Hi, Brian & all

Export control has been done for GNUTLS together with gnome-2-14, the EC form can be found here :) http://jds.ireland/vermillion/legal/export-control/gnome-2-14-form.txt. This one is for gnutls 1.2.10.

Checking the release notes of all the following releases, we found that only support for DHE-PSK cipher suites is added. DHE-PSK is "Authentication using the PSK protocol and Diffie Hellman key exchange. This method offers perfect forward secrecy."

I reckon that we may have to fill out something like a short export control short form (http://its.central/Forms/general/swclass.form.short.html) for this. But we may like to hear about your opinions first.

--Irene

On 2006-10-31 at 16:30 -0600, Brian Cameron wrote:
> Jedy:
>
> Yes, these changes do sound like they could have encryption impact. I
> would recommend that you review the GnuTLS code against the existing
> Export Control License for GnuTLS, which I believe is here:
>
> http://jds.ireland/cinnabar/legal/export-control/forms/evo14x_export_form.txt
>
> Please let us know if the Export Control License needs to be updated.
> Note that section B requires that you specify which protocols are
> supported so if new protocols were added, then this needs to be updated.
>
> I'd recommend sending ef-core at sun.com if you need help filling out the
> export control form, or if you have questions about how certain
> algorithms should be reported. I'd recommend doing some research first
> so you understand as much as possible before contacting them. They
> tend to get annoyed if you are responsible for code that has encryption
> and seem unfamiliar with what your code does.
>
> Brian
>
>
> > The version of gnutls which we currently use is 1.2.10, and the latest
> > stable version is 1.4.4. Here is a list of important updates about
> > encryption I found from its NEWS.
> >
> >
> > * Version 1.3.0 (2005-11-15)
> >
> > ** Support for TLS Pre-Shared Key (TLS-PSK) ciphersuites have been
> > added.
> > This add several new APIs, see below. Read the updated manual for
> > more information. A new self test "pskself" has been added, that will
> > test this functionality.
> > More information about TLS-PSK, please refer to
> > http://www.ietf.org/rfc/rfc4279.txt
> >
> > ** Removed the RIPEMD ciphersuites.
> > More information about RIPEMD, please refer to
> > http://wiki.tcl.tk/10919
> >
> >
> > * Version 1.3.1 (released 2005-12-08)
> >
> > ** Support for DHE-PSK cipher suites has been added.
> > This method offers perfect forward secrecy.
> >
> >
> > * Version 1.4.0 (released 2006-05-15)
> >
> > ** Remove GnuTLS 0.8.x compatibility functions.
> >
> >
> >
> > There are a lot of API/ABI changes too, so a list of full updates
> > between 1.2.9 and 1.4.4 is attached.
> >
> > Do these changes affect the way
> > encryption is handled/managed? Any idea?
> >
> > Regards,
> >
> > Jedy Wang
> > On Thu, 2006-10-26 at 12:04 -0500, Brian Cameron wrote:
> >> Jedy:
> >>
> >> You mention that this new program we are removing interacts with keys.
> >> How does this affect export control license forms, if at all?
> >>
> >> Whenever we make modifications to our builds that affects the way
> >> encryption is handled/managed, we should highlight the details and
> >> discuss on this list. Any change to modules like GnuTLS,
> >> gnome-keyring, and any other desktop modules that we know have
> >> encryption logic should be carefully looked at and we should have a
> >> clear understanding of the encryption impact. Could you describe
> >> in more detail what effect (if any) this change makes to encryption.
> >>
> >> In the desktop stack, the three modules with identified encryption
> >> logic are: gnome-keyring, GnuTLS, and D-Bus. That's all I am aware
> >> of. Is anybody else aware of any other uses of encryption in the
> >> JDS stack?
> >>
> >> Note that areas where encryption is managed by the server (evolution
> >> IMAP/POP passwords, etc.) do not need to be mentioned. Nor does
> >> NSS/NSPR used by mozilla/firefox, or PAM used by GDM/xscreensaver since
> >> these (like PKCS) are managed by the Solaris ON team and not by the
> >> desktop team. However any plugins into these frameworks (such as PAM
> >> plugins, SASL modules, etc.) that are delivered by the JDS stack should
> >> be mentioned (I don't believe there are any, but just trying to be
> >> clear).
> >>
> >> Note that in our JDS builds we rip out the gnome-keyring encryption
> >> logic and replace it with calls to PKCS. Therefore we don't have
> >> export license control issues with gnome-keyring directly and instead
> >> depend on license control for the PKCS library. That said, we still
> >> need to review changes to gnome-keyring to ensure there isn't any new
> >> encryption logic that likewise needs to be modified to use PKCS.
> >>
> >> GnuTLS does contain encryption code and needs to be the most carefully
> >> looked at module in this regard. If things change (like, say, support
> >> of higher bit encryption rates or new/changed/extended encryption
> >> protocols) then we should be aware.
> >>
> >> D-Bus uses SHA-1 hashing, which isn't strictly encryption. D-Bus also
> >> supports SASL, so users can plug-in their own authentication
> >> mechanisms to be used for D-Bus connection authentication. D-Bus
> >> does not include any SASL modules. We probably should modify D-Bus
> >> to use the similar function in libmd.so (provided by ON) to avoid
> >> multiple implementation of SHA-1 on the system. Anybody want to
> >> help with this?
> >>
> >> ORBit2 also supports authentication mechanisms that are similar
> >> to xauth. I don't believe there is any encryption logic here, but
> >> probably good to keep an eye on code, in general, that does any
> >> sort of authentication handshaking like this.
> >>
> >> Should we make the above sort of statement a bit more clear in our
> >> JDS code review process? That security/encryption changes should
> >> be reviewed a bit more closely. In fact, I'd also suggest that
> >> bumping the version # modules known to contain encryption logic
> >> (GnuTLS, gnome-keyring, D-Bus) should also be given a bit more careful
> >> review than we do for other modules.
> >>
> >> Brian
> >>
> >>
> >>>> I think you need to be more detailed about what that tool does, and why
> >>>> there
> >>>> are no current dependencies on it. Saying that 'Evolution doesn't need
> >>>> it' is
> >>>> insufficient.
> >>>
> >>> psktool Simple PSK password tool
> >>> Very simple program that generates random keys for use with
> >>> TLS-PSK. The keys are stored in hexadecimal format in a file.
> >>>
> >>> Because it's not included in the old version of gnutls which we shipped
> >>> before so no one uses it right now.
> >>>
> >>> Regards,
> >>>
> >>> Jedy Wang
> >>>> Glynn
> >>
> >> ------------------------------------------------------------------------
> >>
> >> GNU TLS NEWS -- History of user-visible changes. -*-
> >> outline -*-
> >> Copyright (C) 2004, 2005, 2006 Simon Josefsson
> >> Copyright (C) 2000, 2001, 2002, 2003, 2004 Nikos Mavroyanopoulos
> >> See the end for copying conditions.
> >>
> >> * Version 1.4.4 (released 2006-09-12)
> >>
> >> ** Relax the test that caught signatures that exploit the variant of
> >> ** Bleichenbacher's Crypto 06 rump session attack on our
> >> ** verification logic flaw.
> >> In particular, we now permit the digestAlgorithm.parameters field to
> >> be present but empty, whereas in 1.4.3 we actually checked that the
> >> field was absent.
> >>
> >> ** Revert the removal of debug information for the GNUTLS-SA-2006-3
> >> problem.
> >> The messages are only printed in debug mode, which is not recommended
> >> for normal use, and thus logging this situation cannot be abused as an
> >> oracle in typical recommended situations.
> >>
> >> ** API and ABI modifications:
> >> No changes since last version.
> >>
> >> * Version 1.4.3 (released 2006-09-08)
> >>
> >> ** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's
> >> ** Crypto 06 rump session attack.
> >> In particular, we check that the digestAlgorithm.parameters field is
> >> empty, to avoid that it can contain "garbage" that may be used to
> >> alter the numeric properties of the signature. See
> >> <http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html> (which is
> >> not exactly the same as the problem we fix here). Reported by Yutaka
> >> OIWA <y.oiwa at aist.go.jp>.
> >>
> >> See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more
> >> up to date information.
> >>
> >> ** Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack.
> >> See <http://www.bell-labs.com/user/bleichen/papers/pkcs.ps.gz>.
> >> Reported by Werner Koch <wk at gnupg.org>.
> >>
> >> See GNUTLS-SA-2006-3 on http://www.gnutls.org/security.html for more
> >> up to date information.
> >>
> >> ** Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key.
> >>
> >> ** API and ABI modifications:
> >> No changes since last version.
> >>
> >> * Version 1.4.2 (released 2006-08-12)
> >>
> >> ** Fix a crash (strcmp() on a NULL value) in the certificate verification
> >> logic.
> >> This can happen if you call gnutls_certificate_verify_peers2 and have
> >> a certain mix of local CA certificates and the peer send special
> >> certificates, that together trigger certain behaviour. It is not
> >> known at this point whether the crash can be triggered without the
> >> special local CA certificate, and thus turn this into a remote crash
> >> of clients that verify server certificates when they talk to a server
> >> with the special server certificate. See GNUTLS-SA-2006-2 on
> >> http://www.gnu.org/software/gnutls/security.html for more up to date
> >> information. Reported by satyakumar <satyam_kkd at hyd.hellosoft.com>.
> >>
> >> ** Change SRP and Cert-Type extensions to match IANA registry.
> >>
> >> ** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support.
> >>
> >> ** Make --without-included-libtasn1 work.
> >> Reported by Daniel Black <dragonheart at gentoo.org>.
> >>
> >> ** API and ABI modifications:
> >> No changes since last version.
> >>
> >> * Version 1.4.1 (released 2006-06-14)
> >>
> >> ** Replaced inactive ifdefs to enable openpgp support in test programs.
> >>
> >> ** Fixed bug in OpenPGP authentication handshake.
> >>
> >> ** Fixed typographical in man pages.
> >>
> >> ** Build fixes of the manual.
> >>
> >> ** Added Swedish translation.
> >>
> >> ** API and ABI modifications:
> >> No changes since last version.
> >>
> >> * Version 1.4.0 (released 2006-05-15)
> >>
> >> ** Remove GnuTLS 0.8.x compatibility functions.
> >>
> >> ** The libgcrypt RNG is initialized in gnutls_global_init().
> >>
> >> ** TLS/IA API changes from Emile van Bergen.
> >> A dummy credential structure is not needed now, if you wish to use the
> >> low-level TLS/IA API, simply call gnutls_ia_enable to enable TLS/IA on
> >> a session.
> >>
> >> ** The self-tests are now run under valgrind, if it is installed.
> >>
> >> ** Libtasn1 is updated to 0.3.4, and that version is now required.
> >>
> >> ** The command line tools now use getaddrinfo and support IPv6.
> >>
> >> ** API and ABI modifications:
> >> _gnutls_x509_get_raw_crt_activation_time,
> >> _gnutls_x509_get_raw_crt_expiration_time: Removed.
> >> gnutls_ia_require_inner_phase: Removed, replaced by gnutls_ia_enable.
> >> gnutls_ia_enable: Added.
> >>
> >> * Version 1.3.5 (released 2006-03-08)
> >>
> >> ** Error messages are now translated using GNU Gettext.
> >>
> >> ** The function gnutls_x509_crt_to_xml now return an internal error.
> >> This means that the code to convert X.509 certificates to XML format
> >> does not work any more. The reason is that the function called
> >> libtasn1 internal functions. It seems unclean for libtasn1 to export
> >> the APIs needed here. Instead it would be better to implement XML
> >> support inside libtasn1 properly. If you need this functionality
> >> strongly, please consider looking into implementing this suggested
> >> approach instead. As a workaround, you may also modify lib/x509/xml.c
> >> (change '#if 1' to '#if 0') and build using --with-included-libtasn1.
> >>
> >> ** Libraries are now built with libtool's -no-undefined.
> >> This helps producing libraries for Windows using mingw32.
> >>
> >> ** Doc fixes to explain that gnutls_record_send can block.
> >>
> >> ** Libtasn1 0.3.1 or later is now required.
> >> The include copy has been updated too.
> >>
> >> ** gnutls-cli can now recognize services and port numbers with the -p
> >> option.
> >>
> >> ** API and ABI modifications:
> >> No changes since last version.
> >>
> >> * Version 1.3.4 (released 2006-02-09)
> >>
> >> ** Fix read of out bounds bug in DER parser.
> >> Reported by Evgeny Legerov <admin at gleg.net>, and debugging help from
> >> Protover SSL. Libtasn1 0.2.18 is now required, which contains the
> >> previous bug fix. The included libtasn1 version in GnuTLS has been
> >> updated.
> >>
> >> ** Fixed bug in non-blocking gnutls_bye(). gnutls_record_send() will no
> >> longer invalidate a session if the underlying send fails, but it will
> >> prevent future writes. That is to allow reading the already received data.
> >> Patches and bug reports by Yoann Vandoorselaere <yoann at prelude-ids.org>
> >>
> >> ** Corrected bugs in gnutls_certificate_set_x509_crl() and
> >> gnutls_certificate_set_x509_trust(), that caused memory corruption if
> >> more than one certificates were added. Report and patch by Max Kellermann.
> >>
> >> ** Fix build problems of OpenCDK on AIX.
> >> Thanks to "Heiden, John" <JHeiden at UTNet.UToledo.Edu>.
> >>
> >> ** API and ABI modifications:
> >> No changes since last version.
> >>
> >> * Version 1.3.3 (released 2006-01-12)
> >>
> >> ** New API to access the TLS master secret.
> >> When possible, you should use the TLS PRF functions instead.
> >> Suggested by Jouni Malinen <jkmaline at cc.hut.fi>.
> >>
> >> ** Improved handling when multiple libraries use GnuTLS at the same time.
> >> Now gnutls_global_init() can be called multiple times, and
> >> gnutls_global_deinit() will only deallocate the structure when it has
> >> been called as many times as gnutls_global_init() was called.
> >>
> >> ** Added a self test of TLS resume functionality.
> >>
> >> ** Fix crash in TLS resume code, caused by TLS/IA changes.
> >>
> >> ** Documentation fixes about thread unsafety, prompted by
> >> ** discussion with bryanh at giraffe-data.com (Bryan Henderson).
> >> In particular, gnutls_global_init() and gnutls_global_deinit() are not
> >> thread safe. Careful callers may want to protect the call using a
> >> mutex. The problem could also be ignored, which would cause a memory
> >> leak under rare conditions when two threads invoke the function
> >> roughly at the same time.
> >>
> >> ** Add 'const' keywords in various places, from Frediano ZIGLIO.
> >>
> >> ** The code was indented again, including the external header files.
> >>
> >> ** API and ABI modifications:
> >> New functions to retrieve the master secret value:
> >> gnutls_session_get_master_secret
> >>
> >> Add a 'const' keyword to existing API:
> >> gnutls_x509_crq_get_challenge_password
> >>
> >> * Version 1.3.2 (released 2005-12-15)
> >>
> >> ** GnuTLS now support TLS Inner application (TLS/IA).
> >> This is per draft-funk-tls-inner-application-extension-01. This
> >> functionality is added to libgnutls-extra, so it is licensed under the
> >> GNU General Public License.
> >>
> >> ** New APIs to access the TLS Pseudo-Random-Function (PRF).
> >> The PRF is used by some protocols building on TLS, such as EAP-PEAP
> >> and EAP-TTLS. One function to access the raw PRF and one to access
> >> the PRF seeded with the client/server random fields are provided.
> >> Suggested by Jouni Malinen <jkmaline at cc.hut.fi>.
> >>
> >> ** New APIs to acceess the client and server random fields in a session.
> >> These fields can be useful by protocols using TLS. Note that these
> >> fields are typically used as input to the TLS PRF, and if this is your
> >> intended use, you should use the TLS PRF API that use the
> >> client/server random field directly. Suggested by Jouni Malinen
> >> <jkmaline at cc.hut.fi>.
> >>
> >> ** Internal type cleanups.
> >> The uint8, uint16, uint32 types have been replaced by uint8_t,
> >> uint16_t, uint32_t. Gnulib is used to guarantee the presence of
> >> correct types on platforms that lack them. The uint type have been
> >> replaced by unsigned.
> >>
> >> ** API and ABI modifications:
> >> New functions to invoke the TLS Pseudo-Random-Function (PRF):
> >> gnutls_prf
> >> gnutls_prf_raw
> >>
> >> New functions to retrieve the session's client and server random values:
> >> gnutls_session_get_server_random
> >> gnutls_session_get_client_random
> >>
> >> New function, to perform TLS/IA handshake:
> >> gnutls_ia_handshake
> >>
> >> New function to decide whether to do a TLS/IA handshake:
> >> gnutls_ia_handshake_p
> >>
> >> New functions to allocate a TLS/IA credential:
> >> gnutls_ia_allocate_client_credentials
> >> gnutls_ia_free_client_credentials
> >> gnutls_ia_allocate_server_credentials
> >> gnutls_ia_free_server_credentials
> >>
> >> New functions to handle the AVP callback:
> >> gnutls_ia_set_client_avp_function
> >> gnutls_ia_set_client_avp_ptr
> >> gnutls_ia_get_client_avp_ptr
> >> gnutls_ia_set_server_avp_function
> >> gnutls_ia_set_server_avp_ptr
> >> gnutls_ia_get_server_avp_ptr
> >>
> >> New functions, to toggle TLS/IA application phases:
> >> gnutls_ia_require_inner_phase
> >>
> >> New function to mix session keys with inner secret:
> >> gnutls_ia_permute_inner_secret
> >>
> >> Low-level API (used internally by gnutls_ia_handshake):
> >> gnutls_ia_endphase_send
> >> gnutls_ia_send
> >> gnutls_ia_recv
> >>
> >> New functions that can be used after successful TLS/IA negotiation:
> >> gnutls_ia_generate_challenge
> >> gnutls_ia_extract_inner_secret
> >>
> >> Enum type with TLS/IA modes:
> >> gnutls_ia_mode_t
> >>
> >> Enum type with TLS/IA packet types:
> >> gnutls_ia_apptype_t
> >>
> >> Enum values for TLS/IA alerts:
> >> GNUTLS_A_INNER_APPLICATION_FAILURE
> >> GNUTLS_A_INNER_APPLICATION_VERIFICATION
> >>
> >> New error codes, to signal when an application phase has finished:
> >> GNUTLS_E_WARNING_IA_IPHF_RECEIVED
> >> GNUTLS_E_WARNING_IA_FPHF_RECEIVED
> >>
> >> New error code to signal TLS/IA verify failure:
> >> GNUTLS_E_IA_VERIFY_FAILED
> >>
> >> * Version 1.3.1 (released 2005-12-08)
> >>
> >> ** Support for DHE-PSK cipher suites has been added.
> >> This method offers perfect forward secrecy.
> >>
> >> ** Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to
> >> Otto Maddox <ottomaddox at fastmail.fm> and Nozomu Ando <nand at mac.com>.
> >>
> >> ** Corrected a bug in certtool for 64 bit machines. Reported
> >> by Max Kellermann <max at duempel.org>.
> >>
> >> ** New function to set a X.509 private key and certificate pairs, and/or
> >> CRLs, from an PKCS#12 file, suggested by Emile van Bergen
> >> <emile at e-advies.nl>.
> >>
> >> The integrity of the PKCS#12 file is protected through a password
> >> based MAC; public-key based signatures for integrity protection are
> >> not supported. PKCS#12 bags may be encrypted using password derived
> >> symmetric keys, public-key based encryption is not supported. The
> >> PKCS#8 keys may be encrypted using passwords. The API use the same
> >> password for all operations. We believe that any more flexibility
> >> create too much complexity that would hurt overall security, but may
> >> add more PKCS#12 related APIs if real-world experience indicate
> >> otherwise.
> >>
> >> ** gnutls_x509_privkey_import_pkcs8 now accept unencrypted PEM PKCS#8 keys,
> >> reported by Emile van Bergen <emile at e-advies.nl>.
> >> This will enable "certtool -k -8" to parse those keys.
> >>
> >> ** Certtool now generate keys in unencrypted PKCS#8 format for empty
> >> passwords.
> >> Use "certtool -p -8" and press press enter at the prompt. Earlier,
> >> certtool would have encrypted the key using an empty password.
> >>
> >> ** Certtool now accept --password for --key-info and encrypted PKCS#8 keys.
> >> Earlier it would have prompted the user for it, even if --password was
> >> supplied.
> >>
> >> ** Added self test of PKCS#8 parsing.
> >> Unencrypted and encrypted (pbeWithSHAAnd3-KeyTripleDES-CBC and
> >> pbeWithSHAAnd40BitRC2-CBC) formats are tested. The test is in
> >> tests/pkcs8.
> >>
> >> ** API and ABI modifications:
> >> New function to set X.509 credentials from a PKCS#12 file:
> >> gnutls_certificate_set_x509_simple_pkcs12_file
> >>
> >> New gnutls_kx_algorithm_t enum type:
> >> GNUTLS_KX_DHE_PSK
> >>
> >> New API to return session data (basically same as gnutls_session_get_data):
> >> gnutls_session_get_data2
> >>
> >> New API to set PSK Diffie-Hellman parameters:
> >> gnutls_psk_set_server_dh_params
> >>
> >> * Version 1.3.0 (2005-11-15)
> >>
> >> ** Support for TLS Pre-Shared Key (TLS-PSK) ciphersuites have been added.
> >> This add several new APIs, see below. Read the updated manual for
> >> more information. A new self test "pskself" has been added, that will
> >> test this functionality.
> >>
> >> ** The session resumption data are now system independent.
> >>
> >> ** The code has been re-indented to conform to the GNU coding style.
> >>
> >> ** Removed the RIPEMD ciphersuites.
> >>
> >> ** Added a discussion of the internals of gnutls in manual.
> >>
> >> ** Fixes for Tru64 UNIX 4.0D that lack MAP_FAILED, from Albert Chin.
> >>
> >> ** Remove trailing comma in enums, for IBM C v6, from Albert Chin.
> >>
> >> ** Make sure config.h is included first in a few files, from Albert Chin.
> >>
> >> ** Don't use C++ comments ("//") as they are invalid, from Albert Chin.
> >>
> >> ** Don't install SRP programs and man pages if
> >> --disable-srp-authentication,
> >> from Albert Chin.
> >>
> >> ** API and ABI modifications:
> >> New gnutls_kx_algorithm_t key exchange type: GNUTLS_KX_PSK
> >>
> >> New gnutls_credentials_type_t credential type:
> >> GNUTLS_CRD_PSK
> >>
> >> New credential types:
> >> gnutls_psk_server_credentials_t
> >> gnutls_psk_client_credentials_t
> >>
> >> New functions to allocate PSK credentials:
> >> gnutls_psk_allocate_client_credentials
> >> gnutls_psk_free_client_credentials
> >> gnutls_psk_free_server_credentials
> >> gnutls_psk_allocate_server_credentials
> >>
> >> New enum type for PSK key flags:
> >> gnutls_psk_key_flags
> >>
> >> New function prototypes for credential callback:
> >> gnutls_psk_client_credentials_function
> >> gnutls_psk_server_credentials_function
> >>
> >> New function to set PSK username and key:
> >> gnutls_psk_set_client_credentials
> >>
> >> New function to set PSK passwd file:
> >> gnutls_psk_set_server_credentials_file
> >>
> >> New function to extract PSK user in server:
> >> gnutls_psk_server_get_username
> >>
> >> New functions to set PSK callback:
> >> gnutls_psk_set_server_credentials_function
> >> gnutls_psk_set_client_credentials_function
> >>
> >> Use size_t instead of int for output size parameter:
> >> gnutls_srp_base64_encode
> >> gnutls_srp_base64_decode
> >> -----------------------------------------------------
> >> * Version 1.2.9 (2005-11-07)
> >> - Documentation was updated and improved.
> >> - RSA-MD2 is now supported for verifying digital signatures.
> >> - Due to cryptographic advances, verifying untrusted X.509
> >> certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
> >> GNUTLS_CERT_INSECURE_ALGORITHM verification output. For
> >> applications that must remain interoperable, you can use the
> >> GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
> >> flags when verifying certificates. Naturally, this is not
> >> recommended default behaviour for applications. To enable the
> >> broken algorithms, call gnutls_certificate_set_verify_flags with the
> >> proper flag, to change the verification mode used by
> >> gnutls_certificate_verify_peers2.
> >> - Make it possible to send empty data through gnutls_record_send,
> >> to align with the send(2) API.
> >> - Some changes in the certificate receiving part of handshake to prevent
> >> some possible errors with non-blocking servers.
> >> - Added numeric version symbols to permit simple CPP-based feature
> >> tests, suggested by Daniel Stenberg <daniel at haxx.se>.
> >> - The (experimental) low-level crypto alternative to libgcrypt used
> >> earlier (Nettle) has been replaced with crypto code from gnulib.
> >> This leads to easier re-use of these components in other projects,
> >> leading to more review and simpler maintenance. The new configure
> >> parameter --with-builtin-crypto replace the old --with-nettle, and
> >> must be used if you wish to enable this functionality. See README
> >> under "Experimental" for more information. Internally, GnuTLS has
> >> been updated to use the new "Generic Crypto" API in gl/gc.h. The
> >> API is similar to the old crypto/gc.h, because the gnulib code were
> >> based on GnuTLS's gc.h.
> >> - Fix compiler warning in the "anonself" self test.
> >> - API and ABI modifications:
> >> gnutls_x509_crt_list_verify: Added 'const' to prototype in <gnutls/x509.h>.
> >> This doesn't reflect a change in behaviour,
> >> so we don't break backwards compatibility.
> >> GNUTLS_MAC_MD2: New gnutls_mac_algorithm_t value.
> >> GNUTLS_DIG_MD2: New gnutls_digest_algorithm_t value.
> >> GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2,
> >> GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: New gnutls_certificate_verify_flags
> >> values.
> >> Use when calling
> >> gnutls_x509_crt_list_verify,
> >> gnutls_x509_crt_verify, or
> >> gnutls_certificate_set_verify_flags.
> >> GNUTLS_CERT_INSECURE_ALGORITHM: New gnutls_certificate_status_t value,
> >> used when broken signature algorithms
> >> is used (currently RSA-MD2/MD5).
> >> LIBGNUTLS_VERSION_MAJOR,
> >> LIBGNUTLS_VERSION_MINOR,
> >> LIBGNUTLS_VERSION_PATCH,
> >> LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS
> >> version number, can be used for feature existence
> >> tests.
> >>
>
