Re: [PATCH] gnutls: Update to version 3.7.6

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 24896 bytes --]

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> - Update from version 3.6.16 to 3.7.6
> - Update of rootfile
> - find-dependencies run on sobump libs. No dependencies flagged for the old or new libs
> - Changelog
>     * Version 3.7.6 (released 2022-05-27)
> 	** libgnutls: Fixed invalid write when gnutls_realloc_zero()
> 	   is called with new_size < old_size. This bug caused heap
> 	   corruption when gnutls_realloc_zero() has been set as gmp
> 	   reallocfunc (!1592, #1367, #1368, #1369).
> 	** API and ABI modifications:
> 	No changes since last version.
>     * Version 3.7.5 (released 2022-05-15)
> 	** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority
> 	   modifier have been added to disable session ticket usage in TLS 1.2 because
> 	   it does not provide forward secrecy (#477).  On the other hand, since session
> 	   tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now
> 	   only disables session tickets in TLS 1.2.  Future backward incompatibility:
> 	   in the next major release of GnuTLS, we plan to remove those flag and
> 	   modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2.
> 	** gnutls-cli, gnutls-serv: Channel binding for printing information
> 	   has been changed from tls-unique to tls-exporter as tls-unique is
> 	   not supported in TLS 1.3.
> 	** libgnutls: Certificate sanity checks has been enhanced to make
> 	   gnutls more RFC 5280 compliant (!1583).
> 	   Following changes were included:
> 	   - critical extensions are parsed when loading x509
> 	     certificate to prohibit any random octet strings.
> 	     Requires strict-x509 configure option to be enabled
> 	   - garbage bits in Key Usage extension are prohibited
> 	   - empty DirectoryStrings in Distinguished name structures
> 	     of Issuer and Subject name are prohibited
> 	** libgnutls: Removed 3DES from FIPS approved algorithms (#1353).
> 	   According to the section 2 of SP800-131A Rev.2, 3DES algorithm
> 	   will be disallowed for encryption after December 31, 2023:
> 	   https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
> 	** libgnutls: Optimized support for AES-SIV-CMAC algorithms (#1217, #1312).
> 	   The existing AEAD API that works in a scatter-gather fashion
> 	   (gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC.
> 	   For further optimization, new function (gnutls_aead_cipher_set_key) has been
> 	   added to set key on the existing AEAD handle without re-allocation.
> 	** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
> 	   when used in TLS (#1311).
> 	** The configure arguments for Brotli and Zstandard (zstd) support
> 	   have changed to reflect the previous help text: they are now
> 	   --with-brotli/--with-zstd respectively (#1342).
> 	** Detecting the Zstandard (zstd) library in configure has been
> 	   fixed (#1343).
> 	** API and ABI modifications:
> 	GNUTLS_NO_TICKETS_TLS12: New flag
> 	gnutls_aead_cipher_set_key: New function
>     * Version 3.7.4 (released 2022-03-17)
> 	** libgnutls: Added support for certificate compression as defined in RFC8879
> 	   (#1301). New API functions (gnutls_compress_certificate_get_selected_method
> 	   and gnutls_compress_certificate_set_methods) allow client and server to set
> 	   their preferences.
> 	** certtool: Added option --compress-cert that allows user to specify
> 	   compression methods for certificate compression.
> 	** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure
> 	   option to enforce stricter certificate sanity checks that are compliant with
> 	   RFC5280.
> 	** libgnutls: Removed IA5String type from DirectoryString within issuer
> 	   and subject name to make DirectoryString RFC5280 compliant.
> 	** libgnutls: Added function (gnutls_record_send_file) to send file content from
> 	   open file descriptor (!1486). The implementation is optimized if KTLS (kernel
> 	   TLS) is enabled.
> 	** libgnutls: Added function (gnutls_ciphersuite_get) to retrieve the name of
> 	   current ciphersuite from TLS session (#1291).
> 	** libgnutls: The run-time dependency on tpm2-tss is now re-implemented using
> 	   dlopen, so GnuTLS does not indirectly link to other crypto libraries until
> 	   TPM2 functionality is utilized (!1544).
> 	** API and ABI modifications:
> 	GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
> 	GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
> 	gnutls_compress_certificate_get_selected_method: Added
> 	gnutls_compress_certificate_set_methods: Added
> 	gnutls_ciphersuite_get: New function
> 	gnutls_record_send_file: New function
> 	libgnutlsxx: Soname bumped due to ABI breakage introduced in 3.7.1
>     * Version 3.7.3 (released 2022-01-17)
> 	** libgnutls: The allowlisting configuration mode has been added to the system-wide
> 	   settings. In this mode, all the algorithms are initially marked as insecure
> 	   or disabled, while the applications can re-enable them either through the
> 	   [overrides] section of the configuration file or the new API (#1172).
> 	** The build infrastructure no longer depends on GNU AutoGen for generating
> 	   command-line option handling, template file parsing in certtool, and
> 	   documentation generation (#773, #774). This change also removes run-time or
> 	   bundled dependency on the libopts library, and requires Python 3.6 or later
> 	   to regenerate the distribution tarball.
> 	   Note that this brings in known backward incompatibility in command-line
> 	   tools, such as long options are now case sensitive, while previously they
> 	   were treated in a case insensitive manner: for example --RSA is no longer a
> 	   valid option of certtool. The existing scripts using GnuTLS tools may need
> 	   adjustment for this change.
> 	** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
> 	   used as a gnutls_privkey_t (#594). The code was originally written for the
> 	   OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
> 	   tpm2tss-genkey tool from tpm2-tss-engine:
> 	   https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
> 	   or the tpm2_encodeobject tool from unreleased tpm2-tools.
> 	** libgnutls: The library now transparently enables Linux KTLS
> 	   (kernel TLS) when the feature is compiled in with --enable-ktls configuration
> 	   option (#1113). If the KTLS initialization fails it automatically falls back
> 	   to the user space implementation.
> 	** certtool: The certtool command can now read the Certificate Transparency
> 	   (RFC 6962) SCT extension (#232).  New API functions are also provided to
> 	   access and manipulate the extension values.
> 	** certtool: The certtool command can now generate, manipulate, and evaluate
> 	   x25519 and x448 public keys, private keys, and certificates.
> 	** libgnutls: Disabling a hashing algorithm through "insecure-hash"
> 	   configuration directive now also disables TLS ciphersuites that use it as a
> 	   PRF algorithm.
> 	** libgnutls: PKCS#12 files are now created with modern algorithms by default
> 	   (!1499).  Previously certtool used PKCS12-3DES-SHA1 for key derivation and
> 	   HMAC-SHA1 as an integity measure in PKCS#12.  Now it uses AES-128-CBC with
> 	   PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
> 	   default PBKDF2 iteration count has been increased to 600000.
> 	** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
> 	   HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
> 	   conform with the latest TC-26 requirements (#1225).
> 	** libgnutls: The library now provides a means to report the status of approved
> 	   cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this
> 	   complements the existing mechanism to prohibit the use of unapproved
> 	   algorithms by making the library unusable state.
> 	** gnutls-cli: The gnutls-cli command now provides a --list-config option to
> 	   print the library configuration (!1508).
> 	** libgnutls: Fixed possible race condition in
> 	   gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
> 	   among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low]
> 	** API and ABI modifications:
> 	GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
> 	GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
> 	gnutls_ecc_curve_set_enabled: Added.
> 	gnutls_sign_set_secure: Added.
> 	gnutls_sign_set_secure_for_certs: Added.
> 	gnutls_digest_set_secure: Added.
> 	gnutls_protocol_set_enabled: Added.
> 	gnutls_fips140_context_init: New function
> 	gnutls_fips140_context_deinit: New function
> 	gnutls_fips140_push_context: New function
> 	gnutls_fips140_pop_context: New function
> 	gnutls_fips140_get_operation_state: New function
> 	gnutls_fips140_operation_state_t: New enum
> 	gnutls_transport_is_ktls_enabled: New function
> 	gnutls_get_library_configuration: New function
>     * Version 3.7.2 (released 2021-05-29)
> 	** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
> 	   to disable TLS 1.3 middlebox compatibility mode
> 	** libgnutls: The Linux kernel AF_ALG based acceleration has been added.
> 	   This can be enabled with --enable-afalg configure option, when libkcapi
> 	   package is installed (#308).
> 	** libgnutls: Fixed timing of early data exchange. Previously, the client was
> 	   sending early data after receiving Server Hello, which not only negates the
> 	   benefit of 0-RTT, but also works under certain assumptions hold (e.g., the
> 	   same ciphersuite is selected in initial and resumption handshake) (#1146).
> 	** certtool: When signing a CSR, CRL distribution point (CDP) is no longer
> 	   copied from the signing CA by default (#1126).
> 	** libgnutls: The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
> 	   GNUTLS_NO_IMPLICIT_INIT to reflect the purpose (#1178). The former is now
> 	   deprecated and will be removed in the future releases.
> 	** certtool: When producing certificates and certificate requests, subject DN
> 	   components that are provided individually will now be ordered by
> 	   assumed scale (e.g. Country before State, Organization before
> 	   OrganizationalUnit).  This change also affects the order in which
> 	   certtool prompts interactively.  Please rely on the template
> 	   mechanism for automated use of certtool! (#1243)
> 	** API and ABI modifications:
> 	gnutls_early_cipher_get: Added
> 	gnutls_early_prf_hash_get: Added
> 	** guile: Writes to a session record port no longer throw an exception upon
> 	   GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
>     * Version 3.7.1 (released 2021-03-10)
> 	** libgnutls: Fixed potential use-after-free in sending "key_share"
> 	   and "pre_shared_key" extensions. When sending those extensions, the
> 	   client may dereference a pointer no longer valid after
> 	   realloc. This happens only when the client sends a large Client
> 	   Hello message, e.g., when HRR is sent in a resumed session
> 	   previously negotiated large FFDHE parameters, because the initial
> 	   allocation of the buffer is large enough without having to call
> 	   realloc (#1151).  [GNUTLS-SA-2021-03-10, CVSS: low]
> 	** libgnutls: Fixed a regression in handling duplicated certs in a
> 	   chain (#1131).
> 	** libgnutls: Fixed sending of session ID in TLS 1.3 middlebox
> 	   compatibiltiy mode. In that mode the client shall always send a
> 	   non-zero session ID to make the handshake resemble the TLS 1.2
> 	   resumption; this was not true in the previous versions (#1074).
> 	** libgnutls: W32 performance improvement with a new sendmsg()-like
> 	   transport implementation (!1377).
> 	** libgnutls: Removed dependency on the external 'fipscheck' package,
> 	   when compiled with --enable-fips140-mode (#1101).
> 	** libgnutls: Added padlock acceleration for AES-192-CBC (#1004).
> 	** API and ABI modifications:
> 	No changes since last version.
>     * Version 3.7.0 (released 2020-12-02)
> 	** libgnutls: Depend on nettle 3.6 (!1322).
> 	** libgnutls: Added a new API that provides a callback function to
> 	   retrieve missing certificates from incomplete certificate chains
> 	   (#202, #968, #1100).
> 	** libgnutls: Added a new API that provides a callback function to
> 	   output the complete path to the trusted root during certificate
> 	   chain verification (#1012).
> 	** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the
> 	   terminating null bytes, while the data field is null terminated.
> 	   The affected API functions are: gnutls_ocsp_req_get_extension,
> 	   gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
> 	   (#805).
> 	** libgnutls: Added a new set of API to enable QUIC implementation (#826, #849,
> 	   #850).
> 	** libgnutls: The crypto implementation override APIs deprecated in 3.6.9 are
> 	   now no-op (#790).
> 	** libgnutls: Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161).
> 	** libgnutls: Support for padlock has been fixed to make it work with Zhaoxin
> 	   CPU (#1079).
> 	** libgnutls: The maximum PIN length for PKCS #11 has been increased from 31
> 	   bytes to 255 bytes (#932).
> 	** API and ABI modifications:
> 	gnutls_x509_trust_list_set_getissuer_function: Added
> 	gnutls_x509_trust_list_get_ptr: Added
> 	gnutls_x509_trust_list_set_ptr: Added
> 	gnutls_session_set_verify_output_function: Added
> 	gnutls_record_encryption_level_t: New enum
> 	gnutls_handshake_read_func: New callback type
> 	gnutls_handshake_set_read_function: New function
> 	gnutls_handshake_write: New function
> 	gnutls_handshake_secret_func: New callback type
> 	gnutls_handshake_set_secret_function: New function
> 	gnutls_alert_read_func: New callback type
> 	gnutls_alert_set_read_function: New function
> 	gnutls_crypto_register_cipher: Deprecated; no-op
> 	gnutls_crypto_register_aead_cipher: Deprecated; no-op
> 	gnutls_crypto_register_mac: Deprecated; no-op
> 	gnutls_crypto_register_digest: Deprecated; no-op
> 
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>  config/rootfiles/common/gnutls | 42 +++++++++++++++++++++++++++++++---
>  lfs/gnutls                     |  4 ++--
>  2 files changed, 41 insertions(+), 5 deletions(-)
> 
> diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
> index e59c1a84f..25173efd3 100644
> --- a/config/rootfiles/common/gnutls
> +++ b/config/rootfiles/common/gnutls
> @@ -33,15 +33,16 @@ usr/lib/libgnutls-dane.so.0.4.1
>  #usr/lib/libgnutls.la
>  #usr/lib/libgnutls.so
>  usr/lib/libgnutls.so.30
> -usr/lib/libgnutls.so.30.28.2
> +usr/lib/libgnutls.so.30.33.1
>  #usr/lib/libgnutlsxx.la
>  #usr/lib/libgnutlsxx.so
> -usr/lib/libgnutlsxx.so.28
> -usr/lib/libgnutlsxx.so.28.1.0
> +usr/lib/libgnutlsxx.so.30
> +usr/lib/libgnutlsxx.so.30.0.0
>  #usr/lib/pkgconfig/gnutls-dane.pc
>  #usr/lib/pkgconfig/gnutls.pc
>  #usr/share/doc/gnutls
>  #usr/share/doc/gnutls/gnutls-client-server-use-case.png
> +#usr/share/doc/gnutls/gnutls-crypto-layers.png
>  #usr/share/doc/gnutls/gnutls-handshake-sequence.png
>  #usr/share/doc/gnutls/gnutls-handshake-state.png
>  #usr/share/doc/gnutls/gnutls-internals.png
> @@ -51,6 +52,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/doc/gnutls/gnutls-x509.png
>  #usr/share/doc/gnutls/pkcs11-vision.png
>  #usr/share/info/gnutls-client-server-use-case.png
> +#usr/share/info/gnutls-crypto-layers.png
>  #usr/share/info/gnutls-guile.info
>  #usr/share/info/gnutls-handshake-sequence.png
>  #usr/share/info/gnutls-handshake-state.png
> @@ -119,11 +121,13 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_aead_cipher_encryptv.3
>  #usr/share/man/man3/gnutls_aead_cipher_encryptv2.3
>  #usr/share/man/man3/gnutls_aead_cipher_init.3
> +#usr/share/man/man3/gnutls_aead_cipher_set_key.3
>  #usr/share/man/man3/gnutls_alert_get.3
>  #usr/share/man/man3/gnutls_alert_get_name.3
>  #usr/share/man/man3/gnutls_alert_get_strname.3
>  #usr/share/man/man3/gnutls_alert_send.3
>  #usr/share/man/man3/gnutls_alert_send_appropriate.3
> +#usr/share/man/man3/gnutls_alert_set_read_function.3
>  #usr/share/man/man3/gnutls_alpn_get_selected_protocol.3
>  #usr/share/man/man3/gnutls_alpn_set_protocols.3
>  #usr/share/man/man3/gnutls_anon_allocate_client_credentials.3
> @@ -234,6 +238,9 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_cipher_suite_get_name.3
>  #usr/share/man/man3/gnutls_cipher_suite_info.3
>  #usr/share/man/man3/gnutls_cipher_tag.3
> +#usr/share/man/man3/gnutls_ciphersuite_get.3
> +#usr/share/man/man3/gnutls_compress_certificate_get_selected_method.3
> +#usr/share/man/man3/gnutls_compress_certificate_set_methods.3
>  #usr/share/man/man3/gnutls_compression_get.3
>  #usr/share/man/man3/gnutls_compression_get_id.3
>  #usr/share/man/man3/gnutls_compression_get_name.3
> @@ -282,6 +289,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_digest_get_name.3
>  #usr/share/man/man3/gnutls_digest_get_oid.3
>  #usr/share/man/man3/gnutls_digest_list.3
> +#usr/share/man/man3/gnutls_digest_set_secure.3
>  #usr/share/man/man3/gnutls_dtls_cookie_send.3
>  #usr/share/man/man3/gnutls_dtls_cookie_verify.3
>  #usr/share/man/man3/gnutls_dtls_get_data_mtu.3
> @@ -291,6 +299,8 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_dtls_set_data_mtu.3
>  #usr/share/man/man3/gnutls_dtls_set_mtu.3
>  #usr/share/man/man3/gnutls_dtls_set_timeouts.3
> +#usr/share/man/man3/gnutls_early_cipher_get.3
> +#usr/share/man/man3/gnutls_early_prf_hash_get.3
>  #usr/share/man/man3/gnutls_ecc_curve_get.3
>  #usr/share/man/man3/gnutls_ecc_curve_get_id.3
>  #usr/share/man/man3/gnutls_ecc_curve_get_name.3
> @@ -298,6 +308,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_ecc_curve_get_pk.3
>  #usr/share/man/man3/gnutls_ecc_curve_get_size.3
>  #usr/share/man/man3/gnutls_ecc_curve_list.3
> +#usr/share/man/man3/gnutls_ecc_curve_set_enabled.3
>  #usr/share/man/man3/gnutls_encode_ber_digest_info.3
>  #usr/share/man/man3/gnutls_encode_gost_rs_value.3
>  #usr/share/man/man3/gnutls_encode_rs_value.3
> @@ -312,8 +323,14 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_ext_register.3
>  #usr/share/man/man3/gnutls_ext_set_data.3
>  #usr/share/man/man3/gnutls_fingerprint.3
> +#usr/share/man/man3/gnutls_fips140_context_deinit.3
> +#usr/share/man/man3/gnutls_fips140_context_init.3
> +#usr/share/man/man3/gnutls_fips140_get_operation_state.3
>  #usr/share/man/man3/gnutls_fips140_mode_enabled.3
> +#usr/share/man/man3/gnutls_fips140_pop_context.3
> +#usr/share/man/man3/gnutls_fips140_push_context.3
>  #usr/share/man/man3/gnutls_fips140_set_mode.3
> +#usr/share/man/man3/gnutls_get_library_config.3
>  #usr/share/man/man3/gnutls_get_system_config_file.3
>  #usr/share/man/man3/gnutls_global_deinit.3
>  #usr/share/man/man3/gnutls_global_init.3
> @@ -338,7 +355,10 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_handshake_set_post_client_hello_function.3
>  #usr/share/man/man3/gnutls_handshake_set_private_extensions.3
>  #usr/share/man/man3/gnutls_handshake_set_random.3
> +#usr/share/man/man3/gnutls_handshake_set_read_function.3
> +#usr/share/man/man3/gnutls_handshake_set_secret_function.3
>  #usr/share/man/man3/gnutls_handshake_set_timeout.3
> +#usr/share/man/man3/gnutls_handshake_write.3
>  #usr/share/man/man3/gnutls_hash.3
>  #usr/share/man/man3/gnutls_hash_copy.3
>  #usr/share/man/man3/gnutls_hash_deinit.3
> @@ -655,6 +675,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_protocol_get_name.3
>  #usr/share/man/man3/gnutls_protocol_get_version.3
>  #usr/share/man/man3/gnutls_protocol_list.3
> +#usr/share/man/man3/gnutls_protocol_set_enabled.3
>  #usr/share/man/man3/gnutls_psk_allocate_client_credentials.3
>  #usr/share/man/man3/gnutls_psk_allocate_server_credentials.3
>  #usr/share/man/man3/gnutls_psk_client_get_hint.3
> @@ -738,6 +759,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_record_send.3
>  #usr/share/man/man3/gnutls_record_send2.3
>  #usr/share/man/man3/gnutls_record_send_early_data.3
> +#usr/share/man/man3/gnutls_record_send_file.3
>  #usr/share/man/man3/gnutls_record_send_range.3
>  #usr/share/man/man3/gnutls_record_set_max_early_data_size.3
>  #usr/share/man/man3/gnutls_record_set_max_recv_size.3
> @@ -783,6 +805,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_session_set_verify_cert.3
>  #usr/share/man/man3/gnutls_session_set_verify_cert2.3
>  #usr/share/man/man3/gnutls_session_set_verify_function.3
> +#usr/share/man/man3/gnutls_session_set_verify_output_function.3
>  #usr/share/man/man3/gnutls_session_supplemental_register.3
>  #usr/share/man/man3/gnutls_session_ticket_enable_client.3
>  #usr/share/man/man3/gnutls_session_ticket_enable_server.3
> @@ -801,6 +824,8 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_sign_is_secure.3
>  #usr/share/man/man3/gnutls_sign_is_secure2.3
>  #usr/share/man/man3/gnutls_sign_list.3
> +#usr/share/man/man3/gnutls_sign_set_secure.3
> +#usr/share/man/man3/gnutls_sign_set_secure_for_certs.3
>  #usr/share/man/man3/gnutls_sign_supports_pk_algorithm.3
>  #usr/share/man/man3/gnutls_srp_allocate_client_credentials.3
>  #usr/share/man/man3/gnutls_srp_allocate_server_credentials.3
> @@ -857,6 +882,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_transport_get_int2.3
>  #usr/share/man/man3/gnutls_transport_get_ptr.3
>  #usr/share/man/man3/gnutls_transport_get_ptr2.3
> +#usr/share/man/man3/gnutls_transport_is_ktls_enabled.3
>  #usr/share/man/man3/gnutls_transport_set_errno.3
>  #usr/share/man/man3/gnutls_transport_set_errno_function.3
>  #usr/share/man/man3/gnutls_transport_set_fastopen.3
> @@ -1113,6 +1139,8 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_x509_crt_sign2.3
>  #usr/share/man/man3/gnutls_x509_crt_verify.3
>  #usr/share/man/man3/gnutls_x509_crt_verify_data2.3
> +#usr/share/man/man3/gnutls_x509_ct_sct_get.3
> +#usr/share/man/man3/gnutls_x509_ct_sct_get_version.3
>  #usr/share/man/man3/gnutls_x509_dn_deinit.3
>  #usr/share/man/man3/gnutls_x509_dn_export.3
>  #usr/share/man/man3/gnutls_x509_dn_export2.3
> @@ -1124,6 +1152,10 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_x509_dn_oid_known.3
>  #usr/share/man/man3/gnutls_x509_dn_oid_name.3
>  #usr/share/man/man3/gnutls_x509_dn_set_str.3
> +#usr/share/man/man3/gnutls_x509_ext_ct_export_scts.3
> +#usr/share/man/man3/gnutls_x509_ext_ct_import_scts.3
> +#usr/share/man/man3/gnutls_x509_ext_ct_scts_deinit.3
> +#usr/share/man/man3/gnutls_x509_ext_ct_scts_init.3
>  #usr/share/man/man3/gnutls_x509_ext_deinit.3
>  #usr/share/man/man3/gnutls_x509_ext_export_aia.3
>  #usr/share/man/man3/gnutls_x509_ext_export_authority_key_id.3
> @@ -1233,12 +1265,16 @@ usr/lib/libgnutlsxx.so.28.1.0
>  #usr/share/man/man3/gnutls_x509_trust_list_get_issuer.3
>  #usr/share/man/man3/gnutls_x509_trust_list_get_issuer_by_dn.3
>  #usr/share/man/man3/gnutls_x509_trust_list_get_issuer_by_subject_key_id.3
> +#usr/share/man/man3/gnutls_x509_trust_list_get_ptr.3
>  #usr/share/man/man3/gnutls_x509_trust_list_init.3
>  #usr/share/man/man3/gnutls_x509_trust_list_iter_deinit.3
>  #usr/share/man/man3/gnutls_x509_trust_list_iter_get_ca.3
>  #usr/share/man/man3/gnutls_x509_trust_list_remove_cas.3
>  #usr/share/man/man3/gnutls_x509_trust_list_remove_trust_file.3
>  #usr/share/man/man3/gnutls_x509_trust_list_remove_trust_mem.3
> +#usr/share/man/man3/gnutls_x509_trust_list_set_getissuer_function.3
> +#usr/share/man/man3/gnutls_x509_trust_list_set_ptr.3
>  #usr/share/man/man3/gnutls_x509_trust_list_verify_crt.3
>  #usr/share/man/man3/gnutls_x509_trust_list_verify_crt2.3
>  #usr/share/man/man3/gnutls_x509_trust_list_verify_named_crt.3
> +
> diff --git a/lfs/gnutls b/lfs/gnutls
> index 169c8ce85..9c418890a 100644
> --- a/lfs/gnutls
> +++ b/lfs/gnutls
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 3.6.16
> +VER        = 3.7.6
>  
>  THISAPP    = gnutls-$(VER)
>  DL_FILE    = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = 2c40e199e4e107a81d22b84305cf27b3ca2a2b5d505a3fbd398dcfaec0ae30c71cae8a8b290523d3ad8636b2fb6b9da2a496315c20555265c681225b9b6bf6a4
> +$(DL_FILE)_BLAKE2 = 9f3cce8dfc0b88f2c42d1d2633417dac649a265407b620b6d15967e5210debb99d287ef31d2b9dc37a527ac1e5b9db4c240b98a63293078fbd2e26ac694bf3d3
>  
>  install : $(TARGET)
>