3.0 from default priorities list.
+ Closes: #769904
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 20 Nov 2014 19:25:20 +0100
+
+gnutls28 (3.3.8-4) unstable; urgency=high
+
+ * Drop 31_fallback_to_RUSAGE_SELF.diff.
+ * 35_recheck_urandom_fd.diff: When gnutls_global_init() is called manually
+ from the application check the urandom fd for validity. Closes: #768841
+ and takes care of #760476.
+ * 36_less_refresh-rnd-state.diff: do not explicitly refresh rnd state on
+ session deinit. It is already being refreshed during the session lifetime.
+ * 37_X9.63_sanity_check.diff: when exporting curve coordinates to X9.63
+ format, perform additional sanity checks on input.
+ CVE-2014-8564 / GNUTLS-SA-2014-5. Closes: #769154
+ * 38_testforsanitycheck.diff adds a test for CVE-2014-8564. (As the test
+ uses a cert in binary der-format which is not representable in a quilt
+ patches and we want to limit debian.tar.xz to modify stuff in debian/ we
+ have some special handling in debian/rules.)
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 12 Nov 2014 19:31:07 +0100
+
+gnutls28 (3.3.8-3ubuntu3) vivid; urgency=medium
+
+ * SECURITY UPDATE: certificate algorithm consistency issue
+ - debian/patches/CVE-2015-0294.patch: make sure the two signature
+ algorithms match on cert import in lib/x509/x509.c.
+ - CVE-2015-0294
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Mar 2015 08:16:02 -0400
+
+gnutls28 (3.3.8-3ubuntu2) vivid; urgency=medium
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ elliptic curves parameter printing
+ - debian/patches/CVE-2014-8564.patch: add more sanity checks in
+ lib/gnutls_ecc.c.
+ - CVE-2014-8564
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 10 Nov 2014 15:18:59 -0500
+
+gnutls28 (3.3.8-3ubuntu1) vivid; urgency=low
+
+ * Merge from Debian unstable. Remaining changes:
+ - Make gnutls28 default.
+
+ -- Michael Vogt <michael.vogt@ubuntu.com> Thu, 30 Oct 2014 15:21:33 +0100
+
+gnutls28 (3.3.8-3) unstable; urgency=high
+
+ [ Daniel Kahn Gillmor ]
+ * Add list of executables to gnutls-bin package description.
+ Closes: #763671
+
+ [ Andreas Metzler ]
+ * 31_fallback_to_RUSAGE_SELF.diff from upstream GIT: if RUSAGE_THREAD fails
+ try RUSAGE_SELF, which should fix a crash in cups. (Thanks, Nikos
+ Mavrogiannopoulos!) Closes: #760476
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 11 Oct 2014 16:16:00 +0200
+
+gnutls28 (3.3.8-2) unstable; urgency=medium
+
+ * Correct libtasn1-6-dev (build-)dependency version requirement, GnuTLS
+ 3.3.8 requires libtasn1 >= 3.9.
+ * Upload to unstable.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 21 Sep 2014 11:52:40 +0200
+
+gnutls28 (3.3.8-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Refresh 20_debian_specific_soname.diff.
+ + Bump libp11-kit-dev b-d to >= 0.20.7, add (temporary) build-conflicts
+ with old experimental upload 0.21.2-1
+ + Add newly added symbols to libgnutls-deb0-28.symbols, bump version of
+ some functions in the gnutls_pkcs11_* family due to new members in enums
+ gnutls_pkcs11_obj_type_t and gnutls_pkcs11_obj_flags, bump private
+ symbol dependency info, and bump shlibs.
+ * Drop version from libgnutls28-dev's dependency on libp11-kit-dev.
+ The GnuTLS library package automatically gets a dependency on libp11-kit0
+ (>= the-version-in-build-depends). OTOH libp11-kit-dev depends on
+ libp11-kit0 (= ${binary:Version}). Therefore these dependencies already
+ enforce a version on libp11-kit-dev and we do not need to duplicate the
+ info.
+ * Add explicit build-dependency on libopts25-dev. Closes: #761618
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 20 Sep 2014 12:11:01 +0200
+
+gnutls28 (3.3.7-2) unstable; urgency=medium
+
+ * Upload to unstable.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 30 Aug 2014 08:01:51 +0200
+
+gnutls28 (3.3.7-1) experimental; urgency=medium
+
+ * New upstream release.
+ + Refresh 20_debian_specific_soname.diff.
+ + Add newly added symbols to libgnutls-deb0-28.symbols, bump private
+ symbol dependency info, and bump shlibs.
+ + New member in gnutls_pkcs11_obj_attr_t, bump version of
+ gnutls_pkcs11_obj_list_import_url*.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 24 Aug 2014 13:35:44 +0200
+
+gnutls28 (3.3.6-2) unstable; urgency=medium
+
+ * Upload to unstable. We want 3.3 in jessie, as it is (going to be) GnuTLS
+ lastest stable at freeze time.
+ * 30_guile-snarf.diff: Work around #759096 (guile-snarf hard-codes the
+ at-build-time-default-compiler) by exporting @CPP@.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 24 Aug 2014 09:32:36 +0200
+
+gnutls28 (3.3.6-1) experimental; urgency=medium
+
+ * [debian/copright]: Replace reference to GPLv2.1 (which does not exist)
+ with one to GPLv2. (Thanks, Jakub Wilk) Closes: #754160
+ * New upstream release.
+ + Refresh 20_debian_specific_soname.diff.
+ + Add newly added symbols to libgnutls-deb0-28.symbols and bump private
+ symbol dependency info.
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 24 Jul 2014 08:50:01 +0200
+
+gnutls28 (3.3.5-1) experimental; urgency=medium
+
+ * New upstream version.
+ * Refresh patches/20_debian_specific_soname.diff.
+ * Drop 30_Updated-asm-sources.patch.
+ * Add new public symbols to symbol file, bump shlibs.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 28 Jun 2014 13:53:06 +0200
+
+gnutls28 (3.3.3-1) experimental; urgency=medium
+
+ * New upstream version, including a fix for GNUTLS-SA-2014-3
+ CVE-2014-3466.
+ * Refresh 20_debian_specific_soname.diff.
+ * 30_Updated-asm-sources.patch: Updated asm code pulled from upstream git.
+ * New symbol gnutls_credentials_get, update symbol file and bump shlibs.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 31 May 2014 07:58:37 +0200
+
+gnutls28 (3.3.2-2) experimental; urgency=high
+
+ * Fix crashes due to symbol clashes when a binary ends up being linked
+ against GnuTLS v2 and v3 by bumping library symbol-versioning (and
+ therefore also the soname) in a Debian specific way, to make sure there is
+ no conflict with future:
+ + 20_debian_specific_soname.diff
+ - Symbol versions: GNUTLS_* -> GNUTLS_DEBIAN_0_*
+ - Add "-release deb0" to libtool link command.
+ + Rename libgnutls28 to libgnutls-deb0-28, matching the new soname.
+ + Adapt symbol file accordingly.
+ + Change 14_version_gettextcat.diff, too.
+ Closes: #748742
+ * Drop libgnutls28-dbg Conflicts with libgnutls13-dbg, libgnutls26-dbg.
+ These have been unnecessary since we started using dh compat v9, where
+ debugging symbols are installed to /usr/lib/debug/.build-id.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 24 May 2014 19:27:01 +0200
+
+gnutls28 (3.3.2-1) experimental; urgency=medium
+
+ * Do not build-depend on guile-2.0 on m68k. Closes: #745461
+ * Manually version libgnutls28's dependency on libgmp10 as (>= 2:6), to
+ enforce a dual-licensed (GPLv2+/LGPLv2.1+) version of GMP. Also add a
+ corresponding versioned build-dependency, to prevent building of
+ uninstallable packages.
+ * New upstream version. Drop 20_guile_no_override_allocation.diff and
+ 21_Treat-othername-as-printable.diff.
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 08 May 2014 19:47:09 +0200
+
+gnutls28 (3.3.1-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Drop 20_sparc_chainverify_buserror.diff.
+ + Pull 20_guile_no_override_allocation.diff and
+ 21_Treat-othername-as-printable.diff from upstream GIT.
+ + Drop gnutls_secure_calloc@GNUTLS_1_4 from symbol file. It was dropped
+ upstream since it was never exported in a public header and is not
+ used according to codesearch.d.o.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 19 Apr 2014 19:25:11 +0200
+
+gnutls28 (3.3.0-2) experimental; urgency=medium
+
+ * Drop last remains of -xssl from debian/.
+ * Add debian/libgnutls28.symbols.
+ * 20_sparc_chainverify_buserror.diff from upstream GIT: In chainverify test
+ increase the space available for certificates to fix sparc testsuite
+ error.
+ * Build OpenSSL wrapper from gnutls28, provide libgnutls-openssl-dev from
+ libgnutls28-dev.
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 17 Apr 2014 19:53:30 +0200
+
+gnutls28 (3.3.0-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Bump shlibs.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 12 Apr 2014 07:49:11 +0200
+
+gnutls28 (3.3.0~pre0-1) experimental; urgency=medium
+
+ * Also version the p11-kit dependency.
+ * New upstream version.
+ + Set --enable-static, as only shared libs are built by default.
+ + libgnutls-xssl is no more.
+ + Bump shlibs.
+ * Upload to experimental.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 29 Mar 2014 19:19:37 +0100
+
+gnutls28 (3.2.16-1ubuntu2) utopic; urgency=medium
+
+ * No-change rebuild to get debug symbols on all architectures.
+
+ -- Brian Murray <brian@ubuntu.com> Tue, 21 Oct 2014 14:15:57 -0700
+
+gnutls28 (3.2.16-1ubuntu1) utopic; urgency=medium
+
+ * Make gnutls28 default.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 08 Aug 2014 08:24:17 +0100
+
+gnutls28 (3.2.16-1) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 23 Jul 2014 12:36:32 +0200
+
+gnutls28 (3.2.15-3) unstable; urgency=medium
+
+ * [debian/copright]: Replace reference to GPLv2.1 (which does not exist)
+ with one to GPLv2. (Thanks, Jakub Wilk) Closes: #754160
+ * Stop shipping libgnutls-xssl0, it has been removed in upstream's 3.3
+ series.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 12 Jul 2014 13:55:48 +0200
+
+gnutls28 (3.2.15-2) unstable; urgency=high
+
+ * Fix crashes due to symbol clashes when a binary ends up being linked
+ against GnuTLS v2 and v3 by bumping library symbol-versioning (and
+ therefore also the soname) in a Debian specific way, to make sure there is
+ no conflict with future:
+ + 20_debian_specific_soname.diff
+ - Symbol versions: GNUTLS_* -> GNUTLS_DEBIAN_0_*
+ - Add "-release deb0" to libtool link command.
+ + Rename libgnutls28 to libgnutls-deb0-28, matching the new soname.
+ + Change 14_version_gettextcat.diff, too.
+ Closes: #74874
+ * Drop libgnutls28-dbg Conflicts with libgnutls13-dbg, libgnutls26-dbg.
+ These have been unnecessary since we started using dh compat v9, where
+ debugging symbols are installed to /usr/lib/debug/.build-id.
+ * debian/copyright: Add info about GPLv2 compatibility.
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 05 Jun 2014 18:56:03 +0200
+
+gnutls28 (3.2.15-1) unstable; urgency=high
+
+ * New upstream version.
+ + Includes a fix for GNUTLS-SA-2014-3 / CVE-2014-3466.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 31 May 2014 08:37:00 +0200
+
+gnutls28 (3.2.14-1) unstable; urgency=medium
+
+ * Do not build-depend on guile-2.0 on m68k. Closes: #745461
+ * New upstream version.
+ * Manually version libgnutls28's dependency on libgmp10 as (>= 2:6), to
+ enforce a dual-licensed (GPLv2+/LGPLv2.1+) version of GMP. Also add a
+ corresponding versioned build-dependency, to prevent building of
+ uninstallable packages.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 07 May 2014 19:29:26 +0200
+
+gnutls28 (3.2.13-2) unstable; urgency=medium
+
+ * Build OpenSSL wrapper from gnutls28, provide libgnutls-openssl-dev from
+ libgnutls28-dev.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 16 Apr 2014 19:24:25 +0200
+
+gnutls28 (3.2.13-1) unstable; urgency=medium
+
+ * Also version the p11-kit dependency.
+ * New upstream version.
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 10 Apr 2014 19:08:40 +0200
+
+gnutls28 (3.2.12.1-2) unstable; urgency=medium
+
+ * Upload to unstable.
+ * Sync from Ubuntu (Colin Watson):
+ + Add arm64 and ppc64el to the list of non-ia64 architectures on which
+ guile-gnutls is built.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 12 Mar 2014 17:50:43 +0100
+
+gnutls28 (3.2.12.1-1) experimental; urgency=medium
+
+ * New upstream version.
+ + Drop superfluous patches:
+ 20_bug-in-gnutls_pcert_list_import_x509_raw.patch
+ 20_CVE-2014-0092.diff
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 05 Mar 2014 19:40:42 +0100
+
+gnutls28 (3.2.11-2) unstable; urgency=high
+
+ * Bump version of Build-Depends on libp11-kit-dev, as required by 3.2.11.
+ * 20_CVE-2014-0092.diff by Nikos Mavrogiannopoulos: Fix certificate
+ validation issue. CVE-2014-0092
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 01 Mar 2014 08:48:21 +0100
+
+gnutls28 (3.2.11-1) unstable; urgency=high
+
+ * New upstream version. (Closes CVE-2014-1959 / GNUTLS-SA-2014-1)
+ * Pull 20_bug-in-gnutls_pcert_list_import_x509_raw.patch from upstream git.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 15 Feb 2014 14:38:52 +0100
+
+gnutls28 (3.2.10-2) unstable; urgency=high
+
+ * Upload to unstable.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 02 Feb 2014 12:10:16 +0100
+
+gnutls28 (3.2.10-1) experimental; urgency=high
+
+ * New upstream version.
+ * New symbols exported, bump shlibs.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 01 Feb 2014 09:22:36 +0100
+
+gnutls28 (3.2.9-2) unstable; urgency=medium
+
+ * Upload to unstable.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 29 Jan 2014 19:05:05 +0100
+
+gnutls28 (3.2.9-1) experimental; urgency=medium
+
+ * New upstream version.
+ + %COMPAT implies %DUMBFW. (See #733039)
+ * Drop 40_guilenoparallel.diff, which did not have any effect after enabling
+ dh_autoreconf.
+ * Stop dh_clean from removing *.bak, upstream tarball actually contains
+ files named such in src/ subdirectory.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 25 Jan 2014 19:00:11 +0100
+
+gnutls28 (3.2.8.1-3) unstable; urgency=medium
+
+ * Correct c'n'p error in Vcs-Git field.
+ * Update debian/copyright from upstream's README. (Thanks, Kurt Roeckx)
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 19 Jan 2014 13:23:46 +0100
+
+gnutls28 (3.2.8.1-2) unstable; urgency=low
+
+ * Upload to unstable, without libgnutls-openssl27.
+
+ -- Andreas Metzler <ametzler@debian.org> Fri, 27 Dec 2013 15:45:39 +0100
+
+gnutls28 (3.2.8.1-1) experimental; urgency=low
+
+ * New upstream version.
+ + Drop debian/patches/45_add_strerror-module.patch, which was pulled from
+ upstream.
+ + Bump shlibs.
+ * Add debian/upstream-signing-key.pgp (listed in
+ debian/source/include-binaries) and update watchfile to check
+ upstream signature.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 21 Dec 2013 16:59:19 +0100
+
+gnutls28 (3.2.7-4) experimental; urgency=low
+
+ * Upload to experimental, with libgnutls-openssl27.
+ * Version libgnutls-openssl27 shlibs. (Mainly to identify rebuilt packages.)
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 08 Dec 2013 18:43:16 +0100
+
+gnutls28 (3.2.7-3) unstable; urgency=low
+
+ * Point vcs* to git.
+ * Upload to unstable, without libgnutls-openssl27.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 08 Dec 2013 18:15:43 +0100
+
+gnutls28 (3.2.7-2) experimental; urgency=low
+
+ * Fix kfreebsd FTBFS.
+ + 45_add_strerror-module.patch add gnulib strerror module.
+ + Use dh_autoreconf.
+
+ -- Andreas Metzler <ametzler@debian.org> Fri, 29 Nov 2013 19:10:39 +0100
+
+gnutls28 (3.2.7-1) experimental; urgency=low
+
+ * New upstream version.
+ + Add b-d on bison.
+ + Bump shlibs.
+ + Drop 30_forcesystemlibopts.diff 50_Ignore-SIGPIPE.patch.
+ + Simplify debian/rules, stop removing autogened files.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 27 Nov 2013 19:30:00 +0100
+
+gnutls28 (3.2.6-2) experimental; urgency=low
+
+ * Print out test-suite.log on test-suite-error. (Thanks, Steven Chamberlain
+ for the hint.)
+ * 50_Ignore-SIGPIPE.patch - fix spurious FTBFS due to race condition.
+ + -- Andreas Metzler <ametzler@debian.org> Sun, 10 Nov 2013 13:54:49 +0100 + +gnutls28 (3.2.6-1) experimental; urgency=low + + * New upstream version. + + Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Tue, 05 Nov 2013 19:25:51 +0100 + +gnutls28 (3.2.5-1) experimental; urgency=low + + * New upstream version. + + Bump shlibs. + * Ship examples/examples.h which is needed for building examples/*.c. Also + add ex-cxx.cpp, while we are at it. (Thanks, Daniel Kahn Gillmor) + Closes: #726971 + + -- Andreas Metzler <ametzler@debian.org> Sat, 26 Oct 2013 14:40:05 +0200 + +gnutls28 (3.2.4-5) experimental; urgency=low + + * Re-enable building of libgnutls-openssl27 binary package. + * Let libgnutls-dev provide libgnutls-openssl-dev to prepare a seamless + transition to gnutls28. + + -- Andreas Metzler <ametzler@debian.org> Sun, 06 Oct 2013 19:10:06 +0200 + +gnutls28 (3.2.4-4) unstable; urgency=low + + * 40_guilenoparallel.diff: Disable parallel build in + guile/modules/. + + -- Andreas Metzler <ametzler@debian.org> Mon, 09 Sep 2013 19:48:04 +0200 + +gnutls28 (3.2.4-3) unstable; urgency=low + + * Looks like "Architecture" in debian/control cannot be folded, unfold the + respective entry for guile-gnutls. + + -- Andreas Metzler <ametzler@debian.org> Sun, 08 Sep 2013 08:03:27 +0200 + +gnutls28 (3.2.4-2) unstable; urgency=low + + * Manpages were missing on binary-only builds. Closes: #721725 + * Build with + --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt since + ca-certificates not pulled in by build-dependencies anymore. + Closes: #721726 + * Upload to unstable. + + -- Andreas Metzler <ametzler@debian.org> Sat, 07 Sep 2013 08:10:17 +0200 + +gnutls28 (3.2.4-1) experimental; urgency=low + + * New upstream release. + + Drop 40_Clean-up-after-test.patch. + * Fix path to png files in info files with sed instead of symlinking images. + * Bump shlibs. 
+ + -- Andreas Metzler <ametzler@debian.org> Sat, 31 Aug 2013 19:02:33 +0200 + +gnutls28 (3.2.3-3) experimental; urgency=low + + * Switch to dh, to easily allow us to move gtk-doc-tools to + Build-Depends-Indep. Closes: #682596 + + -- Andreas Metzler <ametzler@debian.org> Sun, 25 Aug 2013 10:25:52 +0200 + +gnutls28 (3.2.3-2) experimental; urgency=low + + * Build gnutls-guile against guile-2.0. + + Drop --disable-largefile on armel armhf mipsel. + + ia64 does not build guile-2.0, disable guile-support there. + + -- Andreas Metzler <ametzler@debian.org> Sun, 04 Aug 2013 13:28:13 +0200 + +gnutls28 (3.2.3-1) unstable; urgency=low + + * New upstream release. + * Drop superfluous patches. (35_gnutls-priority-string.diff + 36_avoid-leaking-a-buffer-element.diff) + * Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Tue, 30 Jul 2013 19:45:28 +0200 + +gnutls28 (3.2.2-2) unstable; urgency=low + + * Pull two patches from upstream: + +35_gnutls-priority-string.diff Fix priority string parsing broken in + 3.2.2 Closes: #717314 + +36_avoid-leaking-a-buffer-element.diff + + -- Andreas Metzler <ametzler@debian.org> Sun, 21 Jul 2013 18:08:42 +0200 + +gnutls28 (3.2.2-1) unstable; urgency=low + + * Mark libgnutls28-dev Multi-Arch: same. (Thanks, Nicolas Le Cam) + Closes: #678070 + * New upstream version. + * Drop superfluous patches. 31_testsuite32bit.diff 32_linkagainstgmp.diff + * Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Mon, 15 Jul 2013 11:41:50 +0200 + +gnutls28 (3.2.1-2) unstable; urgency=low + + * Upload to unstable. + * Do not link everything against nettle on mips(el), the issue being worked + around was fixed by the latest eglibc upload. + * Use debhelper v9 mode. This allows us to mark libgnutls28-dbg Multi-Arch: + same. + + -- Andreas Metzler <ametzler@debian.org> Sun, 23 Jun 2013 16:55:09 +0200 + +gnutls28 (3.2.1-1) experimental; urgency=low + + * New upstream version. + + Bump nettle build-dep to >= 2.7. + + Bump shlibs. 
+ + Disable 20_test-select.diff instead of ufuzzing the patch. - Let's check + whether it still fails on kfreebsd-i386. + + [31_testsuite32bit.diff] Avoid comparing the expiration date to prevent + false positive error in 32-bit systems. + + [32_linkagainstgmp.diff] Link libgnutls against gmp. + + -- Andreas Metzler <ametzler@debian.org> Sun, 09 Jun 2013 20:08:29 +0200 + +gnutls28 (3.1.12-2) unstable; urgency=low + + * Upload to unstable. + * Fix vcs-field-not-canonical lintian error by using anonscm instead of + svn.debian.org. + + -- Andreas Metzler <ametzler@debian.org> Sat, 08 Jun 2013 14:41:39 +0200 + +gnutls28 (3.1.12-1) experimental; urgency=low + + * Use rm -f on clean, fixing an issue with building twice in row. + * New upstream version. + * On mips/mipsel link everything and the kitchen-sink against nettle to work + around toolchain breakage ("crt1.o: undefined reference to symbol '_gp'"). + + -- Andreas Metzler <ametzler@debian.org> Sun, 02 Jun 2013 07:58:55 +0200 + +gnutls28 (3.1.11-1) experimental; urgency=low + + * New upstream version. + + Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Fri, 10 May 2013 16:39:17 +0200 + +gnutls28 (3.1.10-1) experimental; urgency=low + + * New upstream version. + * Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Sat, 23 Mar 2013 16:21:30 +0100 + +gnutls28 (3.1.9.1-1) experimental; urgency=low + + * New upstream version. + * Bump shlibs. + * Force re-generation of autogen-ed manpages. + + -- Andreas Metzler <ametzler@debian.org> Sun, 03 Mar 2013 17:06:05 +0100 + +gnutls28 (3.1.8-1) experimental; urgency=low + + * New upstream version. + + -- Andreas Metzler <ametzler@debian.org> Sun, 10 Feb 2013 13:35:32 +0100 + +gnutls28 (3.1.7-1) experimental; urgency=low + + * Let libgnutls28 depend on libtasn1-6 instead of on libtasn1-3, matching + the build-depency. (Thanks, Daniel Kahn Gillmor) + * New upstream version. + + Includes a fix for GNUTLS-SA-2013-1 TLS CBC padding timing attack. 
+ CVE-2013-0169 CVE-2013-1619. + + New symbols added, bump shlibs. + + Ship newly available libgnutls-xssl0 library in a separate package. + * Disable Heart Beat (RFC6520) support. + + -- Andreas Metzler <ametzler@debian.org> Tue, 05 Feb 2013 14:58:31 +0100 + +gnutls28 (3.1.6-1) experimental; urgency=low + + * Update watchfile, based on Bart Martens version for gnutls26 on + q.d.o, but use a) ftp.gnutls.org as mirror and b) limit the the match to + 3.x versions. + * New upstream version. + + requires libtasn1 >= 3.1, bump build-depends. + + requires a a newer version of autogen, bump build-depends. + + update debian/copyright to reflect the fact that GnuTLS authors have + stopped assigning copyright to FSF. + + -- Andreas Metzler <ametzler@debian.org> Sat, 05 Jan 2013 09:38:41 +0100 + +gnutls28 (3.1.5-1) experimental; urgency=low + + * New upstream version. + + Drop 40_danetestfail.diff + + Unfuzz 20_test-select.diff + + Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Wed, 28 Nov 2012 19:23:10 +0100 + +gnutls28 (3.1.4-1) experimental; urgency=low + + * New upstream release. + + Drop 40_fixtypo.diff. + + debian/copyright: update upstream author list. + + New symbols added, bump shlibs. + * 40_danetestfail.diff - Do not try to run dane test without dane support. + + -- Andreas Metzler <ametzler@debian.org> Sat, 10 Nov 2012 09:21:41 +0100 + +gnutls28 (3.1.3-1) experimental; urgency=low + + * New upstream release. + * Explicitly set --disable-libdane --without-tpm. + * Bump shlibs. + * 40_fixtypo.diff pulled from upstream git. + * Update debian/copyright from AUTHORS. + + -- Andreas Metzler <ametzler@debian.org> Sat, 13 Oct 2012 15:52:09 +0200 + +gnutls28 (3.1.2-1) experimental; urgency=low + + * New upstream release. + + Requires libtasn1-3 2.14, bump (b-)d. + + New symbols added, bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Sat, 29 Sep 2012 08:13:47 +0200 + +gnutls28 (3.1.1-1) experimental; urgency=low + + * New upstream release. 
+ + Includes patch by Bernhard R. Link for gnutls-serv listening on ipv6. + Closes: #686242 + + Drop superfluous patches. (40_debugtestsuite 41_use-errno.diff + 42_dump-the-errno.diff 43_possiblefix.diff) + + Bump shlibs. + * Sync version of libgnutls-dev dependency on nettle-dev with the + build-dependency. + + -- Andreas Metzler <ametzler@debian.org> Tue, 04 Sep 2012 19:28:08 +0200 + +gnutls28 (3.1.0-5) experimental; urgency=low + + * 43_possiblefix.diff might fix the test suite error. + + -- Andreas Metzler <ametzler@debian.org> Sun, 02 Sep 2012 16:05:34 +0200 + +gnutls28 (3.1.0-4) experimental; urgency=low + + * 41_use-errno.diff 42_dump-the-errno.diff: Get more info for debugging the + testsuite error. + + -- Andreas Metzler <ametzler@debian.org> Sun, 02 Sep 2012 13:28:55 +0200 + +gnutls28 (3.1.0-3) experimental; urgency=low + + * [40_debugtestsuite] Debug the correct test, mini-handshake-timeout. + + -- Andreas Metzler <ametzler@debian.org> Sat, 01 Sep 2012 10:02:54 +0200 + +gnutls28 (3.1.0-2) experimental; urgency=low + + * Mention abbreviation "DTLS" in package description. + * [40_debugtestsuite] Enable verbose execution of mini-emsgsize-dtls test, + it spuriously fails on about half of the buildds. + + -- Andreas Metzler <ametzler@debian.org> Sat, 01 Sep 2012 08:41:11 +0200 + +gnutls28 (3.1.0-1) experimental; urgency=low + + * New upstream release. + + Bump nettle build-dep to >= 2.5. + + Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Sun, 26 Aug 2012 13:40:15 +0200 + +gnutls28 (3.0.22-2) unstable; urgency=low + + * Upload to unstable. This is a leaf-package, experimental should get + 3.1.0. + + -- Andreas Metzler <ametzler@debian.org> Sat, 25 Aug 2012 09:22:37 +0200 + +gnutls28 (3.0.22-1) experimental; urgency=low + + * New upstream version. + + -- Andreas Metzler <ametzler@debian.org> Sun, 05 Aug 2012 08:29:14 +0200 + +gnutls28 (3.0.21-1) experimental; urgency=low + + * New upstream version. + + Drop 35_s390buildfix.diff. 
+ * Bump shlibs (new functions added.) + + -- Andreas Metzler <ametzler@debian.org> Tue, 03 Jul 2012 19:50:14 +0200 + +gnutls28 (3.0.20-3) unstable; urgency=low + + * 35_s390buildfix.diff - Fixes test-suite error on s390x. + + -- Andreas Metzler <ametzler@debian.org> Thu, 21 Jun 2012 19:52:47 +0200 + +gnutls28 (3.0.20-2) unstable; urgency=low + + * Upload to unstable. + + -- Andreas Metzler <ametzler@debian.org> Sat, 16 Jun 2012 16:20:01 +0200 + +gnutls28 (3.0.20-1) experimental; urgency=low + + * New upstream version. + * Bump shlibs (new functions added.) + * Drop 25_disabledtls_kFreeBSD.diff, kFreeBSD has support for + CLOCK_MONOTONIC now. #662018 + + -- Andreas Metzler <ametzler@debian.org> Wed, 06 Jun 2012 20:46:11 +0200 + +gnutls28 (3.0.19-2) unstable; urgency=low + + * Upload to unstable. + + -- Andreas Metzler <ametzler@debian.org> Sun, 22 Apr 2012 18:42:46 +0200 + +gnutls28 (3.0.19-1) experimental; urgency=low + + * New upstream version. + + libgnutls: When decoding a PKCS #11 URL the pin-source field + is assumed to be a file that stores the pin. (LP: #929108) + + Drop 31_killchild.diff, included upstream. + + -- Andreas Metzler <ametzler@debian.org> Sun, 22 Apr 2012 18:14:41 +0200 + +gnutls28 (3.0.18-2) unstable; urgency=low + + * Upload to unstable. + + -- Andreas Metzler <ametzler@debian.org> Sat, 14 Apr 2012 16:34:15 +0200 + +gnutls28 (3.0.18-1) experimental; urgency=low + + * New upstream version. + + Bump shlibs. + * patches/31_killchild.diff: Revert upstream change which caused tee-ing a + build to hang. + + -- Andreas Metzler <ametzler@debian.org> Sat, 07 Apr 2012 09:11:39 +0200 + +gnutls28 (3.0.17-2) unstable; urgency=low + + * Upload to unstable. + + -- Andreas Metzler <ametzler@debian.org> Tue, 20 Mar 2012 19:19:31 +0100 + +gnutls28 (3.0.17-1) experimental; urgency=low + + * New upstream version. + + Bump shlibs. 
+ + -- Andreas Metzler <ametzler@debian.org> Sat, 17 Mar 2012 15:59:17 +0100 + +gnutls28 (3.0.15-2) experimental; urgency=low + + * 25_disabledtls_kFreeBSD.diff: Skip dtls-stress on kFreeBSD-* since + support for CLOCK_MONOTONIC is missing there. (See #662018.) + + -- Andreas Metzler <ametzler@debian.org> Sun, 11 Mar 2012 10:24:39 +0100 + +gnutls28 (3.0.15-1) experimental; urgency=low + + * New upstream version. + + Drop superfluous patches (30_microseconds-does-not-overflow.patch, + 31_provide-accurate-value-to-select.patch) + + Includes fix for CVE-2012-1573. + * 30_forcesystemlibopts.diff: Force linkage against Debian's libopts. + * Bump libgnutls-dev dependency on libp11-kit-dev. + + -- Andreas Metzler <ametzler@debian.org> Sun, 04 Mar 2012 15:58:38 +0100 + +gnutls28 (3.0.14-1) experimental; urgency=low + + * New upstream version. + + Drop 30_force-kill-of-child.diff. + * Pull 30_microseconds-does-not-overflow.patch and + 31_provide-accurate-value-to-select.patch from GIT head, fixing testsuite + error (tests/mini-loss) on kfreebsd-*. + + -- Andreas Metzler <ametzler@debian.org> Sat, 25 Feb 2012 15:24:39 +0100 + +gnutls28 (3.0.13-1) experimental; urgency=low + + * New upstream version. + + bump libp11-kit-dev build-dep. to >= 0.11. + + drop 30_guilegnutlserrorcodes.diff. + * Drop debian/ocsptool.1 use, newly available upstream manpage instead. + * Use and link against Debian's packaged version of autogen/libopts. + + B-d on autogen. + + remove autogen-generated files (*.c, *.h) on clean. autogen requires + that the system headers are at least of the same version as the + one which was used to generate the files from their respective .def + sources. + * 30_force-kill-of-child.diff: Kill child process in mini-loss-time test. + * Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Mon, 20 Feb 2012 19:30:16 +0100 + +gnutls28 (3.0.12-2) unstable; urgency=low + + * De-multiarch guile-gnutls. 
Closes: #658110 + + -- Andreas Metzler <ametzler@debian.org> Sat, 04 Feb 2012 14:34:48 +0100 + +gnutls28 (3.0.12-1) unstable; urgency=low + + * New upstream version. + * [30_guilegnutlserrorcodes.diff] (pulled from git head): fixes guile + testsuite error. + * Update debian/copyright. + * Bump shlibs. (OCSP support) + * Add trivial ocsptool manpage. + + -- Andreas Metzler <ametzler@debian.org> Sat, 21 Jan 2012 10:38:44 +0100 + +gnutls28 (3.0.11-1) unstable; urgency=low + + * New upstream version. + + -- Andreas Metzler <ametzler@debian.org> Sat, 07 Jan 2012 12:55:33 +0100 + +gnutls28 (3.0.10-1) unstable; urgency=low + + * Drop guile-gnutls.README.Debian - binary guile modules are no longer + directly installed in $libdir. + * New upstream version. + + Drop patches/30_correctly-set-the-odd-bits.patch. + + gnutls_random_art() added. Update copyright, bump shlibs. + + src/serv.c: Only use configured interfaces. Patch by Pino Toscano. + Closes: #652552 + + -- Andreas Metzler <ametzler@debian.org> Fri, 06 Jan 2012 08:52:19 +0100 + +gnutls28 (3.0.9-2) unstable; urgency=low + + * [20_test-select.diff] Do not run gnulib test-select test anymore. The + test fails on kfreebsd-i386, the gnutls library does not use select(). + * [30_correctly-set-the-odd-bits.patch] Post release fix from GIT head. + * Upload to unstable. + + -- Andreas Metzler <ametzler@debian.org> Sat, 17 Dec 2011 11:41:19 +0100 + +gnutls28 (3.0.9-1) experimental; urgency=low + + * New upstream version. + * Include guile-gnutls package. + * Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Wed, 14 Dec 2011 19:54:20 +0100 + +gnutls28 (3.0.8-2) unstable; urgency=low + + * First upload to unstable. + + Disable openssl-wrapper package, let it be provided by gnutls26 until + gnutls28 is in testing. + + Disable gnutls-guile package, let it be provided by gnutls26 until + gnutls28 is in testing. 
+ + -- Andreas Metzler <ametzler@debian.org> Sat, 03 Dec 2011 10:30:04 +0100 + +gnutls28 (3.0.8-1) experimental; urgency=low + + * Build gnutls with --disable-largefile on armel, armhf and mipsel to fix + guile related FTBFS on these architectures. + See http://lists.gnu.org/archive/html/gnutls-devel/2011-10/msg00075.html + * New upstream version. + + Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Sat, 12 Nov 2011 17:05:25 +0100 + +gnutls28 (3.0.7-1) experimental; urgency=low + + * New upstream version. + + Fixes GNUTLS-SA-2011-2 CVE-2011-4128 #648441 + * Drop 20_addGNU-stack.diff, included upstream. + * loadable Guile module no longer installed directly to $libdir but to + $libdir/guile/X.Y/. Drop nunnecessary lintian overrides and + Pre-Depends: ${misc:Pre-Depends} from guile-gnutls. Also modify + DEB_DH_MAKESHLIBS_ARGS_guile-gnutls to ignore the binary module. + * gnutls-extra is removed upstream, there is no need anymore to manually + remove the bits and pieces in debian/rules. + + -- Andreas Metzler <ametzler@debian.org> Thu, 10 Nov 2011 19:35:30 +0100 + +gnutls28 (3.0.4-2) experimental; urgency=low + + * Drop libgnutls-dev.README.Debian, the information provided there stopped + being relevant in 2.7.12. + * Delete superfluous info from debian/README.source. + * Rename libgnutls-dev to libgnutls28-dev. A big quick transition does not + seem to be possible. + http://lists.debian.org/debian-devel/2011/10/msg00332.html + * Simplify dependencies: + + libgnutls28-dev Provides/Conflicts/Replaces gnutls-dev (which is + also provided by gnutls26' libgnutls-dev). + + Drop *ancient* Conflicts/Replaces against libgnutls5-dev, gnutls0.4-dev, + gnutls-dev (<< 0.4.0-0), libgnutls11-dev. + + -- Andreas Metzler <ametzler@debian.org> Sun, 23 Oct 2011 17:41:27 +0200 + +gnutls28 (3.0.4-1) experimental; urgency=low + + * New upstream version. + + bump shlibs. + + bump nettle build-dependency to >= 2.4. (Required for ripemd-160). 
+ * Add libp11-kit-dev to libgnutls-dev dependencies. Closes: #643811 + * [20_addGNU-stack.diff] Add GNU-stack note to newly added + padlock-common.s. + * Stop shipping libgnutls-extra.so. It is an empty shell currently and will + be packaged for Debian again when it provides functionality. + * Update debian/copyright, accelerated assembly code is non-FSF copyright. + * Add crywrap.8 manpage. + + -- Andreas Metzler <ametzler@debian.org> Sat, 15 Oct 2011 13:37:39 +0200 + +gnutls28 (3.0.3-1) experimental; urgency=low + + * New upstream version. (Includes a fix for #640639) + * Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Tue, 20 Sep 2011 19:37:06 +0200 + +gnutls28 (3.0.2-1) experimental; urgency=low + + * Update debian/copyright for crywrap. + * Since libgnutls*-dbg contains debugging symbols of helper applications + libgnutls26-dbg and libgnutls28-dbg are not co-installable. Update + Conflicts. + * New upstream version. It also includes the fixes for #638586 (Correct + parsing of XMPP subject alternative names) and #638595 + (gnutls_certificate_set_x509_key() and + gnutls_certificate_set_openpgp_key() operate as in 2.10.x and allow the + release of the private key during the lifetime of the certificate + structure.) + * Configure with --enable-gtk-doc, the included API reference is incomplete + in the tarball. + * [lintian] Get rid of binary-control-field-duplicates-source field + warnings. + * [lintian] Add description header to 14_version_gettextcat.diff + * Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Sat, 03 Sep 2011 13:18:17 +0200 + +gnutls28 (3.0.1-1) experimental; urgency=low + + * Update Vcs-Svn and Vcs-Browser for new source package name. + * New upstream version. + + corrects formatting of gnutls-cli(1) manpage. Closes: #637551 + * Bump build-dependency on libp11-kit-dev to (>= 0.4). + * Drop 20_executablestack.diff, included upstream. 
+ * Includes crywrap(8), an application that proxies TLS session to a port + using a plaintext service. + * Add build-dependency on libidn11-dev, needed for newly added crywrap tool. + * Bump shlibs. (New flags). + + -- Andreas Metzler <ametzler@debian.org> Sun, 21 Aug 2011 14:54:23 +0200 + +gnutls28 (3.0.0-2) experimental; urgency=low + + * Add missing b-d on chrpath. + * Search for .xz instead of .bz2 in watchfile. + + -- Andreas Metzler <ametzler@debian.org> Tue, 16 Aug 2011 13:57:22 +0200 + +gnutls28 (3.0.0-1) experimental; urgency=low + + * Drop gcrypt related patches (16_unnecessarydep.diff + 17_ignoretestsuitteerrors.diff 18_gpgerrorinpkgconfig.diff + 20_gcrypt15compat.diff), update remaining one + (14_version_gettextcat.diff). + * Build against nettle and p11-kit. + + Update DEB_CONFIGURE_EXTRA_FLAGS. + + Update (Build-)Depends. (Add pkg-config, it is used for locating + p11-kit.) + * Changed sonames: libgnutlsxx27 -> libgnutlsxx28, libgnutls26 -> + libgnutls28. + * Drop libgnutls Breaks, they are superfluous after the soname change. + * Delete config.log on clean. + * [20_executablestack] pulled from upstream GIT. Adds GNU-stack note to + assembly files. + * Delete unneccessary rpath entries. + * Update debian/copyright. GnuTLS is LGPLv3+ now, GnuTLS-EXTRA GPLv3+. Add a + NEWS entry for this license change. + * Move gnutls-extra library to separate package. + + -- Andreas Metzler <ametzler@debian.org> Sun, 14 Aug 2011 16:44:11 +0200 + +gnutls26 (2.12.7-4) unstable; urgency=low + + * Upload to unstable. + * Point watch file to stable release directory. + * 18_gpgerrorinpkgconfig.diff: Add libgpg-error to pkg-config + Libs.private. Closes: #632891 + * Update libgnutls26 Breaks (snowdrop and zoneminder versions.) + + -- Andreas Metzler <ametzler@debian.org> Sun, 07 Aug 2011 09:58:28 +0200 + +gnutls26 (2.12.7-3) experimental; urgency=low + + [ Simon Josefsson ] + * Fix Debian BTS URL in --with-packager-bug-reports option. 
+ + [ Andreas Metzler ] + * [20_gcrypt15compat.diff] Fix compatibility with gcrypt 1.5. + + -- Andreas Metzler <ametzler@debian.org> Mon, 25 Jul 2011 19:59:36 +0200 + +gnutls26 (2.12.7-2) experimental; urgency=low + + * Stop shipping libtool la files. + * Convert to multi-arch. (Partial merge from Ubuntu 2.10.5-1ubuntu2): + + configure with --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH), update + *.install accordingly. + + Bump cdbs Build-Depends to 0.4.93 (required for expanding + $(DEB_HOST_MULTIARCH)). + + Bump debhelper b-d to 8.1.3 (for ${misc:Pre-Depends}). + + runtime libraries and guile-wrapper are Multi-Arch: same with + Pre-Depends: ${misc:Pre-Depends}, -bin (helper binaries) and -doc are + Multi-Arch: foreign, -dev and -dbg remain unchanged. + + Diverge from Ubuntu patch by not settting Multi-Arch: same on -dbg + package. It contains debugging symbols for both library and helper + binaries ( e.g. /usr/lib/debug/usr/bin/gnutls-cli) and is therefore not + co-installable with itself. + + -- Andreas Metzler <ametzler@debian.org> Sun, 26 Jun 2011 15:01:58 +0200 + +gnutls26 (2.12.7-1) experimental; urgency=low + + * New upstream version. + * Update 17_ignoretestsuitteerrors.diff. + * A new version of pokerth has been uploaded to sid, update libgnutls26 + Breaks accordingly. + + -- Andreas Metzler <ametzler@debian.org> Sun, 19 Jun 2011 08:49:01 +0200 + +gnutls26 (2.12.6.1-1) experimental; urgency=low + + * New upstream version. + * Bump shlibs, global_set_time_function() was added. + * Stop setting CFLAGS += -Wall, it is set by default again. + * [17_ignoretestsuitteerrors.diff] Ignore two (not serious) testsuite + errors. + + -- Andreas Metzler <ametzler@debian.org> Sun, 05 Jun 2011 13:18:50 +0200 + +gnutls26 (2.12.5-1) experimental; urgency=low + + * New upstream version. + * Bump shlibs, gnutls_x509_crq_verify() was added. 
+ + -- Andreas Metzler <ametzler@debian.org> Sat, 14 May 2011 13:21:12 +0200 + +gnutls26 (2.12.4-1) experimental; urgency=low + + * New upstream version. + * Bump shlibs. (gnutls_certificate_get_issuer() added). + + -- Andreas Metzler <ametzler@debian.org> Sun, 08 May 2011 15:19:18 +0200 + +gnutls26 (2.12.3-1) experimental; urgency=low + + * New upstream version. + * Drop patches included upstream: [18_restoreHMAC-MD5.diff] + + -- Andreas Metzler <ametzler@debian.org> Fri, 22 Apr 2011 18:26:11 +0200 + +gnutls26 (2.12.2-2) experimental; urgency=low + + * [18_restoreHMAC-MD5.diff], pulled from upstream git, restore HMAC-MD5 + for compatibility. Closes: #623001 + + -- Andreas Metzler <ametzler@debian.org> Sun, 17 Apr 2011 15:44:30 +0200 + +gnutls26 (2.12.2-1) experimental; urgency=low + + * New upstream version. + * [lintian] Drop article from short package descriptions. + + -- Andreas Metzler <ametzler@debian.org> Fri, 08 Apr 2011 19:36:27 +0200 + +gnutls26 (2.12.1-1) experimental; urgency=low + + * New upstream version. + + certtool: Generated certificate request with stricter permissions. + Closes: #619746 + * Drop superfluous patches: + 17_sizeof_gnutls_openpgp_keyid_t.diff 18_ext_mod_iadef.diff + 19_uninitializedvar.diff 20_access_freedmemory.diff + * Add Breaks for all packages using the GnuTLS OpenSSL wrapper. They will + need a binNMU when gnutls 2.12.x uploaded to unstable. + + -- Andreas Metzler <ametzler@debian.org> Sat, 02 Apr 2011 15:22:46 +0200 + +gnutls26 (2.12.0-1) experimental; urgency=low + + * New upstream stable release. + + Drop superceded patches 17_goldhotfix.patch + 18_libgnutls-openssl_soname.diff. 
+ * Pull a couple of post release fixes from upstream gnutls_2_12_x branch: + 17_sizeof_gnutls_openpgp_keyid_t.diff 18_ext_mod_iadef.diff + 19_uninitializedvar.diff 20_access_freedmemory.diff + + -- Andreas Metzler <ametzler@debian.org> Sun, 27 Mar 2011 10:23:11 +0200 + +gnutls26 (2.11.7-2) experimental; urgency=low + + * 18_libgnutls-openssl_soname.diff. Bump libgnutls-openssl soname (libtool + versioning: 27:0:0). + * Split off libgnutls-openssl to a separate package, since the sonames are + not in sync anymore. + + -- Andreas Metzler <ametzler@debian.org> Fri, 11 Mar 2011 17:48:47 +0100 + +gnutls26 (2.11.7-1) experimental; urgency=low + + * New upstream version (rc for 2.12) + + Drop superfluous patches (15_fixgnutlspc.diff 17_endian.diff) + + Bump shlibs. + * debian/patches/17_goldhotfix.patch Link gnutls-extra gainst gcrypt. + + -- Andreas Metzler <ametzler@debian.org> Thu, 10 Mar 2011 12:12:01 +0100 + +gnutls26 (2.11.6-2) experimental; urgency=low + + * 17_endian.diff - Pulled from upstream. Fix testsuite error (./tests/resume) + on big endian architectures. + + -- Andreas Metzler <ametzler@debian.org> Wed, 23 Feb 2011 19:20:40 +0100 + +gnutls26 (2.11.6-1) experimental; urgency=low + + * Development release. + * Continue building against libgcrypt, run configure with --with-libgcrypt. + * Refresh patches/15_fixgnutlspc.diff. + * Set --with-packager* options. + * Install newly available p11tool binary. + * Bump libgcrypt11-dev Build-Depends. + * C++ wrapper soname bump, change package name accordingly. + * Bump shlibs. + * Update debian/copyright. + * Set CFLAGS += -Wall, the latest combination of cdbs + dpkg-dev does not + seem to set it by default. + + -- Andreas Metzler <ametzler@debian.org> Sat, 19 Feb 2011 15:29:43 +0100 + +gnutls26 (2.10.5-3) unstable; urgency=medium + + * [20_gcrypt15compat.diff] Fix compatibility with gcrypt 1.5. 
+ + -- Andreas Metzler <ametzler@debian.org> Mon, 25 Jul 2011 19:26:34 +0200 + +gnutls26 (2.10.5-2) unstable; urgency=low + + * Stop shipping libtool la files. + + -- Andreas Metzler <ametzler@debian.org> Sat, 25 Jun 2011 18:13:38 +0200 + +gnutls26 (2.10.5-1) unstable; urgency=low + + * New upstream bugfix release. + + Drop 15_fixgnutlspc.diff, included upstream. + * Set C(XX)FLAGS += -Wall, the latest combination of cdbs + dpkg-dev does not + seem to set it by default. + + -- Andreas Metzler <ametzler@debian.org> Mon, 28 Feb 2011 18:52:57 +0100 + +gnutls26 (2.10.4-2) unstable; urgency=low + + * Use debhelper compatibility level 7. + * Merge in changes from 2.8.6-1: + + Use dh_lintian. + + Use dh_makeshlibs for the guile stuff, too. This gets us + a) ldconfig in postinst. Closes: #553109 + and + b) a shlibs file. + However the shared objects /usr/lib/libguile-gnutls*so* are still not + designed to be used as libraries (linking) but are dlopened. guile-1.10 + will address this issue by keeping this stuff in a private directory. + + hotfix pkg-config files (proper fix to be included upstream). + + Stop unneeeded linkage against libgpg-error. 16_unnecessarydep.diff + Closes: #405239 + * Upload to unstable. + + -- Andreas Metzler <ametzler@debian.org> Sun, 06 Feb 2011 16:44:09 +0100 + +gnutls26 (2.10.4-1) experimental; urgency=low + + * New upstream release. V1 CAs are trusted by default. + + -- Andreas Metzler <ametzler@debian.org> Mon, 06 Dec 2010 19:13:48 +0100 + +gnutls26 (2.10.3-1) experimental; urgency=low + + * Drop workaround for 519006, binutils is fixed even in squeeze. + * New upstream bugfix release. + + -- Andreas Metzler <ametzler@debian.org> Fri, 19 Nov 2010 19:19:26 +0100 + +gnutls26 (2.10.2-1) experimental; urgency=low + + * New upstream version. + + Fix asynchronous API handling. Closes: #588187 + + certtool does not crash on reading from /dev/null anymore. + Closes: #588029 + * Standards-Version 3.9.1 -Stop building with -D_REENTRANT. 
+ + -- Andreas Metzler <ametzler@debian.org> Thu, 30 Sep 2010 19:10:31 +0200 + +gnutls26 (2.10.1-1) experimental; urgency=low + + * Update package descriptions. Closes: #588067 + * New upstream version. + + -- Andreas Metzler <ametzler@debian.org> Sun, 25 Jul 2010 14:56:45 +0200 + +gnutls26 (2.10.0-2) experimental; urgency=low + + * libgnutls26 now Breaks: libsoup2.4-1 (<= 2.30.1-1), + libsoup2.4-1 (= 2.31.2-1). The problem is caused by addition of TLS1.2 + support in GnuTLS. Sid (2.30.2-1) is already fixed, experimental + (2.31.2-1) not yet. Closes: #587755 + + -- Andreas Metzler <ametzler@debian.org> Sat, 03 Jul 2010 08:58:57 +0200 + +gnutls26 (2.10.0-1) experimental; urgency=low + + * New upstream stable release. + * Point watchfile to stable releases. + + -- Andreas Metzler <ametzler@debian.org> Sat, 26 Jun 2010 14:48:40 +0200 + +gnutls26 (2.9.12-2) experimental; urgency=low + + * Work around gcc-4.4 bug <http://bugs.debian.org/519006> by building + without -g on mips/mipsel. (As a side effect this makes libgnutls26-dbg a + useless and almost empty package on these archs.) + * Drop ancient workaround for gcc bug on hppa. + http://bugs.debian.org/128036 + + -- Andreas Metzler <ametzler@debian.org> Sat, 19 Jun 2010 14:38:22 +0200 + +gnutls26 (2.9.12-1) experimental; urgency=low + + * New upstream version. + + -- Andreas Metzler <ametzler@debian.org> Thu, 17 Jun 2010 19:20:04 +0200 + +gnutls26 (2.9.11-1) experimental; urgency=low + + * New upstream version. + * Drop 15_gnutlspriority.diff, superseded. + + -- Andreas Metzler <ametzler@debian.org> Mon, 07 Jun 2010 19:36:33 +0200 + +gnutls26 (2.9.10-2) experimental; urgency=low + + * [15_gnutlspriority.diff] Restore compatibility with programs using + gnutls_*_set_priority() instead of gnutls_priority_*(), e.g. exim. + Closes: #579831 + + -- Andreas Metzler <ametzler@debian.org> Thu, 27 May 2010 18:40:53 +0200 + +gnutls26 (2.9.10-1) experimental; urgency=low + + * New upstream version. 
+ * New functions added, bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Thu, 22 Apr 2010 19:29:52 +0200 + +gnutls26 (2.9.9-1) experimental; urgency=low + + * Package upstream development branch for experimental. + * Track development versions in watchfile. + * Package C++ wrapper again. Closes: #548637 + + -- Andreas Metzler <ametzler@debian.org> Sun, 20 Dec 2009 11:31:33 +0100 + +gnutls26 (2.8.6-1) unstable; urgency=low + + * Use dh_lintian. + * Use dh_makeshlibs for the guile stuff, too. This gets us + a) ldconfig in postinst. Closes: #553109 + and + b) a shlibs file. + However the shared objects /usr/lib/libguile-gnutls*so* are still not + designed to be used as libraries (linking) but are dlopened. guile-1.10 + will address this issue by keeping this stuff in a private directory. + * hotfix pkg-config files (proper fix to be included upstream). + * Stop unneeeded linkage against libgpg-error. 16_unnecessarydep.diff + + -- Andreas Metzler <ametzler@debian.org> Sat, 20 Mar 2010 15:53:35 +0100 + +gnutls26 (2.8.5-2) unstable; urgency=low + + * Add a huge bunch of lintian overrides for the guile stuff to make dak + happy. + + -- Andreas Metzler <ametzler@debian.org> Fri, 13 Nov 2009 19:53:04 +0100 + +gnutls26 (2.8.5-1) unstable; urgency=low + + * Add datefudge to build-depends. (Only needed for the pkcs1-pad test.) + * Switch to '3.0 (quilt)' source format, allowing us to use upstreams + orig.tar.bz2 without repacking it to gz. + * New upstream version. + + Drop patches/20_fixtimebomb.diff. + + -- Andreas Metzler <ametzler@debian.org> Thu, 12 Nov 2009 19:57:08 +0100 + +gnutls26 (2.8.4-2) unstable; urgency=high + + * [20_fixtimebomb.diff] Fix testsuite error. Closes: #552920 + + -- Andreas Metzler <ametzler@debian.org> Sun, 01 Nov 2009 13:21:27 +0100 + +gnutls26 (2.8.4-1) unstable; urgency=low + + * New upstream version. + + Drop debian/patches/15_openpgp.diff. 
+ * Sync priorities with override file, libgnutls26 has been bumped from + important to standard. + + -- Andreas Metzler <ametzler@debian.org> Sat, 26 Sep 2009 10:33:52 +0200 + +gnutls26 (2.8.3-3) unstable; urgency=low + + * Empty dependency_libs in la-files. (Squeeze release goal.) + + -- Andreas Metzler <ametzler@debian.org> Sat, 05 Sep 2009 09:09:22 +0200 + +gnutls26 (2.8.3-2) unstable; urgency=low + + * [ debian/patches/15_openpgp.diff ] The CVE-2009-2730 patch broke + openpgp connections. + + -- Andreas Metzler <ametzler@debian.org> Sat, 22 Aug 2009 14:14:48 +0200 + +gnutls26 (2.8.3-1) unstable; urgency=high + + * New upstream version. + + Stops hardcoding a hard dependency on the versions of gcrypt and tasn it + was built against. Closes: #540449 + + Fixes CVE-2009-2730, a vulnerability related to NUL bytes in X.509 + certificate name fields. Closes: #541439 GNUTLS-SA-2009-4 + http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html + * Drop 15_chainverify_expiredcert.diff, included upstream. + * Urgency high, since 541439 applies to testing, too. + + -- Andreas Metzler <ametzler@debian.org> Fri, 14 Aug 2009 19:14:29 +0200 + +gnutls26 (2.8.1-2) unstable; urgency=low + + [ Simon Josefsson ] + * Remove cruft in rules file. + * Remove patches/15_tasn1inpc.diff, not needed. + + [ Andreas Metzler ] + * Finally add an entry to the NEWS.Debian file concerning the deprecation of + RSA-MD2 and RSA-MD5 for signature verification. Closes: #514578 + * Upload to unstable. + * 15_chainverify_expiredcert.diff: New patch, pulled from upstream GIT. + Fix testsuite error caused by expired certificate. + + -- Andreas Metzler <ametzler@debian.org> Thu, 06 Aug 2009 19:12:51 +0200 + +gnutls26 (2.8.1-1) experimental; urgency=low + + * New upstream stable release. 
+ + -- Andreas Metzler <ametzler@debian.org> Thu, 11 Jun 2009 09:15:28 +0200 + +gnutls26 (2.7.14-1) experimental; urgency=low + + * [debian/control] set section setting of source package to libs instead of + devel. + * New upstream version. + + Drop debian/patches/16_symbolversioning_fix.diff, included upstream. + + Bump shlibs, new symbols added. + + -- Andreas Metzler <ametzler@debian.org> Tue, 26 May 2009 19:51:41 +0200 + +gnutls26 (2.7.12-1) experimental; urgency=low + + * Fix typo in changelog. Closes: #526427 + * New upstream release. + + Does not ship the scripts libgnutls-extra-config and libgnutls-config + and the .m4 snippet to use it anymore. Please switch to pkg-config or + standard autoconf test. Drop manpages and + both patches/13_lessdeps_gnutls-config.diff and + patches/13_lessdeps_gnutls-config.diff from the debian diff. + + Update remaining patches. + + Bump shlibs, new symbols added. + * [patches/16_symbolversioning_fix.diff] Since gnutls_x509_crq_set_key was + already present in 2.6.x it needs to be versioned GNUTLS_1_4 instead of + GNUTLS_2_8. + * New upstream uses separate ./configure scripts for the different + libraries. Invoke the main ./configure script with + --cache-file=$(CURDIR)/config.cache to speed things up. + + -- Andreas Metzler <ametzler@debian.org> Thu, 21 May 2009 11:18:35 +0200 + +gnutls26 (2.6.6-1) unstable; urgency=high + + * use @LTLIBTASN1@ instead of @LIBTASN1@ in Libs.private of *.pc.in. This + way lib-link.m4 gives us -ltasn1 instead of /usr/lib/libtasn1.so. + * New upstream security release. + + libgnutls: Corrected double free on signature verification failure. + GNUTLS-SA-2009-1 CVE-2009-1415 + + libgnutls: Fix DSA key generation. Noticed when investigating the + previous GNUTLS-SA-2009-1 problem. All DSA keys generated using GnuTLS + 2.6.x are corrupt. See the advisory for more details. + GNUTLS-SA-2009-2 CVE-2009-1416 + + libgnutls: Check expiration/activation time on untrusted certificates. 
+ Before the library did not check activation/expiration times on + certificates, and was documented as not doing so. + GNUTLS-SA-2009-3 CVE-2009-1417 + * The former two issues only apply to gnutls 2.6.x. The latter is a + behavior change, add a NEWS.Debian file to document it. + + -- Andreas Metzler <ametzler@debian.org> Thu, 30 Apr 2009 19:00:21 +0200 + +gnutls26 (2.6.5-1) unstable; urgency=low + + * Sync sections in debian/control with override file. libgnutls26-dbg is + section debug, guile-gnutls is section lisp. + * New upstream version. (Needed for Libtasn1-3 2.0) + * New patch 15_tasn1inpc.diff. Make sure libtasn1 is listed in Libs.private. + * Standards-Version: 3.8.1, no changes required. + + -- Andreas Metzler <ametzler@debian.org> Tue, 14 Apr 2009 14:23:19 +0200 + +gnutls26 (2.6.4-2) unstable; urgency=low + + * Upload to unstable. + * Merge changelog entries from unstable and experimental. + + -- Andreas Metzler <ametzler@debian.org> Mon, 16 Feb 2009 16:43:37 +0100 + +gnutls26 (2.6.4-1) experimental; urgency=low + + * New upstream version. + + -- Andreas Metzler <ametzler@debian.org> Sat, 07 Feb 2009 14:32:57 +0100 + +gnutls26 (2.6.3-1) experimental; urgency=low + + * New upstream version. + + Corrects bug gnutls-cli which caused a rehandshake request + to be ignored. Closes: #396867 + * Drop debian/patches/21_GNUTLS-SA-2008-3.fix.patch (included upstream) + + -- Andreas Metzler <ametzler@debian.org> Sun, 21 Dec 2008 10:46:38 +0100 + +gnutls26 (2.6.2-2) experimental; urgency=low + + * 21_GNUTLS-SA-2008-3.fix.patch Another fix for the verification fix. Some + correct certificate chains were not recognized as verified. + Closes: #507633 + * [lintian] Add ${misc:Depends} to multiple dendency lines. + + -- Andreas Metzler <ametzler@debian.org> Sat, 06 Dec 2008 13:31:58 +0100 + +gnutls26 (2.6.2-1) experimental; urgency=low + + * New upstream version. + + Fixes certification verifaction error CVE-2008-4989. Closes: #505360 + + Drop 20_fix_501077.diff. 
+ * ia64 has guile-1.8 nowadays, let's try building the guile-gnutls wrappper + there. + * Add Simon Josefsson to uploaders. + + -- Andreas Metzler <ametzler@debian.org> Thu, 13 Nov 2008 19:30:06 +0100 + +gnutls26 (2.6.0-1) experimental; urgency=low + + * New upstream stable release. + * Add debian/patches/20_fix_501077.diff to fix an out of bound access in + gnutls-openssl. (Thanks, Thomas Viehmann). Closes: #501077 + + -- Andreas Metzler <ametzler@debian.org> Sat, 25 Oct 2008 09:59:03 +0200 + +gnutls26 (2.5.9-1) experimental; urgency=low + + * New upstream development version. + * Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Sat, 04 Oct 2008 12:40:01 +0200 + +gnutls26 (2.4.2-6) unstable; urgency=medium + + * New patches, syncing with 2.4.3 upstream oldstable release: + + 24_intermedcertificate.patch If a non-root certificate ist trusted + gnutls certificateificate verification stops there instead of checking + up to the root of the certificate chain. + + 22_whitespace.patch - Whitespace only changes, to make it possible to + apply upstream fixes without manual changes. + + 25_bufferoverrun.patch. Fix buffer overrun bug in + gnutls_x509_crt_list_import. + http://news.gmane.org/find-root.php?message_id=%3c000001c91d6e%2463059c90%242910d5b0%24%40com%3e + + -- Andreas Metzler <ametzler@debian.org> Sat, 07 Feb 2009 12:58:51 +0100 + +gnutls26 (2.4.2-5) unstable; urgency=low + + * Pull two patches from upstream stable branch to make gnutls behavior + match documentation: + + patch 23_permit_v1_CA.diff:Accept v1 x509 CA + certs if GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Closes: #509593 + + 22_deprecate_md2_md5_x509_validation.diff: Verifying untrusted X.509 + certificates signed with RSA-MD2 or RSA-MD5 will now fail with a + GNUTLS_CERT_INSECURE_ALGORITHM verification output. 
+ CVE-2009-2409 + + -- Andreas Metzler <ametzler@debian.org> Sat, 31 Jan 2009 16:26:52 +0100 + +gnutls26 (2.4.2-4) unstable; urgency=medium + + * Add Simon Josefsson to uploaders. + * Another fix for the verification fix. Some correct certificate chains were + not recognized as verified. Closes: #507633 + + -- Andreas Metzler <ametzler@debian.org> Sat, 06 Dec 2008 12:09:33 +0100 + +gnutls26 (2.4.2-3) unstable; urgency=low + + * Fix a crash on trying to verify self-signed certificates introduced by the + patch for CVE-2008-4989. Closes: #505279 + + -- Andreas Metzler <ametzler@debian.org> Wed, 12 Nov 2008 19:23:23 +0100 + +gnutls26 (2.4.2-2) unstable; urgency=medium + + * [CVE-2008-4989.diff] Fix man in the middle attack for certificate + verification. CVE-2008-4989 GNUTLS-SA-2008-3 + + -- Andreas Metzler <ametzler@debian.org> Mon, 10 Nov 2008 19:42:54 +0100 + +gnutls26 (2.4.2-1) unstable; urgency=low + + * New upstream bugfix release. + * Up to date gnutls-cli manpage. Closes: #492775 + + -- Andreas Metzler <ametzler@debian.org> Sun, 21 Sep 2008 10:35:16 +0200 + +gnutls26 (2.4.1-1) unstable; urgency=medium + + * New upstream version, fixing a local denial of service vulnerability only + present in >= 2.3.5. GNUTLS-SA-2008-2 CVE-2008-2377 + + -- Andreas Metzler <ametzler@debian.org> Tue, 01 Jul 2008 19:35:51 +0200 + +gnutls26 (2.4.0-2) unstable; urgency=low + + * Standards version 3.8.0. Rename README.source_and_patches to README.source. + * Upload to unstable. + * Point watchfile to stable releases again. + * Merge experimental and unstable changelog. + + -- Andreas Metzler <ametzler@debian.org> Tue, 24 Jun 2008 19:13:25 +0200 + +gnutls26 (2.4.0-1) experimental; urgency=low + + * New upstream stable release. + * New APIs to retrieve fingerprint from OpenPGP subkeys. Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Wed, 18 Jun 2008 19:40:38 +0200 + +gnutls26 (2.3.15-1) experimental; urgency=low + + * New upstream version. 
(rc4) + Disables 'openpgp-certs' tests. Closes: #486269 + + -- Andreas Metzler <ametzler@debian.org> Mon, 16 Jun 2008 19:08:24 +0200 + +gnutls26 (2.3.14-1) experimental; urgency=low + + * New upstream version. (rc3) + + -- Andreas Metzler <ametzler@debian.org> Wed, 11 Jun 2008 19:16:18 +0200 + +gnutls26 (2.3.13-1) experimental; urgency=low + + * New upstream version. 2nd rc for 2.4.0. + * Drop debian/patches/15_gnutls-pgpself.diff, included upstream. + + -- Andreas Metzler <ametzler@debian.org> Sun, 08 Jun 2008 18:00:51 +0200 + +gnutls26 (2.3.12-1) experimental; urgency=low + + * New upstream version. Bump shlibs. + * Ship doc/certtool.cfg in /usr/share/doc/gnutls-bin/examples. Closes: #483798 + * Add 15_gnutls-pgpself.diff (Pulled from upstream GIT), fixing testsuite + failure on sparc. + + -- Andreas Metzler <ametzler@debian.org> Thu, 05 Jun 2008 19:08:29 +0200 + +gnutls26 (2.3.11-1) experimental; urgency=low + + * New upstream version. + + Fixes three security vulnerabilities. + [GNUTLS-SA-2008-1-1] [GNUTLS-SA-2008-1-2] [GNUTLS-SA-2008-1-3]. See + <http://www.gnu.org/software/gnutls/security.html>. + CVE-2008-1948, CVE-2008-1949, CVE-2008-1950. DSA-1581-1 + + Fixes subjectAltName wildcard matching. Closes: #479174 + + certtool now writes keyfiles with 0600 permissions. Closes: #373169 + + -- Andreas Metzler <ametzler@debian.org> Sat, 24 May 2008 08:25:36 +0200 + +gnutls26 (2.2.5-1) unstable; urgency=high + + * New upstream version. + Fixes three security vulnerabilities. + [GNUTLS-SA-2008-1-1] [GNUTLS-SA-2008-1-2] [GNUTLS-SA-2008-1-3]. See + <http://www.gnu.org/software/gnutls/security.html>. + CVE-2008-1948, CVE-2008-1949, CVE-2008-1950. DSA-1581-1 + + -- Andreas Metzler <ametzler@debian.org> Tue, 20 May 2008 19:19:55 +0200 + +gnutls26 (2.3.9-1) experimental; urgency=low + + * New upstream development version. + - OpenPGP support merged into libgnutls and is now licensed under LGPL. 
+ The included copy of OpenCDK has been stripped down and re-licensed + under the LGPL. Using the external OpenCDK is not supported anymore, the + external library will not be maintained anymore. Drop respective + (build-)depends. + - API extended, bump shlibs. + - certtool asks for password confirmation. Closes: #364287 + - performance enhancements for gnutls_certificate_set_x509_trust_file. + Closes: #400448 + - gnutls-cli: exits when hostname doesn't match certificate. + Use --insecure to avoid hostname comparison. + * For paranoia sake build with -D_REENTRANT even if upstream has stopped + doing so. + * [debian/copyright] : update, and stop including a GFDL copy. + * Point watchfile to development versions. + + -- Andreas Metzler <ametzler@debian.org> Sat, 17 May 2008 16:56:04 +0200 + +gnutls26 (2.2.3-1) unstable; urgency=low + + * New upstream stable release. + - --priority is documented in gnutls-cli(1) manpage. Closes: #467051 + + -- Andreas Metzler <ametzler@debian.org> Mon, 12 May 2008 18:29:12 +0200 + +gnutls26 (2.2.3~rc-1) unstable; urgency=low + + * New upstream version. Release candidate for 2.2.3. + + Increase default handshake packet size limit to 48kb. Closes: #478191 + * remove unsupported .l command from debian/libgnutls-config.1 + * Use Programming/C as doc-base section. + + -- Andreas Metzler <ametzler@debian.org> Thu, 01 May 2008 13:09:49 +0200 + +gnutls26 (2.2.2-1) unstable; urgency=low + + * New upstream version. + Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name() + and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary + strings and return the proper size. + corrected string handling in parse_general_name. + Closes: #465197 + * Point watchfile to ftp.gnutls.org. + * Downgrade libtasn build-dep from 0.3.4-1 to 0.3.4-0. + + -- Andreas Metzler <ametzler@debian.org> Fri, 22 Feb 2008 19:08:36 +0100 + +gnutls26 (2.2.1-3) unstable; urgency=low + + * Resurrect accidentally reverted fix for ftbfs on ia64. 
Do not try to build + gnutls guile wrapper on ia64. + + -- Andreas Metzler <ametzler@debian.org> Mon, 04 Feb 2008 19:14:03 +0100 + +gnutls26 (2.2.1-2) unstable; urgency=low + + * Add Vcs-Svn: and Vcs-Browser control fields. + * Upload to unstable. + + -- Andreas Metzler <ametzler@debian.org> Sun, 03 Feb 2008 18:14:21 +0100 + +gnutls26 (2.2.1-1) experimental; urgency=low + + * New upstream version. + * guile-1.8 does not build on ia64. Stop trying to build the gnutls wrapper + there. + * libgnutls26-dbg needs to conflict with libgnutls13-dbg, since both + packages contain gnutls-bin debugging symbols. Closes: #459295. + + -- Andreas Metzler <ametzler@debian.org> Sun, 20 Jan 2008 18:27:33 +0100 + +gnutls26 (2.2.0-1) experimental; urgency=low + + * New upstream version. + License change! Main library stays LGPLv2.1+ but libgnutls-extra, + libgnutls-openssl and the binaries are GPLv3+ now. debian/copyright is + updated. + * Stop linking agains liblzo2. Version 2.02 of this library if GPLv2 (older + versions were GPLv2+) and this license is not compatible with GPLv3+. + * Non packaged 2.1.8 introduced new symbol + gnutls_x509_crt_get_subject_alt_name2(), bump shlibs. + * Standards-Version: 3.7.3. ${binary:Version} instead of ${Source-Version}. + * Bump build-depends to libgcrypt11-dev >= 1.3.2, since it is needed for + DSA2 support. Closes: #455513 + * Drop erraneous libgcrypt11 (>= 1.3.0) from b-d. + + -- Andreas Metzler <ametzler@debian.org> Sat, 15 Dec 2007 16:41:54 +0100 + +gnutls26 (2.1.7-1) experimental; urgency=low + + * New upstream version. + - Another soname bump. Packages renamed. + * Continue using a repacked orig.tar.gz, instead of upstream's tar.bz2 since + dak does not allow that yet. + * Add Build-Conflicts: libgnutls-dev to stop libtool from linking + libgnutls-extra against libgnutls.so in /usr/lib/. 
Closes: #453035 + + -- Andreas Metzler <ametzler@debian.org> Sat, 1 Dec 2007 10:40:17 +0100 + +gnutls25 (2.1.6-2) experimental; urgency=low + + * Temporarily add libgcrypt11 (>= 1.3.0) to build-depends, to make + experimental buildds happy. + + -- Andreas Metzler <ametzler@debian.org> Mon, 19 Nov 2007 18:58:48 +0100 + +gnutls25 (2.1.6-1) experimental; urgency=low + + * New upstream version. API changes! Please consult + /usr/share/doc/libgnutls-dev/NEWS.gz for the detailed list of deprecated, + removed (mainly *_authz_*) and changed interfaces. + This is the first release canddate for 2.2. The deprecation of + gnutls_set_default_priority() is supposed to be undone before the final + stable release. + * Bump build-depends. + * Stop building and shipping the C++ library, since nobody is using it. I + will happly re-add it if requested. + * Add Homepage field to debian/control. + * Build and ship Guile bindings. Requested by Ludovic Courtès who also + provided the initial patch. (On a sidenote I think guile generally does + not do the right thing by throwing dlopened modules into /usr/lib/.) + * Update debian/copyright. + + -- Andreas Metzler <ametzler@debian.org> Sat, 17 Nov 2007 16:42:01 +0100 + +gnutls13 (2.0.1-1) unstable; urgency=low + + * New upstream version. + * Remove doc/*.info* on clean to allow building thrice in a row. + (Closes: #441740) + + -- Andreas Metzler <ametzler@debian.org> Sat, 29 Sep 2007 11:29:22 +0200 + +gnutls13 (1.7.19-1) unstable; urgency=low + + * New upstream version 1.7.19. + - Fix gnutls_error_is_fatal so that positive "errors" are non-critical. + This takes of care of the mutt breakage. Closes: #439640 + + -- Andreas Metzler <ametzler@debian.org> Mon, 27 Aug 2007 19:36:23 +0200 + +gnutls13 (1.7.18-2) unstable; urgency=low + + * Upload to unstable + + -- Andreas Metzler <ametzler@debian.org> Sat, 25 Aug 2007 09:27:18 +0200 + +gnutls13 (1.7.18-1) experimental; urgency=low + + * New upstream version 1.7.18, release candidate for 2.0. 
+ * Bump shlibs, since functions have been added. + * Image files renamed upstream with gnutls- prefix and symlinked to + /usr/share/info/ in Debian package. Closes: #423577 + + -- Andreas Metzler <ametzler@debian.org> Sat, 18 Aug 2007 09:06:11 +0200 + +gnutls13 (1.7.16-1) experimental; urgency=low + + * New upstream version 1.7.16. + + -- Andreas Metzler <ametzler@debian.org> Sat, 11 Aug 2007 10:50:21 +0200 + +gnutls13 (1.7.14-1) experimental; urgency=low + + * New upstream version + - fixes crash in gnutls-cli when TLS handshake fails. Closes: #429183 + + -- Andreas Metzler <ametzler@debian.org> Sat, 30 Jun 2007 09:06:35 +0200 + +gnutls13 (1.7.12-1) experimental; urgency=low + + * New upstream version 1.7.12 + - Fixes memory errors in certificate parsing. Closes: #333050 + * Bump shlibs, due to API extensions in 1.7.10. + * Rebuilding of docs simpified, strip debian/README.source_and_patches to + reflect that. + + -- Andreas Metzler <ametzler@debian.org> Sat, 23 Jun 2007 11:14:26 +0200 + +gnutls13 (1.7.9-1) experimental; urgency=low + + * Switch to liblzo2. (Thanks, Peter Eisentraut) (Closes: #423332) + * New upstream version. + - Uses opencdk10 (0.6.x). + - Improved gnutls_set_default_priority() priorities, with matching correct + docs. (Closes: #422024) + - bumped shlibs. + * Do not delete doc/gnutls.pdf on clean, allowing to run dpkg-buildpackage + twice in a row on the same sourcetree. (Closes: #424357) Document what is + needed to rebuild doc/gnutls.pdf in README.source_and_patches. + + -- Andreas Metzler <ametzler@debian.org> Mon, 28 May 2007 08:36:42 +0200 + +gnutls13 (1.7.7-1) experimental; urgency=low + + * New development upstream version 1.7.7. + - Point watchfile to development versions. + - Bump shlibs for added APIs. + - Includes German translation. 
(Closes: #392857) + + -- Andreas Metzler <ametzler@debian.org> Sun, 15 Apr 2007 10:11:21 +0200 + +gnutls13 (1.6.3-1) unstable; urgency=low + + * New upstream version, pulling selected fixes and features from 1.7.x. + * Bump shlibs. + + -- Andreas Metzler <ametzler@debian.org> Sun, 27 May 2007 09:26:14 +0200 + +gnutls13 (1.6.2-2) unstable; urgency=low + + * Switch to liblzo2. (Thanks, Peter Eisentraut) (Closes: #423332) + + -- Andreas Metzler <ametzler@debian.org> Sun, 13 May 2007 09:48:31 +0200 + +gnutls13 (1.6.2-1) unstable; urgency=low + + * New upstream version + - Really Closes: #403887 libgnutls failes to parse OpenSSL generated + certificates, since it contains a regenerated pkix_asn1_tab.c. + - Ship German translation. Closes: #392857 + + -- Andreas Metzler <ametzler@debian.org> Sat, 21 Apr 2007 10:57:02 +0200 + +gnutls13 (1.6.1-2) unstable; urgency=low + + * [gnutls-bin.install] Ship psktool. + * Ship gettext translations in deb package, but as gnutls13.mo instead of + gnutls.mo. + * Upload to unstable. Merge branch1.5.x.EXP to svn trunk. Include 1.4.4-* + changelog entries after branchoff. Point watchfile to stable upstream + versions again. + * Drop dependency of libgnutls13-dbg on libgnutlsxx13. + + -- Andreas Metzler <ametzler@debian.org> Sat, 3 Feb 2007 13:49:48 +0100 + +gnutls13 (1.6.1-1) experimental; urgency=low + + [ James Westby ] + * New upstream release. + + -- Andreas Metzler <ametzler@debian.org> Sat, 3 Feb 2007 13:18:03 +0100 + +gnutls13 (1.6.0-1) experimental; urgency=low + + * New upstream version. + + -- Andreas Metzler <ametzler@debian.org> Sat, 18 Nov 2006 13:21:56 +0100 + +gnutls13 (1.5.3-1) experimental; urgency=low + + [ Andreas Metzler ] + * Fix debian/copyright. + - Do not use "copyright" as title of a paragraph listing licenses. + (Closes: #290194) + - Add a copy of the FDL 1.2 to debian/copyright. + * New upstream version 1.5.3. + * Bump shlibs to get rid of reference to ugly 1.5.1.cvs2006093. 
+ * Drop code for re-libtoolizing and running auto* from debian/rules, it is + unused and would not work anymore. (We can later grab the from SVN and + update it to make work if we ever need it.) + + -- Andreas Metzler <ametzler@debian.org> Sat, 28 Oct 2006 12:56:46 +0200 + +gnutls13 (1.5.1.cvs20060930-1) experimental; urgency=low + + [ Andreas Metzler ] + * Add a watchfile. + * New upstream development version. + - Pulled from http://josefsson.org/daily/gnutls/gnutls-20060930.tar.gz + - Using a cvs snapshot instead of 1.5.1 because the soname in 1.5.1 was + broken. + - Drop unneeded patches/16_libs.private_gnutls.diff + patches/16_libs.private_gnutls-extra.diff + - Point watchfile to development versions. + - Builds a C++ library. + * Switch to debhelper v5 mode to be able to ship debug symbols of + libgnutls13 and libgnutlsxx13 in a common libgnutls13-dbg package. + * Branched off from 1.4.4-1. + + -- Andreas Metzler <ametzler@debian.org> Sat, 30 Sep 2006 09:54:38 +0200 + +gnutls13 (1.4.4-3) unstable; urgency=low + + * Pulled /patches/18_negotiate_cypher.diff from 1.4.5: + When a GnuTLS server receive a SSLv2 Client Hello for an unknown TLS + version, try to negotiate the highest version support by the GnuTLS + server, instead of the lowest. + + -- Andreas Metzler <ametzler@debian.org> Sat, 11 Nov 2006 10:35:29 +0100 + +gnutls13 (1.4.4-2) unstable; urgency=low + + [ Andreas Metzler ] + * Add a watchfile. + * Fix debian/copyright. + - Do not use "copyright" as title of a paragraph listing licenses. + (Closes: #290194) + - Add a copy of the FDL 1.2 to debian/copyright. + + -- Andreas Metzler <ametzler@debian.org> Tue, 12 Sep 2006 19:57:49 +0200 + +gnutls13 (1.4.4-1) unstable; urgency=high + + [ Andreas Metzler ] + * New upstream version 1.4.4 + - Updated fix for GNUTLS-SA-2006-4, that is not too strict and doesn't + crash mutt. (closes: #386725) + GNUTLS-SA-2006-4 is CVE-2006-4790. 
+ + -- Andreas Metzler <ametzler@debian.org> Tue, 12 Sep 2006 19:09:47 +0200 + +gnutls13 (1.4.3-2) unstable; urgency=low + + * the lesser of two weevils release. + [ Andreas Metzler ] + * Revert patch for GNUTLS-SA-2006-4 as it caused segmentation faults in + various programs, including mutt. (closes: #386680) + + -- Andreas Metzler <ametzler@debian.org> Sat, 9 Sep 2006 19:29:52 +0200 + +gnutls13 (1.4.3-1) unstable; urgency=high + + [ Andreas Metzler ] + * New upstream version 1.4.3. + - Fix PKCS#1 verification to avoid a variant of Bleichenbacher's Crypto 06 + rump session attack. GNUTLS-SA-2006-4 + - Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack.. + GNUTLS-SA-2006-3 + - Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key. + + -- Andreas Metzler <ametzler@debian.org> Fri, 8 Sep 2006 19:12:33 +0200 + +gnutls13 (1.4.2-1) unstable; urgency=medium + + [ Andreas Metzler ] + * New upstream bugfix release. + - Fixes a crash in the certificate verification logic. + + -- Andreas Metzler <ametzler@debian.org> Sat, 12 Aug 2006 10:44:16 +0200 + +gnutls13 (1.4.1-1) unstable; urgency=low + + [ James Westby ] + * New upstream release. + * Remove the following patches as they are now included upstream: + - 10_certtoolmanpage.diff + - 15_fixcompilewarning.diff + - 30_man_hyphen_*.patch + * Link the API reference in /usr/share/gtk-doc/html as gnutls rather than + gnutls-api so that devhelp can find it. + + -- Andreas Metzler <ametzler@debian.org> Sat, 15 Jul 2006 11:11:08 +0200 + +gnutls13 (1.4.0-3) unstable; urgency=low + + [ Andreas Metzler ] + * Strip "libgnutls-config --libs"' output to only list stuff required for + dynamic linking. (Closes: #375815). Document this in "libgnutls-dev's + README.Debian. + * Pull patches/16_libs.private_gnutls.diff and + debian/patches/16_libs.private_gnutls-extra.diff from upstream to make + pkg-config usable for static linking. 
+ + -- Andreas Metzler <ametzler@debian.org> Sun, 2 Jul 2006 12:10:56 +0200 + +gnutls13 (1.4.0-2) unstable; urgency=low + + [ Andreas Metzler ] + * Set maintainer to alioth mailinglist. + * Drop code for updating config.guess/config.sub from debian/rules, as cdbs + handles this. Build-Depend on autotools-dev. + * Drop build-dependency on binutils (>= 2.14.90.0.7), even sarge has 2.15-6. + * Use cdbs' simple-patchsys.mk. + - add debian/README.source_and_patches + - add patches/10_certtoolmanpage.diff patches/12_lessdeps.diff + * Fix libgnutls-dev's Suggests to point to existing package. (gnutls-doc) + * Also ship css-, devhelp- and sgml files in gnutls-doc. + * patches/15_fixcompilewarning.diff correct order of funtion arguments. + + [ James Westby ] + * This release allows the port to be specified as the name of the service + when using gnutls-cli (closes: #342891) + + -- Andreas Metzler <ametzler@debian.org> Sat, 17 Jun 2006 20:44:09 +0200 + +gnutls13 (1.4.0-1) experimental; urgency=low + + * New maintainer team. Thanks, Matthias for all the work you did. + * Re-add gnutls-doc package, featuring api-reference as manual pages and + html, and reference manual in html and pdf format. + (closes: #368185,#368449) + * Fix reference to gnutls0.4-doc package in debian/copyright. Update + debian/copyright and include actual copyright statements. + (closes: #369071) + * Bump shlibs because of changes to extra.h + * Drop debian/libgnutls13.dirs and debian/libgnutls-dev.dirs. dh_* will + generate the necessary directories. + * Drop debian/NEWS.Debian as it only talks about the move of the (since + purged) gnutls-doc package to contrib a long time ago. + (Thanks Simon Josefsson, for these suggestions.) + * new upstream version. (closes: #368323) + * clean packaging against upstream tarball. + - Drop all patches, except for fixing error in certtool.1 and setting + gnutls_libs=-lgnutls-extra in libgnutls-extra-config. 
+ - Add --enable-ld-version-script + to DEB_CONFIGURE_EXTRA_FLAGS to force versioning of symbols, instead of + patching ./configure.in. + (closes: #367358) + * Set DEB_MAKE_CHECK_TARGET = check to run included testsuite. + * Build against external libtasn1-3. (closes: #363294) + * Standards-Version: 3.7.2, no changes required. + * debian/control and override file are in sync with respect to Priority and + Section, everthing except libgnutls13-dbg already was. (closes: #366956) + * acknowledge my own NMU. (closes: #367065) + * libgnutls13-dbg is nonempty (closes: #367056) + + -- Andreas Metzler <ametzler@debian.org> Sat, 20 May 2006 11:22:36 +0000 + +gnutls13 (1.3.5-1.1) unstable; urgency=low + + * NMU + * Invoke ./configure with --with-included-libtasn1 to prevent accidental + linking against the broken 0.3.1-1 upload of libtasn1-2-dev which + contained libtasn1.so.3 and force gnutls13 to use the internal version of + libtasn instead until libtasn1-3-dev is uploaded. Drop broken + Build-Depency on libtasn1-2-dev (>= 0.3.1). (closes: #363294) + * Make libgnutls13-dbg nonempty by using --dbg-package=libgnutls13 instead + of --dbg-package=libgnutls12. (closes: #367056) + + -- Andreas Metzler <ametzler@debian.org> Sat, 13 May 2006 07:45:32 +0000 + +gnutls13 (1.3.5-1) unstable; urgency=low + + * New Upstream version. + - Security fix. + - Yet another ABI change. + * Depends on libgcrypt 1.2.2, thus should close:#330019,#355272 + * Let -dev package depend on liblzo-dev (closes:#347438) + * Fix certtool help output (closes:#338623) + + -- Matthias Urlichs <smurf@debian.org> Sat, 18 Mar 2006 22:46:25 +0100 + +gnutls12 (1.2.9-2) unstable; urgency=low + + * Install /usr/lib/pkgconfig/*.pc files. + * Depend on texinfo (>= 4.8, for the @euro{} sign). + + -- Matthias Urlichs <smurf@debian.org> Tue, 15 Nov 2005 19:26:02 +0100 + +gnutls12 (1.2.9-1) unstable; urgency=low + + * New Upstream version. 
+ + -- Matthias Urlichs <smurf@debian.org> Fri, 11 Nov 2005 18:51:28 +0100 + +gnutls12 (1.2.8-1) unstable; urgency=low + + * New Upstream version. + - depends on libgcrypt11 1.2.2 + * Bumped shlibs version, just to be on the safe side. + + -- Matthias Urlichs <smurf@debian.org> Wed, 19 Oct 2005 12:05:14 +0200 + +gnutls12 (1.2.6-1) unstable; urgency=low + + * New Upstream version. + * Remove Provides: on libgnutls11-dev. + Hopefully this will be temporary (pending discussion with Upstream). + + -- Matthias Urlichs <smurf@debian.org> Thu, 11 Aug 2005 12:21:36 +0200 + +gnutls12 (1.2.5-3) unstable; urgency=high + + * Updated libgnutls12.shlibs file. + Thanks to Mike Paul <w5ydkaz02@sneakemail.com>. + Closes: #319291: libgnutls12: Wrong soversion in shlibs file; breaks + dependencies on this library + + -- Matthias Urlichs <smurf@debian.org> Thu, 21 Jul 2005 13:19:25 +0200 + +gnutls12 (1.2.5-2) unstable; urgency=medium + + * Did not depend on libgnutls12 -- not picked up by dh_shlibdeps. + Added an explicit dependency as a stopgap fix. + + -- Matthias Urlichs <smurf@debian.org> Thu, 21 Jul 2005 08:27:22 +0200 + +gnutls12 (1.2.5-1) unstable; urgency=low + + * Merged with the latest stable release. + * Renamed to gnutls12. + - Changed the library version strings to GNUTLS_1_2. + - Renamed the development package back to "libgnutls-dev". + + -- Matthias Urlichs <smurf@debian.org> Tue, 5 Jul 2005 10:35:56 +0200 + +gnutls11 (1.0.19-1) experimental; urgency=low + + * Merged with the latest stable release. + + -- Matthias Urlichs <smurf@debian.org> Sun, 26 Dec 2004 13:28:45 +0100 + +gnutls11 (1.0.16-13) unstable; urgency=high + + * Fixed an ASN.1 extraction error. + Found by Pelle Johansson <morth@morth.org>. + + -- Matthias Urlichs <smurf@debian.org> Mon, 29 Nov 2004 10:16:21 +0100 + +gnutls11 (1.0.16-12) unstable; urgency=high + + * Fixed a segfault in certtool. Closes: #278361. 
+ + -- Matthias Urlichs <smurf@debian.org> Thu, 11 Nov 2004 09:40:02 +0100 + +gnutls11 (1.0.16-11) unstable; urgency=medium + + * Merged binary (non-UF8) string printing code from Upstream. + * Password code in certtool was somewhat broken. + + -- Matthias Urlichs <smurf@debian.org> Sat, 6 Nov 2004 13:11:03 +0100 + +gnutls11 (1.0.16-10) unstable; urgency=high + + * Fixed one instance of uninitialized memory usage. + + -- Matthias Urlichs <smurf@debian.org> Thu, 21 Oct 2004 06:07:53 +0200 + +gnutls11 (1.0.16-9) unstable; urgency=high + + * Pulled from Upstream CVS: + - Fix two memory leaks. + - Fix NULL dereference. + + -- Matthias Urlichs <smurf@debian.org> Fri, 8 Oct 2004 10:43:20 +0200 + +gnutls11 (1.0.16-8) unstable; urgency=high + + * Pulled these changes from Upstream CVS: + - Added default limits in the verification of certificate chains, + to avoid denial of service attacks. + - Added gnutls_certificate_set_verify_limits() to override them. + - Added gnutls_certificate_verify_peers2(). + + -- Matthias Urlichs <smurf@debian.org> Sun, 12 Sep 2004 02:05:25 +0200 + +gnutls11 (1.0.16-7) unstable; urgency=low + + * Removed superfluous -lFOO entries from libgnutls{,-extra}-config output. + Thanks to joeyh@debian.org for reporting this problem. + + -- Matthias Urlichs <smurf@debian.org> Sat, 14 Aug 2004 11:22:51 +0200 + +gnutls11 (1.0.16-6) unstable; urgency=medium + + * Memory leak, found by Modestas Vainius <geromanas@mailas.com>. + - Closes: #264420 + + -- Matthias Urlichs <smurf@debian.org> Sun, 8 Aug 2004 22:21:01 +0200 + +gnutls11 (1.0.16-5) unstable; urgency=low + + * Depend on current libtasn1-2 (>= 0.2.10). + - Closes: #264198. + * Fixed maintainer email to point to Debian address. + + -- Matthias Urlichs <smurf@debian.org> Sat, 7 Aug 2004 19:44:38 +0200 + +gnutls11 (1.0.16-4) unstable; urgency=low + + * The OpenSSL compatibility library has been linked incorrectly + (-ltasn1 was missing). + * Need to build-depend on current opencdk8 and libtasn1-2 version. 
+ + -- Matthias Urlichs <smurf@debian.org> Sat, 7 Aug 2004 19:29:32 +0200 + +gnutls11 (1.0.16-3) unstable; urgency=high + + * Documentation no longer includes LaTeX-produced output + (the source contains latex2html-specific features, which is non-free). + * Urgency: High because of pending base freeze. + + -- Matthias Urlichs <smurf@debian.org> Mon, 26 Jul 2004 11:18:20 +0200 + +gnutls11 (1.0.16-2) unstable; urgency=high + + * Actually *enable* debug symbols :-/ + * Urgency: High for speedy inclusion in d-i + + -- Matthias Urlichs <smurf@debian.org> Fri, 23 Jul 2004 22:38:07 +0200 + +gnutls11 (1.0.16-1) experimental; urgency=low + + * Update to latest Upstream version. + * now depends on libgcrypt11 + * Include debugging package + * Use hevea, not latex2html. + + -- Matthias Urlichs <smurf@debian.org> Wed, 21 Jul 2004 16:58:26 +0200 + +gnutls10 (1.0.4-4) unstable; urgency=low + + * New maintainer. + * Run autotools at source package build time. + - Closes: #257237: FTBFS (i386/sid): aclocal failed + * Remove "package is still changed upstream" warning. + * Build-Depend on debhelper 4.1 (cdbs), versioned libgcrypt7. + + -- Matthias Urlichs <smurf@debian.org> Fri, 16 Jul 2004 02:09:36 +0200 + +gnutls10 (1.0.4-3) unstable; urgency=low + + * control: Changed the build dependency and the dependency of + libgnutls10-dev to be versioned on libopencdk8-dev >= 0.5.3; + libopencdk8-dev 0.5.1 had an invalid dependency on libgcrypt-dev which + could cause linking against two versions of libgcrypt. + + -- Ivo Timmermans <ivo@debian.org> Sat, 24 Jan 2004 15:32:22 +0100 + +gnutls10 (1.0.4-2) unstable; urgency=low + + * libgnutls-doc.doc-base: Removed HTML manual listing. + * control: Removed Jordi Mallach from the list of Uploaders. 
Thanks, + Jordi :) + + -- Ivo Timmermans <ivo@debian.org> Wed, 14 Jan 2004 13:35:42 +0100 + +gnutls10 (1.0.4-1) unstable; urgency=low + + * New upstream release (Closes: #227527) + * The new documentation in libgnutls-doc fixes several typo's and + style glitches: + Closes: #215772: inconsistent auth method list in manual + Closes: #215775: dangling footnote on page 14 of manual + Closes: #215777: bad sentence on page 18 of manual + Closes: #215780: incorrect info about ldaps/imaps in manual + * rules: + * Use --add-missing instead of --force in the call to automake. + * Don't build gnutls.ps, use the upstream version. + (Closes: #224846) + * gnutls-bin.manpages: Use glob to find manpages. + * patches/008_manpages.diff: Removed; included upstream. + + -- Ivo Timmermans <ivo@debian.org> Tue, 13 Jan 2004 23:57:16 +0100 + +gnutls10 (1.0.0-1) unstable; urgency=low + + * New upstream release. + * Major soversion changed to 10. + * control: Changed build dependencies of libtasn1-dev. + * libgnutls10.shlibs: Added libgnutls-openssl to the list. + + -- Ivo Timmermans <ivo@debian.org> Mon, 29 Dec 2003 23:23:08 +0100 + +gnutls8 (0.9.99-1) experimental; urgency=low + + * New upstream release. + * Included upstream GPG signature in .orig.tar.gz. + + -- Ivo Timmermans <ivo@debian.org> Wed, 3 Dec 2003 22:33:52 +0100 + +gnutls8 (0.9.98-1) experimental; urgency=low + + * New upstream release. + * debian/control: libgnutls8-dev depends on libopencdk8-dev. + * debian/libgnutls-doc.examples: Install src/*.[ch]. + + -- Ivo Timmermans <ivo@debian.org> Sun, 23 Nov 2003 15:44:38 +0100 + +gnutls8 (0.9.95-1) experimental; urgency=low + + * New upstream version. + + -- Ivo Timmermans <ivo@debian.org> Fri, 7 Nov 2003 19:50:22 +0100 + +gnutls8 (0.9.94-1) experimental; urgency=low + + * New upstream version; package based on gnutls7 0.8.12-2. + * debian/control: + * Build-depend on libgcrypt7-dev (>= 1.1.44-0). + * debian/rules: Run auto* after the patches have been applied. 
+
+ -- Ivo Timmermans <ivo@debian.org> Fri, 31 Oct 2003 18:47:09 +0100
+
+
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000000000000000000000000000000000000..ec635144f60048986bc560c5576355344005e6e7
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000000000000000000000000000000000000..cca90299a1e2f192017d992bd73542f61c8a7eb9
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,229 @@
+Source: gnutls28
+Section: libs
+Priority: optional
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
+Uploaders: Andreas Metzler <ametzler@debian.org>,
+ Eric Dorland <eric@debian.org>,
+ James Westby <jw+debian@jameswestby.net>,
+ Simon Josefsson <simon@josefsson.org>
+Build-Depends: debhelper (>= 9.20150628), nettle-dev (>= 3.1), zlib1g-dev,
+ libtasn1-6-dev (>= 4.3), autotools-dev, guile-2.0-dev [!ia64 !m68k],
+ datefudge <!nocheck>, dpkg-dev (>= 1.17.14),
+ libp11-kit-dev (>= 0.23.1), pkg-config, chrpath, libidn11-dev (>= 1.31),
+ autogen (>= 1:5.16-0), bison, dh-autoreconf, libgmp-dev (>= 2:6),
+ libopts25-dev, automake (>= 1:1.12.2)
+# The b-d on libgmp-dev is not technically necessary, since nettle brings
+# it along. However we want to enforce that gnutls is only built if the
+# dual-licensed GMP is available, otherwise the resulting binary
+# cannot be installed.
+Build-Depends-Indep: gtk-doc-tools, texinfo (>= 4.8)
+Build-Conflicts: libgnutls-dev
+Standards-Version: 3.9.7
+Vcs-Git: https://anonscm.debian.org/git/pkg-gnutls/gnutls.git
+Vcs-Browser: https://anonscm.debian.org/cgit/pkg-gnutls/gnutls.git/
+Homepage: http://www.gnutls.org/
+
+Package: libgnutls-dev
+Section: libdevel
+Architecture: any
+Provides: gnutls-dev, libgnutls-openssl-dev
+Depends: libgnutls30 (= ${binary:Version}),
+ libgnutls-openssl27 (= ${binary:Version}),
+ libgnutlsxx28 (= ${binary:Version}),
+ nettle-dev, libc6-dev | libc-dev, zlib1g-dev,
+ libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31), ${misc:Depends}
+Suggests: gnutls-doc, gnutls-bin, guile-gnutls
+Conflicts: gnutls-dev
+Replaces: gnutls-dev
+Multi-Arch: same
+Description: GNU TLS library - development files
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
+ Transport Layer Security (DTLS 1.0, 1.2) protocols.
+ .
+ GnuTLS features support for:
+ - TLS extensions: server name indication, max record size, opaque PRF
+ input, etc.
+ - authentication using the SRP protocol.
+ - authentication using both X.509 certificates and OpenPGP keys.
+ - TLS Pre-Shared-Keys (PSK) extension.
+ - Inner Application (TLS/IA) extension.
+ - X.509 and OpenPGP certificate handling.
+ - X.509 Proxy Certificates (RFC 3820).
+ - all the strong encryption algorithms (including SHA-256/384/512 and
+ Camellia (RFC 4132)).
+ .
+ This package contains the GnuTLS development files.
+
+Package: libgnutls28-dev
+Section: libdevel
+Architecture: any
+Depends: libgnutls-dev (= ${binary:Version})
+Multi-Arch: same
+Description: dummy transitional package for GNU TLS library - development files
+ This is a transitional dummy package for libgnutls28-dev to
+ libgnutls-dev migration. GnuTLS is a portable library which
+ implements the Transport Layer Security (TLS 1.0, 1.1, 1.2) and
+ Secure Sockets Layer (SSL) 3.0 and Datagram Transport Layer Security
+ (DTLS 1.0, 1.2) protocols.
+ .
+ This package can be safely removed.
+
+Package: libgnutls30
+Priority: standard
+Architecture: any
+# GMP >= 6 is dual-licensed GPLv2+/LGPLv2.1+. Be nice to rdeps and
+# enforce usage of this version. - Remove on gmp soname bump!
+Depends: ${shlibs:Depends}, ${misc:Depends}, libgmp10 (>= 2:6)
+Conflicts: libnettle4, libhogweed2
+Pre-Depends: ${misc:Pre-Depends}
+Suggests: gnutls-bin
+Multi-Arch: same
+Description: GNU TLS library - main runtime library
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
+ Transport Layer Security (DTLS 1.0, 1.2) protocols.
+ .
+ GnuTLS features support for:
+ - TLS extensions: server name indication, max record size, opaque PRF
+ input, etc.
+ - authentication using the SRP protocol.
+ - authentication using both X.509 certificates and OpenPGP keys.
+ - TLS Pre-Shared-Keys (PSK) extension.
+ - Inner Application (TLS/IA) extension.
+ - X.509 and OpenPGP certificate handling.
+ - X.509 Proxy Certificates (RFC 3820).
+ - all the strong encryption algorithms (including SHA-256/384/512 and
+ Camellia (RFC 4132)).
+ .
+ This package contains the main runtime library.
+
+Package: gnutls-bin
+Architecture: any
+Section: net
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: foreign
+Description: GNU TLS library - commandline utilities
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
+ Transport Layer Security (DTLS 1.0, 1.2) protocols.
+ .
+ GnuTLS features support for:
+ - TLS extensions: server name indication, max record size, opaque PRF
+ input, etc.
+ - authentication using the SRP protocol.
+ - authentication using both X.509 certificates and OpenPGP keys.
+ - TLS Pre-Shared-Keys (PSK) extension.
+ - Inner Application (TLS/IA) extension.
+ - X.509 and OpenPGP certificate handling.
+ - X.509 Proxy Certificates (RFC 3820).
+ - all the strong encryption algorithms (including SHA-256/384/512 and
+ Camellia (RFC 4132)).
+ .
+ This package contains a commandline interface to the GNU TLS library, which
+ can be used to set up secure connections from e.g. shell scripts, debugging
+ connection issues or managing certificates.
+ .
+ Useful utilities include:
+ - TLS termination: gnutls-cli, gnutls-serv, crywrap
+ - key and certificate management: certtool, ocsptool, p11tool
+ - credential management: srptool, psktool
+
+Package: gnutls-doc
+Architecture: all
+Section: doc
+Depends: ${misc:Depends}
+Multi-Arch: foreign
+Description: GNU TLS library - documentation and examples
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
+ Transport Layer Security (DTLS 1.0, 1.2) protocols.
+ .
+ GnuTLS features support for:
+ - TLS extensions: server name indication, max record size, opaque PRF
+ input, etc.
+ - authentication using the SRP protocol.
+ - authentication using both X.509 certificates and OpenPGP keys.
+ - TLS Pre-Shared-Keys (PSK) extension.
+ - Inner Application (TLS/IA) extension.
+ - X.509 and OpenPGP certificate handling.
+ - X.509 Proxy Certificates (RFC 3820).
+ - all the strong encryption algorithms (including SHA-256/384/512 and
+ Camellia (RFC 4132)).
+ .
+ This package contains all the GnuTLS documentation.
+
+Package: guile-gnutls
+# everything except ia64 - Field must be single line, unfolded!
+Architecture: amd64 arm64 armel armhf i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc ppc64el s390 s390x sparc hurd-i386
+Section: lisp
+Depends: ${misc:Depends},${shlibs:Depends}, guile-2.0
+Description: GNU TLS library - GNU Guile bindings
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
+ Transport Layer Security (DTLS 1.0, 1.2) protocols.
+ .
+ GnuTLS features support for:
+ - TLS extensions: server name indication, max record size, opaque PRF
+ input, etc.
+ - authentication using the SRP protocol.
+ - authentication using both X.509 certificates and OpenPGP keys.
+ - TLS Pre-Shared-Keys (PSK) extension.
+ - Inner Application (TLS/IA) extension.
+ - X.509 and OpenPGP certificate handling.
+ - X.509 Proxy Certificates (RFC 3820).
+ - all the strong encryption algorithms (including SHA-256/384/512 and
+ Camellia (RFC 4132)).
+ .
+ This package contains the GNU Guile 2.0 modules.
+
+Package: libgnutlsxx28
+Priority: extra
+Architecture: any
+Depends: libgnutls30 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Multi-Arch: same
+Description: GNU TLS library - C++ runtime library
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
+ Transport Layer Security (DTLS 1.0, 1.2) protocols.
+ .
+ GnuTLS features support for:
+ - TLS extensions: server name indication, max record size, opaque PRF
+ input, etc.
+ - authentication using the SRP protocol.
+ - authentication using both X.509 certificates and OpenPGP keys.
+ - TLS Pre-Shared-Keys (PSK) extension.
+ - Inner Application (TLS/IA) extension.
+ - X.509 and OpenPGP certificate handling.
+ - X.509 Proxy Certificates (RFC 3820).
+ - all the strong encryption algorithms (including SHA-256/384/512 and
+ Camellia (RFC 4132)).
+ .
+ This package contains the C++ runtime libraries.
+
+Package: libgnutls-openssl27
+Priority: standard
+Architecture: any
+Depends: libgnutls30 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Multi-Arch: same
+Description: GNU TLS library - OpenSSL wrapper
+ GnuTLS is a portable library which implements the Transport Layer
+ Security (TLS 1.0, 1.1, 1.2) and Secure Sockets Layer (SSL) 3.0 and Datagram
+ Transport Layer Security (DTLS 1.0, 1.2) protocols.
+ .
+ GnuTLS features support for:
+ - TLS extensions: server name indication, max record size, opaque PRF
+ input, etc.
+ - authentication using the SRP protocol.
+ - authentication using both X.509 certificates and OpenPGP keys.
+ - TLS Pre-Shared-Keys (PSK) extension.
+ - Inner Application (TLS/IA) extension.
+ - X.509 and OpenPGP certificate handling.
+ - X.509 Proxy Certificates (RFC 3820).
+ - all the strong encryption algorithms (including SHA-256/384/512 and
+ Camellia (RFC 4132)).
+ .
+ This package contains the runtime library of the GnuTLS OpenSSL wrapper.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000000000000000000000000000000000000..a2ef61499005048cc098841133d2bbb733ba9b5e
--- /dev/null
+++ b/debian/copyright
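Review bot: The comment above the guile-gnutls Architecture field, `# everything except ia64 - Field must be single line, unfolded!`, no longer describes the list under it, which also leaves out m68k, and the guile-2.0-dev build-dependency in the Source stanza is restricted with `[!ia64 !m68k]`. A maintainer comparing the two will not know which of them is stale. Suggest `# everything except ia64 and m68k (keep in sync with the guile-2.0-dev [!ia64 !m68k] build-dep) - Field must be single line, unfolded!`. Separately, `Homepage: http://www.gnutls.org/` is the only plain-http URL in the file while both Vcs fields use https; if the upstream site is served over https it is worth aligning.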
@@ -0,0 +1,425 @@ +This package was debianized by Ivo Timmermans <ivo@debian.org> on +Fri, 3 Aug 2001 10:00:42 +0200. +It was later taken over by Matthias Urlichs <smurf@debian.org> and is now +maintained by Andreas Metzler <ametzler@debian.org> Eric Dorland +<eric@debian.org>, James Westby <jw+debian@jameswestby.net> + + +It was downloaded from ftp://ftp.gnutls.org/gcrypt/gnutls/ + +Upstream Authors: + Simon Josefsson *simon [at] josefsson.org* + Current maintainer; draft TLS 1.2 support. + + Nikos Mavrogiannopoulos *nmav [at] gnutls.org* + Original author and maintainer of GnuTLS. + + Fabio Fiorina *Fabio.Fiorina [at] alcatel.it* + ASN.1 structures parser library (libtasn1). + + Timo Schulz *twoaday [at] freakmail.de* + OpenPGP support (OpenCDK library). + + Andrew McDonald *andrew [at] mcdonald.org.uk* + OpenSSL compatible interface. + + Ludovic Courtes *ludo [at] gnu.org* + Guile bindings, OpenPGP bug fixes. + + Mario Lenz *m [at] riolenz.de* + Fixes to OpenCDK. + + Howard Chu *hyc [at] symas.com* + APIs to extract X.500 DN's from Certificates. + + Ivo Timmermans *ivo [at] o2w.nl* + Man pages, OpenCDK, fixes. + + Stefan Walter *stef [at] memberwebs.com* + PKCS8 fix, PKCS #11 backend move to p11-kit. + + Yoshisato YANAGISAWA *yanagisawa [at] csg.is.titech.ac.jp* + Camellia support. + + Emile Van Bergen *emile [at] e-advies.nl* + TLS/IA fixes. + + Joe Orton *jorton [at] redhat.com* + Certificate name import/export, build fixes, test vectors. + + Daniel Kahn Gillmor *dkg-debian.org [at] fifthhorseman.net* + OpenPGP discussion and improvements. + + David MarÃÂn Carreño *davefx [at] gmail.com* + Added gnutls_x509_crq_get_key_id. + + Daiki Ueno *ueno [at] unixuser.org* + Added TLS Session Ticket (RFC 5077) support, + finished client-side TLS 1.2 support. + + Brad Hards *bradh [at] frogmouth.net* + Add X.509 Issuer Alternative Name functions. + + Boyan Kasarov *bkasarov [at] gmail.com* + C++ fixes. 
+ + Steve Dispensa *dispensa [at] phonefactor.com* + Initial TLS safe renegotiation patch. + + Jonathan Bastien-Filiatrault *joe [at] x2a.org* + Fix TLS-version checks. + Redesign and implementation of the buffering layer. + Initial DTLS implementation. + + Ruslan Ijbulatov (LRN) *lrn1986 [at] gmail.com* + Win32 patches. + + Andy Polyakov *appro [at] openssl.org* + AES-NI and Padlock assembler code (at lib/accelerated/intel/asm/) + + David Woodhouse *dwmw2 [at] infradead.org* + DTLS 0.9 implementation. + + Olga Smolenchuk *olyasib12 [at] gmail.com* + DTLS/TLS heartbeat implementation. + + Ilya Tumaykin *itumaykin [at] gmail.com* + Elliptic curve support improvements (wmNAF implementation and others). + + Martin Storjo *martin [at] martin.st* + DTLS-SRTP support. + + +License: The main library is licensed under GNU Lesser +General Public License (LGPL) version 2.1+, Gnutls Extra (which is currently +just the openssl wrapper library), build system, testsuite and commandline +utilities are licenced under the GNU General Public License version 3+. The +Guile bindings use the same license as the respective underlying library, +i.e. LGPLv2.1+ for the main library and GPLv3+ for Gnutls extra. + +However to be able to use and link against libgnutls a program needs to be +available under a license compatible with LGPLv3+ or GPLv2+ since GnuTLS +requires nettle which requires GMP. GMP (>= 6.0.0) is dual licensed +LGPLv3+ or GPLv2+. + +Copyright: +-------------------- +/* -*- c -*- + * Copyright (C) 2000-2016 Free Software Foundation, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. 
+ * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ +-------------------- +/* + * Copyright (C) 2004-2015 Free Software Foundation, Inc. + * Copyright (c) 2002 Andrew McDonald <andrew@mcdonald.org.uk> + * + * This file is part of GnuTLS-EXTRA. + * + * GnuTLS-extra is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS-extra is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ +-------------------- + +The documentation is distributed under the terms of the GNU Free +Documentation License (FDL): +-------------------- +Copyright (C) 2001-2015 Free Software Foundation, Inc. +Copyright (C) 2001-2015 Nikos Mavrogiannopoulos + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, + Version 1.3 or any later version published by the Free Software + Foundation; with no Invariant Sections, no Front-Cover Texts, and + no Back-Cover Texts. A copy of the license is included in the + section entitled "GNU Free Documentation License". 
+-------------------- + +-------------------- +From December 2012 onwards FSF is not the sole copyright holder of GnuTLS +anymore (See <http://article.gmane.org/gmane.network.gnutls.general/3026>), +the headers currently also list these authors/copyright holders:: +* Nikos Mavrogiannopoulos +* KU Leuven +* INRIA Paris-Rocquencourt +* Lucas Fisher +* Sean Buckheister +* Frank Morgner +* Bardenheuer GmbH, Munich and Bundesdruckerei GmbH, Berlin +* Adam Sampson +* Christian Grothoff +* Andrew McDonald <andrew@mcdonald.org.uk +* Red Hat +* Paul Sheer +-------------------- + + + +On Debian GNU/Linux systems, the complete text of the latest version of +the GNU Lesser General Public License can be found in +`/usr/share/common-licenses/LGPL' v3 of the license in +`/usr/share/common-licenses/LGPL-3'; the GNU General Public License can +be found in `/usr/share/common-licenses/GPL' (version 3 in +/usr/share/common-licenses/GPL-3) The GNU Free Documentation +License is available under /usr/share/common-licenses/GFDL-1.3. + +============================================ + +Excerpt from upstream's README: + +LICENSING +========= + +Since GnuTLS version 3.1.10, the core library has been released under +the GNU Lesser General Public License (LGPL) version 2.1 or later. + +Note, however, that version 6.0.0 and later of the gmplib library used +by GnuTLS are distributed under a LGPLv3+ or GPLv2+ dual license, and +as such binaries of this library need to adhere to either LGPLv3+ or +GPLv2+ license. + + + + +The GNU LGPL applies to the main GnuTLS library, while the +included applications as well as gnutls-openssl +library are under the GNU GPL version 3. The gnutls library is +located in the lib/ and libdane/ directories, while the applications +in src/ and, the gnutls-openssl library is at extra/. + +For any copyright year range specified as YYYY-ZZZZ in this package +note that the range specifies every single year in that closed interval. 
+============================================ +============================================ + +Non FSF code + +============================================ +crywrap is shipped with GnuTLS. +Upstream Authors: Gergely Nagy <algernon@bonehunter.rulez.org> + Nikos Mavrogiannopoulos +License: GPLv3+ + +Copyright: +-------------------- + * Copyright (C) 2003, 2004 Gergely Nagy <algernon@bonehunter.rulez.org> + * Copyright (C) 2011 Nikos Mavrogiannopoulos + * + * This file is part of CryWrap. + * + * CryWrap is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * CryWrap is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. +-------------------- + +crywrap documentation (manpage): +Upstream Author: Gergely Nagy <algernon@bonehunter.rulez.org> +License: nonstandard, see below +Copyright: +-------------------- +.\" This manual is for CRYWrap +.\" +.\" Copyright (C) 2003 Gergely Nagy <algernon@@bonehunter.rulez.org> +.\" +.\" Permission is granted to make and distribute verbatim copies of this +.\" manual provided the copyright notice and this permission notice are +.\" preserved on all copies. +.\" +.\" Permission is granted to copy and distribute modified versions of this +.\" manual under the conditions for verbatim copying, provided that the +.\" entire resulting derived work is distributed under the terms of a +.\" permission notice identical to this one. 
+.\" +.\" Permission is granted to copy and distribute translations of this +.\" manual into another language, under the above conditions for modified +.\" versions, except that this permission notice may be stated in a +.\" translation approved by the Author. +-------------------- + +============================================ + +lib/accelerated/x86 contains code by Andy Polyakov <appro@openssl.org>, +copyright is not assigned to the FSF. The code is licensed under the +CRYPTOGAMS license. + +-------------------- +# Copyright (c) 2011-2013, Andy Polyakov by <appro@openssl.org> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain copyright notices, +# this list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# * Neither the name of the Andy Polyakov nor the names of its +# copyright holder and contributors may be used to endorse or +# promote products derived from this software without specific +# prior written permission. +# +# ALTERNATIVELY, provided that this notice is retained in full, this +# product may be distributed under the terms of the GNU General Public +# License (GPL), in which case the provisions of the GPL apply INSTEAD OF +# those given above. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-------------------- + +============================================ + +lib/extras/randomart.* + + +Upstream Authors: Markus Friedl + Alexander von Gernler + +Copyright: + * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2008 Alexander von Gernler. All rights reserved. +License: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +============================================ + +lib/accelerated/x86/elf/aes-ssse3-x86.s +lib/accelerated/x86/macosx/aes-ssse3-x86.s + +Upstream Authors: Mike Hamburg (Stanford University) + +Copyright: + * Mike Hamburg (Stanford University), 2009. +License: + Public domain. + +============================================ + +lib/inet_pton.c + +Upstream Authors: Internet Software Consortium + +Copyright/License: + * Copyright (c) 1996,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. 
+ +============================================ + +lib/vasprintf.c +Upstream Authors: David Woodhouse <dwmw2@infradead.org> +Copyright: 2008-2014 Intel Corporation +License: LGPL2.1 +Comment: This code is not used on Debian/*, since we have a working + vasprintf() in glibc. + +lib/extras/hex.* +Author: Rusty Russell <rusty@rustcorp.com.au> +Comment: http://ccodearchive.net/info/str/hex.html +License: CC0 license + Statement of Purpose + + The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work"). + + Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others. + + For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights. + + 1. Copyright and Related Rights. 
A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following: + + the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work; + moral rights retained by the original author(s) and/or performer(s); + publicity and privacy rights pertaining to a person's image or likeness depicted in a Work; + rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below; + rights protecting the extraction, dissemination, use and reuse of data in a Work; + database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and + other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof. + + 2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). 
Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose. + + 3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose. + + 4. Limitations and Disclaimers. 
+ + No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document. + Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law. + Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work. + Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work. diff --git a/debian/crywrap.8 b/debian/crywrap.8 new file mode 100644 index 0000000000000000000000000000000000000000..76a6c92899c039181070f784167cb0d413e47a8f --- /dev/null +++ b/debian/crywrap.8 
@@ -0,0 +1,121 @@
+.\" -*- nroff -*-
+.\" This manual is for CRYWrap
+.\"
+.\" Copyright (C) 2003 Gergely Nagy <algernon@@bonehunter.rulez.org>
+.\"
+.\" Permission is granted to make and distribute verbatim copies of this
+.\" manual provided the copyright notice and this permission notice are
+.\" preserved on all copies.
+.\"
+.\" Permission is granted to copy and distribute modified versions of this
+.\" manual under the conditions for verbatim copying, provided that the
+.\" entire resulting derived work is distributed under the terms of a
+.\" permission notice identical to this one.
+.\"
+.\" Permission is granted to copy and distribute translations of this
+.\" manual into another language, under the above conditions for modified
+.\" versions, except that this permission notice may be stated in a
+.\" translation approved by the Author.
+.TH CRYWRAP 8 "03 May 2003" "CryWrap" "CryWrap"
+.SH "NAME"
+CryWrap \- Simple TCP/IP service encryption using TLS/SSL
+.SH "SYNOPSIS"
+.BI "crywrap \-\-listen " HOST / PORT " \-\-destination " HOST / PORT
+.BI [ options ]
+.SH "DESCRIPTION"
+.B CryWrap
+is a simple wrapper that waits for TLS/SSL connections, and proxies
+them to an unencrypted location.
+.SH "OPTIONS"
+.B CryWrap
+takes the following options:
+.SS "Required options"
+.TP
+.BI "\-\-destionation (\-d) " HOST / PORT
+The destionation host and address, where CryWrap should connect
+to. Both arguments are required.
+.SS "TLS options"
+.TP
+.B \-\-anon (\-a)
+Enables Anon-DH mode. If enabled, no certificate will be sent to the
+client, and only anonymous sessions will be enabled.
+.br
+Default is \fBoff\fR.
+.TP
+.BI "\-\-cert (\-c) " PATH
+.TP
+.BI "\-\-key (\-k) " PATH
+.br
+The public certificate to send to clients, and the private server key.
+.br
+Default is \fB/etc/crywrap/server.pem\fR, unless \fB--anon\fR is also
+specified, in which case no certificate will be used.
+.BI "\-\-ca (\-z) " PATH
+.br
+A Certificate Authority certificate to be used for verification of client certificates.
+.TP
+.BI "\-\-verify (\-v) [" LEVEL ]
+Set the level of client certificate verification. Level one simply
+logs the result, level two and above abort if the certificate could
+not be verified.
+.br
+Default is \fB0\fR.
+.SS "Miscellaneous options"
+.TP
+.B \-\-inetd (\-i)
+Enable inetd-mode. Use this if you want to run CryWrap from inetd. If
+this option is not enabled, then \fB\-\-listen\fR is a required
+option.
+.br
+Default is \fBoff\fR.
+.TP
+.BI "\-\-listen (\-l) " HOST / PORT
+The host and port CryWrap should listen on. \fIHOST\fR can be an IPv4
+or IPv6 address, or a hostname, and is optional \- if unspecified,
+CryWrap will listen on all available addresses. \fIPORT\fR is
+mandatory.
+.br
+This option is required, unless CryWrap was put into inetd mode.
+.TP
+.BI "\-\-pidfile (\-P) " PIDFILE
+Write the pid thy runs with to
+.IR PIDFILE .
+.br
+Default is
+.BR /var/run/crywrap.pid .
+.TP
+.BI "\-\-user (\-u) " UID
+.I UID
+is the numerical user id of the user thy should run as.
+.br
+Default is
+.BR 65534 .
+.TP
+.B \-\-version (\-V)
+Print the version number and exit.
+.TP
+.B \-\-help (\-?)
+Print a verbose help screen and exit.
+.TP
+.B \-\-usage
+Print a short summary of options.
+.SH "EXAMPLES"
+.SS "Setting up pop3s"
+.nf
+crywrap \-\-listen /995 \-\-destination localhost/110
+.fi
+.SS "Setting up imaps with a different certificate"
+.nf
+crywrap \-\-listen /993 \-\-destination localhost/143 \\
+ \-\-pem /etc/ssl/certs/imap.pem
+.fi
+.SH "FILES"
+.TP
+.I /etc/crywrap/
+.RS
+This directory contains the default server key and certificate.
+.RE
+.SH "BUGS"
+Probably many.
+.SH "AUTHOR"
+Gergely Nagy <algernon@bonehunter.rulez.org>
diff --git a/debian/gnutls-bin.examples b/debian/gnutls-bin.examples
new file mode 100644
index 0000000000000000000000000000000000000000..9ff2c75d09ba8db81d13f5cdc0f1ce31677bbbef
--- /dev/null
+++ b/debian/gnutls-bin.examples
@@ -0,0 +1 @@
+doc/certtool.cfg
diff --git a/debian/gnutls-bin.install b/debian/gnutls-bin.install
new file mode 100644
index 0000000000000000000000000000000000000000..bd72fefffb169856e087dd4abd07db9b71aaed0e
--- /dev/null
+++ b/debian/gnutls-bin.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/* usr/bin
diff --git a/debian/gnutls-bin.manpages b/debian/gnutls-bin.manpages
new file mode 100644
index 0000000000000000000000000000000000000000..c55d01e7cbc8042fef803c7ff5a3e0e5f6775691
--- /dev/null
+++ b/debian/gnutls-bin.manpages
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/man/*/*.1
+debian/tmp/usr/share/man/*/*.8
+debian/crywrap.8
diff --git a/debian/gnutls-doc.dirs b/debian/gnutls-doc.dirs
new file mode 100644
index 0000000000000000000000000000000000000000..08216380b3f67b1b658dcb0ca5f2cc1b83057ef2
--- /dev/null
+++ b/debian/gnutls-doc.dirs
@@ -0,0 +1 @@
+/usr/share/info
diff --git a/debian/gnutls-doc.doc-base b/debian/gnutls-doc.doc-base
new file mode 100644
index 0000000000000000000000000000000000000000..cb926c521d1a12874d541e9245333313bc845724
--- /dev/null
+++ b/debian/gnutls-doc.doc-base
@@ -0,0 +1,16 @@
+Document: gnutls
+Title: GnuTLS Manual
+Author: Simon Josefsson
+Abstract: GnuTLS library manual
+Section: Programming/C
+
+Format: HTML
+Index: /usr/share/doc/gnutls-doc/html/gnutls.html
+Files: /usr/share/doc/gnutls-doc/html/*
+
+Format: PDF
+Files: /usr/share/doc/gnutls-doc/gnutls.pdf
+
+Format: info
+Index: /usr/share/info/gnutls.info.gz
+Files: /usr/share/info/gnutls.info*
diff --git a/debian/gnutls-doc.doc-base.apireference b/debian/gnutls-doc.doc-base.apireference
new file mode 100644
index 0000000000000000000000000000000000000000..ed73de0700fedb20b58e81521604ee62a2c9c538
--- /dev/null
+++ b/debian/gnutls-doc.doc-base.apireference
@@ -0,0 +1,9 @@
+Document: gnutls-api
+Title: GNU TLS API Reference Manual
+Author: Simon Josefsson
+Abstract: GNU TLS API Reference Manual
+Section: Programming/C
+
+Format: HTML
+Index: /usr/share/doc/gnutls-doc/api-reference/index.html
+Files: /usr/share/doc/gnutls-doc/api-reference/*
diff --git a/debian/gnutls-doc.docs b/debian/gnutls-doc.docs
new file mode 100644
index 0000000000000000000000000000000000000000..27cd8007bea3a10fb5d7c8e1c9fc8b86a85f0959
--- /dev/null
+++ b/debian/gnutls-doc.docs
@@ -0,0 +1 @@
+doc/gnutls.pdf
diff --git a/debian/gnutls-doc.examples b/debian/gnutls-doc.examples
new file mode 100644
index 0000000000000000000000000000000000000000..933da2141216a394154cd345e15aaed944c95bbb
--- /dev/null
+++ b/debian/gnutls-doc.examples
@@ -0,0 +1,3 @@
+doc/examples/*.c
+doc/examples/*.cpp
+doc/examples/*.h
diff --git a/debian/gnutls-doc.info b/debian/gnutls-doc.info
new file mode 100644
index 0000000000000000000000000000000000000000..1af96a088d170e6e592fe33f2d766595e2a4ea94
--- /dev/null
+++ b/debian/gnutls-doc.info
@@ -0,0 +1 @@
+debian/tmp/usr/share/info/gnutls.info*
diff --git a/debian/gnutls-doc.install b/debian/gnutls-doc.install
new file mode 100644
index 0000000000000000000000000000000000000000..b0d72fe671d23dd1ee07b966aba9c687fb4411a6
--- /dev/null
+++ b/debian/gnutls-doc.install
@@ -0,0 +1,6 @@
+doc/reference/html/*html usr/share/doc/gnutls-doc/api-reference
+doc/reference/html/*png usr/share/doc/gnutls-doc/api-reference
+doc/reference/html/*.css usr/share/doc/gnutls-doc/api-reference
+doc/reference/html/*.devhelp* usr/share/doc/gnutls-doc/api-reference
+doc/*.html usr/share/doc/gnutls-doc/html
+doc/*.png usr/share/doc/gnutls-doc/html
diff --git a/debian/gnutls-doc.links b/debian/gnutls-doc.links
new file mode 100644
index 0000000000000000000000000000000000000000..52baaf5c39a18701b93a9704144c5fc818a0b21e
--- /dev/null
+++ b/debian/gnutls-doc.links
@@ -0,0 +1 @@
+/usr/share/doc/gnutls-doc/api-reference /usr/share/gtk-doc/html/gnutls
diff --git a/debian/gnutls-doc.manpages b/debian/gnutls-doc.manpages
new file mode 100644
index 0000000000000000000000000000000000000000..7c726776fbd540cadae526736588fea6d8703b56
--- /dev/null
+++ b/debian/gnutls-doc.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man3/*
diff --git a/debian/guile-gnutls.install b/debian/guile-gnutls.install
new file mode 100644
index 0000000000000000000000000000000000000000..e9cea960614c260c7b09e93bb6a209aee254fad4
--- /dev/null
+++ b/debian/guile-gnutls.install
@@ -0,0 +1,2 @@
+debian/tmp/usr/lib/*/guile/*/guile-gnutls*.so*
+debian/tmp/usr/share/guile/site
diff --git a/debian/libgnutls-dev.install b/debian/libgnutls-dev.install
new file mode 100644
index 0000000000000000000000000000000000000000..8639bf4750acf0159c6595200dd5c2e99e482a1a
--- /dev/null
+++ b/debian/libgnutls-dev.install
@@ -0,0 +1,4 @@
+debian/tmp/usr/include/*
+debian/tmp/usr/lib/*/libgnutls*.so
+debian/tmp/usr/lib/*/libgnutls*.a
+debian/tmp/usr/lib/*/pkgconfig/gnutls.pc
diff --git a/debian/libgnutls-openssl27.install b/debian/libgnutls-openssl27.install
new file mode 100644
index 0000000000000000000000000000000000000000..391ab90586c0132029562316f81f46fc2772252a
--- /dev/null
+++ b/debian/libgnutls-openssl27.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/*/libgnutls-openssl.so.*
diff --git a/debian/libgnutls30.NEWS b/debian/libgnutls30.NEWS
new file mode 100644
index 0000000000000000000000000000000000000000..c30ea2c668a71c0418ed8b22afcc1daa7598081a
--- /dev/null
+++ b/debian/libgnutls30.NEWS
@@ -0,0 +1,55 @@ +gnutls28 (3.0.0-1) experimental; urgency=low + + GnuTLS is now using nettle instead of libgcrypt as crypto backend. + + Related to this change (nettle uses LGPLv3+ licensed GMP) the licensing has + change. GnuTLS is LGPLv3+ now, GnuTLS-EXTRA GPLv3+. GnuTLS can therefore not + be used by projects using GPLv2 without the "or later" clause. + + -- Andreas Metzler <ametzler@downhill.g.la> Sun, 14 Aug 2011 14:27:12 +0200 + +gnutls26 (2.6.6-1) unstable; urgency=high + + libgnutls: Check expiration/activation time on untrusted certificates. + Before the library did not check activation/expiration times on + certificates, and was documented as not doing so. We have realized that + many applications that use libgnutls, including gnutls-cli, fail to + perform proper checks. Implementing similar logic in all applications + leads to code duplication. Hence, we decided to check whether the + current time (as reported by the time function) is within the + activation/expiration period of certificates when verifying untrusted + certificates. + + This changes the semantics of gnutls_x509_crt_list_verify, which in + turn is used by gnutls_certificate_verify_peers and + gnutls_certificate_verify_peers2. We add two new + gnutls_certificate_status_t codes for reporting the new error + condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also + add a new gnutls_certificate_verify_flags flag, + GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new + behaviour. + GNUTLS-SA-2009-3 CVE-2009-1417 + http://www.gnu.org/software/gnutls/security.html + + -- Andreas Metzler <ametzler@debian.org> Thu, 30 Apr 2009 19:00:21 +0200 + +gnutls26 (2.4.2-5) unstable; urgency=medium + + * The gnutls certificate verification code has been changed to stop + trusting some weak algoritms. Verifying untrusted X.509 certificates + signed with RSA-MD2 or RSA-MD5 will now fail with a + GNUTLS_CERT_INSECURE_ALGORITHM verification output. 
+ + See <http://www.win.tue.nl/hashclash/rogue-ca/>, + <http://bugs.debian.org/514578> and + <http://www.gnu.org/software/gnutls/manual/gnutls.html#Digital-signatures> + + "certtool -i < signature.pem" will inform about the algoritm used for + signing (Search for "Signature Algorithm" in its output.). The proper + fix is to re-issue the certificates with a more secure algoritm. As a + hotfix the respective certicate itself can be added to the list of + trusted certificates. Obviously this should only be done after + verifying the certificate by different means than relying on the weak + signature. + + -- Andreas Metzler <ametzler@debian.org> Sat, 07 Feb 2009 12:58:51 +0100 diff --git a/debian/libgnutls30.docs b/debian/libgnutls30.docs new file mode 100644 index 0000000000000000000000000000000000000000..05c2865150d55ffaeddc9dd180216ea6439bcc9d --- /dev/null +++ b/debian/libgnutls30.docs @@ -0,0 +1,4 @@ +AUTHORS +NEWS +README +THANKS diff --git a/debian/libgnutls30.install b/debian/libgnutls30.install new file mode 100644 index 0000000000000000000000000000000000000000..8856fe2c73c8436046827398e0c0adfc528aace9 --- /dev/null +++ b/debian/libgnutls30.install @@ -0,0 +1,2 @@ +debian/tmp/usr/lib/*/libgnutls.so.* +debian/tmp/usr/share/locale/* diff --git a/debian/libgnutls30.symbols b/debian/libgnutls30.symbols new file mode 100644 index 0000000000000000000000000000000000000000..b72046915c89118bff633240879302c584defefd --- /dev/null +++ b/debian/libgnutls30.symbols 
@@ -0,0 +1,1048 @@ +libgnutls.so.30 libgnutls30 #MINVER# +* Build-Depends-Package: libgnutls28-dev + GNUTLS_3_4@GNUTLS_3_4 3.4.0 + GNUTLS_FIPS140_3_4@GNUTLS_FIPS140_3_4 3.4.0 + (regex|optional)"@GNUTLS_PRIVATE_3_4$" 3.4.7-0+private+1 + _gnutls_encode_ber_rs_raw@GNUTLS_FIPS140_3_4 3.4.7-0+private+1 + _gnutls_global_init_skip@GNUTLS_3_4 3.4.7 + gnutls_aead_cipher_decrypt@GNUTLS_3_4 3.4.0 + gnutls_aead_cipher_deinit@GNUTLS_3_4 3.4.0 + gnutls_aead_cipher_encrypt@GNUTLS_3_4 3.4.0 + gnutls_aead_cipher_init@GNUTLS_3_4 3.4.0 + gnutls_alert_get@GNUTLS_3_4 3.4.0 + gnutls_alert_get_name@GNUTLS_3_4 3.4.0 + gnutls_alert_get_strname@GNUTLS_3_4 3.4.0 + gnutls_alert_send@GNUTLS_3_4 3.4.0 + gnutls_alert_send_appropriate@GNUTLS_3_4 3.4.0 + gnutls_alpn_get_selected_protocol@GNUTLS_3_4 3.4.0 + gnutls_alpn_set_protocols@GNUTLS_3_4 3.4.0 + gnutls_anon_allocate_client_credentials@GNUTLS_3_4 3.4.0 + gnutls_anon_allocate_server_credentials@GNUTLS_3_4 3.4.0 + gnutls_anon_free_client_credentials@GNUTLS_3_4 3.4.0 + gnutls_anon_free_server_credentials@GNUTLS_3_4 3.4.0 + gnutls_anon_set_params_function@GNUTLS_3_4 3.4.0 + gnutls_anon_set_server_dh_params@GNUTLS_3_4 3.4.0 + gnutls_anon_set_server_params_function@GNUTLS_3_4 3.4.0 + gnutls_auth_client_get_type@GNUTLS_3_4 3.4.0 + gnutls_auth_get_type@GNUTLS_3_4 3.4.0 + gnutls_auth_server_get_type@GNUTLS_3_4 3.4.0 + gnutls_buffer_append_data@GNUTLS_3_4 3.4.0 + gnutls_bye@GNUTLS_3_4 3.4.0 + gnutls_calloc@GNUTLS_3_4 3.4.0 + gnutls_certificate_activation_time_peers@GNUTLS_3_4 3.4.0 + gnutls_certificate_allocate_credentials@GNUTLS_3_4 3.4.0 + gnutls_certificate_client_get_request_status@GNUTLS_3_4 3.4.0 + gnutls_certificate_expiration_time_peers@GNUTLS_3_4 3.4.0 + gnutls_certificate_free_ca_names@GNUTLS_3_4 3.4.0 + gnutls_certificate_free_cas@GNUTLS_3_4 3.4.0 + gnutls_certificate_free_credentials@GNUTLS_3_4 3.4.0 + gnutls_certificate_free_crls@GNUTLS_3_4 3.4.0 + gnutls_certificate_free_keys@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_crt_raw@GNUTLS_3_4 
3.4.0 + gnutls_certificate_get_issuer@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_openpgp_crt@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_openpgp_key@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_ours@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_peers@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_peers_subkey_id@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_trust_list@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_verify_flags@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_x509_crt@GNUTLS_3_4 3.4.0 + gnutls_certificate_get_x509_key@GNUTLS_3_4 3.4.0 + gnutls_certificate_send_x509_rdn_sequence@GNUTLS_3_4 3.4.0 + gnutls_certificate_server_set_request@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_dh_params@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_flags@GNUTLS_3_4 3.4.7 + gnutls_certificate_set_key@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_ocsp_status_request_file@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_ocsp_status_request_function@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_openpgp_key@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_openpgp_key_file2@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_openpgp_key_file@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_openpgp_key_mem2@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_openpgp_key_mem@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_openpgp_keyring_file@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_openpgp_keyring_mem@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_params_function@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_pin_function@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_retrieve_function2@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_retrieve_function@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_trust_list@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_verify_flags@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_verify_function@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_verify_limits@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_crl@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_crl_file@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_crl_mem@GNUTLS_3_4 3.4.0 + 
gnutls_certificate_set_x509_key@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_key_file2@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_key_file@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_key_mem2@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_key_mem@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_simple_pkcs12_file@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_simple_pkcs12_mem@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_system_trust@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_trust@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_trust_dir@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_trust_file@GNUTLS_3_4 3.4.0 + gnutls_certificate_set_x509_trust_mem@GNUTLS_3_4 3.4.0 + gnutls_certificate_type_get@GNUTLS_3_4 3.4.0 + gnutls_certificate_type_get_id@GNUTLS_3_4 3.4.0 + gnutls_certificate_type_get_name@GNUTLS_3_4 3.4.0 + gnutls_certificate_type_list@GNUTLS_3_4 3.4.0 + gnutls_certificate_verification_status_print@GNUTLS_3_4 3.4.0 + gnutls_certificate_verify_peers2@GNUTLS_3_4 3.4.0 + gnutls_certificate_verify_peers3@GNUTLS_3_4 3.4.0 + gnutls_certificate_verify_peers@GNUTLS_3_4 3.4.0 + gnutls_check_version@GNUTLS_3_4 3.4.0 + gnutls_cipher_add_auth@GNUTLS_3_4 3.4.0 + gnutls_cipher_decrypt2@GNUTLS_3_4 3.4.0 + gnutls_cipher_decrypt@GNUTLS_3_4 3.4.0 + gnutls_cipher_deinit@GNUTLS_3_4 3.4.0 + gnutls_cipher_encrypt2@GNUTLS_3_4 3.4.0 + gnutls_cipher_encrypt@GNUTLS_3_4 3.4.0 + gnutls_cipher_get@GNUTLS_3_4 3.4.0 + gnutls_cipher_get_block_size@GNUTLS_3_4 3.4.0 + gnutls_cipher_get_id@GNUTLS_3_4 3.4.0 + gnutls_cipher_get_iv_size@GNUTLS_3_4 3.4.0 + gnutls_cipher_get_key_size@GNUTLS_3_4 3.4.0 + gnutls_cipher_get_name@GNUTLS_3_4 3.4.0 + gnutls_cipher_get_tag_size@GNUTLS_3_4 3.4.0 + gnutls_cipher_init@GNUTLS_3_4 3.4.0 + gnutls_cipher_list@GNUTLS_3_4 3.4.0 + gnutls_cipher_set_iv@GNUTLS_3_4 3.4.0 + gnutls_cipher_suite_get_name@GNUTLS_3_4 3.4.0 + gnutls_cipher_suite_info@GNUTLS_3_4 3.4.0 + gnutls_cipher_tag@GNUTLS_3_4 3.4.0 + gnutls_compression_get@GNUTLS_3_4 3.4.0 + 
gnutls_compression_get_id@GNUTLS_3_4 3.4.0 + gnutls_compression_get_name@GNUTLS_3_4 3.4.0 + gnutls_compression_list@GNUTLS_3_4 3.4.0 + gnutls_credentials_clear@GNUTLS_3_4 3.4.0 + gnutls_credentials_get@GNUTLS_3_4 3.4.0 + gnutls_credentials_set@GNUTLS_3_4 3.4.0 + gnutls_crypto_register_aead_cipher@GNUTLS_3_4 3.4.0 + gnutls_crypto_register_cipher@GNUTLS_3_4 3.4.0 + gnutls_crypto_register_digest@GNUTLS_3_4 3.4.0 + gnutls_crypto_register_mac@GNUTLS_3_4 3.4.0 + gnutls_db_check_entry@GNUTLS_3_4 3.4.0 + gnutls_db_check_entry_time@GNUTLS_3_4 3.4.0 + gnutls_db_get_default_cache_expiration@GNUTLS_3_4 3.4.0 + gnutls_db_get_ptr@GNUTLS_3_4 3.4.0 + gnutls_db_remove_session@GNUTLS_3_4 3.4.0 + gnutls_db_set_cache_expiration@GNUTLS_3_4 3.4.0 + gnutls_db_set_ptr@GNUTLS_3_4 3.4.0 + gnutls_db_set_remove_function@GNUTLS_3_4 3.4.0 + gnutls_db_set_retrieve_function@GNUTLS_3_4 3.4.0 + gnutls_db_set_store_function@GNUTLS_3_4 3.4.0 + gnutls_deinit@GNUTLS_3_4 3.4.0 + gnutls_dh_get_group@GNUTLS_3_4 3.4.0 + gnutls_dh_get_peers_public_bits@GNUTLS_3_4 3.4.0 + gnutls_dh_get_prime_bits@GNUTLS_3_4 3.4.0 + gnutls_dh_get_pubkey@GNUTLS_3_4 3.4.0 + gnutls_dh_get_secret_bits@GNUTLS_3_4 3.4.0 + gnutls_dh_params_cpy@GNUTLS_3_4 3.4.0 + gnutls_dh_params_deinit@GNUTLS_3_4 3.4.0 + gnutls_dh_params_export2_pkcs3@GNUTLS_3_4 3.4.0 + gnutls_dh_params_export_pkcs3@GNUTLS_3_4 3.4.0 + gnutls_dh_params_export_raw@GNUTLS_3_4 3.4.0 + gnutls_dh_params_generate2@GNUTLS_3_4 3.4.0 + gnutls_dh_params_import_pkcs3@GNUTLS_3_4 3.4.0 + gnutls_dh_params_import_raw2@GNUTLS_3_4 3.4.0 + gnutls_dh_params_import_raw@GNUTLS_3_4 3.4.0 + gnutls_dh_params_init@GNUTLS_3_4 3.4.0 + gnutls_dh_set_prime_bits@GNUTLS_3_4 3.4.0 + gnutls_digest_get_id@GNUTLS_3_4 3.4.0 + gnutls_digest_get_name@GNUTLS_3_4 3.4.0 + gnutls_digest_get_oid@GNUTLS_3_4 3.4.3 + gnutls_digest_list@GNUTLS_3_4 3.4.0 + gnutls_dtls_cookie_send@GNUTLS_3_4 3.4.0 + gnutls_dtls_cookie_verify@GNUTLS_3_4 3.4.0 + gnutls_dtls_get_data_mtu@GNUTLS_3_4 3.4.0 + 
gnutls_dtls_get_mtu@GNUTLS_3_4 3.4.0 + gnutls_dtls_get_timeout@GNUTLS_3_4 3.4.0 + gnutls_dtls_prestate_set@GNUTLS_3_4 3.4.0 + gnutls_dtls_set_data_mtu@GNUTLS_3_4 3.4.0 + gnutls_dtls_set_mtu@GNUTLS_3_4 3.4.0 + gnutls_dtls_set_timeouts@GNUTLS_3_4 3.4.0 + gnutls_ecc_curve_get@GNUTLS_3_4 3.4.0 + gnutls_ecc_curve_get_id@GNUTLS_3_4 3.4.3 + gnutls_ecc_curve_get_name@GNUTLS_3_4 3.4.0 + gnutls_ecc_curve_get_oid@GNUTLS_3_4 3.4.3 + gnutls_ecc_curve_get_size@GNUTLS_3_4 3.4.0 + gnutls_ecc_curve_list@GNUTLS_3_4 3.4.0 + gnutls_error_is_fatal@GNUTLS_3_4 3.4.0 + gnutls_error_to_alert@GNUTLS_3_4 3.4.0 + gnutls_est_record_overhead_size@GNUTLS_3_4 3.4.0 + gnutls_ext_get_data@GNUTLS_3_4 3.4.0 + gnutls_ext_register@GNUTLS_3_4 3.4.0 + gnutls_ext_set_data@GNUTLS_3_4 3.4.0 + gnutls_fingerprint@GNUTLS_3_4 3.4.0 + gnutls_fips140_mode_enabled@GNUTLS_3_4 3.4.0 + gnutls_free@GNUTLS_3_4 3.4.0 + gnutls_global_deinit@GNUTLS_3_4 3.4.0 + gnutls_global_init@GNUTLS_3_4 3.4.0 + gnutls_global_set_audit_log_function@GNUTLS_3_4 3.4.0 + gnutls_global_set_log_function@GNUTLS_3_4 3.4.0 + gnutls_global_set_log_level@GNUTLS_3_4 3.4.0 + gnutls_global_set_mem_functions@GNUTLS_3_4 3.4.0 + gnutls_global_set_mutex@GNUTLS_3_4 3.4.0 + gnutls_global_set_time_function@GNUTLS_3_4 3.4.0 + gnutls_handshake@GNUTLS_3_4 3.4.0 + gnutls_handshake_description_get_name@GNUTLS_3_4 3.4.0 + gnutls_handshake_get_last_in@GNUTLS_3_4 3.4.0 + gnutls_handshake_get_last_out@GNUTLS_3_4 3.4.0 + gnutls_handshake_set_hook_function@GNUTLS_3_4 3.4.0 + gnutls_handshake_set_max_packet_length@GNUTLS_3_4 3.4.0 + gnutls_handshake_set_post_client_hello_function@GNUTLS_3_4 3.4.0 + gnutls_handshake_set_private_extensions@GNUTLS_3_4 3.4.0 + gnutls_handshake_set_random@GNUTLS_3_4 3.4.0 + gnutls_handshake_set_timeout@GNUTLS_3_4 3.4.0 + gnutls_hash@GNUTLS_3_4 3.4.0 + gnutls_hash_deinit@GNUTLS_3_4 3.4.0 + gnutls_hash_fast@GNUTLS_3_4 3.4.0 + gnutls_hash_get_len@GNUTLS_3_4 3.4.0 + gnutls_hash_init@GNUTLS_3_4 3.4.0 + gnutls_hash_output@GNUTLS_3_4 3.4.0 + 
gnutls_heartbeat_allowed@GNUTLS_3_4 3.4.0 + gnutls_heartbeat_enable@GNUTLS_3_4 3.4.0 + gnutls_heartbeat_get_timeout@GNUTLS_3_4 3.4.0 + gnutls_heartbeat_ping@GNUTLS_3_4 3.4.0 + gnutls_heartbeat_pong@GNUTLS_3_4 3.4.0 + gnutls_heartbeat_set_timeouts@GNUTLS_3_4 3.4.0 + gnutls_hex2bin@GNUTLS_3_4 3.4.0 + gnutls_hex_decode2@GNUTLS_3_4 3.4.4 + gnutls_hex_decode@GNUTLS_3_4 3.4.0 + gnutls_hex_encode@GNUTLS_3_4 3.4.0 + gnutls_hex_encode2@GNUTLS_3_4 3.4.4 + gnutls_hmac@GNUTLS_3_4 3.4.0 + gnutls_hmac_deinit@GNUTLS_3_4 3.4.0 + gnutls_hmac_fast@GNUTLS_3_4 3.4.0 + gnutls_hmac_get_len@GNUTLS_3_4 3.4.0 + gnutls_hmac_init@GNUTLS_3_4 3.4.0 + gnutls_hmac_output@GNUTLS_3_4 3.4.0 + gnutls_hmac_set_nonce@GNUTLS_3_4 3.4.0 + gnutls_init@GNUTLS_3_4 3.4.2 + gnutls_key_generate@GNUTLS_3_4 3.4.0 + gnutls_kx_get@GNUTLS_3_4 3.4.0 + gnutls_kx_get_id@GNUTLS_3_4 3.4.0 + gnutls_kx_get_name@GNUTLS_3_4 3.4.0 + gnutls_kx_list@GNUTLS_3_4 3.4.0 + gnutls_load_file@GNUTLS_3_4 3.4.0 + gnutls_mac_get@GNUTLS_3_4 3.4.0 + gnutls_mac_get_id@GNUTLS_3_4 3.4.0 + gnutls_mac_get_key_size@GNUTLS_3_4 3.4.0 + gnutls_mac_get_name@GNUTLS_3_4 3.4.0 + gnutls_mac_get_nonce_size@GNUTLS_3_4 3.4.0 + gnutls_mac_list@GNUTLS_3_4 3.4.0 + gnutls_malloc@GNUTLS_3_4 3.4.0 + gnutls_memcmp@GNUTLS_3_4 3.4.0 + gnutls_memset@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_add_cert@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_add_cert_id@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_deinit@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_export@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_get_cert_id@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_get_extension@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_get_nonce@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_get_version@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_import@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_init@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_print@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_randomize_nonce@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_set_extension@GNUTLS_3_4 3.4.0 + gnutls_ocsp_req_set_nonce@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_check_crt@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_deinit@GNUTLS_3_4 
3.4.0 + gnutls_ocsp_resp_export@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_certs@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_extension@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_nonce@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_produced@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_responder@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_responder_raw_id@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_response@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_signature@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_signature_algorithm@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_single@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_status@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_get_version@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_import@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_init@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_print@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_verify@GNUTLS_3_4 3.4.0 + gnutls_ocsp_resp_verify_direct@GNUTLS_3_4 3.4.0 + gnutls_ocsp_status_request_enable_client@GNUTLS_3_4 3.4.0 + gnutls_ocsp_status_request_get@GNUTLS_3_4 3.4.0 + gnutls_ocsp_status_request_is_checked@GNUTLS_3_4 3.4.0 + gnutls_oid_to_digest@GNUTLS_3_4 3.4.3 + gnutls_oid_to_ecc_curve@GNUTLS_3_4 3.4.3 + gnutls_oid_to_pk@GNUTLS_3_4 3.4.3 + gnutls_oid_to_sign@GNUTLS_3_4 3.4.3 + gnutls_openpgp_crt_check_email@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_check_hostname2@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_check_hostname@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_deinit@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_export2@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_export@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_auth_subkey@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_creation_time@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_expiration_time@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_fingerprint@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_key_id@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_key_usage@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_name@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_pk_dsa_raw@GNUTLS_3_4 3.4.0 + 
gnutls_openpgp_crt_get_pk_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_preferred_key_id@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_revoked_status@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_count@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_creation_time@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_expiration_time@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_fingerprint@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_id@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_idx@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_pk_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_pk_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_revoked_status@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_subkey_usage@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_get_version@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_import@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_init@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_print@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_set_preferred_key_id@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_verify_ring@GNUTLS_3_4 3.4.0 + gnutls_openpgp_crt_verify_self@GNUTLS_3_4 3.4.0 + gnutls_openpgp_keyring_check_id@GNUTLS_3_4 3.4.0 + gnutls_openpgp_keyring_deinit@GNUTLS_3_4 3.4.0 + gnutls_openpgp_keyring_get_crt@GNUTLS_3_4 3.4.0 + gnutls_openpgp_keyring_get_crt_count@GNUTLS_3_4 3.4.0 + gnutls_openpgp_keyring_import@GNUTLS_3_4 3.4.0 + gnutls_openpgp_keyring_init@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_deinit@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_export2@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_export@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_export_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_export_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_export_subkey_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_export_subkey_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_fingerprint@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_key_id@GNUTLS_3_4 3.4.0 + 
gnutls_openpgp_privkey_get_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_preferred_key_id@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_revoked_status@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_subkey_count@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_subkey_creation_time@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_subkey_expiration_time@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_subkey_fingerprint@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_subkey_id@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_subkey_idx@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_subkey_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_get_subkey_revoked_status@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_import@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_init@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_sec_param@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_set_preferred_key_id@GNUTLS_3_4 3.4.0 + gnutls_openpgp_privkey_sign_hash@GNUTLS_3_4 3.4.0 + gnutls_openpgp_send_cert@GNUTLS_3_4 3.4.0 + gnutls_openpgp_set_recv_key_function@GNUTLS_3_4 3.4.0 + gnutls_packet_deinit@GNUTLS_3_4 3.4.0 + gnutls_packet_get@GNUTLS_3_4 3.4.0 + gnutls_pcert_deinit@GNUTLS_3_4 3.4.0 + gnutls_pcert_export_openpgp@GNUTLS_3_4 3.4.0 + gnutls_pcert_export_x509@GNUTLS_3_4 3.4.0 + gnutls_pcert_import_openpgp@GNUTLS_3_4 3.4.0 + gnutls_pcert_import_openpgp_raw@GNUTLS_3_4 3.4.0 + gnutls_pcert_import_x509@GNUTLS_3_4 3.4.0 + gnutls_pcert_import_x509_list@GNUTLS_3_4 3.4.0 + gnutls_pcert_import_x509_raw@GNUTLS_3_4 3.4.0 + gnutls_pcert_list_import_x509_raw@GNUTLS_3_4 3.4.0 + gnutls_pem_base64_decode2@GNUTLS_3_4 3.4.0 + gnutls_pem_base64_decode@GNUTLS_3_4 3.4.0 + gnutls_pem_base64_encode2@GNUTLS_3_4 3.4.0 + gnutls_pem_base64_encode@GNUTLS_3_4 3.4.0 + gnutls_perror@GNUTLS_3_4 3.4.0 + gnutls_pk_algorithm_get_name@GNUTLS_3_4 3.4.0 + gnutls_pk_bits_to_sec_param@GNUTLS_3_4 3.4.0 + gnutls_pk_get_id@GNUTLS_3_4 3.4.0 + gnutls_pk_get_name@GNUTLS_3_4 3.4.0 + gnutls_pk_get_oid@GNUTLS_3_4 3.4.3 + gnutls_pk_list@GNUTLS_3_4 
3.4.0 + gnutls_pk_to_sign@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_add_provider@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_copy_attached_extension@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_copy_pubkey@GNUTLS_3_4 3.4.6 + gnutls_pkcs11_copy_secret_key@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_copy_x509_crt2@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_copy_x509_privkey2@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_crt_is_known@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_deinit@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_delete_url@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_get_pin_function@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_get_raw_issuer@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_get_raw_issuer_by_dn@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_get_raw_issuer_by_subject_key_id@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_init@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_deinit@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_export2@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_export3@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_export@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_export_url@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_flags_get_str@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_obj_get_exts@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_get_flags@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_obj_get_info@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_get_type@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_import_url@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_init@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_list_import_url3@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_obj_list_import_url4@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_obj_set_info@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_obj_set_pin_function@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_privkey_cpy@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_privkey_deinit@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_privkey_export_pubkey@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_privkey_export_url@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_privkey_generate3@GNUTLS_3_4 3.4.4 + gnutls_pkcs11_privkey_get_info@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_privkey_get_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_privkey_import_url@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_privkey_init@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_privkey_set_pin_function@GNUTLS_3_4 
3.4.0 + gnutls_pkcs11_privkey_status@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_reinit@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_set_pin_function@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_set_token_function@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_token_get_flags@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_token_get_info@GNUTLS_3_4 3.4.3 + gnutls_pkcs11_token_get_mechanism@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_token_get_random@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_token_get_url@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_token_init@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_token_set_pin@GNUTLS_3_4 3.4.0 + gnutls_pkcs11_type_get_name@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_decrypt@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_deinit@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_enc_info@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_encrypt@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_get_count@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_get_data@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_get_friendly_name@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_get_key_id@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_get_type@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_init@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_set_crl@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_set_crt@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_set_data@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_set_friendly_name@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_set_key_id@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_bag_set_privkey@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_deinit@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_export2@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_export@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_generate_mac2@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_generate_mac@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_get_bag@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_import@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_init@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_mac_info@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_set_bag@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_simple_parse@GNUTLS_3_4 3.4.0 + gnutls_pkcs12_verify_mac@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_add_attr@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_attrs_deinit@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_deinit@GNUTLS_3_4 3.4.0 + 
gnutls_pkcs7_delete_crl@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_delete_crt@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_export2@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_export@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_get_attr@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_get_crl_count@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_get_crl_raw2@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_get_crl_raw@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_get_crt_count@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_get_crt_raw2@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_get_crt_raw@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_get_embedded_data@GNUTLS_3_4 3.4.8 + gnutls_pkcs7_get_signature_count@GNUTLS_3_4 3.4.3 + gnutls_pkcs7_get_signature_info@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_import@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_init@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_print@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_set_crl@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_set_crl_raw@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_set_crt@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_set_crt_raw@GNUTLS_3_4 3.4.0 + gnutls_pkcs7_sign@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_signature_info_deinit@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_verify@GNUTLS_3_4 3.4.2 + gnutls_pkcs7_verify_direct@GNUTLS_3_4 3.4.2 + gnutls_pkcs8_info@GNUTLS_3_4 3.4.0 + gnutls_pkcs_schema_get_name@GNUTLS_3_4 3.4.0 + gnutls_pkcs_schema_get_oid@GNUTLS_3_4 3.4.0 + gnutls_prf@GNUTLS_3_4 3.4.0 + gnutls_prf_raw@GNUTLS_3_4 3.4.0 + gnutls_prf_rfc5705@GNUTLS_3_4 3.4.4 + gnutls_priority_certificate_type_list@GNUTLS_3_4 3.4.0 + gnutls_priority_cipher_list@GNUTLS_3_4 3.4.0 + gnutls_priority_compression_list@GNUTLS_3_4 3.4.0 + gnutls_priority_deinit@GNUTLS_3_4 3.4.0 + gnutls_priority_ecc_curve_list@GNUTLS_3_4 3.4.0 + gnutls_priority_get_cipher_suite_index@GNUTLS_3_4 3.4.0 + gnutls_priority_init@GNUTLS_3_4 3.4.0 + gnutls_priority_kx_list@GNUTLS_3_4 3.4.0 + gnutls_priority_mac_list@GNUTLS_3_4 3.4.0 + gnutls_priority_protocol_list@GNUTLS_3_4 3.4.0 + gnutls_priority_set@GNUTLS_3_4 3.4.0 + gnutls_priority_set_direct@GNUTLS_3_4 3.4.0 + gnutls_priority_sign_list@GNUTLS_3_4 3.4.0 + gnutls_priority_string_list@GNUTLS_3_4 3.4.0 + 
gnutls_privkey_decrypt_data@GNUTLS_3_4 3.4.0 + gnutls_privkey_deinit@GNUTLS_3_4 3.4.0 + gnutls_privkey_export_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_privkey_export_ecc_raw@GNUTLS_3_4 3.4.0 + gnutls_privkey_export_openpgp@GNUTLS_3_4 3.4.0 + gnutls_privkey_export_pkcs11@GNUTLS_3_4 3.4.0 + gnutls_privkey_export_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_privkey_export_x509@GNUTLS_3_4 3.4.0 + gnutls_privkey_generate@GNUTLS_3_4 3.4.0 + gnutls_privkey_get_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_privkey_get_type@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_ecc_raw@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_ext2@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_ext3@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_ext@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_openpgp@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_openpgp_raw@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_pkcs11@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_tpm_raw@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_tpm_url@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_url@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_x509@GNUTLS_3_4 3.4.0 + gnutls_privkey_import_x509_raw@GNUTLS_3_4 3.4.0 + gnutls_privkey_init@GNUTLS_3_4 3.4.0 + gnutls_privkey_set_pin_function@GNUTLS_3_4 3.4.0 + gnutls_privkey_sign_data@GNUTLS_3_4 3.4.0 + gnutls_privkey_sign_hash@GNUTLS_3_4 3.4.0 + gnutls_privkey_status@GNUTLS_3_4 3.4.0 + gnutls_privkey_verify_params@GNUTLS_3_4 3.4.0 + gnutls_protocol_get_id@GNUTLS_3_4 3.4.0 + gnutls_protocol_get_name@GNUTLS_3_4 3.4.0 + gnutls_protocol_get_version@GNUTLS_3_4 3.4.0 + gnutls_protocol_list@GNUTLS_3_4 3.4.0 + gnutls_psk_allocate_client_credentials@GNUTLS_3_4 3.4.0 + gnutls_psk_allocate_server_credentials@GNUTLS_3_4 3.4.0 + gnutls_psk_client_get_hint@GNUTLS_3_4 3.4.0 + gnutls_psk_free_client_credentials@GNUTLS_3_4 3.4.0 + gnutls_psk_free_server_credentials@GNUTLS_3_4 3.4.0 + gnutls_psk_server_get_username@GNUTLS_3_4 3.4.0 + gnutls_psk_set_client_credentials@GNUTLS_3_4 3.4.0 
+ gnutls_psk_set_client_credentials_function@GNUTLS_3_4 3.4.0 + gnutls_psk_set_params_function@GNUTLS_3_4 3.4.0 + gnutls_psk_set_server_credentials_file@GNUTLS_3_4 3.4.0 + gnutls_psk_set_server_credentials_function@GNUTLS_3_4 3.4.0 + gnutls_psk_set_server_credentials_hint@GNUTLS_3_4 3.4.0 + gnutls_psk_set_server_dh_params@GNUTLS_3_4 3.4.0 + gnutls_psk_set_server_params_function@GNUTLS_3_4 3.4.0 + gnutls_pubkey_deinit@GNUTLS_3_4 3.4.0 + gnutls_pubkey_encrypt_data@GNUTLS_3_4 3.4.0 + gnutls_pubkey_export2@GNUTLS_3_4 3.4.0 + gnutls_pubkey_export@GNUTLS_3_4 3.4.0 + gnutls_pubkey_export_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_pubkey_export_ecc_raw@GNUTLS_3_4 3.4.0 + gnutls_pubkey_export_ecc_x962@GNUTLS_3_4 3.4.0 + gnutls_pubkey_export_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_pubkey_get_key_id@GNUTLS_3_4 3.4.0 + gnutls_pubkey_get_key_usage@GNUTLS_3_4 3.4.0 + gnutls_pubkey_get_openpgp_key_id@GNUTLS_3_4 3.4.0 + gnutls_pubkey_get_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_pubkey_get_preferred_hash_algorithm@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_ecc_raw@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_ecc_x962@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_openpgp@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_openpgp_raw@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_pkcs11@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_privkey@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_tpm_raw@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_tpm_url@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_url@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_x509@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_x509_crq@GNUTLS_3_4 3.4.0 + gnutls_pubkey_import_x509_raw@GNUTLS_3_4 3.4.0 + gnutls_pubkey_init@GNUTLS_3_4 3.4.0 + gnutls_pubkey_print@GNUTLS_3_4 3.4.0 + gnutls_pubkey_set_key_usage@GNUTLS_3_4 3.4.0 + gnutls_pubkey_set_pin_function@GNUTLS_3_4 3.4.0 + gnutls_pubkey_verify_data2@GNUTLS_3_4 3.4.0 + gnutls_pubkey_verify_hash2@GNUTLS_3_4 3.4.0 + 
gnutls_pubkey_verify_params@GNUTLS_3_4 3.4.0 + gnutls_random_art@GNUTLS_3_4 3.4.0 + gnutls_range_split@GNUTLS_3_4 3.4.0 + gnutls_realloc@GNUTLS_3_4 3.4.0 + gnutls_record_can_use_length_hiding@GNUTLS_3_4 3.4.0 + gnutls_record_check_corked@GNUTLS_3_4 3.4.0 + gnutls_record_check_pending@GNUTLS_3_4 3.4.0 + gnutls_record_cork@GNUTLS_3_4 3.4.0 + gnutls_record_disable_padding@GNUTLS_3_4 3.4.0 + gnutls_record_discard_queued@GNUTLS_3_4 3.4.0 + gnutls_record_get_direction@GNUTLS_3_4 3.4.0 + gnutls_record_get_discarded@GNUTLS_3_4 3.4.0 + gnutls_record_get_max_size@GNUTLS_3_4 3.4.0 + gnutls_record_get_state@GNUTLS_3_4 3.4.0 + gnutls_record_overhead_size@GNUTLS_3_4 3.4.0 + gnutls_record_recv@GNUTLS_3_4 3.4.0 + gnutls_record_recv_packet@GNUTLS_3_4 3.4.0 + gnutls_record_recv_seq@GNUTLS_3_4 3.4.0 + gnutls_record_send@GNUTLS_3_4 3.4.0 + gnutls_record_send_range@GNUTLS_3_4 3.4.0 + gnutls_record_set_max_size@GNUTLS_3_4 3.4.0 + gnutls_record_set_state@GNUTLS_3_4 3.4.0 + gnutls_record_set_timeout@GNUTLS_3_4 3.4.0 + gnutls_record_uncork@GNUTLS_3_4 3.4.0 + gnutls_register_custom_url@GNUTLS_3_4 3.4.0 + gnutls_rehandshake@GNUTLS_3_4 3.4.0 + gnutls_rnd@GNUTLS_3_4 3.4.0 + gnutls_rnd_refresh@GNUTLS_3_4 3.4.0 + gnutls_safe_renegotiation_status@GNUTLS_3_4 3.4.0 + gnutls_sec_param_get_name@GNUTLS_3_4 3.4.0 + gnutls_sec_param_to_pk_bits@GNUTLS_3_4 3.4.0 + gnutls_sec_param_to_symmetric_bits@GNUTLS_3_4 3.4.0 + gnutls_secure_malloc@GNUTLS_3_4 3.4.0 + gnutls_server_name_get@GNUTLS_3_4 3.4.0 + gnutls_server_name_set@GNUTLS_3_4 3.4.0 + gnutls_session_channel_binding@GNUTLS_3_4 3.4.0 + gnutls_session_enable_compatibility_mode@GNUTLS_3_4 3.4.0 + gnutls_session_etm_status@GNUTLS_3_4 3.4.0 + gnutls_session_ext_master_secret_status@GNUTLS_3_4 3.4.0 + gnutls_session_force_valid@GNUTLS_3_4 3.4.0 + gnutls_session_get_data2@GNUTLS_3_4 3.4.0 + gnutls_session_get_data@GNUTLS_3_4 3.4.0 + gnutls_session_get_desc@GNUTLS_3_4 3.4.0 + gnutls_session_get_id2@GNUTLS_3_4 3.4.0 + gnutls_session_get_id@GNUTLS_3_4 3.4.0 + 
gnutls_session_get_ptr@GNUTLS_3_4 3.4.0 + gnutls_session_get_random@GNUTLS_3_4 3.4.0 + gnutls_session_get_verify_cert_status@GNUTLS_3_4 3.4.6 + gnutls_session_is_resumed@GNUTLS_3_4 3.4.0 + gnutls_session_resumption_requested@GNUTLS_3_4 3.4.0 + gnutls_session_set_data@GNUTLS_3_4 3.4.0 + gnutls_session_set_id@GNUTLS_3_4 3.4.0 + gnutls_session_set_premaster@GNUTLS_3_4 3.4.0 + gnutls_session_set_ptr@GNUTLS_3_4 3.4.0 + gnutls_session_set_verify_cert2@GNUTLS_3_4 3.4.6 + gnutls_session_set_verify_cert@GNUTLS_3_4 3.4.6 + gnutls_session_set_verify_function@GNUTLS_3_4 3.4.6 + gnutls_session_ticket_enable_client@GNUTLS_3_4 3.4.0 + gnutls_session_ticket_enable_server@GNUTLS_3_4 3.4.0 + gnutls_session_ticket_key_generate@GNUTLS_3_4 3.4.0 + gnutls_set_default_priority@GNUTLS_3_4 3.4.0 + gnutls_sign_algorithm_get@GNUTLS_3_4 3.4.0 + gnutls_sign_algorithm_get_client@GNUTLS_3_4 3.4.0 + gnutls_sign_algorithm_get_requested@GNUTLS_3_4 3.4.0 + gnutls_sign_get_hash_algorithm@GNUTLS_3_4 3.4.0 + gnutls_sign_get_id@GNUTLS_3_4 3.4.0 + gnutls_sign_get_name@GNUTLS_3_4 3.4.0 + gnutls_sign_get_oid@GNUTLS_3_4 3.4.3 + gnutls_sign_get_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_sign_is_secure2@GNUTLS_3_4 3.4.10-4ubuntu1.6 + gnutls_sign_is_secure@GNUTLS_3_4 3.4.0 + gnutls_sign_list@GNUTLS_3_4 3.4.0 + gnutls_srp_1024_group_generator@GNUTLS_3_4 3.4.0 + gnutls_srp_1024_group_prime@GNUTLS_3_4 3.4.0 + gnutls_srp_1536_group_generator@GNUTLS_3_4 3.4.0 + gnutls_srp_1536_group_prime@GNUTLS_3_4 3.4.0 + gnutls_srp_2048_group_generator@GNUTLS_3_4 3.4.0 + gnutls_srp_2048_group_prime@GNUTLS_3_4 3.4.0 + gnutls_srp_3072_group_generator@GNUTLS_3_4 3.4.0 + gnutls_srp_3072_group_prime@GNUTLS_3_4 3.4.0 + gnutls_srp_4096_group_generator@GNUTLS_3_4 3.4.0 + gnutls_srp_4096_group_prime@GNUTLS_3_4 3.4.0 + gnutls_srp_allocate_client_credentials@GNUTLS_3_4 3.4.0 + gnutls_srp_allocate_server_credentials@GNUTLS_3_4 3.4.0 + gnutls_srp_base64_decode2@GNUTLS_3_4 3.4.0 + gnutls_srp_base64_decode@GNUTLS_3_4 3.4.0 + 
gnutls_srp_base64_encode2@GNUTLS_3_4 3.4.0 + gnutls_srp_base64_encode@GNUTLS_3_4 3.4.0 + gnutls_srp_free_client_credentials@GNUTLS_3_4 3.4.0 + gnutls_srp_free_server_credentials@GNUTLS_3_4 3.4.0 + gnutls_srp_server_get_username@GNUTLS_3_4 3.4.0 + gnutls_srp_set_client_credentials@GNUTLS_3_4 3.4.0 + gnutls_srp_set_client_credentials_function@GNUTLS_3_4 3.4.0 + gnutls_srp_set_prime_bits@GNUTLS_3_4 3.4.0 + gnutls_srp_set_server_credentials_file@GNUTLS_3_4 3.4.0 + gnutls_srp_set_server_credentials_function@GNUTLS_3_4 3.4.0 + gnutls_srp_set_server_fake_salt_seed@GNUTLS_3_4 3.4.0 + gnutls_srp_verifier@GNUTLS_3_4 3.4.0 + gnutls_srtp_get_keys@GNUTLS_3_4 3.4.0 + gnutls_srtp_get_mki@GNUTLS_3_4 3.4.0 + gnutls_srtp_get_profile_id@GNUTLS_3_4 3.4.0 + gnutls_srtp_get_profile_name@GNUTLS_3_4 3.4.0 + gnutls_srtp_get_selected_profile@GNUTLS_3_4 3.4.0 + gnutls_srtp_set_mki@GNUTLS_3_4 3.4.0 + gnutls_srtp_set_profile@GNUTLS_3_4 3.4.0 + gnutls_srtp_set_profile_direct@GNUTLS_3_4 3.4.0 + gnutls_store_commitment@GNUTLS_3_4 3.4.0 + gnutls_store_pubkey@GNUTLS_3_4 3.4.0 + gnutls_strdup@GNUTLS_3_4 3.4.0 + gnutls_strerror@GNUTLS_3_4 3.4.0 + gnutls_strerror_name@GNUTLS_3_4 3.4.0 + gnutls_subject_alt_names_deinit@GNUTLS_3_4 3.4.0 + gnutls_subject_alt_names_get@GNUTLS_3_4 3.4.0 + gnutls_subject_alt_names_init@GNUTLS_3_4 3.4.0 + gnutls_subject_alt_names_set@GNUTLS_3_4 3.4.0 + gnutls_supplemental_get_name@GNUTLS_3_4 3.4.0 + gnutls_supplemental_recv@GNUTLS_3_4 3.4.0 + gnutls_supplemental_register@GNUTLS_3_4 3.4.0 + gnutls_supplemental_send@GNUTLS_3_4 3.4.0 + gnutls_system_key_add_x509@GNUTLS_3_4 3.4.0 + gnutls_system_key_delete@GNUTLS_3_4 3.4.0 + gnutls_system_key_iter_deinit@GNUTLS_3_4 3.4.0 + gnutls_system_key_iter_get_info@GNUTLS_3_4 3.4.0 + gnutls_system_recv_timeout@GNUTLS_3_4 3.4.0 + gnutls_tdb_deinit@GNUTLS_3_4 3.4.0 + gnutls_tdb_init@GNUTLS_3_4 3.4.0 + gnutls_tdb_set_store_commitment_func@GNUTLS_3_4 3.4.0 + gnutls_tdb_set_store_func@GNUTLS_3_4 3.4.0 + gnutls_tdb_set_verify_func@GNUTLS_3_4 
3.4.0 + gnutls_tpm_get_registered@GNUTLS_3_4 3.4.0 + gnutls_tpm_key_list_deinit@GNUTLS_3_4 3.4.0 + gnutls_tpm_key_list_get_url@GNUTLS_3_4 3.4.0 + gnutls_tpm_privkey_delete@GNUTLS_3_4 3.4.0 + gnutls_tpm_privkey_generate@GNUTLS_3_4 3.4.0 + gnutls_transport_get_int2@GNUTLS_3_4 3.4.0 + gnutls_transport_get_int@GNUTLS_3_4 3.4.0 + gnutls_transport_get_ptr2@GNUTLS_3_4 3.4.0 + gnutls_transport_get_ptr@GNUTLS_3_4 3.4.0 + gnutls_transport_set_errno@GNUTLS_3_4 3.4.0 + gnutls_transport_set_errno_function@GNUTLS_3_4 3.4.0 + gnutls_transport_set_int2@GNUTLS_3_4 3.4.0 + gnutls_transport_set_ptr2@GNUTLS_3_4 3.4.0 + gnutls_transport_set_ptr@GNUTLS_3_4 3.4.0 + gnutls_transport_set_pull_function@GNUTLS_3_4 3.4.0 + gnutls_transport_set_pull_timeout_function@GNUTLS_3_4 3.4.0 + gnutls_transport_set_push_function@GNUTLS_3_4 3.4.0 + gnutls_transport_set_vec_push_function@GNUTLS_3_4 3.4.0 + gnutls_url_is_supported@GNUTLS_3_4 3.4.0 + gnutls_verify_stored_pubkey@GNUTLS_3_4 3.4.0 + gnutls_x509_aia_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_aia_get@GNUTLS_3_4 3.4.0 + gnutls_x509_aia_init@GNUTLS_3_4 3.4.0 + gnutls_x509_aia_set@GNUTLS_3_4 3.4.0 + gnutls_x509_aki_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_aki_get_cert_issuer@GNUTLS_3_4 3.4.0 + gnutls_x509_aki_get_id@GNUTLS_3_4 3.4.0 + gnutls_x509_aki_init@GNUTLS_3_4 3.4.0 + gnutls_x509_aki_set_cert_issuer@GNUTLS_3_4 3.4.0 + gnutls_x509_aki_set_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_check_issuer@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_dist_points_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_dist_points_get@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_dist_points_init@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_dist_points_set@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_export2@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_export@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_authority_key_gn_serial@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_authority_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_crt_count@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_crt_serial@GNUTLS_3_4 3.4.0 + 
gnutls_x509_crl_get_dn_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_extension_data2@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_extension_data@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_extension_info@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_extension_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_issuer_dn2@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_issuer_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_issuer_dn_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_next_update@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_number@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_raw_issuer_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_signature@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_signature_algorithm@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_this_update@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_get_version@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_import@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_init@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_iter_crt_serial@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_iter_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_list_import2@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_list_import@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_print@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_privkey_sign@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_set_authority_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_set_crt@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_set_crt_serial@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_set_next_update@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_set_number@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_set_this_update@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_set_version@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_sign2@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_sign@GNUTLS_3_4 3.4.0 + gnutls_x509_crl_verify@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_export2@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_export@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_attribute_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_attribute_data@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_attribute_info@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_basic_constraints@GNUTLS_3_4 3.4.0 + 
gnutls_x509_crq_get_challenge_password@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_dn2@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_dn_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_dn_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_extension_by_oid2@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_extension_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_extension_data2@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_extension_data@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_extension_info@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_key_purpose_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_key_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_key_usage@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_private_key_usage_period@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_signature_algorithm@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_subject_alt_name@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_subject_alt_othername_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_get_version@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_import@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_init@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_print@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_privkey_sign@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_attribute_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_basic_constraints@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_challenge_password@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_dn_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_key@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_key_purpose_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_key_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_key_usage@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_private_key_usage_period@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_pubkey@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_subject_alt_name@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_set_version@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_sign2@GNUTLS_3_4 3.4.0 + gnutls_x509_crq_sign@GNUTLS_3_4 3.4.0 + 
gnutls_x509_crq_verify@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_check_email@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_check_hostname2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_check_hostname@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_check_issuer@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_check_revocation@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_cpy_crl_dist_points@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_export2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_export@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_activation_time@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_authority_info_access@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_authority_key_gn_serial@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_authority_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_basic_constraints@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_ca_status@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_crl_dist_points@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_dn2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_dn_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_dn_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_expiration_time@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_extension_by_oid2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_extension_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_extension_data2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_extension_data@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_extension_info@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_extension_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_fingerprint@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_issuer@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_issuer_alt_name2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_issuer_alt_name@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_issuer_alt_othername_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_issuer_dn2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_issuer_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_issuer_dn_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_issuer_dn_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_issuer_unique_id@GNUTLS_3_4 3.4.0 + 
gnutls_x509_crt_get_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_key_purpose_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_key_usage@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_name_constraints@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_pk_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_pk_ecc_raw@GNUTLS_3_4 3.4.1 + gnutls_x509_crt_get_pk_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_policy@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_preferred_hash_algorithm@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_private_key_usage_period@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_proxy@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_raw_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_raw_issuer_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_serial@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_signature@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_signature_algorithm@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_subject@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_subject_alt_name2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_subject_alt_name@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_subject_alt_othername_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_subject_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_subject_unique_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_get_version@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_import@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_import_pkcs11@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_import_url@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_init@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_list_import2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_list_import@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_list_import_pkcs11@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_list_verify@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_print@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_privkey_sign@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_activation_time@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_authority_info_access@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_authority_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_basic_constraints@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_ca_status@GNUTLS_3_4 
3.4.0 + gnutls_x509_crt_set_crl_dist_points2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_crl_dist_points@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_crq@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_crq_extensions@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_dn_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_expiration_time@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_extension_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_issuer_alt_name@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_issuer_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_issuer_dn_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_issuer_unique_id@GNUTLS_3_4 3.4.7 + gnutls_x509_crt_set_key@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_key_purpose_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_key_usage@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_name_constraints@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_pin_function@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_policy@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_private_key_usage_period@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_proxy@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_proxy_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_pubkey@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_serial@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_subject_alt_name@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_subject_alternative_name@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_subject_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_set_subject_unique_id@GNUTLS_3_4 3.4.7 + gnutls_x509_crt_set_version@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_sign2@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_sign@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_verify@GNUTLS_3_4 3.4.0 + gnutls_x509_crt_verify_data2@GNUTLS_3_4 3.4.2 + gnutls_x509_dn_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_dn_export2@GNUTLS_3_4 3.4.0 + gnutls_x509_dn_export@GNUTLS_3_4 3.4.0 + gnutls_x509_dn_get_rdn_ava@GNUTLS_3_4 3.4.0 + gnutls_x509_dn_get_str@GNUTLS_3_4 3.4.2 + gnutls_x509_dn_import@GNUTLS_3_4 3.4.0 + gnutls_x509_dn_init@GNUTLS_3_4 3.4.0 + gnutls_x509_dn_oid_known@GNUTLS_3_4 3.4.0 + 
gnutls_x509_dn_oid_name@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_aia@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_authority_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_basic_constraints@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_crl_dist_points@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_key_purposes@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_key_usage@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_name_constraints@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_policies@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_private_key_usage_period@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_proxy@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_subject_alt_names@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_export_subject_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_aia@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_authority_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_basic_constraints@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_crl_dist_points@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_key_purposes@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_key_usage@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_name_constraints@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_policies@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_private_key_usage_period@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_proxy@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_subject_alt_names@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_import_subject_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_ext_print@GNUTLS_3_4 3.4.0 + gnutls_x509_key_purpose_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_key_purpose_get@GNUTLS_3_4 3.4.0 + gnutls_x509_key_purpose_init@GNUTLS_3_4 3.4.0 + gnutls_x509_key_purpose_set@GNUTLS_3_4 3.4.0 + gnutls_x509_name_constraints_add_excluded@GNUTLS_3_4 3.4.0 + gnutls_x509_name_constraints_add_permitted@GNUTLS_3_4 3.4.0 + gnutls_x509_name_constraints_check@GNUTLS_3_4 3.4.0 + gnutls_x509_name_constraints_check_crt@GNUTLS_3_4 3.4.0 + gnutls_x509_name_constraints_deinit@GNUTLS_3_4 3.4.0 + 
gnutls_x509_name_constraints_get_excluded@GNUTLS_3_4 3.4.0 + gnutls_x509_name_constraints_get_permitted@GNUTLS_3_4 3.4.0 + gnutls_x509_name_constraints_init@GNUTLS_3_4 3.4.0 + gnutls_x509_othername_to_virtual@GNUTLS_3_4 3.4.0 + gnutls_x509_policies_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_policies_get@GNUTLS_3_4 3.4.0 + gnutls_x509_policies_init@GNUTLS_3_4 3.4.0 + gnutls_x509_policies_set@GNUTLS_3_4 3.4.0 + gnutls_x509_policy_release@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_cpy@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_export2@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_export2_pkcs8@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_export@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_export_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_export_ecc_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_export_pkcs8@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_export_rsa_raw2@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_export_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_fix@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_generate@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_get_key_id@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_get_pk_algorithm2@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_get_pk_algorithm@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_import2@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_import@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_import_dsa_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_import_ecc_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_import_openssl@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_import_pkcs8@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_import_rsa_raw2@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_import_rsa_raw@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_init@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_sec_param@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_set_pin_function@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_sign_data@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_sign_hash@GNUTLS_3_4 3.4.0 + gnutls_x509_privkey_verify_params@GNUTLS_3_4 3.4.0 + gnutls_x509_rdn_get@GNUTLS_3_4 3.4.0 + 
gnutls_x509_rdn_get_by_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_rdn_get_oid@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_add_cas@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_add_crls@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_add_named_crt@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_add_system_trust@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_add_trust_dir@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_add_trust_file@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_add_trust_mem@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_get_issuer@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_get_issuer_by_dn@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_get_issuer_by_subject_key_id@GNUTLS_3_4 3.4.2 + gnutls_x509_trust_list_init@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_iter_deinit@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_iter_get_ca@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_remove_cas@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_remove_trust_file@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_remove_trust_mem@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_verify_crt2@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_verify_crt@GNUTLS_3_4 3.4.0 + gnutls_x509_trust_list_verify_named_crt@GNUTLS_3_4 3.4.0 diff --git a/debian/libgnutlsxx28.install b/debian/libgnutlsxx28.install new file mode 100644 index 0000000000000000000000000000000000000000..d3af152965aeee8df06a14ae1f23b2f4028de1a6 --- /dev/null +++ b/debian/libgnutlsxx28.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/*/libgnutlsxx.so.* diff --git a/debian/patches/14_version_gettextcat.diff b/debian/patches/14_version_gettextcat.diff new file mode 100644 index 0000000000000000000000000000000000000000..ba4b71cbbdd4118e154be1e707e201d9d7654dcd --- /dev/null +++ b/debian/patches/14_version_gettextcat.diff 
@@ -0,0 +1,17 @@
+Description: Version filename of locale data (gnutls28.mo instead of
+ gnutls.mo) This is necessary to make e.g. libgnutls26 and libgnutls28
+ co-installable.
+Author: Andreas Metzler <ametzler@debian.org>
+Last-Update: 2014-05-24
+
+--- gnutls28-3.3.2.orig/po/Makevars
++++ gnutls28-3.3.2/po/Makevars
+@@ -1,7 +1,7 @@
+ # Makefile variables for PO directory in any package using GNU gettext.
+
+ # Usually the message domain is the same as the package name.
+-DOMAIN = $(PACKAGE)
++DOMAIN = $(PACKAGE)30
+
+ # These two variables depend on the location of this directory.
+ subdir = po
diff --git a/debian/patches/30_guile-snarf.diff b/debian/patches/30_guile-snarf.diff
new file mode 100644
index 0000000000000000000000000000000000000000..f4f09b379f74e0f0a5ddaae09c75baa915f2cc1d
--- /dev/null
+++ b/debian/patches/30_guile-snarf.diff
@@ -0,0 +1,18 @@
+Description: Work around guile-snarf hardcoding the at-build default compiler
+ which breaks when it changes ion Debian.
+Author: Andreas Metzler <ametzler@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/759096
+Last-Update: 2014-08-24
+
+--- gnutls28-3.3.6.orig/guile/src/Makefile.am
++++ gnutls28-3.3.6/guile/src/Makefile.am
+@@ -15,6 +15,8 @@
+ # License along with GnuTLS; if not, write to the Free Software
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
++export CPP := @CPP@
++
+ GUILE_FOR_BUILD = \
+ GUILE_AUTO_COMPILE=0 $(GUILE) -L $(top_srcdir)/guile/modules
+
diff --git a/debian/patches/40_src-added-systemkey-args-to-BUILT_SOURCES.patch b/debian/patches/40_src-added-systemkey-args-to-BUILT_SOURCES.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f2d78c7f17031aaf3883f029ec6a5004e081e508
--- /dev/null
+++ b/debian/patches/40_src-added-systemkey-args-to-BUILT_SOURCES.patch
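Review bot: The DEP-3 Description still says the locale file becomes gnutls28.mo, but the change sets `DOMAIN = $(PACKAGE)30`, which (assuming PACKAGE expands to gnutls) yields gnutls30.mo. The header should track the actual domain, e.g. `Description: Version filename of locale data (gnutls30.mo instead of gnutls.mo)`, so the next soname bump is not misled about what the patch does.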
@@ -0,0 +1,25 @@
+From 107e1df19715ffd4701bfcd3325c5cc80e5174b0 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Thu, 18 Feb 2016 09:17:17 +0100
+Subject: [PATCH] src: added systemkey-args to BUILT_SOURCES
+
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 1901a76..fda8b9e 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -25,7 +25,7 @@ BUILT_SOURCES = srptool-args.c srptool-args.h \
+ serv-args.c serv-args.h cli-args.c cli-args.h \
+ cli-debug-args.c cli-debug-args.h certtool-args.c certtool-args.h \
+ danetool-args.c danetool-args.h p11tool-args.c p11tool-args.h \
+- tpmtool-args.c tpmtool-args.h
++ tpmtool-args.c tpmtool-args.h systemkey-args.c systemkey-args.h
+
+ if ENABLE_CRYWRAP
+ SUBDIRS += crywrap
+--
+2.7.0
+
diff --git a/debian/patches/41_tests-mini-loss-time-ensure-client-timeouts.diff b/debian/patches/41_tests-mini-loss-time-ensure-client-timeouts.diff
new file mode 100644
index 0000000000000000000000000000000000000000..951dc59c92c6bca9028a546653977fa89bf0128b
--- /dev/null
+++ b/debian/patches/41_tests-mini-loss-time-ensure-client-timeouts.diff
@@ -0,0 +1,37 @@
+From e6dcb14dbbd3e9e40a1f193a7bf6657e82b88cb9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 15 Feb 2016 09:52:10 +0100
+Subject: [PATCH] tests: mini-loss-time: ensure client timeouts after the
+ server is
+
+This addresses issue with the server detecting the client disconnection
+prior to its timeout. Reported by Steven Chamberlain, Andreas Metzler.
+---
+ tests/mini-loss-time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/mini-loss-time.c b/tests/mini-loss-time.c
+index 13de21e..b95f631 100644
+--- a/tests/mini-loss-time.c
++++ b/tests/mini-loss-time.c
+@@ -50,7 +50,7 @@ int main()
+ #include "utils.h"
+
+ /* This program tests whether a DTLS handshake would timeout
+- * in a minute.
++ * in the expected time.
+ */
+
+ static void print_type(const unsigned char *buf, int size)
+@@ -136,7 +136,7 @@ static void client(int fd)
+ */
+ gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
+ gnutls_dtls_set_mtu(session, 1500);
+- gnutls_dtls_set_timeouts(session, 1 * 1000, 30 * 1000);
++ gnutls_dtls_set_timeouts(session, 1 * 1000, 31 * 1000);
+
+ /* Use default priorities */
+ gnutls_priority_set_direct(session,
+--
+2.7.0
+
diff --git a/debian/patches/42_mini-loss-time-improved-timeout-detection.patch b/debian/patches/42_mini-loss-time-improved-timeout-detection.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7cf144c0d8e55a27a1c26aa99f36534b4c688249
--- /dev/null
+++ b/debian/patches/42_mini-loss-time-improved-timeout-detection.patch
@@ -0,0 +1,74 @@ +From bbfde250fbbac0ce65569f9be1d2bc88925dcd4e Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Mon, 7 Mar 2016 09:30:44 +0100 +Subject: [PATCH] tests: mini-loss-time: improved timeout detection + +--- + tests/mini-loss-time.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/tests/mini-loss-time.c b/tests/mini-loss-time.c +index b95f631..33a5eec 100644 +--- a/tests/mini-loss-time.c ++++ b/tests/mini-loss-time.c +@@ -116,7 +116,7 @@ push(gnutls_transport_ptr_t tr, const void *data, size_t len) + return send(fd, data, len, 0); + } + +-static void client(int fd) ++static void client(int fd, unsigned timeout) + { + int ret; + gnutls_anon_client_credentials_t anoncred; +@@ -136,7 +136,7 @@ static void client(int fd) + */ + gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM); + gnutls_dtls_set_mtu(session, 1500); +- gnutls_dtls_set_timeouts(session, 1 * 1000, 31 * 1000); ++ gnutls_dtls_set_timeouts(session, 1 * 1000, timeout * 1000); + + /* Use default priorities */ + gnutls_priority_set_direct(session, +@@ -178,7 +178,7 @@ static void client(int fd) + /* These are global */ + pid_t child; + +-static void server(int fd, int packet) ++static void server(int fd, int packet, unsigned timeout) + { + gnutls_anon_server_credentials_t anoncred; + gnutls_session_t session; +@@ -196,7 +196,7 @@ static void server(int fd, int packet) + + gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM); + gnutls_dtls_set_mtu(session, 1500); +- gnutls_dtls_set_timeouts(session, 1 * 1000, 30 * 1000); ++ gnutls_dtls_set_timeouts(session, 1 * 1000, timeout * 1000); + + /* avoid calling all the priority functions, since the defaults + * are adequate. 
+@@ -265,17 +265,17 @@ static void start(int server_packet, int wait_server) + /* parent */ + close(fd[0]); + if (wait_server) +- server(fd[1], server_packet); ++ server(fd[1], server_packet, 30); + else +- client(fd[1]); ++ client(fd[1], 30); + close(fd[1]); + kill(child, SIGTERM); + } else { + close(fd[1]); + if (wait_server) +- client(fd[0]); ++ client(fd[0], 32); + else +- server(fd[0], server_packet); ++ server(fd[0], server_packet, 32); + close(fd[0]); + exit(0); + } +-- +2.7.0 + diff --git a/debian/patches/43_fix_cpucapoverride.diff b/debian/patches/43_fix_cpucapoverride.diff new file mode 100644 index 0000000000000000000000000000000000000000..b666a2955bbb01599d922c19ef416f58edddb2d6 --- /dev/null +++ b/debian/patches/43_fix_cpucapoverride.diff 
@@ -0,0 +1,123 @@ +From: Nikos Mavrogiannopoulos <nmav@gnutls.org> +To: GnuTLS development list <gnutls-devel@lists.gnutls.org> +Subject: Re: [gnutls-devel] gnutls 3.4.10 testsuite error on amd64 (SSSE3 + cipher tests failed) +Message-ID: <CAJU7zaL-5uaGwASBaqQEPnB34-k83HbALofNfNqEQwdYjmmEPw@mail.gmail.com> + + On Wed, Mar 16, 2016 at 5:44 PM, Andreas Metzler <ametzler@bebt.de> wrote: + > On 2016-03-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote: + [...] + >> Thanks. It seems that the CPU has no SSSE3 and the test overrides the + >> cpuid to force SSSE3 usage. I'm wondering whether it is better to + >> change the test to detect cpu capabilities via /proc/cpuinfo, or + >> remove the ability to override a CPU flag if the CPU doesn't support + >> it. + + > I thought that GNUTLS_CPUID_OVERRIDE was not supposed to enable + > unavailable features: "Note that CPU detection cannot be overriden, + > i.e., VIA options cannot be enabled on an Intel CPU." + + Correct, and the statement is in a way precise :) Only VIA options + cannot be enabled on an Intel CPU. Let's fix that then. Does the + attached patch solves the issue in the system without ssse3? 
+ + +diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c +index 18e3710..5cc8c00 100644 +--- a/lib/accelerated/x86/x86-common.c ++++ b/lib/accelerated/x86/x86-common.c +@@ -76,18 +76,40 @@ unsigned int _gnutls_x86_cpuid_s[3]; + + static void capabilities_to_intel_cpuid(unsigned capabilities) + { ++ unsigned a,b,c,t; ++ + memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s)); ++ + if (capabilities & EMPTY_SET) { + return; + } ++ ++ gnutls_cpuid(1, &t, &a, &b, &c); ++ + if (capabilities & INTEL_AES_NI) { +- _gnutls_x86_cpuid_s[1] |= bit_AES; ++ if (b & bit_AES) { ++ _gnutls_x86_cpuid_s[1] |= bit_AES; ++ } else { ++ _gnutls_debug_log ++ ("AESNI acceleration requested but not available\n"); ++ } + } ++ + if (capabilities & INTEL_SSSE3) { +- _gnutls_x86_cpuid_s[1] |= bit_SSSE3; ++ if (b & bit_SSSE3) { ++ _gnutls_x86_cpuid_s[1] |= bit_SSSE3; ++ } else { ++ _gnutls_debug_log ++ ("SSSE3 acceleration requested but not available\n"); ++ } + } +- if (capabilities & INTEL_PCLMUL) { /* ecx */ +- _gnutls_x86_cpuid_s[1] |= bit_PCLMUL; ++ if (capabilities & INTEL_PCLMUL) { ++ if (b & bit_PCLMUL) { /* ecx */ ++ _gnutls_x86_cpuid_s[1] |= bit_PCLMUL; ++ } else { ++ _gnutls_debug_log ++ ("PCLMUL acceleration requested but not available\n"); ++ } + } + } + +@@ -111,19 +133,43 @@ static unsigned check_pclmul(void) + #ifdef ENABLE_PADLOCK + static unsigned capabilities_to_via_edx(unsigned capabilities) + { ++ unsigned a,b,c,t; ++ + memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s)); ++ + if (capabilities & EMPTY_SET) { + return 0; + } +- if (capabilities & VIA_PADLOCK) { /* edx */ +- _gnutls_x86_cpuid_s[2] |= via_bit_PADLOCK; ++ ++ gnutls_cpuid(1, &t, &a, &b, &c); ++ ++ if (capabilities & VIA_PADLOCK) { ++ if (c & via_bit_PADLOCK) { ++ _gnutls_x86_cpuid_s[2] |= via_bit_PADLOCK; ++ } else { ++ _gnutls_debug_log ++ ("Padlock acceleration requested but not available\n"); ++ } + } +- if (capabilities & VIA_PADLOCK_PHE) { /* edx */ +- 
_gnutls_x86_cpuid_s[2] |= via_bit_PADLOCK_PHE; ++ ++ if (capabilities & VIA_PADLOCK_PHE) { ++ if (c & via_bit_PADLOCK_PHE) { /* edx */ ++ _gnutls_x86_cpuid_s[2] |= via_bit_PADLOCK_PHE; ++ } else { ++ _gnutls_debug_log ++ ("Padlock-PHE acceleration requested but not available\n"); ++ } + } +- if (capabilities & VIA_PADLOCK_PHE_SHA512) { /* edx */ +- _gnutls_x86_cpuid_s[2] |= via_bit_PADLOCK_PHE_SHA512; ++ ++ if (capabilities & VIA_PADLOCK_PHE_SHA512) { ++ if (c & via_bit_PADLOCK_PHE_SHA512) { ++ _gnutls_x86_cpuid_s[2] |= via_bit_PADLOCK_PHE_SHA512; ++ } else { ++ _gnutls_debug_log ++ ("Padlock-PHE-SHA512 acceleration requested but not available\n"); ++ } + } ++ + return _gnutls_x86_cpuid_s[2]; + } + diff --git a/debian/patches/CVE-2016-7444.patch b/debian/patches/CVE-2016-7444.patch new file mode 100644 index 0000000000000000000000000000000000000000..cdfb369cc5140b3f607e71bb0a6b64ba892f6ab7 --- /dev/null +++ b/debian/patches/CVE-2016-7444.patch @@ -0,0 +1,25 @@ +From c089e019ef83a77b2fdca24d0875ef25f6b38f1a Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@gnutls.org> +Date: Sat, 27 Aug 2016 17:03:09 +0200 +Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP response + +Previously the OCSP certificate check wouldn't verify the serial length +and could succeed in cases it shouldn't. + +Reported by Stefan Buehler. +--- + lib/x509/ocsp.c | 1 + + 1 file changed, 1 insertion(+), 0 deletions(-) + +Index: gnutls28-3.4.10/lib/x509/ocsp.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/x509/ocsp.c 2017-01-26 10:10:24.872428703 -0500 ++++ gnutls28-3.4.10/lib/x509/ocsp.c 2017-01-26 10:10:24.868428646 -0500 +@@ -1318,6 +1318,7 @@ + gnutls_assert(); + goto cleanup; + } ++ cserial.size = t; + + if (rserial.size != cserial.size + || memcmp(cserial.data, rserial.data, rserial.size) != 0) { 
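Review bot: In capabilities_to_intel_cpuid and capabilities_to_via_edx the new locals are declared `unsigned a,b,c,t;` and filled by `gnutls_cpuid(1, &t, &a, &b, &c);`, so if gnutls_cpuid takes its outputs in the usual (eax, ebx, ecx, edx) order then `b` is ECX and `c` is EDX while `a` is EBX — the names do not say which register they hold, and the surviving `/* ecx */` comment now sits on a test of `b`. Naming them after the registers, `unsigned eax, ebx, ecx, edx;` with `gnutls_cpuid(1, &eax, &ebx, &ecx, &edx);` and tests like `if (ecx & bit_AES)` / `if (edx & via_bit_PADLOCK)`, would make each feature-bit check verifiable at a glance; the prototype of gnutls_cpuid is not visible in this hunk, so confirm the order before renaming. Unlike the other vendor patches in this series, this file carries no DEP-3 header (Origin, Bug, Last-Update) above the quoted mailing-list thread, which is worth adding so the provenance of the fix is machine-readable.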
diff --git a/debian/patches/CVE-2016-8610.patch b/debian/patches/CVE-2016-8610.patch
new file mode 100644
index 0000000000000000000000000000000000000000..932da6feb79c9051a51d84a9691d53742b99c639
--- /dev/null
+++ b/debian/patches/CVE-2016-8610.patch
@@ -0,0 +1,70 @@ +From 648bf9b00e1cbf45c6d05fab07e91fad97e6926d Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Fri, 14 Oct 2016 10:22:07 +0200 +Subject: [PATCH] handshake: set a maximum number of warning messages that can be received per handshake + +That is to avoid DoS due to the assymetry of cost of sending an alert vs the cost +of processing. +--- + lib/gnutls_handshake.c | 15 ++++++++++----- + lib/gnutls_int.h | 6 +++--- + lib/gnutls_state.c | 2 +- + 3 files changed, 14 insertions(+), 9 deletions(-) + +Index: gnutls28-3.4.10/lib/gnutls_handshake.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_handshake.c 2017-01-26 10:10:32.256534850 -0500 ++++ gnutls28-3.4.10/lib/gnutls_handshake.c 2017-01-26 10:10:32.248534735 -0500 +@@ -2649,12 +2649,17 @@ + return ret; \ + if (ret == GNUTLS_E_GOT_APPLICATION_DATA && session->internals.initial_negotiation_completed != 0) \ + return ret; \ +- if (ret == GNUTLS_E_LARGE_PACKET && session->internals.handshake_large_loops < 16) { \ +- session->internals.handshake_large_loops++; \ +- return ret; \ ++ if (session->internals.handshake_suspicious_loops < 16) { \ ++ if (ret == GNUTLS_E_LARGE_PACKET) { \ ++ session->internals.handshake_suspicious_loops++; \ ++ return ret; \ ++ } \ ++ /* a warning alert might interrupt handshake */ \ ++ if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) { \ ++ session->internals.handshake_suspicious_loops++; \ ++ return ret; \ ++ } \ + } \ +- /* a warning alert might interrupt handshake */ \ +- if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \ + gnutls_assert(); \ + ERR( str, ret); \ + /* do not allow non-fatal errors at this point */ \ +Index: gnutls28-3.4.10/lib/gnutls_int.h +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_int.h 2017-01-26 10:10:32.256534850 -0500 ++++ gnutls28-3.4.10/lib/gnutls_int.h 2017-01-26 
10:10:32.252534793 -0500 +@@ -953,9 +953,9 @@ + + /* DTLS session state */ + dtls_st dtls; +- /* In case of clients that don't handle GNUTLS_E_LARGE_PACKET, don't +- * force them into an infinite loop */ +- unsigned handshake_large_loops; ++ /* Protect from infinite loops due to GNUTLS_E_LARGE_PACKET non-handling ++ * or due to multiple alerts being received. */ ++ unsigned handshake_suspicious_loops; + /* should be non-zero when a handshake is in progress */ + bool handshake_in_progress; + +Index: gnutls28-3.4.10/lib/gnutls_state.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_state.c 2017-01-26 10:10:32.256534850 -0500 ++++ gnutls28-3.4.10/lib/gnutls_state.c 2017-01-26 10:10:32.252534793 -0500 +@@ -262,7 +262,7 @@ + + session->internals.resumable = RESUME_TRUE; + +- session->internals.handshake_large_loops = 0; ++ session->internals.handshake_suspicious_loops = 0; + session->internals.dtls.hsk_read_seq = 0; + session->internals.dtls.hsk_write_seq = 0; + } diff --git a/debian/patches/CVE-2017-5334.patch b/debian/patches/CVE-2017-5334.patch new file mode 100644 index 0000000000000000000000000000000000000000..c6564a690ff1ee7cf6f1306c7c9533613c205894 --- /dev/null +++ b/debian/patches/CVE-2017-5334.patch 
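Review bot: The bound in the new `if (session->internals.handshake_suspicious_loops < 16)` is a bare literal, and after this change the single counter is consumed by two distinct conditions (GNUTLS_E_LARGE_PACKET and warning alerts), so the 16 is now a combined budget rather than a per-condition one. A named constant next to the field in gnutls_int.h, `#define MAX_HANDSHAKE_SUSPICIOUS_LOOPS 16`, used in the macro and mentioned in the field's comment, would make that shared budget explicit. It is also worth stating in the gnutls_int.h comment that once the budget is exhausted a warning alert now falls through to the ERR() path and fails the handshake, which the patch description says but the code comment does not.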
@@ -0,0 +1,72 @@ +From bbfd47d4bb6935b3eddae227deb9f340e2c1a69d Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Thu, 15 Dec 2016 15:02:18 +0100 +Subject: [PATCH] gnutls_x509_ext_import_proxy: fix issue reading the policy language + +If the language was set but the policy wasn't, that could lead to +a double free, as the value returned to the user was freed. +--- + lib/x509/x509_ext.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +Index: gnutls28-3.4.10/lib/x509/x509_ext.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/x509/x509_ext.c 2017-01-26 10:10:40.316650700 -0500 ++++ gnutls28-3.4.10/lib/x509/x509_ext.c 2017-01-26 10:10:40.312650643 -0500 +@@ -1415,7 +1415,8 @@ + { + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; +- gnutls_datum_t value = { NULL, 0 }; ++ gnutls_datum_t value1 = { NULL, 0 }; ++ gnutls_datum_t value2 = { NULL, 0 }; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ProxyCertInfo", +@@ -1445,20 +1446,18 @@ + } + + result = _gnutls_x509_read_value(c2, "proxyPolicy.policyLanguage", +- &value); ++ &value1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (policyLanguage) { +- *policyLanguage = (char *)value.data; +- } else { +- gnutls_free(value.data); +- value.data = NULL; ++ *policyLanguage = (char *)value1.data; ++ value1.data = NULL; + } + +- result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value); ++ result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value2); + if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) { + if (policy) + *policy = NULL; +@@ -1469,16 +1468,17 @@ + goto cleanup; + } else { + if (policy) { +- *policy = (char *)value.data; +- value.data = NULL; ++ *policy = (char *)value2.data; ++ value2.data = NULL; + } + if (sizeof_policy) +- *sizeof_policy = value.size; ++ *sizeof_policy = value2.size; + } + + result = 0; + cleanup: +- gnutls_free(value.data); ++ 
gnutls_free(value1.data); ++ gnutls_free(value2.data); + asn1_delete_structure(&c2); + + return result; diff --git a/debian/patches/CVE-2017-5335.patch b/debian/patches/CVE-2017-5335.patch new file mode 100644 index 0000000000000000000000000000000000000000..eb96dea048238d558d1e4d9c1c69d4c9c6b9b15c --- /dev/null +++ b/debian/patches/CVE-2017-5335.patch 
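Review bot: After `*policyLanguage = (char *)value1.data; value1.data = NULL;` ownership of the language string has passed to the caller, but the later `goto cleanup` taken when reading proxyPolicy.policy fails with anything other than GNUTLS_E_ASN1_ELEMENT_NOT_FOUND returns an error while `*policyLanguage` still points at that allocation; cleanup frees value1.data, which is now NULL, so unless callers free output pointers on an error return the string leaks. Keeping value1.data owned locally and assigning `*policyLanguage` only just before `result = 0;` preserves an all-or-nothing output contract; the lines between the two hunks are not visible here, so check that no other early exit sits between them. The double free itself is correctly removed by the separate value1/value2 buffers.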
@@ -0,0 +1,127 @@ +From 785af1ab577f899d2e54172ff120f404709bf172 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Wed, 4 Jan 2017 15:22:13 +0100 +Subject: [PATCH] opencdk: added error checking in the stream reading functions + +This addresses an out of memory error. Issue found using oss-fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337 + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++++++++----- + 1 file changed, 35 insertions(+), 5 deletions(-) + +Index: gnutls28-3.4.10/lib/opencdk/read-packet.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/opencdk/read-packet.c 2017-01-26 10:10:49.072776537 -0500 ++++ gnutls28-3.4.10/lib/opencdk/read-packet.c 2017-01-26 10:10:49.072776537 -0500 +@@ -50,13 +50,13 @@ + static u32 read_32(cdk_stream_t s) + { + byte buf[4]; +- size_t nread; ++ size_t nread = 0; + + assert(s != NULL); + + stream_read(s, buf, 4, &nread); + if (nread != 4) +- return (u32) - 1; ++ return (u32) -1; + return buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]; + } + +@@ -65,7 +65,7 @@ + static u16 read_16(cdk_stream_t s) + { + byte buf[2]; +- size_t nread; ++ size_t nread = 0; + + assert(s != NULL); + +@@ -547,7 +547,7 @@ + static cdk_error_t + read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) + { +- byte c, c1; ++ int c, c1; + size_t size, nread, n; + cdk_subpkt_t node; + cdk_error_t rc; +@@ -562,11 +562,18 @@ + *r_nbytes = 0; + c = cdk_stream_getc(inp); + n++; ++ + if (c == 255) { + size = read_32(inp); ++ if (size == (u32)-1) ++ return CDK_Inv_Packet; ++ + n += 4; + } else if (c >= 192 && c < 255) { + c1 = cdk_stream_getc(inp); ++ if (c1 == EOF) ++ return CDK_Inv_Packet; ++ + n++; + if (c1 == 0) + return 0; +@@ -831,17 +838,29 @@ + read_old_length(cdk_stream_t inp, int ctb, size_t * r_len, size_t * r_size) + { + int llen = ctb & 0x03; ++ int c; + + if (llen 
== 0) { +- *r_len = cdk_stream_getc(inp); ++ c = cdk_stream_getc(inp); ++ if (c == EOF) ++ goto fail; ++ ++ *r_len = c; + (*r_size)++; + } else if (llen == 1) { + *r_len = read_16(inp); ++ if (*r_len == (u16)-1) ++ goto fail; + (*r_size) += 2; + } else if (llen == 2) { + *r_len = read_32(inp); ++ if (*r_len == (u32)-1) { ++ goto fail; ++ } ++ + (*r_size) += 4; + } else { ++ fail: + *r_len = 0; + *r_size = 0; + } +@@ -856,15 +875,25 @@ + int c, c1; + + c = cdk_stream_getc(inp); ++ if (c == EOF) ++ return; ++ + (*r_size)++; + if (c < 192) + *r_len = c; + else if (c >= 192 && c <= 223) { + c1 = cdk_stream_getc(inp); ++ if (c1 == EOF) ++ return; ++ + (*r_size)++; + *r_len = ((c - 192) << 8) + c1 + 192; + } else if (c == 255) { + *r_len = read_32(inp); ++ if (*r_len == (u32)-1) { ++ return; ++ } ++ + (*r_size) += 4; + } else { + *r_len = 1 << (c & 0x1f); diff --git a/debian/patches/CVE-2017-5336.patch b/debian/patches/CVE-2017-5336.patch new file mode 100644 index 0000000000000000000000000000000000000000..6e5cbe267953fd6af49822aef29fbe4513e74ed3 --- /dev/null +++ b/debian/patches/CVE-2017-5336.patch 
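Review bot: The new EOF and short-read handling in the two length readers is not consistent: read_old_length routes every failure through `fail:` and sets `*r_len = 0; *r_size = 0;`, whereas the reader at @@ -856 (its signature is outside the hunk, but the bare `return;` shows it is void) simply returns, leaving `*r_len` untouched and `*r_size` partly advanced. Whether callers initialise r_len before the call is not visible here; mirroring the first function with `*r_len = 0; *r_size = 0; return;` on each of the three new early returns removes that dependency. Separately, `(u32)-1` now serves both as the short-read sentinel of read_32 and as a legal 32-bit length, so a packet that genuinely declares 0xFFFFFFFF is rejected as CDK_Inv_Packet — acceptable as a sanity limit, but worth a one-line comment at read_32 such as `/* (u32)-1 doubles as the error value; a real 0xFFFFFFFF length is rejected */`.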
@@ -0,0 +1,42 @@
+From 7dec871f82e205107a81281e3286f0aa9caa93b3 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Wed, 4 Jan 2017 14:56:50 +0100
+Subject: [PATCH] opencdk: cdk_pk_get_keyid: fix stack overflow
+
+Issue found using oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/opencdk/pubkey.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/opencdk/pubkey.c b/lib/opencdk/pubkey.c
+index 6e753bd..da43129 100644
+--- a/lib/opencdk/pubkey.c
++++ b/lib/opencdk/pubkey.c
+@@ -518,6 +518,7 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid)
+ {
+ u32 lowbits = 0;
+ byte buf[24];
++ int rc;
+
+ if (pk && (!pk->keyid[0] || !pk->keyid[1])) {
+ if (pk->version < 4 && is_RSA(pk->pubkey_algo)) {
+@@ -525,7 +526,12 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid)
+ size_t n;
+
+ n = MAX_MPI_BYTES;
+- _gnutls_mpi_print(pk->mpi[0], p, &n);
++ rc = _gnutls_mpi_print(pk->mpi[0], p, &n);
++ if (rc < 0 || n < 8) {
++ keyid[0] = keyid[1] = (u32)-1;
++ return (u32)-1;
++ }
++
+ pk->keyid[0] =
+ p[n - 8] << 24 | p[n - 7] << 16 | p[n -
+ 6] << 8 |
+--
+libgit2 0.24.0
+
diff --git a/debian/patches/CVE-2017-5337.patch b/debian/patches/CVE-2017-5337.patch
new file mode 100644
index 0000000000000000000000000000000000000000..102cb056186d08330b054f336c11f457eb6cdf55
--- /dev/null
+++ b/debian/patches/CVE-2017-5337.patch
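Review bot: The new early exit `keyid[0] = keyid[1] = (u32)-1;` writes through the keyid parameter unconditionally, while the surrounding code guards `pk` with `if (pk && ...)`; if callers are allowed to pass keyid as NULL to obtain only the returned low bits (the remainder of the function is outside this hunk), this branch dereferences NULL where the previous code did not. Guarding it, `if (keyid) keyid[0] = keyid[1] = (u32)-1;`, keeps the fix from introducing a new crash path on a malformed key. The `n < 8` bound is the right one for the `p[n - 8]` access that follows.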
@@ -0,0 +1,95 @@ +Backport of: + +From 6231a4a087f9fdbd5f5f274e80c7a71e3e45b9c8 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Wed, 4 Jan 2017 14:42:03 +0100 +Subject: [PATCH] opencdk: read_attribute: added more precise checks when reading stream + +That addresses heap read overflows found using oss-fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346 + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++----------- + 1 file changed, 29 insertions(+), 11 deletions(-) + +Index: gnutls28-3.4.10/lib/opencdk/read-packet.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/opencdk/read-packet.c 2017-01-26 10:11:21.437289687 -0500 ++++ gnutls28-3.4.10/lib/opencdk/read-packet.c 2017-01-26 10:13:07.566968471 -0500 +@@ -477,44 +477,63 @@ + return CDK_Out_Of_Core; + rc = stream_read(inp, buf, pktlen, &nread); + if (rc) { +- cdk_free(buf); +- return CDK_Inv_Packet; ++ gnutls_assert(); ++ rc = CDK_Inv_Packet; ++ goto error; + } ++ + p = buf; + len = *p++; + pktlen--; ++ + if (len == 255) { ++ if (pktlen < 4) { ++ gnutls_assert(); ++ rc = CDK_Inv_Packet; ++ goto error; ++ } ++ + len = _cdk_buftou32(p); + p += 4; + pktlen -= 4; + } else if (len >= 192) { + if (pktlen < 2) { +- cdk_free(buf); +- return CDK_Inv_Packet; ++ gnutls_assert(); ++ rc = CDK_Inv_Packet; ++ goto error; + } + len = ((len - 192) << 8) + *p + 192; + p++; + pktlen--; + } + +- if (*p != 1) { /* Currently only 1, meaning an image, is defined. */ +- cdk_free(buf); +- return CDK_Inv_Packet; ++ if (!len || *p != 1) { /* Currently only 1, meaning an image, is defined. 
*/ ++ rc = CDK_Inv_Packet; ++ goto error; + } ++ + p++; + len--; + +- if (len >= pktlen) +- return CDK_Inv_Packet; ++ if (len >= pktlen) { ++ rc = CDK_Inv_Packet; ++ goto error; ++ } ++ + attr->attrib_img = cdk_calloc(1, len); + if (!attr->attrib_img) { +- cdk_free(buf); +- return CDK_Out_Of_Core; ++ rc = CDK_Out_Of_Core; ++ goto error; + } ++ + attr->attrib_len = len; + memcpy(attr->attrib_img, p, len); + cdk_free(buf); + return rc; ++ ++ error: ++ cdk_free(buf); ++ return rc; + } + + diff --git a/debian/patches/CVE-2017-7507-1.patch b/debian/patches/CVE-2017-7507-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..ecf61ef952626d2b494228990d174864af47512c --- /dev/null +++ b/debian/patches/CVE-2017-7507-1.patch 
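Review bot: `if (!len || *p != 1)` dereferences `*p` before the remaining length is checked: after `len = *p++; pktlen--;` a one-byte packet (or a five-byte one in the `len == 255` form, after `pktlen -= 4`) leaves pktlen at 0 with p one past the end of the calloc'd buffer, and neither the short form (len < 192) nor the 255 form has a `pktlen >= 1` guard before that read; the `len >= pktlen` test only comes afterwards. Reordering the condition, `if (!len || !pktlen || *p != 1) {`, closes that one-byte over-read. The function's beginning, including any minimum-pktlen check it may already have, is outside this hunk, so confirm there is none before relying on this.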
@@ -0,0 +1,67 @@ +From 4c4d35264fada08b6536425c051fb8e0b05ee86b Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Wed, 24 May 2017 10:46:03 +0200 +Subject: [PATCH] ext/status_request: ensure response IDs are properly deinitialized + +That is, do not attempt to loop through the array if there is no array +allocated. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/ext/status_request.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +Index: gnutls28-3.4.10/lib/ext/status_request.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/ext/status_request.c 2017-06-12 09:31:49.636110502 -0400 ++++ gnutls28-3.4.10/lib/ext/status_request.c 2017-06-12 09:31:49.612110214 -0400 +@@ -68,7 +68,10 @@ typedef struct { + + static void deinit_responder_id(status_request_ext_st *priv) + { +-unsigned i; ++ unsigned i; ++ ++ if (priv->responder_id == NULL) ++ return; + + for (i = 0; i < priv->responder_id_size; i++) + gnutls_free(priv->responder_id[i].data); +@@ -134,6 +137,7 @@ server_recv(gnutls_session_t session, + { + size_t i; + ssize_t data_size = size; ++ unsigned responder_ids = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -152,23 +156,24 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- priv->responder_id_size = _gnutls_read_uint16(data); ++ responder_ids = _gnutls_read_uint16(data); + + DECR_LEN(data_size, 2); + data += 2; + +- if (data_size <= (ssize_t) (priv->responder_id_size * 2)) ++ if (data_size <= (ssize_t) (responder_ids * 2)) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- if (priv->responder_id != NULL) +- deinit_responder_id(priv); ++ deinit_responder_id(priv); + +- priv->responder_id = gnutls_calloc(1, priv->responder_id_size ++ priv->responder_id = gnutls_calloc(1, responder_ids + * sizeof(*priv->responder_id)); + if 
(priv->responder_id == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + ++ priv->responder_id_size = responder_ids; ++ + for (i = 0; i < priv->responder_id_size; i++) { + size_t l; + diff --git a/debian/patches/CVE-2017-7507-2.patch b/debian/patches/CVE-2017-7507-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..1eba51cde4b740f96b11597c4675516827744a19 --- /dev/null +++ b/debian/patches/CVE-2017-7507-2.patch 
@@ -0,0 +1,120 @@ +From 3efb6c5fd0e3822ec11879d5bcbea0e8d322cd03 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Wed, 24 May 2017 11:38:16 +0200 +Subject: [PATCH] ext/status_request: Removed the parsing of responder IDs from client extension + +These values were never used by gnutls, nor were accessible to applications, +and as such there is not reason to parse them. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/ext/status_request.c | 68 ++++++++++++++++---------------------------------------------------- + 1 file changed, 16 insertions(+), 52 deletions(-) + +Index: gnutls28-3.4.10/lib/ext/status_request.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/ext/status_request.c 2017-06-12 09:31:57.940210185 -0400 ++++ gnutls28-3.4.10/lib/ext/status_request.c 2017-06-12 09:31:57.936210137 -0400 +@@ -66,21 +66,6 @@ typedef struct { + opaque Extensions<0..2^16-1>; + */ + +-static void deinit_responder_id(status_request_ext_st *priv) +-{ +- unsigned i; +- +- if (priv->responder_id == NULL) +- return; +- +- for (i = 0; i < priv->responder_id_size; i++) +- gnutls_free(priv->responder_id[i].data); +- +- gnutls_free(priv->responder_id); +- priv->responder_id = NULL; +- priv->responder_id_size = 0; +-} +- + + static int + client_send(gnutls_session_t session, +@@ -135,9 +120,8 @@ server_recv(gnutls_session_t session, + status_request_ext_st * priv, + const uint8_t * data, size_t size) + { +- size_t i; + ssize_t data_size = size; +- unsigned responder_ids = 0; ++ unsigned rid_bytes = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -156,44 +140,17 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- responder_ids = _gnutls_read_uint16(data); ++ rid_bytes = _gnutls_read_uint16(data); + + DECR_LEN(data_size, 2); +- data += 2; ++ /*data += 2;*/ + +- if (data_size <= (ssize_t) (responder_ids * 2)) 
++ /* sanity check only, we don't use any of the data below */ ++ ++ if (data_size < (ssize_t)rid_bytes) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- deinit_responder_id(priv); +- +- priv->responder_id = gnutls_calloc(1, responder_ids +- * sizeof(*priv->responder_id)); +- if (priv->responder_id == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- priv->responder_id_size = responder_ids; +- +- for (i = 0; i < priv->responder_id_size; i++) { +- size_t l; +- +- DECR_LEN(data_size, 2); +- +- l = _gnutls_read_uint16(data); +- data += 2; +- +- DECR_LEN(data_size, l); +- +- priv->responder_id[i].data = gnutls_malloc(l); +- if (priv->responder_id[i].data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- memcpy(priv->responder_id[i].data, data, l); +- priv->responder_id[i].size = l; +- +- data += l; +- } +- + return 0; + } + +@@ -477,11 +434,18 @@ gnutls_certificate_set_ocsp_status_reque + static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv) + { + status_request_ext_st *priv = epriv; ++ unsigned i; + + if (priv == NULL) + return; + +- deinit_responder_id(priv); ++ if (priv->responder_id != NULL) { ++ for (i = 0; i < priv->responder_id_size; i++) ++ gnutls_free(priv->responder_id[i].data); ++ ++ gnutls_free(priv->responder_id); ++ } ++ + gnutls_free(priv->request_extensions.data); + gnutls_free(priv->response.data); + gnutls_free(priv); diff --git a/debian/patches/CVE-2017-7507-3.patch b/debian/patches/CVE-2017-7507-3.patch new file mode 100644 index 0000000000000000000000000000000000000000..aaad41cb38911fa6142b90a9ed7becbaa131f652 --- /dev/null +++ b/debian/patches/CVE-2017-7507-3.patch 
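Review bot: `/*data += 2;*/` in server_recv is commented-out code standing in for the removed pointer advance; since the function now returns right after the length check, drop it and state the intent instead, e.g. `/* responder_id_list and request_extensions are not parsed; only the advertised list length is sanity-checked against the remaining bytes */`. The new check `data_size < (ssize_t)rid_bytes` confirms the list fits but does not consume it, so the request_extensions length field is never validated here — consistent with the `return 0` that follows, but the comment should say so before a later change resumes using `data` without advancing it. The inlined free loop in _gnutls_status_request_deinit_data is fine as written because the whole struct is released immediately afterwards, so not resetting responder_id_size there has no effect.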
@@ -0,0 +1,36 @@ +From e1d6c59a7b0392fb3b8b75035614084a53e2c8c9 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Wed, 24 May 2017 11:48:24 +0200 +Subject: [PATCH] gnutls_ocsp_status_request_enable_client: documented requirements for parameters + +That is, the fact that extensions and responder_id parameters must be +allocated, and are assigned to the session. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/ext/status_request.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +Index: gnutls28-3.4.10/lib/ext/status_request.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/ext/status_request.c 2017-06-12 09:32:31.988618904 -0400 ++++ gnutls28-3.4.10/lib/ext/status_request.c 2017-06-12 09:32:31.984618855 -0400 +@@ -265,9 +265,15 @@ _gnutls_status_request_recv_params(gnutl + * + * This function is to be used by clients to request OCSP response + * from the server, using the "status_request" TLS extension. Only +- * OCSP status type is supported. A typical server has a single +- * OCSP response cached, so @responder_id and @extensions +- * should be null. ++ * OCSP status type is supported. ++ * ++ * The @responder_id array, its containing elements as well as ++ * the data of @extensions, must be allocated using gnutls_malloc(). They ++ * will be deinitialized on session cleanup. ++ * ++ * Due to the difficult semantics of the @responder_id and @extensions ++ * parameters, it is recommended to only call this function with these ++ * parameters set to %NULL. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, + * otherwise a negative error code is returned. diff --git a/debian/patches/CVE-2017-7869.patch b/debian/patches/CVE-2017-7869.patch new file mode 100644 index 0000000000000000000000000000000000000000..6a58a2393d1ea4d4b85f39b729d142b44313db10 --- /dev/null +++ b/debian/patches/CVE-2017-7869.patch 
@@ -0,0 +1,54 @@ +Backport of: + +From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Mon, 20 Feb 2017 11:13:08 +0100 +Subject: [PATCH] cdk_pkt_read: enforce packet limits + +That ensures that there are no overflows in the subsequent +calculations. + +Resolves the oss-fuzz found bug: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 + +Relates: #159 + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/opencdk/read-packet.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +Index: gnutls28-3.5.6/lib/opencdk/read-packet.c +=================================================================== +--- gnutls28-3.5.6.orig/lib/opencdk/read-packet.c 2017-06-12 09:25:46.991757303 -0400 ++++ gnutls28-3.5.6/lib/opencdk/read-packet.c 2017-06-12 09:25:46.987757255 -0400 +@@ -936,6 +936,7 @@ static void skip_packet(cdk_stream_t inp + assert(pktlen == 0); + } + ++#define MAX_PACKET_LEN (1<<24) + + /** + * cdk_pkt_read: +@@ -988,6 +989,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t in + else + read_old_length(inp, ctb, &pktlen, &pktsize); + ++ /* enforce limits to ensure that the following calculations ++ * do not overflow */ ++ if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) { ++ _cdk_log_info("cdk_pkt_read: too long packet\n"); ++ return gnutls_assert_val(CDK_Inv_Packet); ++ } ++ + pkt->pkttype = pkttype; + pkt->pktlen = pktlen; + pkt->pktsize = pktsize + pktlen; +@@ -1012,6 +1020,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t in + break; + + case CDK_PKT_USER_ID: ++ + pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id + + pkt->pktlen + 1); + if (!pkt->pkt.user_id) diff --git a/debian/patches/CVE-2018-1084x-1.patch b/debian/patches/CVE-2018-1084x-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..5110e5a8848f6b700c6359867adf6a5ec1868bf9 --- /dev/null +++ b/debian/patches/CVE-2018-1084x-1.patch 
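Review bot: `MAX_PACKET_LEN` is introduced without a comment on why 1<<24 is the bound; a note such as `/* 16 MiB: keeps pktsize + pktlen and the per-type sizeof(...) + pktlen + 1 allocations below from overflowing */` would tie it to the calculations the check protects, which the patch description only mentions in passing. The `Index:`/`---`/`+++` paths in this backport name gnutls28-3.5.6 while every other patch in the series names gnutls28-3.4.10; with a -p1 strip it still applies, but the header should be corrected so the backport's origin is not misread. The blank line inserted after `case CDK_PKT_USER_ID:` is unrelated whitespace and can be dropped from the backport.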
@@ -0,0 +1,90 @@ +Backport of: + +From e14d85eb8b1987d86f7b1d101a0e7795675d20d4 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Tue, 12 Jun 2018 14:22:52 +0200 +Subject: [PATCH] dummy_wait: correctly account the length field in SHA384 HMAC + +The existing lucky13 attack count-measures did not work correctly for +SHA384 HMAC. + +The overall impact of that should not be significant as SHA384 is prioritized +lower than SHA256 or SHA1 and thus it is not typically negotiated, unless a +client prioritizes a SHA384 MAC, or a server only supports SHA384, and in both +cases the vulnerability is only present if Encrypt-then-MAC (RFC7366) is unsupported +by the peer. + +Relates #455 + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/algorithms/mac.c | 4 ++-- + lib/cipher.c | 24 +++++++++++------------- + 2 files changed, 13 insertions(+), 15 deletions(-) + +Index: gnutls28-3.4.10/lib/algorithms/mac.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/algorithms/mac.c 2019-05-28 13:24:12.290599924 -0400 ++++ gnutls28-3.4.10/lib/algorithms/mac.c 2019-05-28 13:24:39.070714728 -0400 +@@ -31,9 +31,9 @@ static const mac_entry_st hash_algorithm + {"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1, + 64}, + {"SHA384", HASH_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1, +- 64}, ++ 128}, + {"SHA512", HASH_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1, +- 64}, ++ 128}, + {"SHA224", HASH_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1, + 64}, + {"UMAC-96", NULL, GNUTLS_MAC_UMAC_96, 12, 16, 8, 0, 1, 0}, +Index: gnutls28-3.4.10/lib/gnutls_cipher.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_cipher.c 2019-05-28 13:24:12.290599924 -0400 ++++ gnutls28-3.4.10/lib/gnutls_cipher.c 2019-05-28 13:24:12.286599907 -0400 +@@ -457,9 +457,10 @@ static void dummy_wait(record_parameters + gnutls_datum_t * plaintext, unsigned 
pad_failed, + unsigned int pad, unsigned total) + { +- /* this hack is only needed on CBC ciphers */ ++ /* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode ++ * is not supported by the peer. */ + if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { +- unsigned len; ++ unsigned len, v; + + /* force an additional hash compression function evaluation to prevent timing + * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. +@@ -467,11 +468,14 @@ static void dummy_wait(record_parameters + if (pad_failed == 0 && pad > 0) { + len = _gnutls_mac_block_size(params->mac); + if (len > 0) { +- /* This is really specific to the current hash functions. +- * It should be removed once a protocol fix is in place. +- */ +- if ((pad + total) % len > len - 9 +- && total % len <= len - 9) { ++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) ++ /* v = 1 for the hash function padding + 16 for message length */ ++ v = 17; ++ else /* v = 1 for the hash function padding + 8 for message length */ ++ v = 9; ++ ++ if ((pad + total) % len > len - v ++ && total % len <= len - v) { + if (len < plaintext->size) + _gnutls_auth_cipher_add_auth + (¶ms->read. +@@ -810,12 +814,6 @@ ciphertext_to_compressed(gnutls_session_ + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + +- /* Here there could be a timing leakage in CBC ciphersuites that +- * could be exploited if the cost of a successful memcmp is high. +- * A constant time memcmp would help there, but it is not easy to maintain +- * against compiler optimizations. Currently we rely on the fact that +- * a memcmp comparison is negligible over the crypto operations. +- */ + if (unlikely + (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) { + /* HMAC was not the same. */ 
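Review bot: the `v = 17` branch in dummy_wait keys on `params->mac->id == GNUTLS_MAC_SHA384` alone, while the mac.c change in the same patch also raises the SHA512 block size to 128; if an HMAC-SHA512 record MAC can never be negotiated in this branch (which I would expect), a comment saying so would justify the single-id test, otherwise derive `v` from the block size already in hand: `if (len == 128) /* SHA-384/512: 16-byte length field */ v = 17; else v = 9;`. The added `params->mac &&` NULL test sits after `len = _gnutls_mac_block_size(params->mac)` has already been evaluated on the same pointer a few lines up, so it is either redundant or too late; `_gnutls_mac_block_size` is outside the hunk, so I cannot tell which. The enclosing function continues past the hunk.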
diff --git a/debian/patches/CVE-2018-1084x-2.patch b/debian/patches/CVE-2018-1084x-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..187b9e16baea10885d428955d3d65bdb00967eec --- /dev/null +++ b/debian/patches/CVE-2018-1084x-2.patch 
@@ -0,0 +1,106 @@ +Backport of: + +From c2e094acd68f7159025b2e2556d6fb4427b41dd7 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Tue, 12 Jun 2018 14:27:57 +0200 +Subject: [PATCH] dummy_wait: always hash the same amount of blocks that would + have been on minimum pad + +This improves protection against lucky13-type of attacks when +encrypt-then-mac is not in use. + +Resolves #456 + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/cipher.c | 63 +++++++++++++++++++++++++++------------------------- + 1 file changed, 33 insertions(+), 30 deletions(-) + +Index: gnutls28-3.4.10/lib/gnutls_cipher.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_cipher.c 2019-05-28 13:25:39.338972870 -0400 ++++ gnutls28-3.4.10/lib/gnutls_cipher.c 2019-05-28 13:25:39.330972836 -0400 +@@ -453,41 +453,42 @@ compressed_to_ciphertext(gnutls_session_ + return length; + } + +-static void dummy_wait(record_parameters_st * params, +- gnutls_datum_t * plaintext, unsigned pad_failed, +- unsigned int pad, unsigned total) ++static void dummy_wait(record_parameters_st *params, ++ gnutls_datum_t *plaintext, ++ unsigned int mac_data, unsigned int max_mac_data) + { + /* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode + * is not supported by the peer. */ + if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { +- unsigned len, v; ++ unsigned v; ++ unsigned int tag_size = ++ _gnutls_auth_cipher_tag_len(¶ms->read.cipher_state); ++ unsigned hash_block = _gnutls_mac_block_size(params->mac); + +- /* force an additional hash compression function evaluation to prevent timing ++ /* force additional hash compression function evaluations to prevent timing + * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. 
+ */ +- if (pad_failed == 0 && pad > 0) { +- len = _gnutls_mac_block_size(params->mac); +- if (len > 0) { +- if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) +- /* v = 1 for the hash function padding + 16 for message length */ +- v = 17; +- else /* v = 1 for the hash function padding + 8 for message length */ +- v = 9; +- +- if ((pad + total) % len > len - v +- && total % len <= len - v) { +- if (len < plaintext->size) +- _gnutls_auth_cipher_add_auth +- (¶ms->read. +- cipher_state, +- plaintext->data, len); +- else +- _gnutls_auth_cipher_add_auth +- (¶ms->read. +- cipher_state, +- plaintext->data, +- plaintext->size); +- } ++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) ++ /* v = 1 for the hash function padding + 16 for message length */ ++ v = 17; ++ else /* v = 1 for the hash function padding + 8 for message length */ ++ v = 9; ++ ++ if (hash_block > 0) { ++ int max_blocks = (max_mac_data+v+hash_block-1)/hash_block; ++ int hashed_blocks = (mac_data+v+hash_block-1)/hash_block; ++ unsigned to_hash; ++ ++ max_blocks -= hashed_blocks; ++ if (max_blocks < 1) ++ return; ++ ++ to_hash = max_blocks * hash_block; ++ if ((unsigned)to_hash+1+tag_size < plaintext->size) { ++ _gnutls_auth_cipher_add_auth ++ (¶ms->read.cipher_state, ++ plaintext->data+plaintext->size-tag_size-to_hash-1, ++ to_hash); + } + } + } +@@ -817,8 +818,10 @@ ciphertext_to_compressed(gnutls_session_ + if (unlikely + (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) { + /* HMAC was not the same. */ +- dummy_wait(params, compressed, pad_failed, pad, +- length + preamble_size); ++ gnutls_datum_t data = {compressed->data, ciphertext->size}; ++ ++ dummy_wait(params, &data, length + preamble_size, ++ preamble_size + ciphertext->size - tag_size - 1); + + return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); + } 
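Review bot: the call site in ciphertext_to_compressed builds `gnutls_datum_t data = {compressed->data, ciphertext->size}`, pairing the decrypted buffer with the ciphertext length, and dummy_wait then reads `to_hash` bytes ending at `plaintext->data + plaintext->size - tag_size - 1`; that stays in bounds only if `compressed->data` is backed by at least `ciphertext->size` bytes, which is presumably the case for in-place CBC decryption but is not shown in the hunk. A comment at the call site, e.g. `/* compressed->data is the in-place decrypt buffer and holds ciphertext->size bytes; dummy_wait reads its tail */`, would pin that invariant. Likewise `preamble_size + ciphertext->size - tag_size - 1` is unsigned arithmetic; unless `ciphertext->size < tag_size + 1` is already rejected earlier in the function (outside the hunk), it wraps to a huge `max_mac_data`. `max_blocks` and `hashed_blocks` are declared `int` but computed from unsigned operands; declaring them `unsigned` would match and remove the `(unsigned)to_hash` cast. The enclosing function starts outside the hunk.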
diff --git a/debian/patches/CVE-2018-1084x-3.patch b/debian/patches/CVE-2018-1084x-3.patch new file mode 100644 index 0000000000000000000000000000000000000000..b65e767cdc09e616c95a526ecec859f290eba184 --- /dev/null +++ b/debian/patches/CVE-2018-1084x-3.patch @@ -0,0 +1,36 @@ +Backport of: + +From 62a39773e9d0c4a686a3d8d2b6cca32f82c26cd7 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Tue, 12 Jun 2018 14:29:57 +0200 +Subject: [PATCH] cbc_mac_verify: require minimum padding under SSL3.0 + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/cipher.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +Index: gnutls28-3.4.10/lib/gnutls_cipher.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_cipher.c 2019-05-28 13:26:13.143117534 -0400 ++++ gnutls28-3.4.10/lib/gnutls_cipher.c 2019-05-28 13:27:16.587388822 -0400 +@@ -744,7 +744,10 @@ ciphertext_to_compressed(gnutls_session_ + * Note that we access all 256 bytes of ciphertext for padding check + * because there is a timing channel in that memory access (in certain CPUs). + */ +- if (ver->id != GNUTLS_SSL3) ++ if (ver->id == GNUTLS_SSL3) { ++ if (pad >= blocksize) ++ pad_failed = 1; ++ } else { + for (i = 2; i <= MIN(256, ciphertext->size); i++) { + tmp_pad_failed |= + (compressed-> +@@ -752,6 +755,7 @@ ciphertext_to_compressed(gnutls_session_ + pad_failed |= + ((i <= (1 + pad)) & (tmp_pad_failed)); + } ++ } + + if (unlikely + (pad_failed != 0 diff --git a/debian/patches/CVE-2018-1084x-4.patch b/debian/patches/CVE-2018-1084x-4.patch new file mode 100644 index 0000000000000000000000000000000000000000..8a4bb7e8175b7a176aa7e5c843062c22b37cd2f5 --- /dev/null +++ b/debian/patches/CVE-2018-1084x-4.patch 
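Review bot: the new SSL3 branch `if (pad >= blocksize) pad_failed = 1;` carries no comment on why only the length is checked; since SSL 3.0 leaves the padding bytes' contents unspecified (RFC 6101), a note such as `/* SSL3 pad bytes are arbitrary, so only the length is checkable: it must be shorter than one block */` would document the asymmetry with the TLS loop below, which deliberately touches all 256 bytes for timing reasons. `blocksize` and `pad_failed` are defined outside the hunk, and the enclosing function ciphertext_to_compressed both starts and ends outside it.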
@@ -0,0 +1,90 @@ +Backport of: + +From c433cdf92349afae66c703bdacedf987f423605e Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Tue, 12 Jun 2018 14:31:40 +0200 +Subject: [PATCH] hmac-sha384 and sha256 ciphersuites were removed from + defaults + +These ciphersuites are deprecated since the introduction of AEAD +ciphersuites, and are only necessary for compatibility with older +servers. Since older servers already support hmac-sha1 there is +no reason to keep these ciphersuites enabled by default, as they +increase our attack surface. + +Relates #456 + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/priority.c | 8 -------- + tests/dtls1-2-mtu-check.c | 2 +- + tests/priorities.c | 12 ++++++------ + 3 files changed, 7 insertions(+), 15 deletions(-) + +Index: gnutls28-3.4.10/lib/gnutls_priority.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/gnutls_priority.c 2019-05-28 13:29:18.707910302 -0400 ++++ gnutls28-3.4.10/lib/gnutls_priority.c 2019-05-28 13:29:18.703910285 -0400 +@@ -386,8 +386,6 @@ static const int* sign_priority_secure19 + + static const int mac_priority_normal_default[] = { + GNUTLS_MAC_SHA1, +- GNUTLS_MAC_SHA256, +- GNUTLS_MAC_SHA384, + GNUTLS_MAC_AEAD, + GNUTLS_MAC_MD5, + 0 +@@ -395,8 +393,6 @@ static const int mac_priority_normal_def + + static const int mac_priority_normal_fips[] = { + GNUTLS_MAC_SHA1, +- GNUTLS_MAC_SHA256, +- GNUTLS_MAC_SHA384, + GNUTLS_MAC_AEAD, + 0 + }; +@@ -421,16 +417,12 @@ static const int* mac_priority_suiteb = + + static const int _mac_priority_secure128[] = { + GNUTLS_MAC_SHA1, +- GNUTLS_MAC_SHA256, +- GNUTLS_MAC_SHA384, + GNUTLS_MAC_AEAD, + 0 + }; + static const int* mac_priority_secure128 = _mac_priority_secure128; + + static const int _mac_priority_secure192[] = { +- GNUTLS_MAC_SHA256, +- GNUTLS_MAC_SHA384, + GNUTLS_MAC_AEAD, + 0 + }; +Index: gnutls28-3.4.10/tests/priorities.c 
+=================================================================== +--- gnutls28-3.4.10.orig/tests/priorities.c 2019-05-28 13:29:18.707910302 -0400 ++++ gnutls28-3.4.10/tests/priorities.c 2019-05-28 13:31:01.928350476 -0400 +@@ -101,18 +101,18 @@ try_prio(const char *prio, unsigned expe + + void doit(void) + { +- const int normal = 54; +- const int null = 5; +- const int sec128 = 50; ++ const int normal = 38; ++ const int null = 4; ++ const int sec128 = 34; + + try_prio("NORMAL", normal, 11, __LINE__); + try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 11, __LINE__); + try_prio("NORMAL:+CIPHER-ALL", normal, 11, __LINE__); /* all (except null) */ + try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1, __LINE__); /* null */ + try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 12, __LINE__); /* should be null + all */ +- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 8, 1, __LINE__); /* should be null + all */ ++ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 4, 1, __LINE__); /* should be null + all */ + try_prio("PERFORMANCE", normal, 11, __LINE__); +- try_prio("SECURE256", 19, 5, __LINE__); ++ try_prio("SECURE256", 11, 5, __LINE__); + try_prio("SECURE128", sec128, 10, __LINE__); + try_prio("SECURE128:+SECURE256", sec128, 10, __LINE__); /* should be the same as SECURE128 */ + try_prio("SECURE128:+SECURE256:+NORMAL", normal, 11, __LINE__); /* should be the same as NORMAL */ diff --git a/debian/patches/CVE-2018-1084x-5.patch b/debian/patches/CVE-2018-1084x-5.patch new file mode 100644 index 0000000000000000000000000000000000000000..b596a685d2e18265c701ead599161e72735f9378 --- /dev/null +++ b/debian/patches/CVE-2018-1084x-5.patch 
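Review bot: the patch header's diffstat still lists `tests/dtls1-2-mtu-check.c | 2 +-` and `3 files changed`, but this backport carries hunks only for lib/gnutls_priority.c and tests/priorities.c; the "Backport of:" preamble should say the dtls1-2-mtu-check.c change was dropped (or the diffstat should be trimmed) so a later reader does not go looking for a missing hunk. The updated expectations in tests/priorities.c (`normal = 38`, `null = 4`, `sec128 = 34`, the SECURE256 and AES-128-CBC cases) have no note on how they were derived; a one-line comment stating they were recomputed against this branch's ciphersuite table would help the next rebase.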
@@ -0,0 +1,38 @@ +From 9fdd24d53c84cc68dac1be28f8b1436e424ce1f1 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Wed, 13 Jun 2018 12:55:02 +0200 +Subject: [PATCH] tests: pkcs12_encode: fix test for SHA512 + +We don't support SHA512 in the 3.5.x branch. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + tests/pkcs12_encode.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c +index 46c5092e49..e45755789b 100644 +--- a/tests/pkcs12_encode.c ++++ b/tests/pkcs12_encode.c +@@ -220,18 +220,6 @@ void doit(void) + exit(1); + } + +- ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1"); +- if (ret < 0) { +- fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret); +- exit(1); +- } +- +- ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1"); +- if (ret < 0) { +- fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret); +- exit(1); +- } +- + size = sizeof(outbuf); + ret = + gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf, +-- +2.21.0 + diff --git a/debian/patches/allow_broken_priority_string.patch b/debian/patches/allow_broken_priority_string.patch new file mode 100644 index 0000000000000000000000000000000000000000..9d704325ed14cea4020348e3e39a2ba4528d92a1 --- /dev/null +++ b/debian/patches/allow_broken_priority_string.patch 
@@ -0,0 +1,281 @@ +Backport of: + +From 773f7e8e3d16a0426c11edd7c3d8883ab6ee3a56 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Mon, 13 Mar 2017 17:06:47 +0100 +Subject: [PATCH] Introduced the %VERIFY_ALLOW_BROKEN priority string option + +This allows enabling broken signature algorithms in certificate verification. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + doc/cha-cert-auth.texi | 1 + + doc/cha-gtls-app.texi | 4 ++++ + lib/priority.c | 5 +++++ + lib/priority_options.gperf | 1 + + 4 files changed, 11 insertions(+) + +--- a/doc/cha-cert-auth.texi ++++ b/doc/cha-cert-auth.texi +@@ -752,6 +752,7 @@ certificate chain, you can call + @itemize + @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2} + @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5} ++@item @code{GNUTLS_VERIFY_ALLOW_BROKEN} + @end itemize + as in the following example: + +--- a/doc/cha-gtls-app.texi ++++ b/doc/cha-gtls-app.texi +@@ -1258,6 +1258,10 @@ client hello. Note that this should be + try to reconnect with a downgraded protocol version. See RFC7507 for + details. + ++@item %VERIFY_ALLOW_BROKEN @tab ++will allow signatures with known to be broken algorithms (such as MD5 or ++SHA1) in certificate chains. ++ + @item %VERIFY_ALLOW_SIGN_RSA_MD5 @tab + will allow RSA-MD5 signatures in certificate chains. 
+ +--- a/lib/gnutls_priority.c ++++ b/lib/gnutls_priority.c +@@ -817,6 +817,11 @@ static void enable_verify_allow_rsa_md5( + c->additional_verify_flags |= + GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5; + } ++static void enable_verify_allow_broken(gnutls_priority_t c) ++{ ++ c->additional_verify_flags |= ++ GNUTLS_VERIFY_ALLOW_BROKEN; ++} + static void disable_crl_checks(gnutls_priority_t c) + { + c->additional_verify_flags |= +--- a/lib/priority_options.gperf ++++ b/lib/priority_options.gperf +@@ -13,6 +13,7 @@ NO_TICKETS, enable_no_tickets + NO_ETM, enable_no_etm + NO_SESSION_HASH, enable_no_ext_master_secret + STATELESS_COMPRESSION, enable_stateless_compression ++VERIFY_ALLOW_BROKEN, enable_verify_allow_broken + VERIFY_ALLOW_SIGN_RSA_MD5, enable_verify_allow_rsa_md5 + VERIFY_DISABLE_CRL_CHECKS, disable_crl_checks + SSL3_RECORD_VERSION, enable_ssl3_record_version +--- a/lib/priority_options.h ++++ b/lib/priority_options.h +@@ -1,6 +1,6 @@ + /* ANSI-C code produced by gperf version 3.0.4 */ + /* Command-line: gperf --global-table -t priority_options.gperf */ +-/* Computed positions: -k'1,$' */ ++/* Computed positions: -k'9,$' */ + + #if !((' ' == 32) && ('!' 
== 33) && ('"' == 34) && ('#' == 35) \ + && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \ +@@ -36,12 +36,12 @@ static const struct priority_options_st + #line 7 "priority_options.gperf" + struct priority_options_st { const char *name; option_set_func func; }; + +-#define TOTAL_KEYWORDS 28 ++#define TOTAL_KEYWORDS 29 + #define MIN_WORD_LENGTH 6 + #define MAX_WORD_LENGTH 27 + #define MIN_HASH_VALUE 6 +-#define MAX_HASH_VALUE 49 +-/* maximum key range = 44, duplicates = 0 */ ++#define MAX_HASH_VALUE 74 ++/* maximum key range = 69, duplicates = 0 */ + + #ifdef __GNUC__ + __inline +@@ -55,101 +55,117 @@ hash (register const char *str, register + { + static const unsigned char asso_values[] = + { +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 25, 50, 50, 5, 50, 50, 20, 50, 50, 50, +- 50, 50, 50, 50, 50, 10, 50, 0, 5, 20, +- 10, 3, 0, 50, 50, 10, 20, 30, 0, 50, +- 5, 50, 50, 0, 0, 0, 0, 0, 50, 5, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, +- 50, 50, 50, 50, 50, 50 ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 
75, 75, 75, 75, 75, ++ 15, 75, 75, 10, 75, 75, 10, 75, 75, 75, ++ 75, 75, 75, 75, 75, 5, 75, 75, 75, 10, ++ 75, 25, 0, 10, 75, 0, 5, 30, 0, 10, ++ 75, 75, 20, 0, 5, 5, 5, 0, 75, 0, ++ 75, 75, 75, 75, 75, 0, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, ++ 75, 75, 75, 75, 75, 75 + }; +- return len + asso_values[(unsigned char)str[len - 1]] + asso_values[(unsigned char)str[0]]; ++ register int hval = len; ++ ++ switch (hval) ++ { ++ default: ++ hval += asso_values[(unsigned char)str[8]]; ++ /*FALLTHROUGH*/ ++ case 8: ++ case 7: ++ case 6: ++ break; ++ } ++ return hval + asso_values[(unsigned char)str[len - 1]]; + } + + static const struct priority_options_st wordlist[] = + { + {""}, {""}, {""}, {""}, {""}, {""}, ++#line 10 "priority_options.gperf" ++ {"DUMBFW", enable_dumbfw}, ++ {""}, {""}, {""}, {""}, + #line 9 "priority_options.gperf" + {"COMPAT", enable_compat}, +- {""}, {""}, {""}, ++#line 33 "priority_options.gperf" ++ {"PROFILE_HIGH", enable_profile_high}, ++#line 11 "priority_options.gperf" ++ {"NO_EXTENSIONS", enable_no_extensions}, ++ {""}, + #line 12 "priority_options.gperf" + {"NO_TICKETS", enable_no_tickets}, +-#line 10 "priority_options.gperf" +- {"DUMBFW", enable_dumbfw}, ++#line 30 "priority_options.gperf" ++ {"PROFILE_LOW", enable_profile_low}, ++#line 27 "priority_options.gperf" ++ {"DISABLE_WILDCARDS", disable_wildcards}, ++#line 26 
"priority_options.gperf" ++ {"FALLBACK_SCSV", enable_fallback_scsv}, ++#line 31 "priority_options.gperf" ++ {"PROFILE_LEGACY", enable_profile_legacy}, + {""}, +-#line 11 "priority_options.gperf" +- {"NO_EXTENSIONS", enable_no_extensions}, +-#line 36 "priority_options.gperf" +- {"NEW_PADDING", dummy_func}, ++#line 15 "priority_options.gperf" ++ {"STATELESS_COMPRESSION", enable_stateless_compression}, ++#line 29 "priority_options.gperf" ++ {"PROFILE_VERY_WEAK", enable_profile_very_weak}, ++#line 34 "priority_options.gperf" ++ {"PROFILE_ULTRA", enable_profile_ultra}, ++#line 16 "priority_options.gperf" ++ {"VERIFY_ALLOW_BROKEN", enable_verify_allow_broken}, + #line 14 "priority_options.gperf" + {"NO_SESSION_HASH", enable_no_ext_master_secret}, +-#line 29 "priority_options.gperf" +- {"PROFILE_LOW", enable_profile_low}, +-#line 32 "priority_options.gperf" +- {"PROFILE_HIGH", enable_profile_high}, +-#line 22 "priority_options.gperf" ++#line 25 "priority_options.gperf" ++ {"DISABLE_SAFE_RENEGOTIATION", disable_safe_renegotiation}, ++#line 35 "priority_options.gperf" ++ {"PROFILE_SUITEB128", enable_profile_suiteb128}, ++#line 23 "priority_options.gperf" + {"SAFE_RENEGOTIATION", enable_safe_renegotiation}, +-#line 18 "priority_options.gperf" ++#line 19 "priority_options.gperf" + {"SSL3_RECORD_VERSION", enable_ssl3_record_version}, +-#line 21 "priority_options.gperf" ++#line 22 "priority_options.gperf" + {"UNSAFE_RENEGOTIATION", enable_unsafe_renegotiation}, +-#line 15 "priority_options.gperf" +- {"STATELESS_COMPRESSION", enable_stateless_compression}, +-#line 26 "priority_options.gperf" +- {"DISABLE_WILDCARDS", disable_wildcards}, +-#line 25 "priority_options.gperf" +- {"FALLBACK_SCSV", enable_fallback_scsv}, +-#line 30 "priority_options.gperf" +- {"PROFILE_LEGACY", enable_profile_legacy}, +-#line 17 "priority_options.gperf" +- {"VERIFY_DISABLE_CRL_CHECKS", disable_crl_checks}, +-#line 23 "priority_options.gperf" +- {"PARTIAL_RENEGOTIATION", 
enable_partial_safe_renegotiation}, + #line 20 "priority_options.gperf" ++ {"LATEST_RECORD_VERSION", enable_latest_record_version}, ++#line 36 "priority_options.gperf" ++ {"PROFILE_SUITEB192", enable_profile_suiteb192}, ++ {""}, {""}, ++#line 18 "priority_options.gperf" ++ {"VERIFY_DISABLE_CRL_CHECKS", disable_crl_checks}, ++#line 13 "priority_options.gperf" ++ {"NO_ETM", enable_no_etm}, ++#line 21 "priority_options.gperf" + {"VERIFY_ALLOW_X509_V1_CA_CRT", dummy_func}, +-#line 33 "priority_options.gperf" +- {"PROFILE_ULTRA", enable_profile_ultra}, +- {""}, +-#line 16 "priority_options.gperf" ++ {""}, {""}, ++#line 17 "priority_options.gperf" + {"VERIFY_ALLOW_SIGN_RSA_MD5", enable_verify_allow_rsa_md5}, + #line 24 "priority_options.gperf" +- {"DISABLE_SAFE_RENEGOTIATION", disable_safe_renegotiation}, ++ {"PARTIAL_RENEGOTIATION", enable_partial_safe_renegotiation}, ++ {""}, {""}, {""}, {""}, ++#line 37 "priority_options.gperf" ++ {"NEW_PADDING", dummy_func}, + #line 28 "priority_options.gperf" +- {"PROFILE_VERY_WEAK", enable_profile_very_weak}, +- {""}, {""}, {""}, +-#line 13 "priority_options.gperf" +- {"NO_ETM", enable_no_etm}, +-#line 27 "priority_options.gperf" + {"SERVER_PRECEDENCE", enable_server_precedence}, +- {""}, {""}, {""}, +-#line 19 "priority_options.gperf" +- {"LATEST_RECORD_VERSION", enable_latest_record_version}, +-#line 34 "priority_options.gperf" +- {"PROFILE_SUITEB128", enable_profile_suiteb128}, +- {""}, {""}, {""}, {""}, +-#line 35 "priority_options.gperf" +- {"PROFILE_SUITEB192", enable_profile_suiteb192}, +- {""}, +-#line 31 "priority_options.gperf" ++ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, ++ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, ++ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, ++#line 32 "priority_options.gperf" + {"PROFILE_MEDIUM", enable_profile_medium} + }; + 
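Review bot: most of this patch is regenerated gperf output in lib/priority_options.h, which the header's diffstat (`4 files changed, 11 insertions(+)`, naming lib/priority.c) does not account for, and the backport patches lib/gnutls_priority.c rather than lib/priority.c; the "Backport of:" preamble should state that priority_options.h was regenerated with `gperf --global-table -t priority_options.gperf` (the command line the generated header records) rather than hand-edited, so the next rebase regenerates it instead of patching hash tables by hand. The hand-written part, `enable_verify_allow_broken`, follows the existing enable_* pattern exactly and needs no change. The texi entry correctly states that `%VERIFY_ALLOW_BROKEN` re-admits MD5 and SHA1 chain signatures; it would be worth adding that this is an explicit, per-application opt-out of the default rejection, so it is not mistaken for a compatibility default.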
diff --git a/debian/patches/allow_sha1_priority_string.patch b/debian/patches/allow_sha1_priority_string.patch new file mode 100644 index 0000000000000000000000000000000000000000..245ea8f71116900ed8fa7fb916aeade2571e5bd5 --- /dev/null +++ b/debian/patches/allow_sha1_priority_string.patch 
@@ -0,0 +1,339 @@ +Backport of: + +From eb3650c4602ea9b92cfd084ef417bc7f6b89555c Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Mon, 13 Mar 2017 17:13:48 +0100 +Subject: [PATCH] Introduced flag GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 + +This allows performing a verification with only SHA1 allowed +from the broken algorithms. This can be used to fine-tune +verification in case default verification fails, to detect +whether the failed algorithm was SHA1. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + doc/cha-cert-auth.texi | 1 + + doc/cha-gtls-app.texi | 3 +++ + lib/includes/gnutls/x509.h | 5 ++++- + lib/priority.c | 5 +++++ + lib/priority_options.gperf | 1 + + lib/x509/verify.c | 12 ++++++++++-- + 6 files changed, 24 insertions(+), 3 deletions(-) + +--- a/doc/cha-cert-auth.texi ++++ b/doc/cha-cert-auth.texi +@@ -752,6 +752,7 @@ certificate chain, you can call + @itemize + @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2} + @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5} ++@item @code{GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1} + @item @code{GNUTLS_VERIFY_ALLOW_BROKEN} + @end itemize + as in the following example: +--- a/doc/cha-gtls-app.texi ++++ b/doc/cha-gtls-app.texi +@@ -1265,6 +1265,9 @@ SHA1) in certificate chains. + @item %VERIFY_ALLOW_SIGN_RSA_MD5 @tab + will allow RSA-MD5 signatures in certificate chains. + ++@item %VERIFY_ALLOW_SIGN_WITH_SHA1 @tab ++will allow signatures with SHA1 hash algorithm in certificate chains. ++ + @item %VERIFY_DISABLE_CRL_CHECKS @tab + will disable CRL or OCSP checks in the verification of the certificate chain. + +--- a/lib/includes/gnutls/x509.h ++++ b/lib/includes/gnutls/x509.h +@@ -810,6 +810,8 @@ int gnutls_x509_crl_set_number(gnutls_x5 + * using the broken MD2 algorithm. + * @GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: Allow certificates to be signed + * using the broken MD5 algorithm. 
++ * @GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Allow certificates to be signed ++ * using the broken SHA1 hash algorithm. + * @GNUTLS_VERIFY_ALLOW_BROKEN: Allow certificates to be signed + * using any broken algorithm. + * @GNUTLS_VERIFY_DISABLE_TIME_CHECKS: Disable checking of activation +@@ -839,7 +841,8 @@ typedef enum gnutls_certificate_verify_f + GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1 << 10, + GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1 << 11, + GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12, +- GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13 ++ GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13, ++ GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 = 1 << 15, + /* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */ + } gnutls_certificate_verify_flags; + +--- a/lib/gnutls_priority.c ++++ b/lib/gnutls_priority.c +@@ -817,6 +817,11 @@ static void enable_verify_allow_rsa_md5( + c->additional_verify_flags |= + GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5; + } ++static void enable_verify_allow_sha1(gnutls_priority_t c) ++{ ++ c->additional_verify_flags |= ++ GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1; ++} + static void enable_verify_allow_broken(gnutls_priority_t c) + { + c->additional_verify_flags |= +--- a/lib/priority_options.gperf ++++ b/lib/priority_options.gperf +@@ -15,6 +15,7 @@ NO_SESSION_HASH, enable_no_ext_master_se + STATELESS_COMPRESSION, enable_stateless_compression + VERIFY_ALLOW_BROKEN, enable_verify_allow_broken + VERIFY_ALLOW_SIGN_RSA_MD5, enable_verify_allow_rsa_md5 ++VERIFY_ALLOW_SIGN_WITH_SHA1, enable_verify_allow_sha1 + VERIFY_DISABLE_CRL_CHECKS, disable_crl_checks + SSL3_RECORD_VERSION, enable_ssl3_record_version + LATEST_RECORD_VERSION, enable_latest_record_version +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -385,6 +385,12 @@ static unsigned int check_time_status(gn + static + int is_broken_allowed(gnutls_sign_algorithm_t sig, unsigned int flags) + { ++ gnutls_digest_algorithm_t hash; ++ ++ /* we have a catch all */ ++ if ((flags & GNUTLS_VERIFY_ALLOW_BROKEN) == GNUTLS_VERIFY_ALLOW_BROKEN) 
++ return 1; ++ + /* the first two are for backwards compatibility */ + if ((sig == GNUTLS_SIGN_RSA_MD2) + && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) +@@ -392,9 +398,11 @@ int is_broken_allowed(gnutls_sign_algori + if ((sig == GNUTLS_SIGN_RSA_MD5) + && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)) + return 1; +- /* we no longer have individual flags - but rather a catch all */ +- if ((flags & GNUTLS_VERIFY_ALLOW_BROKEN) == GNUTLS_VERIFY_ALLOW_BROKEN) ++ ++ hash = gnutls_sign_get_hash_algorithm(sig); ++ if (hash == GNUTLS_DIG_SHA1 && (flags & GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1)) + return 1; ++ + return 0; + } + +--- a/lib/priority_options.h ++++ b/lib/priority_options.h +@@ -1,6 +1,6 @@ + /* ANSI-C code produced by gperf version 3.0.4 */ + /* Command-line: gperf --global-table -t priority_options.gperf */ +-/* Computed positions: -k'9,$' */ ++/* Computed positions: -k'1,$' */ + + #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \ + && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \ +@@ -36,12 +36,12 @@ static const struct priority_options_st + #line 7 "priority_options.gperf" + struct priority_options_st { const char *name; option_set_func func; }; + +-#define TOTAL_KEYWORDS 29 ++#define TOTAL_KEYWORDS 30 + #define MIN_WORD_LENGTH 6 + #define MAX_WORD_LENGTH 27 + #define MIN_HASH_VALUE 6 +-#define MAX_HASH_VALUE 74 +-/* maximum key range = 69, duplicates = 0 */ ++#define MAX_HASH_VALUE 52 ++/* maximum key range = 47, duplicates = 0 */ + + #ifdef __GNUC__ + __inline +@@ -55,118 +55,107 @@ hash (register const char *str, register + { + static const unsigned char asso_values[] = + { +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 15, 75, 75, 10, 75, 75, 10, 75, 75, 75, +- 75, 75, 75, 75, 75, 5, 75, 75, 75, 10, +- 75, 25, 0, 10, 75, 0, 5, 30, 0, 10, +- 75, 75, 20, 0, 5, 5, 5, 
0, 75, 0, +- 75, 75, 75, 75, 75, 0, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75, 75, 75, 75, 75, +- 75, 75, 75, 75, 75, 75 ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 20, ++ 25, 53, 53, 5, 53, 53, 20, 53, 53, 53, ++ 53, 53, 53, 53, 53, 10, 53, 0, 5, 20, ++ 5, 3, 0, 53, 53, 5, 20, 30, 0, 53, ++ 5, 53, 53, 0, 0, 0, 5, 0, 53, 10, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, ++ 53, 53, 53, 53, 53, 53 + }; +- register int hval = len; +- +- switch (hval) +- { +- default: +- hval += asso_values[(unsigned char)str[8]]; +- /*FALLTHROUGH*/ +- case 8: +- case 7: +- case 6: +- break; +- } +- 
return hval + asso_values[(unsigned char)str[len - 1]]; ++ return len + asso_values[(unsigned char)str[len - 1]] + asso_values[(unsigned char)str[0]]; + } + + static const struct priority_options_st wordlist[] = + { + {""}, {""}, {""}, {""}, {""}, {""}, +-#line 10 "priority_options.gperf" +- {"DUMBFW", enable_dumbfw}, +- {""}, {""}, {""}, {""}, + #line 9 "priority_options.gperf" + {"COMPAT", enable_compat}, +-#line 33 "priority_options.gperf" +- {"PROFILE_HIGH", enable_profile_high}, +-#line 11 "priority_options.gperf" +- {"NO_EXTENSIONS", enable_no_extensions}, +- {""}, ++ {""}, {""}, {""}, + #line 12 "priority_options.gperf" + {"NO_TICKETS", enable_no_tickets}, +-#line 30 "priority_options.gperf" +- {"PROFILE_LOW", enable_profile_low}, +-#line 27 "priority_options.gperf" +- {"DISABLE_WILDCARDS", disable_wildcards}, +-#line 26 "priority_options.gperf" +- {"FALLBACK_SCSV", enable_fallback_scsv}, +-#line 31 "priority_options.gperf" +- {"PROFILE_LEGACY", enable_profile_legacy}, ++#line 10 "priority_options.gperf" ++ {"DUMBFW", enable_dumbfw}, + {""}, ++#line 11 "priority_options.gperf" ++ {"NO_EXTENSIONS", enable_no_extensions}, ++#line 38 "priority_options.gperf" ++ {"NEW_PADDING", dummy_func}, ++#line 14 "priority_options.gperf" ++ {"NO_SESSION_HASH", enable_no_ext_master_secret}, ++#line 31 "priority_options.gperf" ++ {"PROFILE_LOW", enable_profile_low}, ++#line 34 "priority_options.gperf" ++ {"PROFILE_HIGH", enable_profile_high}, ++#line 24 "priority_options.gperf" ++ {"SAFE_RENEGOTIATION", enable_safe_renegotiation}, ++#line 20 "priority_options.gperf" ++ {"SSL3_RECORD_VERSION", enable_ssl3_record_version}, ++#line 23 "priority_options.gperf" ++ {"UNSAFE_RENEGOTIATION", enable_unsafe_renegotiation}, + #line 15 "priority_options.gperf" + {"STATELESS_COMPRESSION", enable_stateless_compression}, +-#line 29 "priority_options.gperf" +- {"PROFILE_VERY_WEAK", enable_profile_very_weak}, +-#line 34 "priority_options.gperf" +- {"PROFILE_ULTRA", enable_profile_ultra}, 
++#line 28 "priority_options.gperf" ++ {"DISABLE_WILDCARDS", disable_wildcards}, ++#line 27 "priority_options.gperf" ++ {"FALLBACK_SCSV", enable_fallback_scsv}, + #line 16 "priority_options.gperf" + {"VERIFY_ALLOW_BROKEN", enable_verify_allow_broken}, +-#line 14 "priority_options.gperf" +- {"NO_SESSION_HASH", enable_no_ext_master_secret}, ++ {""}, + #line 25 "priority_options.gperf" +- {"DISABLE_SAFE_RENEGOTIATION", disable_safe_renegotiation}, ++ {"PARTIAL_RENEGOTIATION", enable_partial_safe_renegotiation}, ++#line 30 "priority_options.gperf" ++ {"PROFILE_VERY_WEAK", enable_profile_very_weak}, + #line 35 "priority_options.gperf" +- {"PROFILE_SUITEB128", enable_profile_suiteb128}, +-#line 23 "priority_options.gperf" +- {"SAFE_RENEGOTIATION", enable_safe_renegotiation}, ++ {"PROFILE_ULTRA", enable_profile_ultra}, ++#line 32 "priority_options.gperf" ++ {"PROFILE_LEGACY", enable_profile_legacy}, + #line 19 "priority_options.gperf" +- {"SSL3_RECORD_VERSION", enable_ssl3_record_version}, +-#line 22 "priority_options.gperf" +- {"UNSAFE_RENEGOTIATION", enable_unsafe_renegotiation}, +-#line 20 "priority_options.gperf" +- {"LATEST_RECORD_VERSION", enable_latest_record_version}, +-#line 36 "priority_options.gperf" +- {"PROFILE_SUITEB192", enable_profile_suiteb192}, +- {""}, {""}, +-#line 18 "priority_options.gperf" + {"VERIFY_DISABLE_CRL_CHECKS", disable_crl_checks}, +-#line 13 "priority_options.gperf" +- {"NO_ETM", enable_no_etm}, +-#line 21 "priority_options.gperf" ++#line 26 "priority_options.gperf" ++ {"DISABLE_SAFE_RENEGOTIATION", disable_safe_renegotiation}, ++#line 22 "priority_options.gperf" + {"VERIFY_ALLOW_X509_V1_CA_CRT", dummy_func}, + {""}, {""}, + #line 17 "priority_options.gperf" + {"VERIFY_ALLOW_SIGN_RSA_MD5", enable_verify_allow_rsa_md5}, +-#line 24 "priority_options.gperf" +- {"PARTIAL_RENEGOTIATION", enable_partial_safe_renegotiation}, ++#line 13 "priority_options.gperf" ++ {"NO_ETM", enable_no_etm}, ++#line 29 "priority_options.gperf" ++ 
{"SERVER_PRECEDENCE", enable_server_precedence}, ++ {""}, {""}, {""}, ++#line 21 "priority_options.gperf" ++ {"LATEST_RECORD_VERSION", enable_latest_record_version}, ++#line 36 "priority_options.gperf" ++ {"PROFILE_SUITEB128", enable_profile_suiteb128}, + {""}, {""}, {""}, {""}, + #line 37 "priority_options.gperf" +- {"NEW_PADDING", dummy_func}, +-#line 28 "priority_options.gperf" +- {"SERVER_PRECEDENCE", enable_server_precedence}, +- {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, +- {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, +- {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, +-#line 32 "priority_options.gperf" +- {"PROFILE_MEDIUM", enable_profile_medium} ++ {"PROFILE_SUITEB192", enable_profile_suiteb192}, ++ {""}, ++#line 33 "priority_options.gperf" ++ {"PROFILE_MEDIUM", enable_profile_medium}, ++ {""}, {""}, ++#line 18 "priority_options.gperf" ++ {"VERIFY_ALLOW_SIGN_WITH_SHA1", enable_verify_allow_sha1} + }; + + #ifdef __GNUC__ diff --git a/debian/patches/disable_global_init_override_test.patch b/debian/patches/disable_global_init_override_test.patch new file mode 100644 index 0000000000000000000000000000000000000000..9eb06d23901296ee42f2eee2d0a8b42eaf439b76 --- /dev/null +++ b/debian/patches/disable_global_init_override_test.patch @@ -0,0 +1,17 @@ +Description: disable failing test +Author: Marc Deslauriers <marc.deslauriers@canonical.com> +Forwarded: no + +Index: b/tests/Makefile.am +=================================================================== +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -90,7 +90,7 @@ ctests = mini-record-2 simple gc set_pkc + x509sign-verify2 mini-alignment oids atfork prf \ + status-request status-request-ok fallback-scsv pkcs8-key-decode \ + mini-session-verify-function auto-verify mini-x509-default-prio \ +- global-init-override pcert-list ++ pcert-list + + mini_dtls_pthread_LDADD = $(LDADD) -lpthread + 
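Review bot: The new enumerator `GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 = 1 << 15` in lib/includes/gnutls/x509.h leaves bit 14 unassigned in this tree, presumably to keep the value identical to upstream's numbering, but nothing in the header says so, and a later backport could reuse bit 14 for an unrelated flag or renumber this one. A one-line comment would pin that intent: `/* 1 << 14 is deliberately left unused so this value stays in sync with upstream */`. Note also that the check added to is_broken_allowed() compares `gnutls_sign_get_hash_algorithm(sig)` with `GNUTLS_DIG_SHA1`, so the flag applies to any signature algorithm whose digest is SHA1, not only RSA-SHA1; the x509.h doc line could say so, e.g. `Allow certificates to be signed using the broken SHA1 hash algorithm (with any signature algorithm)`.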
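Review bot: The DEP-3 header `Description: disable failing test` does not say why `global-init-override` fails on this build, so nobody can later tell when it is safe to restore it. Record the failure mode and a bug reference in the header, e.g. `Description: disable global-init-override test; fails because <reason — TODO fill in> (see <bug reference placeholder>)`. Since the test is dropped from `ctests` rather than marked as expected to fail, the coverage it provided is silently lost, which the debian/changelog entry should also state.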
diff --git a/debian/patches/fix_expired_certs.patch b/debian/patches/fix_expired_certs.patch new file mode 100644 index 0000000000000000000000000000000000000000..130915c0b160fe74630d2c8aa32d40bdf15ef10e --- /dev/null +++ b/debian/patches/fix_expired_certs.patch @@ -0,0 +1,34 @@ +From 47f25d9e08d4e102572804a2aed186b01db23c65 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Wed, 29 Jun 2016 17:31:13 +0200 +Subject: [PATCH] tests: use datefudge in name-constraints test + +This avoids the expiration of the used certificate to affect the test. +--- + tests/cert-tests/name-constraints | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +Index: gnutls28-3.4.10/tests/cert-tests/name-constraints +=================================================================== +--- gnutls28-3.4.10.orig/tests/cert-tests/name-constraints 2017-01-26 11:28:50.479152285 -0500 ++++ gnutls28-3.4.10/tests/cert-tests/name-constraints 2017-01-26 11:28:50.475152233 -0500 +@@ -27,7 +27,18 @@ + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + fi + +-${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/name-constraints-ip.pem" ++export TZ="UTC" ++ ++# Check for datefudge ++TSTAMP=`datefudge -s "2006-09-23" date -u +%s || true` ++if test "$TSTAMP" != "1158969600"; then ++ echo $TSTAMP ++ echo "You need datefudge to run this test" ++ exit 77 ++fi ++ ++datefudge -s "2016-04-22" \ ++ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/name-constraints-ip.pem" + rc=$? + + if test "${rc}" != "0"; then diff --git a/debian/patches/insecuresha1-1.patch b/debian/patches/insecuresha1-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..67e08b4d9e9c26a507d2b3cc5664b8f0b7007b4e --- /dev/null +++ b/debian/patches/insecuresha1-1.patch 
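Review bot: The probe `TSTAMP=\`datefudge -s "2006-09-23" date -u +%s || true\`` is compared against a bare magic epoch, and the probe date differs from the `2016-04-22` used for the real certtool run, which reads like a typo until one works out that the first only checks that datefudge is present. A comment would settle that: `# 1158969600 is 2006-09-23T00:00:00Z: this only checks that datefudge works; the real run below pins 2016-04-22 so the test certificate is still valid`. The `echo $TSTAMP` on the skip path should also be quoted, `echo "$TSTAMP"`, consistent with the quoting used elsewhere in the script.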
@@ -0,0 +1,29 @@
+Backport of:
+
+From 1d75e116b1681d0e6b140d7530e7f0403088da88 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Fri, 24 Feb 2017 08:35:34 +0100
+Subject: [PATCH] algorithms: tag SHA1 as insecure algorithm
+
+Although SHA1 was considered to be risky to use the past few years,
+there has been no demonstration of breakage. As of 2017-2-23 there has
+been a demonstrated collision in SHA1, and even though the attack was
+a costly one, it provided the incentive to should move SHA1 into
+the broken hashes list together with MD5 and MD2.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/algorithms/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/algorithms/mac.c
++++ b/lib/algorithms/mac.c
+@@ -26,7 +26,7 @@
+ #include <x509/common.h>
+ 
+ static const mac_entry_st hash_algorithms[] = {
+- {"SHA1", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20, 20, 0, 0, 1, 64},
++ {"SHA1", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20, 20, 0, 0, 0, 64},
+ {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5, 16, 16, 0, 0, 0, 64},
+ {"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1,
+ 64},
diff --git a/debian/patches/insecuresha1-10.patch b/debian/patches/insecuresha1-10.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2b7d43a16e9aebdc65e792666add9b6a7b489546
--- /dev/null
+++ b/debian/patches/insecuresha1-10.patch
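Review bot: The change flips the eighth positional field of the SHA1 entry in `hash_algorithms[]` from 1 to 0 without naming it, so a reader has to count fields against `mac_entry_st` to learn which flag is meant (apparently the `secure` flag, judging by `entry->secure` in insecuresha1-12.patch); a trailing comment on the new line, `/* secure = 0: SHA1 joins the broken set */`, would make the intent obvious. Also, insecuresha1-10.patch (the next file) edits the same table using designated initializers (`.slevel = _INSECURE_FOR_CERTS`, `{.name = "MAC-NULL", ...}`), whereas this patch sees it in positional form; unless a patch between them in the series converts the table, one of the two cannot apply cleanly, so the series order and the intermediate patches are worth confirming.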
@@ -0,0 +1,25 @@
+From 8958a7a10ce309c5603e618dcd2b9329714c93b5 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Thu, 20 Jul 2017 14:43:20 +0200
+Subject: [PATCH] algorithms/mac: marked RIPEMD160 as insecure for certificates
+
+This is an algorithm which is not really used in Internet PKI
+and due to that has seen no public cryptanalysis. As such
+we disable it for certificate verification to prevent it from
+being used as an attack vector.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/algorithms/mac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/algorithms/mac.c
++++ b/lib/algorithms/mac.c
+@@ -93,6 +93,7 @@ static const mac_entry_st hash_algorithm
+ .id = GNUTLS_MAC_RMD160,
+ .output_size = 20,
+ .key_size = 20,
++ .slevel = _INSECURE_FOR_CERTS,
+ .block_size = 64},
+ {.name = "MAC-NULL",
+ .id = GNUTLS_MAC_NULL},
diff --git a/debian/patches/insecuresha1-11.patch b/debian/patches/insecuresha1-11.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eed8c202a849d8765e7f1e506d99456b15c3f17d
--- /dev/null
+++ b/debian/patches/insecuresha1-11.patch
@@ -0,0 +1,35 @@ +Backport of: + +From d5ee107005a1b5faa998f72076530acc58b2754d Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Fri, 21 Jul 2017 10:05:44 +0200 +Subject: [PATCH] updated auto-generated files + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + doc/Makefile.am | 2 ++ + doc/manpages/Makefile.am | 1 + + symbols.last | 1 + + 3 files changed, 4 insertions(+) + +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -1913,6 +1913,8 @@ FUNCS += functions/gnutls_sign_get_pk_al + FUNCS += functions/gnutls_sign_get_pk_algorithm.short + FUNCS += functions/gnutls_sign_is_secure + FUNCS += functions/gnutls_sign_is_secure.short ++FUNCS += functions/gnutls_sign_is_secure2 ++FUNCS += functions/gnutls_sign_is_secure2.short + FUNCS += functions/gnutls_sign_list + FUNCS += functions/gnutls_sign_list.short + FUNCS += functions/gnutls_srp_allocate_client_credentials +--- a/doc/manpages/Makefile.am ++++ b/doc/manpages/Makefile.am +@@ -744,6 +744,7 @@ APIMANS += gnutls_sign_get_name.3 + APIMANS += gnutls_sign_get_oid.3 + APIMANS += gnutls_sign_get_pk_algorithm.3 + APIMANS += gnutls_sign_is_secure.3 ++APIMANS += gnutls_sign_is_secure2.3 + APIMANS += gnutls_sign_list.3 + APIMANS += gnutls_srp_allocate_client_credentials.3 + APIMANS += gnutls_srp_allocate_server_credentials.3 diff --git a/debian/patches/insecuresha1-12.patch b/debian/patches/insecuresha1-12.patch new file mode 100644 index 0000000000000000000000000000000000000000..8aed2913a04aac6be33c075248f7d28f01ed7a71 --- /dev/null +++ b/debian/patches/insecuresha1-12.patch 
@@ -0,0 +1,27 @@
+Backport of:
+
+From 10ebf799f12d331b4e28336deeff6f13a39c0e87 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Fri, 24 Feb 2017 09:09:10 +0100
+Subject: [PATCH] is_level_acceptable: no longer checks for broken algorithms
+
+This is done at is_broken_allowed(), and in fact checking them in
+is_level_acceptable() creates a conflict when overrides like flag
+GNUTLS_VERIFY_ALLOW_BROKEN is used.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/x509/verify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -403,7 +403,7 @@ int is_broken_allowed(gnutls_sign_algori
+ _gnutls_debug_log(#level": certificate's signature hash is unknown\n"); \
+ return gnutls_assert_val(0); \
+ } \
+- if (entry->secure == 0 || entry->output_size*8/2 < sym_bits) { \
++ if (entry->output_size*8/2 < sym_bits) { \
+ _gnutls_debug_log(#level": certificate's signature hash strength is unacceptable (is %u bits, needed %u)\n", entry->output_size*8/2, sym_bits); \
+ return gnutls_assert_val(0); \
+ } \
diff --git a/debian/patches/insecuresha1-13.patch b/debian/patches/insecuresha1-13.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dcc428a7e44ba3cfed4447f7d2bf484d4c5fe10c
--- /dev/null
+++ b/debian/patches/insecuresha1-13.patch
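Review bot: Dropping `entry->secure == 0` from the condition means the level check in this macro no longer rejects a broken digest on its own; the commit message says that is now is_broken_allowed()'s job, but nothing at the macro records that dependency, and the code that sequences the two checks is outside this hunk. A comment on the new line, `/* broken digests are rejected by is_broken_allowed(); only the strength-vs-profile check remains here */`, would keep the two from drifting apart. The `_INSECURE_FOR_CERTS` level introduced elsewhere in this series (see insecuresha1-10.patch) suggests the final semantics are per-use rather than a single `secure` bit, so it is worth confirming that this path still honours that level for certificate signatures.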
@@ -0,0 +1,30 @@
+From f20525b5eac8adff2926bc9c0ee8ab98940680e8 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Fri, 24 Feb 2017 08:46:01 +0100
+Subject: [PATCH] verify: is_broken_allowed: account for "new" flag
+ GNUTLS_VERIFY_ALLOW_BROKEN
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/x509/verify.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -385,12 +385,16 @@ static unsigned int check_time_status(gn
+ static
+ int is_broken_allowed(gnutls_sign_algorithm_t sig, unsigned int flags)
+ {
++ /* the first two are for backwards compatibility */
+ if ((sig == GNUTLS_SIGN_RSA_MD2)
+ && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2))
+ return 1;
+ if ((sig == GNUTLS_SIGN_RSA_MD5)
+ && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5))
+ return 1;
++ /* we no longer have individual flags - but rather a catch all */
++ if ((flags & GNUTLS_VERIFY_ALLOW_BROKEN) == GNUTLS_VERIFY_ALLOW_BROKEN)
++ return 1;
+ return 0;
+ }
+ 
diff --git a/debian/patches/insecuresha1-14.patch b/debian/patches/insecuresha1-14.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f1e20d1ad203311ae7b95e195819d95e69e1897c
--- /dev/null
+++ b/debian/patches/insecuresha1-14.patch
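Review bot: The comparison `(flags & GNUTLS_VERIFY_ALLOW_BROKEN) == GNUTLS_VERIFY_ALLOW_BROKEN` reads as a multi-bit mask test (every bit of the constant must be set), which is a different contract from the single-bit `flags & X` checks just above it, and the new comment `/* we no longer have individual flags - but rather a catch all */` is contradicted by the two individual checks kept in the same function. Rewording it to say what the test actually does, `/* GNUTLS_VERIFY_ALLOW_BROKEN is a mask: require all of its bits, not any one */`, would avoid the confusion. The wording is reworked again by allow_sha1_priority_string.patch, which moves this check to the top of the function, so the comment should be consistent across both patches.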
@@ -0,0 +1,62 @@ +From 2c452107b3876c6e76726bd95962c3c10e50d8e0 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Fri, 24 Feb 2017 09:24:19 +0100 +Subject: [PATCH] gnutls_ocsp_resp_verify_direct, gnutls_ocsp_resp_verify: + defined flags argument + +That was defined to be gnutls_certificate_verify_flags, and +it allows passing verification flags, such as flags to allow +broken algorithms. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/x509/ocsp.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/lib/x509/ocsp.c ++++ b/lib/x509/ocsp.c +@@ -1981,7 +1981,7 @@ _ocsp_resp_verify_direct(gnutls_ocsp_res + goto done; + } + +- rc = gnutls_pubkey_verify_data2(pubkey, sigalg, 0, &data, &sig); ++ rc = gnutls_pubkey_verify_data2(pubkey, sigalg, flags, &data, &sig); + if (rc == GNUTLS_E_PK_SIG_VERIFY_FAILED) { + gnutls_assert(); + *verify = GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE; +@@ -2052,7 +2052,7 @@ static int check_ocsp_purpose(gnutls_x50 + * @resp: should contain a #gnutls_ocsp_resp_t type + * @issuer: certificate believed to have signed the response + * @verify: output variable with verification status, an #gnutls_ocsp_verify_reason_t +- * @flags: verification flags, 0 for now. ++ * @flags: verification flags from #gnutls_certificate_verify_flags + * + * Verify signature of the Basic OCSP Response against the public key + * in the @issuer certificate. 
+@@ -2091,7 +2091,7 @@ gnutls_ocsp_resp_verify_direct(gnutls_oc + + unsigned int vtmp; + +- rc = gnutls_x509_crt_verify(signercert, &issuer, 1, 0, ++ rc = gnutls_x509_crt_verify(signercert, &issuer, 1, flags, + &vtmp); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); +@@ -2128,7 +2128,7 @@ gnutls_ocsp_resp_verify_direct(gnutls_oc + * @resp: should contain a #gnutls_ocsp_resp_t type + * @trustlist: trust anchors as a #gnutls_x509_trust_list_t type + * @verify: output variable with verification status, an #gnutls_ocsp_verify_reason_t +- * @flags: verification flags, 0 for now. ++ * @flags: verification flags from #gnutls_certificate_verify_flags + * + * Verify signature of the Basic OCSP Response against the public key + * in the certificate of a trusted signer. The @trustlist should be +@@ -2210,7 +2210,7 @@ gnutls_ocsp_resp_verify(gnutls_ocsp_resp + rc = gnutls_x509_trust_list_verify_crt2(trustlist, + &signercert, 1, + &vdata, 1, +- 0, &vtmp, NULL); ++ flags, &vtmp, NULL); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto done; diff --git a/debian/patches/insecuresha1-15.patch b/debian/patches/insecuresha1-15.patch new file mode 100644 index 0000000000000000000000000000000000000000..cd08084538d99e0ccbd3e1ac41c417551dfbc3c9 --- /dev/null +++ b/debian/patches/insecuresha1-15.patch 
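Review bot: Forwarding `flags` into `gnutls_pubkey_verify_data2`, `gnutls_x509_crt_verify` and `gnutls_x509_trust_list_verify_crt2` turns a parameter that the public API documented as `0 for now` into one that changes signature-verification policy, so any caller that was already passing a non-zero value gets different OCSP verification behaviour after this update. The new `@flags` doc lines should say so explicitly, e.g. `@flags: verification flags from #gnutls_certificate_verify_flags (previously ignored; now honoured)`, and the debian/changelog entry for this series is the place to mention the behaviour change. `_ocsp_resp_verify_direct` starts outside the first hunk, so it is assumed rather than shown that its `flags` parameter already carries the caller's value.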
@@ -0,0 +1,49 @@ +From d766bb305afd9ba3006d87aa7aa9d2af91715364 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Fri, 24 Feb 2017 08:57:27 +0100 +Subject: [PATCH] gnutls_store_commitment: introduced flag + GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN + +This flag allows operation of the function even with broken algorithms. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/includes/gnutls/gnutls.h.in | 1 + + lib/verify-tofu.c | 7 +++++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/lib/includes/gnutls/gnutls.h.in ++++ b/lib/includes/gnutls/gnutls.h.in +@@ -2210,6 +2210,7 @@ int gnutls_verify_stored_pubkey(const ch + const gnutls_datum_t * cert, + unsigned int flags); + ++#define GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN 1 + int gnutls_store_commitment(const char *db_name, + gnutls_tdb_t tdb, + const char *host, +--- a/lib/verify-tofu.c ++++ b/lib/verify-tofu.c +@@ -615,7 +615,7 @@ gnutls_store_pubkey(const char *db_name, + * @hash_algo: The hash algorithm type + * @hash: The raw hash + * @expiration: The expiration time (use 0 to disable expiration) +- * @flags: should be 0. ++ * @flags: should be 0 or %GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. + * + * This function will store the provided hash commitment to + * the list of stored public keys. The key with the given +@@ -645,9 +645,12 @@ gnutls_store_commitment(const char *db_n + char local_file[MAX_FILENAME]; + const mac_entry_st *me = hash_to_entry(hash_algo); + +- if (me == NULL || _gnutls_digest_is_secure(me) == 0) ++ if (me == NULL) + return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + ++ if (!(flags & GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN) && _gnutls_digest_is_secure(me) == 0) ++ return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); ++ + if (_gnutls_hash_get_algo_len(me) != hash->size) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + 
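Review bot: `#define GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN 1` is added to the public header without a doc comment, unlike the surrounding API, so the generated documentation will not describe it; a comment above the define, `/* gnutls_store_commitment(): accept a commitment made with a digest that is no longer considered secure */`, would fix that. The insecure-digest case also changes its error from `GNUTLS_E_ILLEGAL_PARAMETER` to `GNUTLS_E_INSUFFICIENT_SECURITY`, which is an observable API change for existing callers and should be noted in the function's return-value documentation (outside this hunk) and in the changelog.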
diff --git a/debian/patches/insecuresha1-16.patch b/debian/patches/insecuresha1-16.patch
new file mode 100644
index 0000000000000000000000000000000000000000..12806d415ac9683b0e1b6a756086f0206758a43d
--- /dev/null
+++ b/debian/patches/insecuresha1-16.patch
@@ -0,0 +1,90 @@ +From 8ee8a53bef77be018c4eeb261309846f261a35c8 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Thu, 31 Mar 2016 16:58:37 +0200 +Subject: [PATCH] certtool: added flag to allow verification using broken + algorithms + +--- + src/certtool-args.def | 6 ++++++ + src/certtool.c | 19 +++++++++++++++---- + 2 files changed, 21 insertions(+), 4 deletions(-) + +--- a/src/certtool-args.def ++++ b/src/certtool-args.def +@@ -111,6 +111,12 @@ flag = { + }; + + flag = { ++ name = verify-allow-broken; ++ descrip = "Allow broken algorithms, such as MD5 for verification"; ++ doc = "This can be combined with --p7-verify, --verify or --verify-chain."; ++}; ++ ++flag = { + name = generate-dh-params; + descrip = "Generate PKCS #3 encoded Diffie-Hellman parameters"; + doc = ""; +--- a/src/certtool.c ++++ b/src/certtool.c +@@ -2465,6 +2465,7 @@ _verify_x509_mem(const void *cert, int c + unsigned int x509_ncerts, x509_ncrls = 0, x509_ncas = 0; + gnutls_x509_trust_list_t list; + unsigned int output; ++ unsigned vflags; + + ret = gnutls_x509_trust_list_init(&list, 0); + if (ret < 0) { +@@ -2571,6 +2572,12 @@ _verify_x509_mem(const void *cert, int c + fprintf(stdout, "Loaded %d certificates, %d CAs and %d CRLs\n\n", + x509_ncerts, x509_ncas, x509_ncrls); + ++ vflags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME; ++ ++ if (HAVE_OPT(VERIFY_ALLOW_BROKEN)) ++ vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; ++ ++ + if (purpose || hostname || email) { + gnutls_typed_vdata_st vdata[2]; + unsigned vdata_size = 0; +@@ -2599,14 +2606,14 @@ _verify_x509_mem(const void *cert, int c + x509_ncerts, + vdata, + vdata_size, +- GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, ++ vflags, + &output, + detailed_verification); + } else { + ret = + gnutls_x509_trust_list_verify_crt(list, x509_cert_list, + x509_ncerts, +- GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, ++ vflags, + &output, + detailed_verification); + } +@@ -2895,6 +2902,7 @@ void verify_pkcs7(common_info_st * cinfo + gnutls_typed_vdata_st vdata[2]; + 
unsigned vdata_size = 0; + gnutls_x509_crt_t signer = NULL; ++ unsigned flags = 0; + + ret = gnutls_pkcs7_init(&pkcs7); + if (ret < 0) { +@@ -2983,10 +2991,13 @@ void verify_pkcs7(common_info_st * cinfo + + gnutls_pkcs7_signature_info_deinit(&info); + ++ if (HAVE_OPT(VERIFY_ALLOW_BROKEN)) ++ flags |= GNUTLS_VERIFY_ALLOW_BROKEN; ++ + if (signer) +- ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, 0); ++ ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags); + else +- ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, 0); ++ ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags); + if (ret < 0) { + fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret)); + ecode = 1; diff --git a/debian/patches/insecuresha1-2.patch b/debian/patches/insecuresha1-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..e19fe6ab1515cc1b39793e75319f07d8dab24975 --- /dev/null +++ b/debian/patches/insecuresha1-2.patch 
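Review bot: The option help `descrip = "Allow broken algorithms, such as MD5 for verification";` predates this series moving SHA1 into the broken set, so the most likely reason a user now needs `--verify-allow-broken` is not mentioned; `descrip = "Allow broken algorithms, such as MD5 or SHA1, for verification";` (with matching `doc` text) would make the impact clear. In `_verify_x509_mem` the `vflags` setup is followed by two blank lines, and the same `HAVE_OPT(VERIFY_ALLOW_BROKEN)` block is repeated in `verify_pkcs7`; a small static helper that returns the verify flags would keep the two in step if further flags are added. `verify_pkcs7` continues past the end of the hunk.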
@@ -0,0 +1,325 @@ +Backport of: + +From b26a40b616a90ab6af9408cabf228bdec2e15b69 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Fri, 24 Feb 2017 09:42:26 +0100 +Subject: [PATCH] tests: updated to account SHA1 move to broken set + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + tests/cert-tests/aki | 2 +- + tests/cert-tests/certtool-long-oids | 4 ++-- + tests/cert-tests/name-constraints | 4 ++-- + tests/cert-tests/pathlen | 2 +- + tests/cert-tests/pem-decoding | 2 +- + tests/cert-tests/pkcs1-pad | 4 ++-- + tests/cert-tests/pkcs7-cat | 2 +- + tests/chainverify-unsorted.c | 2 +- + tests/cve-2008-4989.c | 2 +- + tests/dn2.c | 2 +- + tests/mini-tdb.c | 2 +- + tests/ocsp.c | 16 +++++++------ + tests/suite/chain.sh | 2 +- + tests/suite/crl-test | 2 +- + tests/suite/pkcs7-cat | 4 ++-- + tests/test-chains.h | 36 ++++++++++++++--------------- + tests/x509cert-tl.c | 4 ++-- + 17 files changed, 47 insertions(+), 45 deletions(-) + +--- a/tests/cert-tests/aki ++++ b/tests/cert-tests/aki +@@ -30,7 +30,7 @@ if ! test -z "${VALGRIND}"; then + fi + + ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/aki-cert.pem" \ +- |grep -v "Algorithm Security Level" > tmp-aki.pem ++ |grep -v "Algorithm Security Level"|grep -v ^warning > tmp-aki.pem + rc=$? + + if test "${rc}" != "0"; then +--- a/tests/cert-tests/name-constraints ++++ b/tests/cert-tests/name-constraints +@@ -38,7 +38,7 @@ if test "$TSTAMP" != "1158969600"; then + fi + + datefudge -s "2016-04-22" \ +- ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/name-constraints-ip.pem" ++ ${VALGRIND} "${CERTTOOL}" --verify-allow-broken -e --infile "${srcdir}/name-constraints-ip.pem" + rc=$? + + if test "${rc}" != "0"; then +--- a/tests/cert-tests/pathlen ++++ b/tests/cert-tests/pathlen +@@ -30,7 +30,7 @@ if ! 
test -z "${VALGRIND}"; then + fi + + ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/ca-no-pathlen.pem" \ +- |grep -v "Algorithm Security Level" > new-ca-no-pathlen.pem ++ |grep -v "Algorithm Security Level"|grep -v ^warning > new-ca-no-pathlen.pem + rc=$? + + if test "${rc}" != "0"; then +--- a/tests/cert-tests/pem-decoding ++++ b/tests/cert-tests/pem-decoding +@@ -87,7 +87,7 @@ fi + + cat "${srcdir}/xmpp-othername.pem" |grep -v "Not After:" >tmp1 + cat tmp-pem.pem |grep -v "Not After:" >tmp2 +-${DIFF} tmp1 tmp2 || ${DIFF} --strip-trailing-cr tmp1 tmp2 ++${DIFF} -I ^warning tmp1 tmp2 || ${DIFF} --strip-trailing-cr tmp1 tmp2 + rc=$? + + if test "${rc}" != "0"; then +--- a/tests/pkcs1-padding/pkcs1-pad ++++ b/tests/pkcs1-padding/pkcs1-pad +@@ -39,8 +39,8 @@ fi + + EXPECT1=2002 + +-datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/pkcs1-pad-ok.pem" | tee out1 >/dev/null 2>&1 +-datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/pkcs1-pad-broken.pem" | tee out2 >/dev/null 2>&1 ++datefudge "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/pkcs1-pad-ok.pem" | tee out1 >/dev/null 2>&1 ++datefudge "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/pkcs1-pad-broken.pem" | tee out2 >/dev/null 2>&1 + + out1oks=`grep 'Verified.' out1 | wc -l | tr -d " "` + out2oks=`grep 'Verified.' 
out2 | wc -l | tr -d " "` +--- a/tests/chainverify-unsorted.c ++++ b/tests/chainverify-unsorted.c +@@ -603,7 +603,7 @@ void doit(void) + gnutls_x509_crt_t *crts; + unsigned int crts_size, i; + gnutls_x509_trust_list_t tl; +- unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN; ++ unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN|GNUTLS_VERIFY_ALLOW_BROKEN; + unsigned int not_flags = GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN; + + /* this must be called once in the program +--- a/tests/cve-2008-4989.c ++++ b/tests/cve-2008-4989.c +@@ -202,7 +202,7 @@ int main(int argc, char *argv[]) + ret = gnutls_x509_crt_list_verify(certs, CHAIN_LENGTH, + &ca, 1, + NULL, 0, +- GNUTLS_VERIFY_DISABLE_TIME_CHECKS, ++ GNUTLS_VERIFY_DISABLE_TIME_CHECKS|GNUTLS_VERIFY_ALLOW_BROKEN, + &verify_status); + if (ret < 0) { + fprintf(stderr, "gnutls_x509_crt_list_verify[%d]: %s", +--- a/tests/dn2.c ++++ b/tests/dn2.c +@@ -64,7 +64,7 @@ static char pem[] = + "/do1TDFI0vSl5+M=\n" "-----END CERTIFICATE-----\n"; + + static const char *info = +- "subject `jurisdictionOfIncorporationCountryName=DE,jurisdictionOfIncorporationLocalityName=Muenchen,businessCategory=V1.0\\, Clause 5.(b),serialNumber=HRB 144261,C=DE,postalCode=80807,ST=Bavaria,L=Muenchen,street=Frankfurter Ring 129,O=GMX GmbH,CN=www.gmx.de', issuer `C=US,O=VeriSign\\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA', RSA key 1024 bits, signed using RSA-SHA1, activated `2008-11-13 00:00:00 UTC', expires `2009-11-13 23:59:59 UTC', SHA-1 fingerprint `7ece297c45d5b17685224b4e929a30e91a9553cb'"; ++ "subject `jurisdictionOfIncorporationCountryName=DE,jurisdictionOfIncorporationLocalityName=Muenchen,businessCategory=V1.0\\, Clause 5.(b),serialNumber=HRB 144261,C=DE,postalCode=80807,ST=Bavaria,L=Muenchen,street=Frankfurter Ring 129,O=GMX GmbH,CN=www.gmx.de', issuer `C=US,O=VeriSign\\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at 
https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA', RSA key 1024 bits, signed using RSA-SHA1 (broken!), activated `2008-11-13 00:00:00 UTC', expires `2009-11-13 23:59:59 UTC', SHA-1 fingerprint `7ece297c45d5b17685224b4e929a30e91a9553cb'"; + + void doit(void) + { +--- a/tests/mini-tdb.c ++++ b/tests/mini-tdb.c +@@ -116,7 +116,7 @@ void doit(void) + + /* verify whether the stored hash verification succeeeds */ + ret = gnutls_store_commitment(TMP_FILE, NULL, "localhost", "https", +- GNUTLS_DIG_SHA1, &hash, 0, 0); ++ GNUTLS_DIG_SHA1, &hash, 0, GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN); + if (ret != 0) { + fail("commitment storage: %s\n", gnutls_strerror(ret)); + goto fail; +--- a/tests/ocsp.c ++++ b/tests/ocsp.c +@@ -110,6 +110,7 @@ static const gnutls_datum_t resp1 = + " Extensions:\n" \ + " Nonce: 16897d913ab525a445fec9fdc2e508a4\n" \ + " Signature Algorithm: RSA-SHA1\n" \ ++ "warning: signed using a broken signature algorithm that can be forged.\n" \ + " Signature:\n" \ + " 4e:ad:6b:2b:f7:f2:bf:a9:23:1e:3a:0b:06:db:55:53\n" \ + " 2b:64:54:11:32:bf:60:f7:4f:e0:8e:9b:a0:a2:4c:79\n" \ +@@ -151,6 +152,7 @@ static const gnutls_datum_t resp2 = + " Next Update: Thu Sep 11 06:04:00 UTC 2014\n" \ + " Extensions:\n" \ + " Signature Algorithm: RSA-SHA1\n" \ ++"warning: signed using a broken signature algorithm that can be forged.\n" \ + " Signature:\n" \ + " 6e:5e:5e:81:ff:3f:4d:c7:53:c7:1b:f3:d3:1d:dc:9a\n" \ + " c7:ce:77:2c:67:56:13:98:91:02:01:76:dc:48:b2:1f\n" \ +@@ -1406,7 +1408,7 @@ static void resp_verify(void) + + /* check direct verify with signer (should succeed) */ + +- ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, 0); ++ ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify_direct (signer) %d\n", ret); + exit(1); +@@ -1419,7 +1421,7 @@ static void resp_verify(void) + + /* check direct verify with cert (should fail) */ + +- ret = 
gnutls_ocsp_resp_verify_direct(resp, cert, &verify, 0); ++ ret = gnutls_ocsp_resp_verify_direct(resp, cert, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify_direct (cert) %d\n", ret); + exit(1); +@@ -1444,7 +1446,7 @@ static void resp_verify(void) + exit(1); + } + +- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0); ++ ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret); + exit(1); +@@ -1471,7 +1473,7 @@ static void resp_verify(void) + exit(1); + } + +- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0); ++ ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret); + exit(1); +@@ -1498,7 +1500,7 @@ static void resp_verify(void) + exit(1); + } + +- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0); ++ ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret); + exit(1); +@@ -1537,7 +1539,7 @@ static void resp_verify(void) + exit(1); + } + +- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0); ++ ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret); + exit(1); +@@ -1597,7 +1599,7 @@ static void long_resp_check(void) + + /* check direct verify with signer (should succeed) */ + +- ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, 0); ++ ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify_direct (signer) %d\n", ret); + exit(1); +--- a/tests/test-chains.h ++++ b/tests/test-chains.h +@@ -1697,16 +1697,16 @@ static struct + 0, + GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL, 1412850586}, + { "CVE-2008-4989", cve_2008_4989_chain, 
&cve_2008_4989_chain[2], +- 0, ++ GNUTLS_VERIFY_ALLOW_BROKEN, + GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL}, + { "amazon.com ok", verisign_com_chain_g5, &verisign_com_chain_g5[4], +- GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW), ++ GNUTLS_VERIFY_ALLOW_BROKEN | GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW), + 0, NULL}, + { "verisign.com v1 fail", verisign_com_chain, &verisign_com_chain[3], +- 0, ++ GNUTLS_VERIFY_ALLOW_BROKEN, + GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL}, + { "verisign.com v1 ok", verisign_com_chain, &verisign_com_chain[3], +- GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW), ++ GNUTLS_VERIFY_ALLOW_BROKEN | GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW), + 0, NULL}, + { "verisign.com v1 not ok due to profile", verisign_com_chain, &verisign_com_chain[3], + GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY), +@@ -1715,23 +1715,23 @@ static struct + GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH), + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL}, + { "citibank.com v1 fail", citibank_com_chain, &citibank_com_chain[2], +- GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL}, ++ GNUTLS_VERIFY_ALLOW_BROKEN | GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL}, + { "expired self signed", pem_self_cert, &pem_self_cert[0], + 0, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL}, + { "self signed", pem_self_cert, &pem_self_cert[0], + GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, NULL}, + { "ca=false", thea_chain, &thea_chain[1], +- 0, ++ GNUTLS_VERIFY_ALLOW_BROKEN, + GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL}, + { "ca=false2", thea_chain, &thea_chain[1], +- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL}, 
++ GNUTLS_VERIFY_ALLOW_BROKEN, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL}, + { "hbci v1 fail", hbci_chain, &hbci_chain[2], +- GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL}, ++ GNUTLS_VERIFY_ALLOW_BROKEN | GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL}, + { "hbci v1 ok expired", hbci_chain, &hbci_chain[2], +- 0, ++ GNUTLS_VERIFY_ALLOW_BROKEN, + GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL}, + { "hbci v1 ok", hbci_chain, &hbci_chain[2], +- GNUTLS_VERIFY_DISABLE_TIME_CHECKS, ++ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_DISABLE_TIME_CHECKS, + 0, NULL}, + { "rsa-md5 fail", mayfirst_chain, &mayfirst_chain[1], + GNUTLS_VERIFY_DISABLE_TIME_CHECKS, +@@ -1745,7 +1745,7 @@ static struct + { "rsa-md5 ok", mayfirst_chain, &mayfirst_chain[1], + GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0, NULL}, + { "v1ca fail", v1ca, &v1ca[2], +- GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL}, ++ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL}, + + { "pathlen fail", pathlen_check, &pathlen_check[2], + GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT | GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL}, +@@ -1763,26 +1763,26 @@ static struct + GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, NULL}, + + { "v1ca expired", v1ca, &v1ca[2], +- 0, ++ GNUTLS_VERIFY_ALLOW_BROKEN, + GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID , NULL}, + { "v1ca ok", v1ca, &v1ca[2], +- GNUTLS_VERIFY_DISABLE_TIME_CHECKS, ++ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_DISABLE_TIME_CHECKS, + 0, NULL}, + { "v1ca2 expired", v1ca, &v1ca[2], +- GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, ++ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, + GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL}, + { "v1ca2 ok", v1ca, &v1ca[2], 
+- GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, ++ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, + 0, NULL}, + { "cacertrsamd5 fail", cacertrsamd5, &cacertrsamd5[2], + 0, GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL}, + { "cacertrsamd5 ok", cacertrsamd5, &cacertrsamd5[2], +- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0, NULL}, ++ GNUTLS_VERIFY_ALLOW_BROKEN, 0, NULL}, + { "cacertrsamd5 short-cut not ok", cacertrsamd5, &cacertrsamd5[0], + GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, + GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL}, + { "cacertrsamd5 short-cut ok", cacertrsamd5, &cacertrsamd5[1], +- 0, 0, NULL}, ++ GNUTLS_VERIFY_ALLOW_BROKEN, 0, NULL}, + { "ecc cert ok", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH), 0, NULL}, + { "ecc cert ok", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB128), 0, NULL}, + { "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), +@@ -1793,7 +1793,7 @@ static struct + { "name constraints chain bad1", nc_bad1, &nc_bad1[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586}, + { "name constraints chain bad2", nc_bad2, &nc_bad2[4], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586}, + { "name constraints chain bad3", nc_bad3, &nc_bad3[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586}, +- { "not-modified", modified2, &modified2[3], 0, 0, NULL, 1412850586}, ++ { "not-modified", modified2, &modified2[3], GNUTLS_VERIFY_ALLOW_BROKEN, 0, NULL, 1412850586}, + { "kp-interm", kp_fail1, &kp_fail1[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER, 1412850586}, + { "kp-fin", kp_fail2, &kp_fail2[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER, 1412850586}, + { 
"kp-ok", kp_ok, &kp_ok[3], 0, 0, GNUTLS_KP_OCSP_SIGNING, 1412850586}, +--- a/tests/x509cert-tl.c ++++ b/tests/x509cert-tl.c +@@ -299,7 +299,7 @@ void doit(void) + fail("gnutls_x509_trust_list_add_trust_dir: %d\n", ret); + + ret = +- gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, 0, ++ gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, GNUTLS_VERIFY_ALLOW_BROKEN, + &status, NULL); + if (ret < 0 || status != 0) + fail("gnutls_x509_trust_list_verify_crt\n"); diff --git a/debian/patches/insecuresha1-3.patch b/debian/patches/insecuresha1-3.patch new file mode 100644 index 0000000000000000000000000000000000000000..89cf53b6b8339f87498cbdc0e7d8d244b5363d62 --- /dev/null +++ b/debian/patches/insecuresha1-3.patch 
@@ -0,0 +1,68 @@ +Backport of: + +From c020faada2688515f8a7c90ab95f8d5b0b3b82ae Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Mon, 13 Mar 2017 17:00:22 +0100 +Subject: [PATCH] Allow reverting the SHA1 ban as a signature algorithm + +This allows distributors to decide not to ban SHA1. This +option may be removed in the future. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + configure.ac | 1 + + lib/algorithms/mac.c | 8 +++++++- + m4/hooks.m4 | 14 ++++++++++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -942,6 +942,7 @@ AC_MSG_NOTICE([Optional features: + if features are disabled) + + DTLS-SRTP support: $ac_enable_srtp ++ Allow SHA1 sign: $ac_allow_sha1 + ALPN support: $ac_enable_alpn + OCSP support: $ac_enable_ocsp + Ses. ticket support: $ac_enable_session_tickets +--- a/lib/algorithms/mac.c ++++ b/lib/algorithms/mac.c +@@ -25,8 +25,14 @@ + #include <gnutls_errors.h> + #include <x509/common.h> + ++#ifdef ALLOW_SHA1 ++# define SHA1_SECURE_VAL 1 ++#else ++# define SHA1_SECURE_VAL 0 ++#endif ++ + static const mac_entry_st hash_algorithms[] = { +- {"SHA1", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20, 20, 0, 0, 0, 64}, ++ {"SHA1", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20, 20, 0, 0, SHA1_SECURE_VAL, 64}, + {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5, 16, 16, 0, 0, 0, 64}, + {"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1, + 64}, +--- a/m4/hooks.m4 ++++ b/m4/hooks.m4 +@@ -140,6 +140,20 @@ LIBTASN1_MINIMUM=4.3 + AC_MSG_WARN([C99 macros not supported. 
This may affect compiling.]) + ]) + ++ ac_allow_sha1=no ++ AC_MSG_CHECKING([whether to allow SHA1 as an acceptable hash for digital signatures]) ++ AC_ARG_ENABLE(sha1-support, ++ AS_HELP_STRING([--enable-sha1-support], ++ [allow SHA1 as an acceptable hash for digital signatures]), ++ ac_allow_sha1=$enableval) ++ if test x$ac_allow_sha1 != xno; then ++ AC_MSG_RESULT(no) ++ AC_DEFINE([ALLOW_SHA1], 1, [allow SHA1 as an acceptable hash for digital signatures]) ++ else ++ AC_MSG_RESULT(yes) ++ fi ++ AM_CONDITIONAL(ALLOW_SHA1, test "$ac_allow_sha1" != "no") ++ + ac_enable_srtp=yes + AC_MSG_CHECKING([whether to disable DTLS-SRTP extension]) + AC_ARG_ENABLE(dtls-srtp-support, diff --git a/debian/patches/insecuresha1-4.patch b/debian/patches/insecuresha1-4.patch new file mode 100644 index 0000000000000000000000000000000000000000..28b891f95fbfdd02aec86aa2200e8b016fec78e5 --- /dev/null +++ b/debian/patches/insecuresha1-4.patch 
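Review bot: The configure result printed for the new SHA1 option in m4/hooks.m4 is inverted: the branch taken when `ac_allow_sha1 != no` — the one that defines ALLOW_SHA1 — prints `AC_MSG_RESULT(no)`, and the else branch prints `yes`, so a build configured with `--enable-sha1-support` answers "no" to "whether to allow SHA1 ..." while actually allowing it. Swap them: `AC_MSG_RESULT(yes)` before the `AC_DEFINE` and `AC_MSG_RESULT(no)` in the else branch; the `Allow SHA1 sign: $ac_allow_sha1` summary line added to configure.ac reads the variable directly and is already correct. Since this switch silently makes SHA1 acceptable again for certificate signatures, I'd also have the help string say so: `[allow SHA1 as an acceptable hash for digital signatures (insecure; only for compatibility with legacy chains)]`.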
@@ -0,0 +1,125 @@ +Backport of: + +From a0875593eb9308ae9ae9fde1b886422bb03540f5 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Thu, 20 Jul 2017 12:17:40 +0200 +Subject: [PATCH] mac: re-organized the hash algorithms table + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/algorithms/mac.c | 137 ++++++++++++++++++++++++++++++++++--------- + 1 file changed, 109 insertions(+), 28 deletions(-) + +--- a/lib/algorithms/mac.c ++++ b/lib/algorithms/mac.c +@@ -32,23 +32,75 @@ + #endif + + static const mac_entry_st hash_algorithms[] = { +- {"SHA1", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20, 20, 0, 0, SHA1_SECURE_VAL, 64}, +- {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5, 16, 16, 0, 0, 0, 64}, +- {"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1, +- 64}, +- {"SHA384", HASH_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1, +- 128}, +- {"SHA512", HASH_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1, +- 128}, +- {"SHA224", HASH_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1, +- 64}, +- {"UMAC-96", NULL, GNUTLS_MAC_UMAC_96, 12, 16, 8, 0, 1, 0}, +- {"UMAC-128", NULL, GNUTLS_MAC_UMAC_128, 16, 16, 8, 0, 1, 0}, +- {"AEAD", NULL, GNUTLS_MAC_AEAD, 0, 0, 0, 1, 1, 0}, +- {"MD2", HASH_OID_MD2, GNUTLS_MAC_MD2, 0, 0, 0, 0, 0, 0}, /* not used as MAC */ +- {"RIPEMD160", HASH_OID_RMD160, GNUTLS_MAC_RMD160, 20, 20, 0, 0, 1, +- 64}, +- {"MAC-NULL", NULL, GNUTLS_MAC_NULL, 0, 0, 0, 0, 0, 0}, ++ {.name = "SHA1", ++ .oid = HASH_OID_SHA1, ++ .id = GNUTLS_MAC_SHA1, ++ .output_size = 20, ++ .key_size = 20, ++ .secure = SHA1_SECURE_VAL, ++ .block_size = 64}, ++ {.name = "MD5", ++ .oid = HASH_OID_MD5, ++ .id = GNUTLS_MAC_MD5, ++ .output_size = 16, ++ .key_size = 16, ++ .block_size = 64}, ++ {.name = "SHA256", ++ .oid = HASH_OID_SHA256, ++ .id = GNUTLS_MAC_SHA256, ++ .output_size = 32, ++ .key_size = 32, ++ .secure = 1, ++ .block_size = 64}, ++ {.name = "SHA384", ++ .oid = HASH_OID_SHA384, ++ .id = GNUTLS_MAC_SHA384, ++ .output_size = 48, ++ .key_size = 48, 
++ .secure = 1, ++ .block_size = 64}, ++ {.name = "SHA512", ++ .oid = HASH_OID_SHA512, ++ .id = GNUTLS_MAC_SHA512, ++ .output_size = 64, ++ .key_size = 64, ++ .secure = 1, ++ .block_size = 64}, ++ {.name = "SHA224", ++ .oid = HASH_OID_SHA224, ++ .id = GNUTLS_MAC_SHA224, ++ .output_size = 28, ++ .key_size = 28, ++ .secure = 1, ++ .block_size = 64}, ++ {.name = "UMAC-96", ++ .id = GNUTLS_MAC_UMAC_96, ++ .output_size = 12, ++ .key_size = 16, ++ .nonce_size = 8, ++ .secure = 1}, ++ {.name = "UMAC-128", ++ .id = GNUTLS_MAC_UMAC_128, ++ .output_size = 16, ++ .key_size = 16, ++ .nonce_size = 8, ++ .secure = 1}, ++ {.name = "AEAD", ++ .id = GNUTLS_MAC_AEAD, ++ .placeholder = 1, ++ .secure = 1}, ++ {.name = "MD2", ++ .oid = HASH_OID_MD2, ++ .id = GNUTLS_MAC_MD2}, ++ {.name = "RIPEMD160", ++ .oid = HASH_OID_RMD160, ++ .id = GNUTLS_MAC_RMD160, ++ .output_size = 20, ++ .key_size = 20, ++ .secure = 1, ++ .block_size = 64}, ++ {.name = "MAC-NULL", ++ .id = GNUTLS_MAC_NULL}, + {0, 0, 0, 0, 0, 0, 0, 0} + }; + +@@ -176,7 +228,7 @@ gnutls_mac_algorithm_t gnutls_mac_get_id + * gnutls_mac_get_key_size: + * @algorithm: is an encryption algorithm + * +- * Returns the size of the MAC key used in TLS. ++ * Returns the size of the MAC key used in TLS. + * + * Returns: length (in bytes) of the given MAC key size, or 0 if the + * given MAC algorithm is invalid. +@@ -215,7 +267,7 @@ size_t gnutls_mac_get_nonce_size(gnutls_ + * gnutls_mac_list: + * + * Get a list of hash algorithms for use as MACs. Note that not +- * necessarily all MACs are supported in TLS cipher suites. ++ * necessarily all MACs are supported in TLS cipher suites. + * This function is not thread safe. + * + * Returns: Return a (0)-terminated list of #gnutls_mac_algorithm_t diff --git a/debian/patches/insecuresha1-5.patch b/debian/patches/insecuresha1-5.patch new file mode 100644 index 0000000000000000000000000000000000000000..4a1908c657589f28090d4b97fb47590cda7613a2 --- /dev/null +++ b/debian/patches/insecuresha1-5.patch 
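Review bot: The rewrite changes the SHA384 and SHA512 entries from a block size of 128 to `.block_size = 64`; the removed positional lines carry 128 for both, and 128 bytes is the real compression-block size of SHA-384/512, which is what an HMAC implementation and anything that counts HMAC blocks from this field need. Nothing in the commit message suggests this was intended and I would expect the upstream commit to keep 128, so this looks like a transcription slip in the backport; please restore `.block_size = 128},` on both entries and refresh insecuresha1-5, whose context lines repeat the 64. Because mac_entry_st documents this field as the internal HMAC block size, an undersized value is a correctness regression, and if any timing-compensation code derives block counts from it, potentially a security-relevant one as well.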
@@ -0,0 +1,185 @@ +Backport of: + +From 4403df554edca0de152cd6eacfbe2e16e893af6a Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Thu, 20 Jul 2017 12:40:34 +0200 +Subject: [PATCH] _gnutls_digest_is_secure_for_certs: introduced + +This is a macro to allow checking the security of a hash algorithm +with respect to signing certificates. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/algorithms.h | 12 +++++++++++- + lib/algorithms/mac.c | 40 ++++++++++++++++------------------------ + lib/gnutls_int.h | 9 ++++++++- + m4/hooks.m4 | 4 ++-- + 4 files changed, 37 insertions(+), 28 deletions(-) + +--- a/lib/algorithms.h ++++ b/lib/algorithms.h +@@ -146,12 +146,22 @@ inline static int _gnutls_mac_get_key_si + #define _gnutls_digest_get_name _gnutls_mac_get_name + #define _gnutls_hash_get_algo_len _gnutls_mac_get_algo_len + ++/* Check generic-purpose security */ + inline static int _gnutls_digest_is_secure(const mac_entry_st * e) + { + if (unlikely(e == NULL)) + return 0; + else +- return e->secure; ++ return (e->slevel==_SECURE || e->slevel == _INSECURE_FOR_CERTS)?1:0; ++} ++ ++/* Check certificate use security */ ++inline static int _gnutls_digest_is_secure_for_certs(const mac_entry_st * e) ++{ ++ if (unlikely(e == NULL)) ++ return 0; ++ else ++ return (e->slevel==_SECURE)?1:0; + } + + /* Functions for cipher suites. */ +--- a/lib/algorithms/mac.c ++++ b/lib/algorithms/mac.c +@@ -1,5 +1,6 @@ + /* + * Copyright (C) 2011-2012 Free Software Foundation, Inc. ++ * Copyright (C) 2017 Red Hat, Inc. 
+ * + * Author: Nikos Mavrogiannopoulos + * +@@ -26,9 +27,9 @@ + #include <x509/common.h> + + #ifdef ALLOW_SHA1 +-# define SHA1_SECURE_VAL 1 +-#else + # define SHA1_SECURE_VAL 0 ++#else ++# define SHA1_SECURE_VAL _INSECURE_FOR_CERTS + #endif + + static const mac_entry_st hash_algorithms[] = { +@@ -37,67 +38,61 @@ static const mac_entry_st hash_algorithm + .id = GNUTLS_MAC_SHA1, + .output_size = 20, + .key_size = 20, +- .secure = SHA1_SECURE_VAL, +- .block_size = 64}, +- {.name = "MD5", +- .oid = HASH_OID_MD5, +- .id = GNUTLS_MAC_MD5, +- .output_size = 16, +- .key_size = 16, ++ .slevel = SHA1_SECURE_VAL, + .block_size = 64}, + {.name = "SHA256", + .oid = HASH_OID_SHA256, + .id = GNUTLS_MAC_SHA256, + .output_size = 32, + .key_size = 32, +- .secure = 1, + .block_size = 64}, + {.name = "SHA384", + .oid = HASH_OID_SHA384, + .id = GNUTLS_MAC_SHA384, + .output_size = 48, + .key_size = 48, +- .secure = 1, + .block_size = 64}, + {.name = "SHA512", + .oid = HASH_OID_SHA512, + .id = GNUTLS_MAC_SHA512, + .output_size = 64, + .key_size = 64, +- .secure = 1, + .block_size = 64}, + {.name = "SHA224", + .oid = HASH_OID_SHA224, + .id = GNUTLS_MAC_SHA224, + .output_size = 28, + .key_size = 28, +- .secure = 1, + .block_size = 64}, + {.name = "UMAC-96", + .id = GNUTLS_MAC_UMAC_96, + .output_size = 12, + .key_size = 16, +- .nonce_size = 8, +- .secure = 1}, ++ .nonce_size = 8}, + {.name = "UMAC-128", + .id = GNUTLS_MAC_UMAC_128, + .output_size = 16, + .key_size = 16, +- .nonce_size = 8, +- .secure = 1}, ++ .nonce_size = 8}, + {.name = "AEAD", + .id = GNUTLS_MAC_AEAD, +- .placeholder = 1, +- .secure = 1}, ++ .placeholder = 1}, ++ {.name = "MD5", ++ .oid = HASH_OID_MD5, ++ .id = GNUTLS_MAC_MD5, ++ .output_size = 16, ++ .key_size = 16, ++ .slevel = _INSECURE, ++ .block_size = 64}, + {.name = "MD2", + .oid = HASH_OID_MD2, ++ .slevel = _INSECURE, + .id = GNUTLS_MAC_MD2}, + {.name = "RIPEMD160", + .oid = HASH_OID_RMD160, + .id = GNUTLS_MAC_RMD160, + .output_size = 20, + .key_size = 20, +- 
.secure = 1, + .block_size = 64}, + {.name = "MAC-NULL", + .id = GNUTLS_MAC_NULL}, +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -461,6 +461,13 @@ typedef struct gnutls_cipher_suite_entry + gnutls_mac_algorithm_t prf; + } gnutls_cipher_suite_entry_st; + ++ ++typedef enum hash_security_level_t { ++ _SECURE, ++ _INSECURE_FOR_CERTS, ++ _INSECURE ++} hash_security_level_t; ++ + /* This structure is used both for MACs and digests + */ + typedef struct mac_entry_st { +@@ -471,7 +478,7 @@ typedef struct mac_entry_st { + unsigned key_size; + unsigned nonce_size; + unsigned placeholder; /* if set, then not a real MAC */ +- unsigned secure; /* must be set to zero if this hash is known to be broken */ ++ hash_security_level_t slevel; /* contains values of hash_security_level_t */ + unsigned block_size; /* internal block size for HMAC */ + } mac_entry_st; + +--- a/m4/hooks.m4 ++++ b/m4/hooks.m4 +@@ -141,10 +141,10 @@ LIBTASN1_MINIMUM=4.3 + ]) + + ac_allow_sha1=no +- AC_MSG_CHECKING([whether to allow SHA1 as an acceptable hash for digital signatures]) ++ AC_MSG_CHECKING([whether to allow SHA1 as an acceptable hash for cert digital signatures]) + AC_ARG_ENABLE(sha1-support, + AS_HELP_STRING([--enable-sha1-support], +- [allow SHA1 as an acceptable hash for digital signatures]), ++ [allow SHA1 as an acceptable hash for cert digital signatures]), + ac_allow_sha1=$enableval) + if test x$ac_allow_sha1 != xno; then + AC_MSG_RESULT(no) diff --git a/debian/patches/insecuresha1-6.patch b/debian/patches/insecuresha1-6.patch new file mode 100644 index 0000000000000000000000000000000000000000..9aa445766a69cd013dd8d69892c07339f7f38e4f --- /dev/null +++ b/debian/patches/insecuresha1-6.patch 
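Review bot: Replacing `unsigned secure` with `hash_security_level_t slevel` inverts the table's default: `_SECURE` is enumerator 0, so any entry that omits `.slevel` is now secure, whereas before an omitted `.secure` meant broken. MAC-NULL is hit by this — the pre-series table had its secure field at 0 and the insecuresha1-4 form gives it no `.secure`, but after this hunk it has no `.slevel` either, so `_gnutls_digest_is_secure()` now answers 1 for it; I cannot see from here whether any caller asks, but I'd pin it with `.slevel = _INSECURE` and, more generally, give `_SECURE` a non-zero value (adding an explicit `.slevel = _SECURE` back on the entries that dropped `.secure = 1`) so that a forgotten `.slevel` fails closed. The `#ifdef ALLOW_SHA1` branch also spells the secure level as the literal `0`; `# define SHA1_SECURE_VAL _SECURE` says what it means and survives a reordering of the enum.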
@@ -0,0 +1,88 @@ +Backport of: + +From ca1257c02163f21d3d6b4d421a3355e34a8f27b1 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Thu, 20 Jul 2017 12:41:47 +0200 +Subject: [PATCH] gnutls_sign_is_secure2: introduced + +This function exports the ability to check the validity of +a signature algorithm for signing certificates. + +That also introduces the flag GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS +which when specified will cause the function to return whether +the algorithm is secure for signing certificates. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/algorithms/sign.c | 22 +++++++++++++++++++--- + lib/includes/gnutls/gnutls.h.in | 9 ++++++++- + lib/libgnutls.map | 1 + + 3 files changed, 28 insertions(+), 4 deletions(-) + +--- a/lib/algorithms/sign.c ++++ b/lib/algorithms/sign.c +@@ -134,7 +134,19 @@ const char *gnutls_sign_get_name(gnutls_ + * + * Returns: Non-zero if the provided signature algorithm is considered to be secure. + **/ +-int gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) ++unsigned gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) ++{ ++ return gnutls_sign_is_secure2(algorithm, 0); ++} ++ ++/** ++ * gnutls_sign_is_secure2: ++ * @algorithm: is a sign algorithm ++ * @flags: zero or %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS ++ * ++ * Returns: Non-zero if the provided signature algorithm is considered to be secure. 
++ **/ ++unsigned gnutls_sign_is_secure2(gnutls_sign_algorithm_t algorithm, unsigned int flags) + { + gnutls_sign_algorithm_t sign = algorithm; + gnutls_digest_algorithm_t dig = GNUTLS_DIG_UNKNOWN; +@@ -142,8 +154,12 @@ int gnutls_sign_is_secure(gnutls_sign_al + /* avoid prefix */ + GNUTLS_SIGN_ALG_LOOP(dig = p->mac); + +- if (dig != GNUTLS_DIG_UNKNOWN) +- return _gnutls_digest_is_secure(hash_to_entry(dig)); ++ if (dig != GNUTLS_DIG_UNKNOWN) { ++ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) ++ return _gnutls_digest_is_secure_for_certs(hash_to_entry(dig)); ++ else ++ return _gnutls_digest_is_secure(hash_to_entry(dig)); ++ } + + return 0; + } +--- a/lib/includes/gnutls/gnutls.h.in ++++ b/lib/includes/gnutls/gnutls.h.in +@@ -885,7 +885,15 @@ const char *gnutls_sign_get_oid(gnutls_s + size_t gnutls_cipher_get_key_size(gnutls_cipher_algorithm_t algorithm); + size_t gnutls_mac_get_key_size(gnutls_mac_algorithm_t algorithm); + +-int gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm); ++unsigned gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm); ++ ++/* It is possible that a signature algorithm is ok to use for short-lived ++ * data (e.g., to sign a TLS session), but not for data that are long-lived ++ * like certificates. This flag is about checking the security of the algorithm ++ * for long-lived data. */ ++#define GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS 1 ++unsigned gnutls_sign_is_secure2(gnutls_sign_algorithm_t algorithm, unsigned int flags); ++ + gnutls_digest_algorithm_t + gnutls_sign_get_hash_algorithm(gnutls_sign_algorithm_t sign); + gnutls_pk_algorithm_t +--- a/lib/libgnutls.map ++++ b/lib/libgnutls.map +@@ -1062,6 +1062,7 @@ GNUTLS_3_4 + _gnutls_global_init_skip; + gnutls_certificate_set_flags; + gnutls_pkcs7_get_embedded_data; ++ gnutls_sign_is_secure2; + local: + *; + }; 
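Review bot: `gnutls_sign_is_secure2` is exported from the existing `GNUTLS_3_4` version node in libgnutls.map, so anything linked against this build will reference `gnutls_sign_is_secure2@GNUTLS_3_4`, a versioned symbol that no other 3.4 library — and presumably no upstream release, where the function arrived later — provides; such binaries load only on this package. A dedicated node, for example `GNUTLS_3_4_SHA1 { global: gnutls_sign_is_secure2; } GNUTLS_3_4;`, makes the divergence explicit and keeps the shlibs/symbols dependency honest. The hunk also changes the public prototype of `gnutls_sign_is_secure()` from `int` to `unsigned`; that is ABI-neutral, but for a stable security update I would keep the declared type in gnutls.h.in as `int` to avoid sign-comparison churn in existing callers.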
diff --git a/debian/patches/insecuresha1-7.patch b/debian/patches/insecuresha1-7.patch new file mode 100644 index 0000000000000000000000000000000000000000..d49f9b013cd3dbab457e299cc9f76b5abe44e37b --- /dev/null +++ b/debian/patches/insecuresha1-7.patch 
@@ -0,0 +1,111 @@ +Backport of: + +From b7a1e3311d4ed0ad37e905fb8faaf2a9cf7f4e42 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Thu, 20 Jul 2017 13:16:07 +0200 +Subject: [PATCH] tests: added unit tests for gnutls_sign_is_secure2() + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + tests/Makefile.am | 2 +- + tests/sign-is-secure.c | 94 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 95 insertions(+), 1 deletion(-) + create mode 100644 tests/sign-is-secure.c + +--- /dev/null ++++ b/tests/sign-is-secure.c +@@ -0,0 +1,94 @@ ++/* ++ * Copyright (C) 2017 Red Hat, Inc. ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. 
If not, see <http://www.gnu.org/licenses/> ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <sys/types.h> ++#include <unistd.h> ++#include <gnutls/gnutls.h> ++ ++#include "utils.h" ++ ++#define CHECK_SECURE_SIG(sig) \ ++ ret = gnutls_sign_is_secure2(sig, 0); \ ++ if (ret == 0) { \ ++ fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \ ++ } \ ++ ret = gnutls_sign_is_secure(sig); \ ++ if (ret == 0) { \ ++ fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \ ++ } ++ ++#define CHECK_INSECURE_SIG(sig) \ ++ ret = gnutls_sign_is_secure2(sig, 0); \ ++ if (ret != 0) { \ ++ fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \ ++ } \ ++ ret = gnutls_sign_is_secure2(sig, GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS); \ ++ if (ret != 0) { \ ++ fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \ ++ } \ ++ ret = gnutls_sign_is_secure(sig); \ ++ if (ret != 0) { \ ++ fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \ ++ } ++ ++#define CHECK_INSECURE_FOR_CERTS_SIG(sig) \ ++ ret = gnutls_sign_is_secure2(sig, 0); \ ++ if (ret == 0) { \ ++ fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \ ++ } \ ++ ret = gnutls_sign_is_secure2(sig, GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS); \ ++ if (ret != 0) { \ ++ fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \ ++ } \ ++ ret = gnutls_sign_is_secure(sig); \ ++ if (ret == 0) { \ ++ fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \ ++ } ++ ++void doit(void) ++{ ++ int ret; ++ unsigned i; ++ ++ CHECK_INSECURE_FOR_CERTS_SIG(GNUTLS_SIGN_RSA_SHA1); ++ CHECK_INSECURE_FOR_CERTS_SIG(GNUTLS_SIGN_DSA_SHA1); ++ CHECK_INSECURE_FOR_CERTS_SIG(GNUTLS_SIGN_ECDSA_SHA1); ++ ++ CHECK_INSECURE_SIG(GNUTLS_SIGN_RSA_MD5); ++ CHECK_INSECURE_SIG(GNUTLS_SIGN_RSA_MD2); ++ ++ for (i=1;i<GNUTLS_SIGN_MAX;i++) { ++ if (i==GNUTLS_SIGN_RSA_SHA1||i==GNUTLS_SIGN_DSA_SHA1||i==GNUTLS_SIGN_ECDSA_SHA1|| ++ 
i==GNUTLS_SIGN_RSA_MD5||i==GNUTLS_SIGN_RSA_MD2||i==GNUTLS_SIGN_UNKNOWN) ++ continue; ++ /* skip any unused elements */ ++ if (gnutls_sign_algorithm_get_name(i)==NULL) ++ continue; ++ CHECK_SECURE_SIG(i); ++ } ++} diff --git a/debian/patches/insecuresha1-8.patch b/debian/patches/insecuresha1-8.patch new file mode 100644 index 0000000000000000000000000000000000000000..0c6608ec0659bee4ecffed90b727b0a520daa19f --- /dev/null +++ b/debian/patches/insecuresha1-8.patch 
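Review bot: The patch header's diffstat lists `tests/Makefile.am | 2 +-`, but the backported body carries only the tests/sign-is-secure.c section, so unless Makefile.am is patched elsewhere in the series the new sign-is-secure test is never compiled or run by `make check` and the SHA1-for-certs behaviour this series introduces goes untested. If dropping the Makefile.am hunk was deliberate for the backport, the diffstat should be trimmed to match and the `Backport of:` header should say why; otherwise the missing hunk should be restored. The same mismatch applies to insecuresha1-9.patch, whose diffstat lists `tests/privkey-verify-broken.c | 11 +--------` while only the tests/ocsp.c section is present.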
@@ -0,0 +1,60 @@ +Backport of: + +From 3efadd1f8067add60ab60ab7d9fe5aa866bfc980 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Thu, 20 Jul 2017 13:18:10 +0200 +Subject: [PATCH] x509/verify: reject SHA1 in signature algorithms for + certificate verification + +That is, we now use gnutls_sign_is_secure2() with GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS +flag for checking the validity of the signature algorithm, when +verifying signatures in certificates. + +Resolves #229 + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/x509/output.c | 6 +++--- + lib/x509/verify.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/lib/x509/output.c ++++ b/lib/x509/output.c +@@ -1386,7 +1386,7 @@ print_cert(gnutls_buffer_st * str, gnutl + name = _("unknown"); + addf(str, _("\tSignature Algorithm: %s\n"), name); + } +- if (gnutls_sign_is_secure(err) == 0) { ++ if (gnutls_sign_is_secure2(err, GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) == 0) { + adds(str, + _("warning: signed using a broken signature " + "algorithm that can be forged.\n")); +@@ -1592,7 +1592,7 @@ static void print_oneline(gnutls_buffer_ + gnutls_sign_algorithm_get_name(err); + if (name == NULL) + name = _("unknown"); +- if (gnutls_sign_is_secure(err) == 0) ++ if (gnutls_sign_is_secure2(err, GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) == 0) + addf(str, _("signed using %s (broken!), "), + name); + else +@@ -2028,7 +2028,7 @@ print_crl(gnutls_buffer_st * str, gnutls + name = _("unknown"); + addf(str, _("\tSignature Algorithm: %s\n"), name); + } +- if (gnutls_sign_is_secure(err) == 0) { ++ if (gnutls_sign_is_secure2(err, GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) == 0) { + adds(str, + _("warning: signed using a broken signature " + "algorithm that can be forged.\n")); +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -756,7 +756,7 @@ verify_crt(gnutls_x509_crt_t cert, + * used are secure. If the certificate is self signed it doesn't + * really matter. 
+ */ +- if (gnutls_sign_is_secure(sigalg) == 0 && ++ if (gnutls_sign_is_secure2(sigalg, GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) == 0 && + is_broken_allowed(sigalg, flags) == 0 && + is_issuer(cert, cert) == 0) { + gnutls_assert(); diff --git a/debian/patches/insecuresha1-9.patch b/debian/patches/insecuresha1-9.patch new file mode 100644 index 0000000000000000000000000000000000000000..6af17223ffbf2d1773b0fe433b1971c81406353c --- /dev/null +++ b/debian/patches/insecuresha1-9.patch 
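Review bot: In the verify.c hunk `is_broken_allowed(sigalg, flags) == 0` is now the only bypass for a SHA1-signed, non-self-signed certificate, and the tests changed in insecuresha1-9.patch show that bypass is GNUTLS_VERIFY_ALLOW_BROKEN, which is not SHA1-specific and presumably re-admits MD5 as well; a deployment that still needs SHA1 certificates is therefore pushed to accept every broken algorithm. A narrower override should accompany this change (the series file on this page later adds allow_sha1_priority_string.patch, which appears to be that). The comment above the check still only says the algorithms "used are secure"; it should state that the check is now the certificate-specific one, e.g. `/* reject algorithms that are insecure for long-lived data (GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) */`. verify_crt begins outside the hunk.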
@@ -0,0 +1,71 @@ +Backport of: + +From c4c7b43c26516955ea4f9bcd0c4e77b768ff7df8 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Thu, 20 Jul 2017 13:26:46 +0200 +Subject: [PATCH] tests: partially reverted SHA1 broken tests + +SHA1 is now considered broken only for certificates, hence +OCSP or raw signing tests no longer need to use GNUTLS_VERIFY_ALLOW_BROKEN +in the cases where certificate verification is not performed. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + tests/ocsp.c | 10 ++++------ + tests/privkey-verify-broken.c | 11 ++--------- + 2 files changed, 6 insertions(+), 15 deletions(-) + +--- a/tests/ocsp.c ++++ b/tests/ocsp.c +@@ -110,7 +110,6 @@ static const gnutls_datum_t resp1 = + " Extensions:\n" \ + " Nonce: 16897d913ab525a445fec9fdc2e508a4\n" \ + " Signature Algorithm: RSA-SHA1\n" \ +- "warning: signed using a broken signature algorithm that can be forged.\n" \ + " Signature:\n" \ + " 4e:ad:6b:2b:f7:f2:bf:a9:23:1e:3a:0b:06:db:55:53\n" \ + " 2b:64:54:11:32:bf:60:f7:4f:e0:8e:9b:a0:a2:4c:79\n" \ +@@ -152,7 +151,6 @@ static const gnutls_datum_t resp2 = + " Next Update: Thu Sep 11 06:04:00 UTC 2014\n" \ + " Extensions:\n" \ + " Signature Algorithm: RSA-SHA1\n" \ +-"warning: signed using a broken signature algorithm that can be forged.\n" \ + " Signature:\n" \ + " 6e:5e:5e:81:ff:3f:4d:c7:53:c7:1b:f3:d3:1d:dc:9a\n" \ + " c7:ce:77:2c:67:56:13:98:91:02:01:76:dc:48:b2:1f\n" \ +@@ -1408,7 +1406,7 @@ static void resp_verify(void) + + /* check direct verify with signer (should succeed) */ + +- ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); ++ ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, 0); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify_direct (signer) %d\n", ret); + exit(1); +@@ -1473,7 +1471,7 @@ static void resp_verify(void) + exit(1); + } + +- ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); ++ ret = 
gnutls_ocsp_resp_verify(resp, list, &verify, 0); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret); + exit(1); +@@ -1539,7 +1537,7 @@ static void resp_verify(void) + exit(1); + } + +- ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); ++ ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret); + exit(1); +@@ -1599,7 +1597,7 @@ static void long_resp_check(void) + + /* check direct verify with signer (should succeed) */ + +- ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, GNUTLS_VERIFY_ALLOW_BROKEN); ++ ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, 0); + if (ret < 0) { + fail("gnutls_ocsp_resp_verify_direct (signer) %d\n", ret); + exit(1); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000000000000000000000000000000000000..3856db41e5805ee9e389d1e245c5a25637af238b --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1,42 @@
+14_version_gettextcat.diff
+30_guile-snarf.diff
+40_src-added-systemkey-args-to-BUILT_SOURCES.patch
+41_tests-mini-loss-time-ensure-client-timeouts.diff
+42_mini-loss-time-improved-timeout-detection.patch
+43_fix_cpucapoverride.diff
+disable_global_init_override_test.patch
+CVE-2016-7444.patch
+CVE-2016-8610.patch
+CVE-2017-5334.patch
+CVE-2017-5335.patch
+CVE-2017-5336.patch
+CVE-2017-5337.patch
+fix_expired_certs.patch
+CVE-2017-7869.patch
+CVE-2017-7507-1.patch
+CVE-2017-7507-2.patch
+CVE-2017-7507-3.patch
+use_normal_priority_for_openssl_sslv23.diff
+CVE-2018-1084x-1.patch
+CVE-2018-1084x-2.patch
+CVE-2018-1084x-3.patch
+CVE-2018-1084x-4.patch
+CVE-2018-1084x-5.patch
+insecuresha1-1.patch
+insecuresha1-2.patch
+insecuresha1-3.patch
+insecuresha1-4.patch
+insecuresha1-5.patch
+insecuresha1-6.patch
+insecuresha1-7.patch
+insecuresha1-8.patch
+insecuresha1-9.patch
+insecuresha1-10.patch
+insecuresha1-11.patch
+insecuresha1-12.patch
+insecuresha1-13.patch
+insecuresha1-14.patch
+insecuresha1-15.patch
+insecuresha1-16.patch
+allow_broken_priority_string.patch
+allow_sha1_priority_string.patch
diff --git a/debian/patches/use_normal_priority_for_openssl_sslv23.diff b/debian/patches/use_normal_priority_for_openssl_sslv23.diff
new file mode 100644
index 0000000000000000000000000000000000000000..8acb5b5e2c64df975496d7e9dda2cf379277dc9d
--- /dev/null
+++ b/debian/patches/use_normal_priority_for_openssl_sslv23.diff
@@ -0,0 +1,30 @@
+Backport of:
+
+From 363056f7db6f61f818523888085638e85c6a81f7 Apr, 2 2017
+Description: Use NORMAL priority for SSLv23_*_method. Instead of
+ enforcing TLS1.0/SSL3.0 use gnutls NORMAL priority for SSLv23_*_methods.
+Author: Andreas Metzler <ametzler@bebt.de>
+Last-Update: 2017-04-02
+Bug-Ubuntu: https://launchpad.net/bugs/1709193
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857436
+
+--- gnutls28-3.4.10.orig/extra/gnutls_openssl.c
++++ gnutls28-3.4.10/extra/gnutls_openssl.c
+@@ -483,7 +483,7 @@ SSL_METHOD *SSLv23_client_method(void)
+ return NULL;
+
+ strcpy(m->priority_string,
+- "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
++ "NORMAL");
+
+ m->connend = GNUTLS_CLIENT;
+
+@@ -498,7 +498,7 @@ SSL_METHOD *SSLv23_server_method(void)
+ return NULL;
+
+ strcpy(m->priority_string,
+- "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
++ "NORMAL");
+ m->connend = GNUTLS_SERVER;
+
+ return m;
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000000000000000000000000000000000000..a981a35f8ce58f956ad63cb7dcd8a2a18279743e
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,115 @@
+#! /usr/bin/make -f
+# Build the gnutls package for Debian.
+
+export DEB_CFLAGS_MAINT_APPEND := -Wall
+export DEB_CXXFLAGS_MAINT_APPEND := -Wall
+
+# used by autogen
+ifndef SOURCE_DATE_EPOCH
+ export MAN_PAGE_DATE = $(shell env LC_ALL=C date -u -d \
+ "`dpkg-parsechangelog --show-field Date`" +%Y-%m-%d)
+else
+ export MAN_PAGE_DATE = $(shell env LC_ALL=C date -u -d \
+ "@$(SOURCE_DATE_EPOCH)" +%Y-%m-%d)
+endif
+
+AMCONFBUILDINDEP := $(shell if dh_listpackages | grep -q gnutls-doc ; \
+ then echo "--enable-gtk-doc" ; \
+ else echo "--disable-gtk-doc --disable-doc"; fi)
+AMCONFBUILDGUILE := $(shell if dh_listpackages | grep -q guile-gnutls ; \
+ then \
+ echo " --enable-guile --with-guile-site-dir=/usr/share/guile/site" ;\
+ else echo " --disable-guile" ; fi)
+
+override_dh_auto_configure:
+ dh_auto_configure --verbose -- \
+ --enable-ld-version-script --enable-cxx \
+ --enable-static \
+ --without-lzo \
+ --disable-libdane --without-tpm \
+ --disable-heartbeat-support \
+ --enable-openssl-compatibility \
+ --disable-silent-rules \
+ --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
+ --with-packager=Debian \
+ --with-packager-bug-reports=http://bugs.debian.org/ \
+ --with-packager-version=$(shell dpkg-parsechangelog | sed -n '/^Version: /s/^Version: //p') \
+ $(AMCONFBUILDINDEP) \
+ $(AMCONFBUILDGUILE)
+
+
+override_dh_makeshlibs:
+ dh_makeshlibs -p libgnutlsxx28 -V 'libgnutlsxx28 (>= 3.3.8-0)'
+ dh_makeshlibs -p libgnutls30 -V 'libgnutls30 (>= 3.4.6-0)' -- -c4
+ dh_makeshlibs -p libgnutls-openssl27 -V 'libgnutls-openssl27 (>= 3.0-0)'
+ dh_makeshlibs --remaining-packages -Xguile/2.0/guile-gnutls-v-2.so
+
+
+# pre-clean rule: save gnutls.pdf since it is expensive to regenerate.
+# See README.source
+override_dh_auto_clean:
+ if [ -e doc/gnutls.pdf ] ; then \
+ mv -v doc/gnutls.pdf doc/gnutls.pdf.debbackup ; fi
+ if test -e Makefile ; then $(MAKE) distclean ; fi
+ #dh_auto_clean --verbose
+ # restore gnutls.pdf
+ if [ -e doc/gnutls.pdf.debbackup ] && [ ! -e doc/gnutls.pdf ] ; \
+ then mv -v doc/gnutls.pdf.debbackup doc/gnutls.pdf ; fi
+ rm -fv `grep -El 'has been AutoGen-ed |has been AutoGen-ed *$$' doc/manpages/*.?`
+
+override_dh_auto_build:
+ dh_auto_build --verbose --parallel
+ifeq ($(filter --disable-doc,$(AMCONFBUILDINDEP)),)
+ $(MAKE) html
+else
+ $(MAKE) -C doc/manpages
+endif
+
+override_dh_auto_install:
+ dh_auto_install --verbose
+ifneq ($(filter --disable-doc,$(AMCONFBUILDINDEP)),)
+ $(MAKE) -C doc/manpages DESTDIR=`pwd`/debian/tmp install
+endif
+ find debian/*/usr/lib/* -name '*.so.*.*' -type f -exec \
+ chrpath -d {} +
+
+override_dh_installinfo:
+ dh_installinfo
+ if test -e debian/gnutls-doc ; then \
+ cd debian/gnutls-doc/usr/share/info && \
+ sed -i -e 's:image src="\([^"]*.png"\):image src="/usr/share/doc/gnutls-doc/html/\1:g' *.info* ; \
+ fi
+
+override_dh_install:
+ dh_install
+ # See #658110
+ if [ "" != `ls debian/guile-gnutls/usr/lib/*/guile` ] ; then \
+ mv -v debian/guile-gnutls/usr/lib/*/guile debian/guile-gnutls/usr/lib \
+ &&\
+ rmdir -v --ignore-fail-on-non-empty \
+ debian/guile-gnutls/usr/lib/*-* ; \
+ sed -i -e 's_usr/lib/[^/]*/guile/_usr/lib/guile/_' \
+ debian/guile-gnutls/usr/share/guile/site/gnutls.scm ;\
+ else echo "Debian build DEBUG: no guile files found" ;\
+ fi
+
+override_dh_installchangelogs:
+ dh_installchangelogs
+ rm -vrf debian/libgnutlsxx28/usr/share/doc/libgnutlsxx28
+ dh_link -plibgnutlsxx28 usr/share/doc/libgnutls30 \
+ usr/share/doc/libgnutlsxx28
+
+override_dh_compress:
+ dh_compress -X.pdf
+
+override_dh_strip:
+ dh_strip --ddeb-migration='libgnutls30-dbg (<< 3.4.7-2~)'
+
+override_dh_auto_test:
+ dh_auto_test -O--parallel --verbose -- VERBOSE=1
+
+override_dh_clean:
+ dh_clean
-X.bak
+
+%:
+ dh $@ --parallel --with autoreconf
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000000000000000000000000000000000000..163aaf8d82b6c54f23c45f32895dbdfdcc27b047
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000000000000000000000000000000000000..95a390b97348b11de0f35248b50ed268fc163791
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+debian/upstream-signing-key.pgp
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 0000000000000000000000000000000000000000..ed87c392db4c0157090be4cbb0e0e776f84e7e2d
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1,2 @@
+# Don't store changes on autogenerated files
+extend-diff-ignore = "po/.*"
diff --git a/debian/upstream-signing-key.pgp b/debian/upstream-signing-key.pgp
new file mode 100644
index 0000000000000000000000000000000000000000..381c08763e15cee75bc6ce26aec0cdadd7977c14
Binary files /dev/null and b/debian/upstream-signing-key.pgp differ
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000000000000000000000000000000000000..1c16a8a6a99d4e60ac48ac0bb29d2c1d6206eae3
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,3 @@
+version=3
+opts=uversionmangle=s/(.*\d)(pre\d*)$/$1~$2/,pgpsigurlmangle=s/$/.sig/ \
+ftp://ftp.gnutls.org/gcrypt/gnutls/v3.(\d+)/gnutls-(3\.\d.*)\.(?:tgz|zip|tar\.(?:gz|bz2|xz))
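Review bot: In override_dh_install the guard `if [ "" != \`ls debian/guile-gnutls/usr/lib/*/guile\` ] ; then \` is fragile: when the glob matches nothing, ls prints an error and `[` is left with a malformed expression, and when it matches more than one path `[` fails with "too many arguments", so the else branch is reached by accident rather than by an actual test. Testing the exit status directly is robust and quiet: `if ls -d debian/guile-gnutls/usr/lib/*/guile >/dev/null 2>&1 ; then \`. Separately, both `export MAN_PAGE_DATE = $(shell ...)` assignments are recursively expanded, so the date command is re-run each time the variable is referenced; `:=` evaluates it once at parse time with the same result. The debian/rules hunk begins in the previous chunk line and this note covers the whole file.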