@c gnutls_cipher_algorithm_t
@table @code
@item GNUTLS_@-CIPHER_@-UNKNOWN
Value to identify an unknown/unsupported algorithm.
@item GNUTLS_@-CIPHER_@-NULL
The NULL (identity) encryption algorithm.
@item GNUTLS_@-CIPHER_@-ARCFOUR_@-128
ARCFOUR stream cipher with 128-bit keys.
@item GNUTLS_@-CIPHER_@-3DES_@-CBC
3DES in CBC mode.
@item GNUTLS_@-CIPHER_@-AES_@-128_@-CBC
AES in CBC mode with 128-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-256_@-CBC
AES in CBC mode with 256-bit keys.
@item GNUTLS_@-CIPHER_@-ARCFOUR_@-40
ARCFOUR stream cipher with 40-bit keys.
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-128_@-CBC
Camellia in CBC mode with 128-bit keys.
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-256_@-CBC
Camellia in CBC mode with 256-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-192_@-CBC
AES in CBC mode with 192-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-128_@-GCM
AES in GCM mode with 128-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-256_@-GCM
AES in GCM mode with 256-bit keys.
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-192_@-CBC
Camellia in CBC mode with 192-bit keys.
@item GNUTLS_@-CIPHER_@-SALSA20_@-256
Salsa20 with 256-bit keys.
@item GNUTLS_@-CIPHER_@-ESTREAM_@-SALSA20_@-256
Estream's Salsa20 variant with 256-bit keys.
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-128_@-GCM
CAMELLIA in GCM mode with 128-bit keys.
@item GNUTLS_@-CIPHER_@-CAMELLIA_@-256_@-GCM
CAMELLIA in GCM mode with 256-bit keys.
@item GNUTLS_@-CIPHER_@-RC2_@-40_@-CBC
RC2 in CBC mode with 40-bit keys.
@item GNUTLS_@-CIPHER_@-DES_@-CBC
DES in CBC mode (56-bit keys).
@item GNUTLS_@-CIPHER_@-AES_@-128_@-CCM
AES in CCM mode with 128-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-256_@-CCM
AES in CCM mode with 256-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-128_@-CCM_@-8
AES in CCM mode with 64-bit tag and 128-bit keys.
@item GNUTLS_@-CIPHER_@-AES_@-256_@-CCM_@-8
AES in CCM mode with 64-bit tag and 256-bit keys.
@item GNUTLS_@-CIPHER_@-CHACHA20_@-POLY1305
The Chacha20 cipher with the Poly1305 authenticator (AEAD).
@item GNUTLS_@-CIPHER_@-IDEA_@-PGP_@-CFB
IDEA in CFB mode (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-3DES_@-PGP_@-CFB
3DES in CFB mode (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-CAST5_@-PGP_@-CFB
CAST5 in CFB mode (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-BLOWFISH_@-PGP_@-CFB
Blowfish in CFB mode (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-SAFER_@-SK128_@-PGP_@-CFB
Safer-SK in CFB mode with 128-bit keys (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-AES128_@-PGP_@-CFB
AES in CFB mode with 128-bit keys (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-AES192_@-PGP_@-CFB
AES in CFB mode with 192-bit keys (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-AES256_@-PGP_@-CFB
AES in CFB mode with 256-bit keys (placeholder - unsupported).
@item GNUTLS_@-CIPHER_@-TWOFISH_@-PGP_@-CFB
Twofish in CFB mode (placeholder - unsupported).
@end table
@c gnutls_kx_algorithm_t
@table @code
@item GNUTLS_@-KX_@-UNKNOWN
Unknown key-exchange algorithm.
@item GNUTLS_@-KX_@-RSA
RSA key-exchange algorithm.
@item GNUTLS_@-KX_@-DHE_@-DSS
DHE-DSS key-exchange algorithm.
@item GNUTLS_@-KX_@-DHE_@-RSA
DHE-RSA key-exchange algorithm.
@item GNUTLS_@-KX_@-ANON_@-DH
Anon-DH key-exchange algorithm.
@item GNUTLS_@-KX_@-SRP
SRP key-exchange algorithm.
@item GNUTLS_@-KX_@-RSA_@-EXPORT
RSA-EXPORT key-exchange algorithm (defunc).
@item GNUTLS_@-KX_@-SRP_@-RSA
SRP-RSA key-exchange algorithm.
@item GNUTLS_@-KX_@-SRP_@-DSS
SRP-DSS key-exchange algorithm.
@item GNUTLS_@-KX_@-PSK
PSK key-exchange algorithm.
@item GNUTLS_@-KX_@-DHE_@-PSK
DHE-PSK key-exchange algorithm.
@item GNUTLS_@-KX_@-ANON_@-ECDH
Anon-ECDH key-exchange algorithm.
@item GNUTLS_@-KX_@-ECDHE_@-RSA
ECDHE-RSA key-exchange algorithm.
@item GNUTLS_@-KX_@-ECDHE_@-ECDSA
ECDHE-ECDSA key-exchange algorithm.
@item GNUTLS_@-KX_@-ECDHE_@-PSK
ECDHE-PSK key-exchange algorithm.
@item GNUTLS_@-KX_@-RSA_@-PSK
RSA-PSK key-exchange algorithm.
@end table
@c gnutls_params_type_t
@table @code
@item GNUTLS_@-PARAMS_@-RSA_@-EXPORT
Session RSA-EXPORT parameters (defunc).
@item GNUTLS_@-PARAMS_@-DH
Session Diffie-Hellman parameters.
@item GNUTLS_@-PARAMS_@-ECDH
Session Elliptic-Curve Diffie-Hellman parameters.
@end table
@c gnutls_credentials_type_t
@table @code
@item GNUTLS_@-CRD_@-CERTIFICATE
Certificate credential.
@item GNUTLS_@-CRD_@-ANON
Anonymous credential.
@item GNUTLS_@-CRD_@-SRP
SRP credential.
@item GNUTLS_@-CRD_@-PSK
PSK credential.
@item GNUTLS_@-CRD_@-IA
IA credential.
@end table
@c gnutls_mac_algorithm_t
@table @code
@item GNUTLS_@-MAC_@-UNKNOWN
Unknown MAC algorithm.
@item GNUTLS_@-MAC_@-NULL
NULL MAC algorithm (empty output).
@item GNUTLS_@-MAC_@-MD5
HMAC-MD5 algorithm.
@item GNUTLS_@-MAC_@-SHA1
HMAC-SHA-1 algorithm.
@item GNUTLS_@-MAC_@-RMD160
HMAC-RMD160 algorithm.
@item GNUTLS_@-MAC_@-MD2
HMAC-MD2 algorithm.
@item GNUTLS_@-MAC_@-SHA256
HMAC-SHA-256 algorithm.
@item GNUTLS_@-MAC_@-SHA384
HMAC-SHA-384 algorithm.
@item GNUTLS_@-MAC_@-SHA512
HMAC-SHA-512 algorithm.
@item GNUTLS_@-MAC_@-SHA224
HMAC-SHA-224 algorithm.
@item GNUTLS_@-MAC_@-SHA3_@-224
-- undescribed --
@item GNUTLS_@-MAC_@-SHA3_@-256
-- undescribed --
@item GNUTLS_@-MAC_@-SHA3_@-384
-- undescribed --
@item GNUTLS_@-MAC_@-SHA3_@-512
-- undescribed --
@item GNUTLS_@-MAC_@-MD5_@-SHA1
Combined MD5+SHA1 MAC placeholder.
@item GNUTLS_@-MAC_@-AEAD
MAC implicit through AEAD cipher.
@item GNUTLS_@-MAC_@-UMAC_@-96
The UMAC-96 MAC algorithm.
@item GNUTLS_@-MAC_@-UMAC_@-128
The UMAC-128 MAC algorithm.
@end table
@c gnutls_digest_algorithm_t
@table @code
@item GNUTLS_@-DIG_@-UNKNOWN
Unknown hash algorithm.
@item GNUTLS_@-DIG_@-NULL
NULL hash algorithm (empty output).
@item GNUTLS_@-DIG_@-MD5
MD5 algorithm.
@item GNUTLS_@-DIG_@-SHA1
SHA-1 algorithm.
@item GNUTLS_@-DIG_@-RMD160
RMD160 algorithm.
@item GNUTLS_@-DIG_@-MD2
MD2 algorithm.
@item GNUTLS_@-DIG_@-SHA256
SHA-256 algorithm.
@item GNUTLS_@-DIG_@-SHA384
SHA-384 algorithm.
@item GNUTLS_@-DIG_@-SHA512
SHA-512 algorithm.
@item GNUTLS_@-DIG_@-SHA224
SHA-224 algorithm.
@item GNUTLS_@-DIG_@-SHA3_@-224
SHA3-224 algorithm.
@item GNUTLS_@-DIG_@-SHA3_@-256
SHA3-256 algorithm.
@item GNUTLS_@-DIG_@-SHA3_@-384
SHA3-384 algorithm.
@item GNUTLS_@-DIG_@-SHA3_@-512
SHA3-512 algorithm.
@item GNUTLS_@-DIG_@-MD5_@-SHA1
Combined MD5+SHA1 algorithm.
@end table
@c gnutls_compression_method_t
@table @code
@item GNUTLS_@-COMP_@-UNKNOWN
Unknown compression method.
@item GNUTLS_@-COMP_@-NULL
The NULL compression method (no compression).
@item GNUTLS_@-COMP_@-DEFLATE
The DEFLATE compression method from zlib.
@item GNUTLS_@-COMP_@-ZLIB
Same as @code{GNUTLS_COMP_DEFLATE} .
@end table
@c gnutls_init_flags_t
@table @code
@item GNUTLS_@-SERVER
Connection end is a server.
@item GNUTLS_@-CLIENT
Connection end is a client.
@item GNUTLS_@-DATAGRAM
Connection is datagram oriented (DTLS). Since 3.0.0.
@item GNUTLS_@-NONBLOCK
Connection should not block. Since 3.0.0.
@item GNUTLS_@-NO_@-EXTENSIONS
Do not enable any TLS extensions by default (since 3.1.2).
@item GNUTLS_@-NO_@-REPLAY_@-PROTECTION
Disable any replay protection in DTLS. This must only be used if replay protection is achieved using other means. Since 3.2.2.
@item GNUTLS_@-NO_@-SIGNAL
In systems where SIGPIPE is delivered on send, it will be disabled. That flag has effect in systems which support the MSG_NOSIGNAL sockets flag (since 3.4.2).
@item GNUTLS_@-ALLOW_@-ID_@-CHANGE
Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0.
@item GNUTLS_@-ENABLE_@-FALSE_@-START
Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0.
@item GNUTLS_@-FORCE_@-CLIENT_@-CERT
When in client side and only a single cert is specified, send that certificate irrespective of the issuers expected by the server. Since 3.5.0.
@item GNUTLS_@-NO_@-TICKETS
Flag to indicate that the session should not use resumption with session tickets.
@end table
@c gnutls_alert_level_t
@table @code
@item GNUTLS_@-AL_@-WARNING
Alert of warning severity.
@item GNUTLS_@-AL_@-FATAL
Alert of fatal severity.
@end table
@c gnutls_alert_description_t
@table @code
@item GNUTLS_@-A_@-CLOSE_@-NOTIFY
Close notify.
@item GNUTLS_@-A_@-UNEXPECTED_@-MESSAGE
Unexpected message.
@item GNUTLS_@-A_@-BAD_@-RECORD_@-MAC
Bad record MAC.
@item GNUTLS_@-A_@-DECRYPTION_@-FAILED
Decryption failed.
@item GNUTLS_@-A_@-RECORD_@-OVERFLOW
Record overflow.
@item GNUTLS_@-A_@-DECOMPRESSION_@-FAILURE
Decompression failed.
@item GNUTLS_@-A_@-HANDSHAKE_@-FAILURE
Handshake failed.
@item GNUTLS_@-A_@-SSL3_@-NO_@-CERTIFICATE
No certificate.
@item GNUTLS_@-A_@-BAD_@-CERTIFICATE
Certificate is bad.
@item GNUTLS_@-A_@-UNSUPPORTED_@-CERTIFICATE
Certificate is not supported.
@item GNUTLS_@-A_@-CERTIFICATE_@-REVOKED
Certificate was revoked.
@item GNUTLS_@-A_@-CERTIFICATE_@-EXPIRED
Certificate is expired.
@item GNUTLS_@-A_@-CERTIFICATE_@-UNKNOWN
Unknown certificate.
@item GNUTLS_@-A_@-ILLEGAL_@-PARAMETER
Illegal parameter.
@item GNUTLS_@-A_@-UNKNOWN_@-CA
CA is unknown.
@item GNUTLS_@-A_@-ACCESS_@-DENIED
Access was denied.
@item GNUTLS_@-A_@-DECODE_@-ERROR
Decode error.
@item GNUTLS_@-A_@-DECRYPT_@-ERROR
Decrypt error.
@item GNUTLS_@-A_@-EXPORT_@-RESTRICTION
Export restriction.
@item GNUTLS_@-A_@-PROTOCOL_@-VERSION
Error in protocol version.
@item GNUTLS_@-A_@-INSUFFICIENT_@-SECURITY
Insufficient security.
@item GNUTLS_@-A_@-INTERNAL_@-ERROR
Internal error.
@item GNUTLS_@-A_@-INAPPROPRIATE_@-FALLBACK
Inappropriate fallback,
@item GNUTLS_@-A_@-USER_@-CANCELED
User canceled.
@item GNUTLS_@-A_@-NO_@-RENEGOTIATION
No renegotiation is allowed.
@item GNUTLS_@-A_@-UNSUPPORTED_@-EXTENSION
An unsupported extension was
sent.
@item GNUTLS_@-A_@-CERTIFICATE_@-UNOBTAINABLE
Could not retrieve the
specified certificate.
@item GNUTLS_@-A_@-UNRECOGNIZED_@-NAME
The server name sent was not
recognized.
@item GNUTLS_@-A_@-UNKNOWN_@-PSK_@-IDENTITY
The SRP/PSK username is missing
or not known.
@item GNUTLS_@-A_@-NO_@-APPLICATION_@-PROTOCOL
The ALPN protocol requested is
not supported by the peer.
@item GNUTLS_@-A_@-MAX
-- undescribed --
@end table
@c gnutls_handshake_description_t
@table @code
@item GNUTLS_@-HANDSHAKE_@-HELLO_@-REQUEST
Hello request.
@item GNUTLS_@-HANDSHAKE_@-CLIENT_@-HELLO
Client hello.
@item GNUTLS_@-HANDSHAKE_@-SERVER_@-HELLO
Server hello.
@item GNUTLS_@-HANDSHAKE_@-HELLO_@-VERIFY_@-REQUEST
DTLS Hello verify request.
@item GNUTLS_@-HANDSHAKE_@-NEW_@-SESSION_@-TICKET
New session ticket.
@item GNUTLS_@-HANDSHAKE_@-CERTIFICATE_@-PKT
Certificate packet.
@item GNUTLS_@-HANDSHAKE_@-SERVER_@-KEY_@-EXCHANGE
Server key exchange.
@item GNUTLS_@-HANDSHAKE_@-CERTIFICATE_@-REQUEST
Certificate request.
@item GNUTLS_@-HANDSHAKE_@-SERVER_@-HELLO_@-DONE
Server hello done.
@item GNUTLS_@-HANDSHAKE_@-CERTIFICATE_@-VERIFY
Certificate verify.
@item GNUTLS_@-HANDSHAKE_@-CLIENT_@-KEY_@-EXCHANGE
Client key exchange.
@item GNUTLS_@-HANDSHAKE_@-FINISHED
Finished.
@item GNUTLS_@-HANDSHAKE_@-CERTIFICATE_@-STATUS
Certificate status (OCSP).
@item GNUTLS_@-HANDSHAKE_@-SUPPLEMENTAL
Supplemental.
@item GNUTLS_@-HANDSHAKE_@-CHANGE_@-CIPHER_@-SPEC
Change Cipher Spec.
@item GNUTLS_@-HANDSHAKE_@-CLIENT_@-HELLO_@-V2
SSLv2 Client Hello.
@end table
@c gnutls_certificate_status_t
@table @code
@item GNUTLS_@-CERT_@-INVALID
The certificate is not signed by one of the
known authorities or the signature is invalid (deprecated by the flags
@code{GNUTLS_CERT_SIGNATURE_FAILURE} and @code{GNUTLS_CERT_SIGNER_NOT_FOUND} ).
@item GNUTLS_@-CERT_@-REVOKED
Certificate is revoked by its authority. In X.509 this will be
set only if CRLs are checked.
@item GNUTLS_@-CERT_@-SIGNER_@-NOT_@-FOUND
The certificate's issuer is not known.
This is the case if the issuer is not included in the trusted certificate list.
@item GNUTLS_@-CERT_@-SIGNER_@-NOT_@-CA
The certificate's signer was not a CA. This
may happen if this was a version 1 certificate, which is common with
some CAs, or a version 3 certificate without the basic constrains extension.
@item GNUTLS_@-CERT_@-INSECURE_@-ALGORITHM
The certificate was signed using an insecure
algorithm such as MD2 or MD5. These algorithms have been broken and
should not be trusted.
@item GNUTLS_@-CERT_@-NOT_@-ACTIVATED
The certificate is not yet activated.
@item GNUTLS_@-CERT_@-EXPIRED
The certificate has expired.
@item GNUTLS_@-CERT_@-SIGNATURE_@-FAILURE
The signature verification failed.
@item GNUTLS_@-CERT_@-REVOCATION_@-DATA_@-SUPERSEDED
The revocation data are old and have been superseded.
@item GNUTLS_@-CERT_@-UNEXPECTED_@-OWNER
The owner is not the expected one.
@item GNUTLS_@-CERT_@-REVOCATION_@-DATA_@-ISSUED_@-IN_@-FUTURE
The revocation data have a future issue date.
@item GNUTLS_@-CERT_@-SIGNER_@-CONSTRAINTS_@-FAILURE
The certificate's signer constraints were
violated.
@item GNUTLS_@-CERT_@-MISMATCH
The certificate presented isn't the expected one (TOFU)
@item GNUTLS_@-CERT_@-PURPOSE_@-MISMATCH
The certificate or an intermediate does not match the intended purpose (extended key usage).
@item GNUTLS_@-CERT_@-MISSING_@-OCSP_@-STATUS
The certificate requires the server to send the certifiate status, but no status was received.
@item GNUTLS_@-CERT_@-INVALID_@-OCSP_@-STATUS
The received OCSP status response is invalid.
@item GNUTLS_@-CERT_@-UNKNOWN_@-CRIT_@-EXTENSIONS
The certificate has extensions marked as critical which are not supported.
@end table
@c gnutls_certificate_request_t
@table @code
@item GNUTLS_@-CERT_@-IGNORE
Ignore certificate.
@item GNUTLS_@-CERT_@-REQUEST
Request certificate.
@item GNUTLS_@-CERT_@-REQUIRE
Require certificate.
@end table
@c gnutls_openpgp_crt_status_t
@table @code
@item GNUTLS_@-OPENPGP_@-CERT
Send entire certificate.
@item GNUTLS_@-OPENPGP_@-CERT_@-FINGERPRINT
Send only certificate fingerprint.
@end table
@c gnutls_close_request_t
@table @code
@item GNUTLS_@-SHUT_@-RDWR
Disallow further receives/sends.
@item GNUTLS_@-SHUT_@-WR
Disallow further sends.
@end table
@c gnutls_protocol_t
@table @code
@item GNUTLS_@-SSL3
SSL version 3.0.
@item GNUTLS_@-TLS1_@-0
TLS version 1.0.
@item GNUTLS_@-TLS1
Same as @code{GNUTLS_TLS1_0} .
@item GNUTLS_@-TLS1_@-1
TLS version 1.1.
@item GNUTLS_@-TLS1_@-2
TLS version 1.2.
@item GNUTLS_@-DTLS0_@-9
DTLS version 0.9 (Cisco AnyConnect / OpenSSL 0.9.8e).
@item GNUTLS_@-DTLS1_@-0
DTLS version 1.0.
@item GNUTLS_@-DTLS1_@-2
DTLS version 1.2.
@item GNUTLS_@-DTLS_@-VERSION_@-MIN
-- undescribed --
@item GNUTLS_@-DTLS_@-VERSION_@-MAX
-- undescribed --
@item GNUTLS_@-TLS_@-VERSION_@-MAX
-- undescribed --
@item GNUTLS_@-VERSION_@-UNKNOWN
Unknown SSL/TLS version.
@end table
@c gnutls_certificate_type_t
@table @code
@item GNUTLS_@-CRT_@-UNKNOWN
Unknown certificate type.
@item GNUTLS_@-CRT_@-X509
X.509 Certificate.
@item GNUTLS_@-CRT_@-OPENPGP
OpenPGP certificate.
@item GNUTLS_@-CRT_@-RAW
Raw public key (SubjectPublicKey)
@end table
@c gnutls_x509_crt_fmt_t
@table @code
@item GNUTLS_@-X509_@-FMT_@-DER
X.509 certificate in DER format (binary).
@item GNUTLS_@-X509_@-FMT_@-PEM
X.509 certificate in PEM format (text).
@end table
@c gnutls_certificate_print_formats_t
@table @code
@item GNUTLS_@-CRT_@-PRINT_@-FULL
Full information about certificate.
@item GNUTLS_@-CRT_@-PRINT_@-ONELINE
Information about certificate in one line.
@item GNUTLS_@-CRT_@-PRINT_@-UNSIGNED_@-FULL
All info for an unsigned certificate.
@item GNUTLS_@-CRT_@-PRINT_@-COMPACT
Information about certificate name in one line, plus identification of the public key.
@item GNUTLS_@-CRT_@-PRINT_@-FULL_@-NUMBERS
Full information about certificate and include easy to parse public key parameters.
@end table
@c gnutls_pk_algorithm_t
@table @code
@item GNUTLS_@-PK_@-UNKNOWN
Unknown public-key algorithm.
@item GNUTLS_@-PK_@-RSA
RSA public-key algorithm.
@item GNUTLS_@-PK_@-DSA
DSA public-key algorithm.
@item GNUTLS_@-PK_@-DH
Diffie-Hellman algorithm. Used to generate parameters.
@item GNUTLS_@-PK_@-ECDSA
Elliptic curve algorithm. These parameters are compatible with the ECDSA and ECDH algorithm.
@item GNUTLS_@-PK_@-ECDH_@-X25519
Elliptic curve algorithm, restricted to ECDH as per rfc7748.
@item GNUTLS_@-PK_@-RSA_@-PSS
RSA public-key algorithm, with PSS padding.
@item GNUTLS_@-PK_@-EDDSA_@-ED25519
Edwards curve Digital signature algorithm. Used with SHA512 on signatures.
@item GNUTLS_@-PK_@-MAX
-- undescribed --
@end table
@c gnutls_sign_algorithm_t
@table @code
@item GNUTLS_@-SIGN_@-UNKNOWN
Unknown signature algorithm.
@item GNUTLS_@-SIGN_@-RSA_@-SHA1
Digital signature algorithm RSA with SHA-1
@item GNUTLS_@-SIGN_@-RSA_@-SHA
Same as @code{GNUTLS_SIGN_RSA_SHA1} .
@item GNUTLS_@-SIGN_@-DSA_@-SHA1
Digital signature algorithm DSA with SHA-1
@item GNUTLS_@-SIGN_@-DSA_@-SHA
Same as @code{GNUTLS_SIGN_DSA_SHA1} .
@item GNUTLS_@-SIGN_@-RSA_@-MD5
Digital signature algorithm RSA with MD5.
@item GNUTLS_@-SIGN_@-RSA_@-MD2
Digital signature algorithm RSA with MD2.
@item GNUTLS_@-SIGN_@-RSA_@-RMD160
Digital signature algorithm RSA with RMD-160.
@item GNUTLS_@-SIGN_@-RSA_@-SHA256
Digital signature algorithm RSA with SHA-256.
@item GNUTLS_@-SIGN_@-RSA_@-SHA384
Digital signature algorithm RSA with SHA-384.
@item GNUTLS_@-SIGN_@-RSA_@-SHA512
Digital signature algorithm RSA with SHA-512.
@item GNUTLS_@-SIGN_@-RSA_@-SHA224
Digital signature algorithm RSA with SHA-224.
@item GNUTLS_@-SIGN_@-DSA_@-SHA224
Digital signature algorithm DSA with SHA-224
@item GNUTLS_@-SIGN_@-DSA_@-SHA256
Digital signature algorithm DSA with SHA-256
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA1
ECDSA with SHA1.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA224
Digital signature algorithm ECDSA with SHA-224.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA256
Digital signature algorithm ECDSA with SHA-256.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA384
Digital signature algorithm ECDSA with SHA-384.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA512
Digital signature algorithm ECDSA with SHA-512.
@item GNUTLS_@-SIGN_@-DSA_@-SHA384
Digital signature algorithm DSA with SHA-384
@item GNUTLS_@-SIGN_@-DSA_@-SHA512
Digital signature algorithm DSA with SHA-512
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA3_@-224
Digital signature algorithm ECDSA with SHA3-224.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA3_@-256
Digital signature algorithm ECDSA with SHA3-256.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA3_@-384
Digital signature algorithm ECDSA with SHA3-384.
@item GNUTLS_@-SIGN_@-ECDSA_@-SHA3_@-512
Digital signature algorithm ECDSA with SHA3-512.
@item GNUTLS_@-SIGN_@-DSA_@-SHA3_@-224
Digital signature algorithm DSA with SHA3-224.
@item GNUTLS_@-SIGN_@-DSA_@-SHA3_@-256
Digital signature algorithm DSA with SHA3-256.
@item GNUTLS_@-SIGN_@-DSA_@-SHA3_@-384
Digital signature algorithm DSA with SHA3-384.
@item GNUTLS_@-SIGN_@-DSA_@-SHA3_@-512
Digital signature algorithm DSA with SHA3-512.
@item GNUTLS_@-SIGN_@-RSA_@-SHA3_@-224
Digital signature algorithm RSA with SHA3-224.
@item GNUTLS_@-SIGN_@-RSA_@-SHA3_@-256
Digital signature algorithm RSA with SHA3-256.
@item GNUTLS_@-SIGN_@-RSA_@-SHA3_@-384
Digital signature algorithm RSA with SHA3-384.
@item GNUTLS_@-SIGN_@-RSA_@-SHA3_@-512
Digital signature algorithm RSA with SHA3-512.
@item GNUTLS_@-SIGN_@-RSA_@-PSS_@-SHA256
Digital signature algorithm RSA with SHA-256, with PSS padding.
@item GNUTLS_@-SIGN_@-RSA_@-PSS_@-SHA384
Digital signature algorithm RSA with SHA-384, with PSS padding.
@item GNUTLS_@-SIGN_@-RSA_@-PSS_@-SHA512
Digital signature algorithm RSA with SHA-512, with PSS padding.
@item GNUTLS_@-SIGN_@-EDDSA_@-ED25519
Digital signature algorithm EdDSA with Ed25519 curve.
@item GNUTLS_@-SIGN_@-RSA_@-RAW
Digital signature algorithm RSA with DigestInfo formatted data
@item GNUTLS_@-SIGN_@-MAX
-- undescribed --
@end table
@c gnutls_ecc_curve_t
@table @code
@item GNUTLS_@-ECC_@-CURVE_@-INVALID
Cannot be known
@item GNUTLS_@-ECC_@-CURVE_@-SECP224R1
the SECP224R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-SECP256R1
the SECP256R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-SECP384R1
the SECP384R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-SECP521R1
the SECP521R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-SECP192R1
the SECP192R1 curve
@item GNUTLS_@-ECC_@-CURVE_@-X25519
the X25519 curve (ECDH only)
@item GNUTLS_@-ECC_@-CURVE_@-ED25519
the Ed25519 curve
@item GNUTLS_@-ECC_@-CURVE_@-MAX
-- undescribed --
@end table
@c gnutls_group_t
@table @code
@item GNUTLS_@-GROUP_@-INVALID
Indicates unknown/invalid group
@item GNUTLS_@-GROUP_@-SECP192R1
the SECP192R1 curve group (legacy, only for TLS 1.2 compatibility)
@item GNUTLS_@-GROUP_@-SECP224R1
the SECP224R1 curve group (legacy, only for TLS 1.2 compatibility)
@item GNUTLS_@-GROUP_@-SECP256R1
the SECP256R1 curve group
@item GNUTLS_@-GROUP_@-SECP384R1
the SECP384R1 curve group
@item GNUTLS_@-GROUP_@-SECP521R1
the SECP521R1 curve group
@item GNUTLS_@-GROUP_@-X25519
the X25519 curve group
@item GNUTLS_@-GROUP_@-FFDHE2048
the FFDHE2048 group
@item GNUTLS_@-GROUP_@-FFDHE3072
the FFDHE3072 group
@item GNUTLS_@-GROUP_@-FFDHE4096
the FFDHE4096 group
@item GNUTLS_@-GROUP_@-FFDHE8192
the FFDHE8192 group
@item GNUTLS_@-GROUP_@-MAX
-- undescribed --
@end table
@c gnutls_sec_param_t
@table @code
@item GNUTLS_@-SEC_@-PARAM_@-UNKNOWN
Cannot be known
@item GNUTLS_@-SEC_@-PARAM_@-INSECURE
Less than 42 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-EXPORT
42 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-VERY_@-WEAK
64 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-WEAK
72 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-LOW
80 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-LEGACY
96 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-MEDIUM
112 bits of security (used to be @code{GNUTLS_SEC_PARAM_NORMAL} )
@item GNUTLS_@-SEC_@-PARAM_@-HIGH
128 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-ULTRA
192 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-FUTURE
256 bits of security
@item GNUTLS_@-SEC_@-PARAM_@-MAX
-- undescribed --
@end table
@c gnutls_channel_binding_t
@table @code
@item GNUTLS_@-CB_@-TLS_@-UNIQUE
"tls-unique" (RFC 5929) channel binding
@end table
@c gnutls_server_name_type_t
@table @code
@item GNUTLS_@-NAME_@-DNS
Domain Name System name type.
@end table
@c gnutls_session_flags_t
@table @code
@item GNUTLS_@-SFLAGS_@-SAFE_@-RENEGOTIATION
Safe renegotiation (RFC5746) was used
@item GNUTLS_@-SFLAGS_@-EXT_@-MASTER_@-SECRET
The extended master secret (RFC7627) extension was used
@item GNUTLS_@-SFLAGS_@-ETM
The encrypt then MAC (RFC7366) extension was used
@item GNUTLS_@-SFLAGS_@-HB_@-LOCAL_@-SEND
The heartbeat negotiation allows the local side to send heartbeat messages
@item GNUTLS_@-SFLAGS_@-HB_@-PEER_@-SEND
The heartbeat negotiation allows the peer to send heartbeat messages
@item GNUTLS_@-SFLAGS_@-FALSE_@-START
The appdata set with @code{gnutls_handshake_set_appdata()} were sent during handshake (false start)
@item GNUTLS_@-SFLAGS_@-RFC7919
The RFC7919 Diffie-Hellman parameters were negotiated
@end table
@c gnutls_supplemental_data_format_type_t
@table @code
@item GNUTLS_@-SUPPLEMENTAL_@-UNKNOWN
Unknown data format
@end table
@c gnutls_srtp_profile_t
@table @code
@item GNUTLS_@-SRTP_@-AES128_@-CM_@-HMAC_@-SHA1_@-80
128 bit AES with a 80 bit HMAC-SHA1
@item GNUTLS_@-SRTP_@-AES128_@-CM_@-HMAC_@-SHA1_@-32
128 bit AES with a 32 bit HMAC-SHA1
@item GNUTLS_@-SRTP_@-NULL_@-HMAC_@-SHA1_@-80
NULL cipher with a 80 bit HMAC-SHA1
@item GNUTLS_@-SRTP_@-NULL_@-HMAC_@-SHA1_@-32
NULL cipher with a 32 bit HMAC-SHA1
@end table
@c gnutls_alpn_flags_t
@table @code
@item GNUTLS_@-ALPN_@-MANDATORY
Require ALPN negotiation. The connection will be
aborted if no matching ALPN protocol is found.
@item GNUTLS_@-ALPN_@-SERVER_@-PRECEDENCE
The choices set by the server
will take precedence over the client's.
@end table
@c gnutls_vdata_types_t
@table @code
@item GNUTLS_@-DT_@-UNKNOWN
Unknown data type.
@item GNUTLS_@-DT_@-DNS_@-HOSTNAME
The data contain a null-terminated DNS hostname; the hostname will be
matched using the RFC6125 rules. If the data contain a textual IP (v4 or v6) address it will
be marched against the IPAddress Alternative name, unless the verification flag @code{GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES}
is specified.
@item GNUTLS_@-DT_@-KEY_@-PURPOSE_@-OID
The data contain a null-terminated key purpose OID. It will be matched
against the certificate's Extended Key Usage extension.
@item GNUTLS_@-DT_@-RFC822NAME
The data contain a null-terminated email address; the email will be
matched against the RFC822Name Alternative name of the certificate, or the EMAIL DN component if the
former isn't available. Prior to matching the email address will be converted to ACE
(ASCII-compatible-encoding).
@item GNUTLS_@-DT_@-IP_@-ADDRESS
The data contain a raw IP address (4 or 16 bytes). If will be matched
against the IPAddress Alternative name; option available since 3.6.0.
@end table
@c gnutls_certificate_flags
@table @code
@item GNUTLS_@-CERTIFICATE_@-SKIP_@-KEY_@-CERT_@-MATCH
Skip the key and certificate matching check.
@item GNUTLS_@-CERTIFICATE_@-API_@-V2
If set the gnutls_certificate_set_*key* functions will return an index of the added key pair instead of zero.
@end table
@c gnutls_psk_key_flags
@table @code
@item GNUTLS_@-PSK_@-KEY_@-RAW
PSK-key in raw format.
@item GNUTLS_@-PSK_@-KEY_@-HEX
PSK-key in hex format.
@end table
@c gnutls_x509_subject_alt_name_t
@table @code
@item GNUTLS_@-SAN_@-DNSNAME
DNS-name SAN.
@item GNUTLS_@-SAN_@-RFC822NAME
E-mail address SAN.
@item GNUTLS_@-SAN_@-URI
URI SAN.
@item GNUTLS_@-SAN_@-IPADDRESS
IP address SAN.
@item GNUTLS_@-SAN_@-OTHERNAME
OtherName SAN.
@item GNUTLS_@-SAN_@-DN
DN SAN.
@item GNUTLS_@-SAN_@-MAX
-- undescribed --
@item GNUTLS_@-SAN_@-OTHERNAME_@-XMPP
Virtual SAN, used by certain functions for convenience.
@item GNUTLS_@-SAN_@-OTHERNAME_@-KRB5PRINCIPAL
Virtual SAN, used by certain functions for convenience.
@end table
@c gnutls_privkey_type_t
@table @code
@item GNUTLS_@-PRIVKEY_@-X509
X.509 private key, @code{gnutls_x509_privkey_t} .
@item GNUTLS_@-PRIVKEY_@-OPENPGP
OpenPGP private key, @code{gnutls_openpgp_privkey_t} .
@item GNUTLS_@-PRIVKEY_@-PKCS11
PKCS11 private key, @code{gnutls_pkcs11_privkey_t} .
@item GNUTLS_@-PRIVKEY_@-EXT
External private key, operating using callbacks.
@end table
@c gnutls_pin_flag_t
@table @code
@item GNUTLS_@-PIN_@-USER
The PIN for the user.
@item GNUTLS_@-PIN_@-SO
The PIN for the security officer (admin).
@item GNUTLS_@-PIN_@-FINAL_@-TRY
This is the final try before blocking.
@item GNUTLS_@-PIN_@-COUNT_@-LOW
Few tries remain before token blocks.
@item GNUTLS_@-PIN_@-CONTEXT_@-SPECIFIC
The PIN is for a specific action and key like signing.
@item GNUTLS_@-PIN_@-WRONG
Last given PIN was not correct.
@end table
@subheading int
@anchor{int}
@deftypefun {typedef} {int} (* @var{gnutls_pin_callback_t})
@var{gnutls_pin_callback_t}: -- undescribed --
Callback function type for PKCS@code{11} or TPM PIN entry. It is set by
functions like @code{gnutls_pkcs11_set_pin_function()} .
The callback should provides the PIN code to unlock the token with
label @code{token_label} , specified by the URL @code{token_url} .
The PIN code, as a NUL-terminated ASCII string, should be copied
into the @code{pin} buffer (of maximum size @code{pin_max} ), and return 0 to
indicate success. Alternatively, the callback may return a
negative gnutls error code to indicate failure and cancel PIN entry
(in which case, the contents of the @code{pin} parameter are ignored).
When a PIN is required, the callback will be invoked repeatedly
(and indefinitely) until either the returned PIN code is correct,
the callback returns failure, or the token refuses login (e.g. when
the token is locked due to too many incorrect PINs!). For the
first such invocation, the @code{attempt} counter will have value zero;
it will increase by one for each subsequent attempt.
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
@strong{Since:} 2.12.0
@end deftypefun
@c gnutls_ext_parse_type_t
@table @code
@item GNUTLS_@-EXT_@-ANY
Any extension type (internal use only).
@item GNUTLS_@-EXT_@-APPLICATION
Application extension.
@item GNUTLS_@-EXT_@-TLS
TLS-internal extension.
@item GNUTLS_@-EXT_@-MANDATORY
Extension parsed even if resuming (or extensions are disabled).
@item GNUTLS_@-EXT_@-NONE
Never parsed
@end table
@c gnutls_ext_flags_t
@table @code
@item GNUTLS_@-EXT_@-FLAG_@-OVERRIDE_@-INTERNAL
If specified the extension registered will override the internal; this does not work with extensions existing prior to 3.6.0.
@end table
@c gnutls_certificate_import_flags
@table @code
@item GNUTLS_@-X509_@-CRT_@-LIST_@-IMPORT_@-FAIL_@-IF_@-EXCEED
Fail if the
certificates in the buffer are more than the space allocated for
certificates. The error code will be @code{GNUTLS_E_SHORT_MEMORY_BUFFER} .
@item GNUTLS_@-X509_@-CRT_@-LIST_@-FAIL_@-IF_@-UNSORTED
Fail if the certificates
in the buffer are not ordered starting from subject to issuer.
The error code will be @code{GNUTLS_E_CERTIFICATE_LIST_UNSORTED} .
@item GNUTLS_@-X509_@-CRT_@-LIST_@-SORT
Sort the certificate chain if unsorted.
@end table
@c gnutls_x509_crt_flags
@table @code
@item GNUTLS_@-X509_@-CRT_@-FLAG_@-IGNORE_@-SANITY
Ignore any sanity checks at the
import of the certificate; i.e., ignore checks such as version/field
matching and strict time field checks. Intended to be used for debugging.
@end table
@c gnutls_keyid_flags_t
@table @code
@item GNUTLS_@-KEYID_@-USE_@-SHA1
Use SHA1 as the key ID algorithm (default).
@item GNUTLS_@-KEYID_@-USE_@-SHA256
Use SHA256 as the key ID algorithm.
@item GNUTLS_@-KEYID_@-USE_@-SHA512
Use SHA512 as the key ID algorithm.
@item GNUTLS_@-KEYID_@-USE_@-BEST_@-KNOWN
Use the best known algorithm to calculate key ID. Using that option will make your program behavior depend on the version of gnutls linked with. That option has a cap of 64-bytes key IDs.
@end table
@c gnutls_certificate_verify_flags
@table @code
@item GNUTLS_@-VERIFY_@-DISABLE_@-CA_@-SIGN
If set a signer does not have to be
a certificate authority. This flag should normally be disabled,
unless you know what this means.
@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-IP_@-MATCHES
When verifying a hostname
prevent textual IP addresses from matching IP addresses in the
certificate. Treat the input only as a DNS name.
@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-SAME
If a certificate is not signed by
anyone trusted but exists in the trusted CA list do not treat it
as trusted.
@item GNUTLS_@-VERIFY_@-ALLOW_@-ANY_@-X509_@-V1_@-CA_@-CRT
Allow CA certificates that
have version 1 (both root and intermediate). This might be
dangerous since those haven't the basicConstraints
extension.
@item GNUTLS_@-VERIFY_@-ALLOW_@-SIGN_@-RSA_@-MD2
Allow certificates to be signed
using the broken MD2 algorithm.
@item GNUTLS_@-VERIFY_@-ALLOW_@-SIGN_@-RSA_@-MD5
Allow certificates to be signed
using the broken MD5 algorithm.
@item GNUTLS_@-VERIFY_@-DISABLE_@-TIME_@-CHECKS
Disable checking of activation
and expiration validity periods of certificate chains. Don't set
this unless you understand the security implications.
@item GNUTLS_@-VERIFY_@-DISABLE_@-TRUSTED_@-TIME_@-CHECKS
If set a signer in the trusted
list is never checked for expiration or activation.
@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-X509_@-V1_@-CA_@-CRT
Do not allow trusted CA
certificates that have version 1. This option is to be used
to deprecate all certificates of version 1.
@item GNUTLS_@-VERIFY_@-DISABLE_@-CRL_@-CHECKS
Disable checking for validity
using certificate revocation lists or the available OCSP data.
@item GNUTLS_@-VERIFY_@-ALLOW_@-UNSORTED_@-CHAIN
A certificate chain is tolerated
if unsorted (the case with many TLS servers out there). This is the
default since GnuTLS 3.1.4.
@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-UNSORTED_@-CHAIN
Do not tolerate an unsorted
certificate chain.
@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-WILDCARDS
When including a hostname
check in the verification, do not consider any wildcards.
@item GNUTLS_@-VERIFY_@-USE_@-TLS1_@-RSA
This indicates that a (raw) RSA signature is provided
as in the TLS 1.0 protocol. Not all functions accept this flag.
@item GNUTLS_@-VERIFY_@-IGNORE_@-UNKNOWN_@-CRIT_@-EXTENSIONS
This signals the verification
process, not to fail on unknown critical extensions.
@item GNUTLS_@-VERIFY_@-ALLOW_@-SIGN_@-WITH_@-SHA1
Allow certificates to be signed
using the broken SHA1 hash algorithm.
@end table
@c gnutls_certificate_verification_profiles_t
@table @code
@item GNUTLS_@-PROFILE_@-VERY_@-WEAK
A verification profile that
corresponds to @code{GNUTLS_SEC_PARAM_VERY_WEAK} (64 bits)
@item GNUTLS_@-PROFILE_@-LOW
A verification profile that
corresponds to @code{GNUTLS_SEC_PARAM_LOW} (80 bits)
@item GNUTLS_@-PROFILE_@-LEGACY
A verification profile that
corresponds to @code{GNUTLS_SEC_PARAM_LEGACY} (96 bits)
@item GNUTLS_@-PROFILE_@-MEDIUM
A verification profile that
corresponds to @code{GNUTLS_SEC_PARAM_MEDIUM} (112 bits)
@item GNUTLS_@-PROFILE_@-HIGH
A verification profile that
corresponds to @code{GNUTLS_SEC_PARAM_HIGH} (128 bits)
@item GNUTLS_@-PROFILE_@-ULTRA
A verification profile that
corresponds to @code{GNUTLS_SEC_PARAM_ULTRA} (256 bits)
@item GNUTLS_@-PROFILE_@-SUITEB128
A verification profile that
applies the SUITEB128 rules
@item GNUTLS_@-PROFILE_@-SUITEB192
A verification profile that
applies the SUITEB192 rules
@end table
@c gnutls_pkcs_encrypt_flags_t
@table @code
@item GNUTLS_@-PKCS_@-PLAIN
Unencrypted private key.
@item GNUTLS_@-PKCS_@-PKCS12_@-3DES
PKCS-12 3DES.
@item GNUTLS_@-PKCS_@-PKCS12_@-ARCFOUR
PKCS-12 ARCFOUR.
@item GNUTLS_@-PKCS_@-PKCS12_@-RC2_@-40
PKCS-12 RC2-40.
@item GNUTLS_@-PKCS_@-PBES2_@-3DES
PBES2 3DES.
@item GNUTLS_@-PKCS_@-PBES2_@-AES_@-128
PBES2 AES-128.
@item GNUTLS_@-PKCS_@-PBES2_@-AES_@-192
PBES2 AES-192.
@item GNUTLS_@-PKCS_@-PBES2_@-AES_@-256
PBES2 AES-256.
@item GNUTLS_@-PKCS_@-NULL_@-PASSWORD
Some schemas distinguish between an empty and a NULL password.
@item GNUTLS_@-PKCS_@-PBES2_@-DES
PBES2 single DES.
@item GNUTLS_@-PKCS_@-PBES1_@-DES_@-MD5
-- undescribed --
@end table
@c gnutls_keygen_types_t
@table @code
@item GNUTLS_@-KEYGEN_@-SEED
Specifies the seed to be used in key generation.
@item GNUTLS_@-KEYGEN_@-DIGEST
The size field specifies the hash algorithm to be used in key generation.
@item GNUTLS_@-KEYGEN_@-SPKI
data points to a @code{gnutls_x509_spki_t} structure; it is not used after the key generation call.
@end table
@c gnutls_pkcs12_bag_type_t
@table @code
@item GNUTLS_@-BAG_@-EMPTY
Empty PKCS-12 bag.
@item GNUTLS_@-BAG_@-PKCS8_@-ENCRYPTED_@-KEY
PKCS-12 bag with PKCS-8 encrypted key.
@item GNUTLS_@-BAG_@-PKCS8_@-KEY
PKCS-12 bag with PKCS-8 key.
@item GNUTLS_@-BAG_@-CERTIFICATE
PKCS-12 bag with certificate.
@item GNUTLS_@-BAG_@-CRL
PKCS-12 bag with CRL.
@item GNUTLS_@-BAG_@-SECRET
PKCS-12 bag with secret PKCS-9 keys.
@item GNUTLS_@-BAG_@-ENCRYPTED
Encrypted PKCS-12 bag.
@item GNUTLS_@-BAG_@-UNKNOWN
Unknown PKCS-12 bag.
@end table
@subheading int
@anchor{int}
@deftypefun {typedef} {int} (* @var{gnutls_pkcs11_token_callback_t})
@var{gnutls_pkcs11_token_callback_t}: -- undescribed --
Token callback function. The callback will be used to ask the user
to re-insert the token with given (null terminated) label. The
callback should return zero if token has been inserted by user and
a negative error code otherwise. It might be called multiple times
if the token is not detected and the retry counter will be
increased.
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code
on error.
@strong{Since:} 2.12.0
@end deftypefun
@c gnutls_pkcs11_obj_flags
@table @code
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-LOGIN
Force login in the token for the operation (seek+store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-TRUSTED
object marked as trusted (seek+store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-SENSITIVE
object marked as sensitive -unexportable (store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-LOGIN_@-SO
force login as a security officer in the token for the operation (seek+store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-PRIVATE
marked as private -requires PIN to access (store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-NOT_@-PRIVATE
marked as not private (store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-RETRIEVE_@-ANY
When retrieving an object, do not set any requirements (store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-RETRIEVE_@-TRUSTED
When retrieving an object, only retrieve the marked as trusted (alias to @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED} ).
In @code{gnutls_pkcs11_crt_is_known()} it implies @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE} if @code{GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY} is not given.
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-DISTRUSTED
When writing an object, mark it as distrusted (store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-RETRIEVE_@-DISTRUSTED
When retrieving an object, only retrieve the marked as distrusted (seek).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-COMPARE
When checking an object's presence, fully compare it before returning any result (seek).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-PRESENT_@-IN_@-TRUSTED_@-MODULE
The object must be present in a marked as trusted module (seek).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-CA
Mark the object as a CA (seek+store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-KEY_@-WRAP
Mark the generated key pair as wrapping and unwrapping keys (store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-COMPARE_@-KEY
When checking an object's presence, compare the key before returning any result (seek).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-OVERWRITE_@-TRUSTMOD_@-EXT
When an issuer is requested, override its extensions with the ones present in the trust module (seek).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-ALWAYS_@-AUTH
Mark the key pair as requiring authentication (pin entry) before every operation (seek+store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-EXTRACTABLE
Mark the key pair as being extractable (store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-NEVER_@-EXTRACTABLE
If set, the object was never marked as extractable (store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-CRT
When searching, restrict to certificates only (seek).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-WITH_@-PRIVKEY
-- undescribed --
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-PUBKEY
When searching, restrict to public key objects only (seek).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-NO_@-STORE_@-PUBKEY
When generating a keypair don't store the public key (store).
@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-PRIVKEY
When searching, restrict to private key objects only (seek).
@end table
@c gnutls_pkcs11_url_type_t
@table @code
@item GNUTLS_@-PKCS11_@-URL_@-GENERIC
A generic-purpose URL.
@item GNUTLS_@-PKCS11_@-URL_@-LIB
A URL that specifies the library used as well.
@item GNUTLS_@-PKCS11_@-URL_@-LIB_@-VERSION
A URL that specifies the library and its version.
@end table
@c gnutls_pkcs11_obj_info_t
@table @code
@item GNUTLS_@-PKCS11_@-OBJ_@-ID_@-HEX
The object ID in hex. Null-terminated text.
@item GNUTLS_@-PKCS11_@-OBJ_@-LABEL
The object label. Null-terminated text.
@item GNUTLS_@-PKCS11_@-OBJ_@-TOKEN_@-LABEL
The token's label. Null-terminated text.
@item GNUTLS_@-PKCS11_@-OBJ_@-TOKEN_@-SERIAL
The token's serial number. Null-terminated text.
@item GNUTLS_@-PKCS11_@-OBJ_@-TOKEN_@-MANUFACTURER
The token's manufacturer. Null-terminated text.
@item GNUTLS_@-PKCS11_@-OBJ_@-TOKEN_@-MODEL
The token's model. Null-terminated text.
@item GNUTLS_@-PKCS11_@-OBJ_@-ID
The object ID. Raw bytes.
@item GNUTLS_@-PKCS11_@-OBJ_@-LIBRARY_@-VERSION
The library's version. Null-terminated text.
@item GNUTLS_@-PKCS11_@-OBJ_@-LIBRARY_@-DESCRIPTION
The library's description. Null-terminated text.
@item GNUTLS_@-PKCS11_@-OBJ_@-LIBRARY_@-MANUFACTURER
The library's manufacturer name. Null-terminated text.
@end table
@c gnutls_pkcs11_token_info_t
@table @code
@item GNUTLS_@-PKCS11_@-TOKEN_@-LABEL
The token's label (string)
@item GNUTLS_@-PKCS11_@-TOKEN_@-SERIAL
The token's serial number (string)
@item GNUTLS_@-PKCS11_@-TOKEN_@-MANUFACTURER
The token's manufacturer (string)
@item GNUTLS_@-PKCS11_@-TOKEN_@-MODEL
The token's model (string)
@item GNUTLS_@-PKCS11_@-TOKEN_@-MODNAME
The token's module name (string - since 3.4.3)
@end table
@c gnutls_pkcs11_obj_type_t
@table @code
@item GNUTLS_@-PKCS11_@-OBJ_@-UNKNOWN
Unknown PKCS11 object.
@item GNUTLS_@-PKCS11_@-OBJ_@-X509_@-CRT
X.509 certificate.
@item GNUTLS_@-PKCS11_@-OBJ_@-PUBKEY
Public key.
@item GNUTLS_@-PKCS11_@-OBJ_@-PRIVKEY
Private key.
@item GNUTLS_@-PKCS11_@-OBJ_@-SECRET_@-KEY
Secret key.
@item GNUTLS_@-PKCS11_@-OBJ_@-DATA
Data object.
@item GNUTLS_@-PKCS11_@-OBJ_@-X509_@-CRT_@-EXTENSION
X.509 certificate extension (supported by p11-kit trust module only).
@end table
@c gnutls_pubkey_flags_t
@table @code
@item GNUTLS_@-PUBKEY_@-DISABLE_@-CALLBACKS
The following flag disables call to PIN callbacks. Only
relevant to TPM keys.
@item GNUTLS_@-PUBKEY_@-GET_@-OPENPGP_@-FINGERPRINT
request an OPENPGP fingerprint instead of the default.
@end table
@c gnutls_abstract_export_flags_t
@table @code
@item GNUTLS_@-EXPORT_@-FLAG_@-NO_@-LZ
do not prepend a leading zero to exported values
@end table
@c gnutls_privkey_flags_t
@table @code
@item GNUTLS_@-PRIVKEY_@-IMPORT_@-AUTO_@-RELEASE
When importing a private key, automatically
release it when the structure it was imported is released.
@item GNUTLS_@-PRIVKEY_@-IMPORT_@-COPY
Copy required values during import.
@item GNUTLS_@-PRIVKEY_@-DISABLE_@-CALLBACKS
The following flag disables call to PIN callbacks etc.
Only relevant to TPM keys.
@item GNUTLS_@-PRIVKEY_@-SIGN_@-FLAG_@-TLS1_@-RSA
Make an RSA signature on the hashed data as in the TLS protocol.
@item GNUTLS_@-PRIVKEY_@-FLAG_@-PROVABLE
When generating a key involving prime numbers, use provable primes; a seed may be required.
@item GNUTLS_@-PRIVKEY_@-FLAG_@-EXPORT_@-COMPAT
Keys generated or imported as provable require an extended format which cannot be read by previous versions
of gnutls or other applications. By setting this flag the key will be exported in a backwards compatible way,
even if the information about the seed used will be lost.
@item GNUTLS_@-PRIVKEY_@-SIGN_@-FLAG_@-RSA_@-PSS
Make an RSA signature on the hashed data with the PSS padding.
@item GNUTLS_@-PRIVKEY_@-FLAG_@-REPRODUCIBLE
Make an RSA-PSS signature on the hashed data with reproducible parameters (zero salt).
@item GNUTLS_@-PRIVKEY_@-FLAG_@-CA
The generated private key is going to be used as a CA (relevant for RSA-PSS keys).
@end table
@c gnutls_rnd_level_t
@table @code
@item GNUTLS_@-RND_@-NONCE
Non-predictable random number. Fatal in parts
of session if broken, i.e., vulnerable to statistical analysis.
@item GNUTLS_@-RND_@-RANDOM
Pseudo-random cryptographic random number.
Fatal in session if broken. Example use: temporal keys.
@item GNUTLS_@-RND_@-KEY
Fatal in many sessions if broken. Example use:
Long-term keys.
@end table
@c gnutls_ocsp_print_formats_t
@table @code
@item GNUTLS_@-OCSP_@-PRINT_@-FULL
Full information about OCSP request/response.
@item GNUTLS_@-OCSP_@-PRINT_@-COMPACT
More compact information about OCSP request/response.
@end table
@c gnutls_ocsp_resp_status_t
@table @code
@item GNUTLS_@-OCSP_@-RESP_@-SUCCESSFUL
Response has valid confirmations.
@item GNUTLS_@-OCSP_@-RESP_@-MALFORMEDREQUEST
Illegal confirmation request
@item GNUTLS_@-OCSP_@-RESP_@-INTERNALERROR
Internal error in issuer
@item GNUTLS_@-OCSP_@-RESP_@-TRYLATER
Try again later
@item GNUTLS_@-OCSP_@-RESP_@-SIGREQUIRED
Must sign the request
@item GNUTLS_@-OCSP_@-RESP_@-UNAUTHORIZED
Request unauthorized
@end table
@c gnutls_ocsp_cert_status_t
@table @code
@item GNUTLS_@-OCSP_@-CERT_@-GOOD
Positive response to status inquiry.
@item GNUTLS_@-OCSP_@-CERT_@-REVOKED
Certificate has been revoked.
@item GNUTLS_@-OCSP_@-CERT_@-UNKNOWN
The responder doesn't know about the
certificate.
@end table
@c gnutls_x509_crl_reason_t
@table @code
@item GNUTLS_@-X509_@-CRLREASON_@-UNSPECIFIED
Unspecified reason.
@item GNUTLS_@-X509_@-CRLREASON_@-KEYCOMPROMISE
Private key compromised.
@item GNUTLS_@-X509_@-CRLREASON_@-CACOMPROMISE
CA compromised.
@item GNUTLS_@-X509_@-CRLREASON_@-AFFILIATIONCHANGED
Affiliation has changed.
@item GNUTLS_@-X509_@-CRLREASON_@-SUPERSEDED
Certificate superseded.
@item GNUTLS_@-X509_@-CRLREASON_@-CESSATIONOFOPERATION
Operation has ceased.
@item GNUTLS_@-X509_@-CRLREASON_@-CERTIFICATEHOLD
Certificate is on hold.
@item GNUTLS_@-X509_@-CRLREASON_@-REMOVEFROMCRL
Will be removed from delta CRL.
@item GNUTLS_@-X509_@-CRLREASON_@-PRIVILEGEWITHDRAWN
Privilege withdrawn.
@item GNUTLS_@-X509_@-CRLREASON_@-AACOMPROMISE
AA compromised.
@end table
@c gnutls_ocsp_verify_reason_t
@table @code
@item GNUTLS_@-OCSP_@-VERIFY_@-SIGNER_@-NOT_@-FOUND
Signer cert not found.
@item GNUTLS_@-OCSP_@-VERIFY_@-SIGNER_@-KEYUSAGE_@-ERROR
Signer keyusage bits incorrect.
@item GNUTLS_@-OCSP_@-VERIFY_@-UNTRUSTED_@-SIGNER
Signer is not trusted.
@item GNUTLS_@-OCSP_@-VERIFY_@-INSECURE_@-ALGORITHM
Signature using insecure algorithm.
@item GNUTLS_@-OCSP_@-VERIFY_@-SIGNATURE_@-FAILURE
Signature mismatch.
@item GNUTLS_@-OCSP_@-VERIFY_@-CERT_@-NOT_@-ACTIVATED
Signer cert is not yet activated.
@item GNUTLS_@-OCSP_@-VERIFY_@-CERT_@-EXPIRED
Signer cert has expired.
@end table
@c gnutls_tpmkey_fmt_t
@table @code
@item GNUTLS_@-TPMKEY_@-FMT_@-RAW
The portable data format.
@item GNUTLS_@-TPMKEY_@-FMT_@-DER
An alias for the raw format.
@item GNUTLS_@-TPMKEY_@-FMT_@-CTK_@-PEM
A custom data format used by some TPM tools.
@end table
@c dane_cert_usage_t
@table @code
@item DANE_@-CERT_@-USAGE_@-CA
CA constraint. The certificate/key
presented must have signed the verified key.
@item DANE_@-CERT_@-USAGE_@-EE
The key or the certificate of the end
entity.
@item DANE_@-CERT_@-USAGE_@-LOCAL_@-CA
The remote CA is local and possibly
untrusted by the verifier.
@item DANE_@-CERT_@-USAGE_@-LOCAL_@-EE
The remote end-entity key is local
and possibly untrusted by the verifier (not signed by a CA).
@end table
@c dane_cert_type_t
@table @code
@item DANE_@-CERT_@-X509
An X.509 certificate.
@item DANE_@-CERT_@-PK
A public key.
@end table
@c dane_match_type_t
@table @code
@item DANE_@-MATCH_@-EXACT
The full content.
@item DANE_@-MATCH_@-SHA2_@-256
A SHA-256 hash of the content.
@item DANE_@-MATCH_@-SHA2_@-512
A SHA-512 hash of the content.
@end table
@c dane_query_status_t
@table @code
@item DANE_@-QUERY_@-UNKNOWN
There was no query.
@item DANE_@-QUERY_@-DNSSEC_@-VERIFIED
The query was verified using DNSSEC.
@item DANE_@-QUERY_@-BOGUS
The query has wrong DNSSEC signature.
@item DANE_@-QUERY_@-NO_@-DNSSEC
The query has no DNSSEC data.
@end table
@c dane_state_flags_t
@table @code
@item DANE_@-F_@-IGNORE_@-LOCAL_@-RESOLVER
Many systems are not DNSSEC-ready. In that case the local resolver is ignored, and a direct recursive resolve occurs.
@item DANE_@-F_@-INSECURE
Ignore any DNSSEC signature verification errors.
@item DANE_@-F_@-IGNORE_@-DNSSEC
Do not try to initialize DNSSEC as we will not use it (will then not try to load the DNSSEC root certificate). Useful if the TLSA data does not come from DNS.
@end table
@c dane_verify_flags_t
@table @code
@item DANE_@-VFLAG_@-FAIL_@-IF_@-NOT_@-CHECKED
If irrelevant to this certificate DANE entries are received fail instead of succeeding.
@item DANE_@-VFLAG_@-ONLY_@-CHECK_@-EE_@-USAGE
The provided certificates will be verified only against any EE field. Combine with @code{DANE_VFLAG_FAIL_IF_NOT_CHECKED} to fail if EE entries are not present.
@item DANE_@-VFLAG_@-ONLY_@-CHECK_@-CA_@-USAGE
The provided certificates will be verified only against any CA field. Combine with @code{DANE_VFLAG_FAIL_IF_NOT_CHECKED} to fail if CA entries are not present.
@end table
@c dane_verify_status_t
@table @code
@item DANE_@-VERIFY_@-CA_@-CONSTRAINTS_@-VIOLATED
The CA constraints were violated.
@item DANE_@-VERIFY_@-CERT_@-DIFFERS
The certificate obtained via DNS differs.
@item DANE_@-VERIFY_@-UNKNOWN_@-DANE_@-INFO
No known DANE data was found in the DNS record.
@end table
@c gnutls_pkcs7_sign_flags
@table @code
@item GNUTLS_@-PKCS7_@-EMBED_@-DATA
The signed data will be embedded in the structure.
@item GNUTLS_@-PKCS7_@-INCLUDE_@-TIME
The signing time will be included in the structure.
@item GNUTLS_@-PKCS7_@-INCLUDE_@-CERT
The signer's certificate will be included in the cert list.
@item GNUTLS_@-PKCS7_@-WRITE_@-SPKI
Use the signer's key identifier instead of name.
@end table