Template Version: @(#)sac_nextcase %I% %G% SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
    1.1. Project/Component Working Name:
         Gnutls update to 2.6
    1.2. Name of Document Author/Supplier:
         Author:  Jeff Cai
    1.3  Date of This Document:
        12 February, 2009
4. Technical Description
1. Introduction
   1.1. Project/Component Working Name:

        GnuTLS Update for 2.6.3

   1.2. Name of Document Author/Supplier:
        
        Author:         Jeff Cai
        Sponsor:        Irene Huang

   1.3. Date of This Document:

        02/06/2009

   1.4. Name of Major Document Customer(s)/Consumer(s):

        1.4.1. The PAC or CPT you expect to review your project:

                Solaris PAC

        1.4.2. The ARC(s) you expect to review your project:

                LSARC

        1.4.3. The Director/VP who is "Sponsoring" this project:

                Robert O'Dea

        1.4.4. The name of your business unit:

                Software - OPG

   1.5. Email Aliases:
            1.5.1. Responsible Manager:  harry.lu at sun.com
            1.5.2. Responsible Engineer: jeff.cai at sun.com
            1.5.3. Marketing Manager:    glynn.foster at sun.com
            1.5.4. Interest List:        brian.cameron at sun.com
                                         darren.moffat at sun.com
                                         wyllys.ingersoll at sun.com

2. Project Summary
   2.1. Project Description:
      
      GnuTLS provides a secure layer over a reliable transport layer.
      The GnuTLS library currently implements the standards proposed by the
      IETF's TLS working group.

      This fast-track increments the version of GnuTLS in Solaris
      from 2.2.4 to 2.6.3.

3. Technical Description:
    3.1. Details:
    
      GnuTLS is a modern C library that implements the standard network
      security protocol Transport Layer Security (TLS), for use by network
      applications. 

      A number of projects in the Solaris Desktop such as Evolution, Pidgin,
      Ekiga and Vino depend on it. 
        
      The latest stable version of GnuTLS is 2.6.3. 

      GnuTLS 2.6.0 has interface changes, but 2.6.1 through 2.6.3 are
      bugfix only releases.

      Compared with the previously integrated version, GnuTLS 2.2.4, the new
      version adds the following features:

        * Full OpenPGP support is part of libgnutls, licensed under the LGPL.
        * The PSK sub-system has been improved and now supports password
          derivation and PSK identity hints.
        * The default handshake size limit has been increased to 48kb.
          The earlier limit was 16kb. The limit covers all handshake
          messages exchanged between a client and a server when they
          communicate using the TLS protocol. The reason for restricting the
          handshake message size is to limit Denial of Service attacks.
        * New APIs to access the raw X.509 Subject and Issuer DN's and
          elements from the certificate credentials structure.
        * New APIs to improve working with username/passwords and PSK.
        * Names of constants to affect certificate printing changed.
          The constants are used for OpenPGP too, which the names didn't
          reflect, so the following name change has been made:

                   Old name                         New name
             GNUTLS_X509_CRT_FULL            GNUTLS_CRT_PRINT_FULL
             GNUTLS_X509_CRT_ONELINE         GNUTLS_CRT_PRINT_ONELINE
             GNUTLS_X509_CRT_UNSIGNED_FULL   GNUTLS_CRT_PRINT_UNSIGNED_FULL
          The old names will be mapped to the new names for some time.
        * The function gnutls_openpgp_privkey_get_id has been renamed to
          gnutls_openpgp_privkey_get_key_id.
          A compatibility mapping exists to avoid breaking API backwards
          compatibility.
        * Replaced all uses of alloca with malloc and free.
        * Remove code to import certificate chains in PKCS#7 format.
          The code has not worked since v0.9.0 and apparently nobody has missed
          it, so the community decided to remove the code rather than fix it.
          If you have old certificate chains stored in PKCS#7 format, you can
          convert them to a list of PEM certificates by using
          'certtool --p7-info'.
        * Added API to replace and update the crypto backend.
          A new header file <gnutls/crypto.h> has been added.  It contains
          definitions related to replacing the internal crypto functionality.
          All definitions and the header itself are experimental but supported.
        * gnutls_x509_crt_set_subject_alt_name() was added. It can
          either set or append alternative names. It can also handle binary
          structures such as IP addresses.
        * New function to set minimum acceptable SRP bits.
        * Add interface to deal with public key and signature algorithms.
        * New interfaces to get name of public key and signing algorithms.
        * New API to get a string corresponding to an error symbol.
        * New API to set the public parameters in a certificate request
          from a private key.
        * New API to set a callback to extract TLS Finished data.
        * Fix namespace problem with TLS_MASTER_SIZE and TLS_RANDOM_SIZE.
          The new names are GNUTLS_MASTER_SIZE and GNUTLS_RANDOM_SIZE.  The old
          names are mapped to the new names in compat.h.  These mappings will
          likely be removed more quickly than other mappings in that file due to
          the namespace violation.
        * New interface to register a new TLS extension handler.
          The new function gnutls_ext_register can be used to register handlers
          for specific TLS extension types.  The callback functions have the new
          types gnutls_ext_recv_func and gnutls_ext_send_func.  A type to
          classify TLS extensions, gnutls_ext_parse_type_t, has been added as
          well.
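
      The renames in the list above (the certificate printing constants,
      gnutls_openpgp_privkey_get_id, and TLS_MASTER_SIZE/TLS_RANDOM_SIZE) are
      covered by compatibility mappings only for a time, so consumers need to
      find remaining uses of the old names. The scanner below is an added
      example, not part of the original case or of GnuTLS; find_deprecated and
      the sample C snippet are constructed for illustration.

```python
import re

# Old name -> new name, taken from the rename items in the feature list above.
RENAMES = {
    "GNUTLS_X509_CRT_FULL": "GNUTLS_CRT_PRINT_FULL",
    "GNUTLS_X509_CRT_ONELINE": "GNUTLS_CRT_PRINT_ONELINE",
    "GNUTLS_X509_CRT_UNSIGNED_FULL": "GNUTLS_CRT_PRINT_UNSIGNED_FULL",
    "gnutls_openpgp_privkey_get_id": "gnutls_openpgp_privkey_get_key_id",
    "TLS_MASTER_SIZE": "GNUTLS_MASTER_SIZE",
    "TLS_RANDOM_SIZE": "GNUTLS_RANDOM_SIZE",
}

# Match whole C identifiers only, so that GNUTLS_MASTER_SIZE (new) is not
# reported as a use of TLS_MASTER_SIZE (old), which it contains as a substring.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Block comments, line comments and string literals are blanked before scanning.
SKIP = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)


def _blank(match):
    # Keep newlines so reported line numbers still match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_deprecated(source):
    """Return (line, old_name, new_name) for each deprecated identifier used."""
    code = SKIP.sub(_blank, source)
    hits = []
    for lineno, line in enumerate(code.splitlines(), start=1):
        for m in IDENT.finditer(line):
            if m.group(0) in RENAMES:
                hits.append((lineno, m.group(0), RENAMES[m.group(0)]))
    return hits


# Constructed sample input, not taken from any real project.
SAMPLE = '''\
/* TLS_RANDOM_SIZE was renamed */
unsigned char master[TLS_MASTER_SIZE];
unsigned char rnd[GNUTLS_RANDOM_SIZE];
gnutls_x509_crt_print(crt, GNUTLS_X509_CRT_ONELINE, &out);
gnutls_openpgp_privkey_get_key_id(key, id);
gnutls_openpgp_privkey_get_id(key, id); // old name
'''

if __name__ == "__main__":
    for lineno, old, new in find_deprecated(SAMPLE):
        print(f"line {lineno}: {old} -> {new}")
```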

    3.2. Interfaces:
         Exported Interfaces
           Interface                        Classification      Comments
         ---------------                    --------------  -----------------------
         SUNWgnutls                           Uncommitted     Package name (unchanged)
         SUNWgnutls-devel                     Uncommitted     Package name (unchanged)

         /usr/lib/libgnutls.so.26              Volatile       C library (unchanged)
         /usr/lib/libgnutlsxx.so.26            Volatile       C++ library (unchanged)

         /usr/share/aclocal/libgnutls.m4       Volatile         (unchanged)
         /usr/lib/pkgconfig/gnutls.pc          Volatile         (unchanged)
         /usr/include/gnutls/gnutls.h          Volatile         (unchanged)
         /usr/include/gnutls/gnutlsxx.h        Volatile         (unchanged)
         /usr/include/gnutls/pkcs12.h          Volatile         (unchanged)
         /usr/include/gnutls/compat.h          Volatile         (unchanged)
         /usr/include/gnutls/x509.h            Volatile         (unchanged)
         /usr/bin/libgnutls-config             Volatile         (unchanged)
         /usr/share/man/man1/libgnutls-config  Volatile         (unchanged)
         /usr/share/man/man3/libgnutls.3       Volatile         (unchanged)
         /usr/share/man/man3/libgnutlsxx.3     Volatile         (unchanged)
         /usr/share/doc/SUNWgnutls/AUTHORS     Volatile         (unchanged)
         /usr/share/doc/SUNWgnutls/NEWS.bz2    Volatile         (unchanged)
         /usr/share/doc/SUNWgnutls/README      Volatile         (unchanged)
         /usr/share/doc/SUNWgnutls/            Volatile         (unchanged)
                          COPYING.LIB.bz2
                                                
         /usr/include/gnutls/openpgp.h         Volatile         (added)
         /usr/include/gnutls/crypto.h          Volatile         (added)

         Imported Interfaces
           Interface                         Classification        Comments
         ---------------                     ---------------  ---------------------
         /usr/lib/libgcrypt.so.11               Volatile         (unchanged)
                                                                LSARC/2008/390/

         /usr/lib/libtasn1.so.3                 Volatile         (added)
                                                                LSARC/2008/341/

         /usr/lib/libz.so.1                     Committed       (unchanged)
                                                                 PSARC/2006/537

    3.3. Packaging & Delivery:
         SUNWgnutls (base package)                  - base package for binaries
         SUNWgnutls-devel (development package)     - development package for 
                                                      header and documents

    3.4. Dependencies:
         libgnutls depends on libtasn1, libgcrypt and zlib.

    3.5  References
         
         Sun Evolution             LSARC/2003/298/
         libtasn1                  LSARC/2008/390/
         GnuTLS Update for 2.2.4   LSARC/2008/341/

4. Resources and Schedule:
        
   4.1. Product Approval Committee requested information:
        4.1.1. Consolidation Name:

                Desktop Cteam/GNOME

        4.1.2. Contributing OpCo/BU/Division Name:

                Desktop Solutions

        4.1.3. Type of PAC Review and Approval expected:

                FastTrack

5. References
   Project website: http://www.gnu.org/software/gnutls/
   GnuTLS 2.4.0 Release News: 
      http://article.gmane.org/gmane.network.gnutls.general/1282
   GnuTLS 2.6.0 Release News:
      http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3135



6. Resources and Schedule
    6.4. Steering Committee requested information
        6.4.1. Consolidation C-team Name:
                Desktop
    6.5. ARC review type: FastTrack
    6.6. ARC Exposure: open

