[gnutls-dev] Work in progress: GnuTLS 2.2 release notes on API changes

Simon Josefsson simon at josefsson.org
Thu Nov 15 11:03:17 CET 2007


Updated release notes wrt to the API/ABI changes below.

After consideration, I believe we should revert the change to deprecate
gnutls_set_default_priority().  It is a widely used function and
gnutls_set_default_priority2() doesn't offer any significant difference
for most applications.  I think people will think that we just change
the API for no reason if we make this change.  What do others think?
Nikos is this ok with you?

Further, I believe we could improve the gnutls_set_default_priority2()
API.  Right now it is difficult to use from applications.  Each
application would need to have a configuration file token (e.g.,
'gnutls-priority: EXPORT') or command line parameter (e.g.,
--gnutls-priority PERFORMANCE) that map to the GnuTLS enum types.  A
serious problem is that there would be no consistency between GnuTLS
applications on what the enum names should be and their meaning.

I think it would be better if we had a function like:

  int gnutls_set_priority (gnutls_session_t session,
                           const char *priority);

It would take strings that can be set by users in application
configuration files or command line parameters.  GnuTLS could define a
couple of strings:

  DEFAULT
  EXPORT
  PERFORMANCE
  SECURITY

etc.  Eventually we could even support something like OpenSSL's priority
strings, which allow things similar to 'DEFAULT:-AES' to use the
defaults, but remove all AES ciphers.

This interface seems more flexible than the
gnutls_set_default_priority2() interface.

Thoughts?  Nikos?

/Simon

API changes in GnuTLS 2.2
=========================

To adapt to changes in the TLS extension specifications for OpenPGP
and SRP, the GnuTLS API had to be modified.  Since we had to modify
the API, we decided to do some long pending API cleanups as well.
Generally, most applications do not need to be modified.  Just
re-compile it against the latest GnuTLS release should work.  However,
applications that use the OpenPGP or SRP features needs to be
modified.  Below is a list of the modified APIs and discussion of what
you need to modify in your application.

General changes
---------------

The functions `gnutls_set_default_priority',
`gnutls_set_default_export_priority' have been replaced by
`gnutls_set_default_priority2'.  There are compatibility mappings from
the old names to the new.  (XXX: do we really need to do this?  Seems
frivolous to me, at least `gnutls_set_default_priority' is very common,
and could be kept around and supported in the future.)

The function `gnutls_x509_crt_to_xml' was removed, it has not done
anything (except returning an error code) since around GnuTLS 1.2.
Nobody has complained, so users doesn't seem to miss the
functionality.  We don't know of any libraries to convert X.509
certificates into XML format, but we decided (long ago) that GnuTLS
isn't the right place for this kind of functionality.

SRP related changes
-------------------

The callback gnutls_srp_client_credentials_function has a new
prototype, and its semantic has changed.  You need to rewrite the
callback, see the updated function documentation and examples for more
information.

The alert codes GNUTLS_A_MISSING_SRP_USERNAME and
GNUTLS_A_UNKNOWN_SRP_USERNAME are no longer used by the SRP
specification, instead the GNUTLS_A_UNKNOWN_PSK_IDENTITY alert should
be used.  There are #define's to map the old names to the new.

OpenPGP related changes
-----------------------

The functions `gnutls_certificate_set_openpgp_key_file',
`gnutls_certificate_set_openpgp_key_mem',
`gnutls_certificate_set_openpgp_keyring_mem', and
`gnutls_certificate_set_openpgp_keyring_file' has an added parameter
of the (new) type `gnutls_openpgp_crt_fmt_t'.  The type specify the
format of the data (binary or base64).

The function `gnutls_certificate_set_openpgp_keyserver' have been
removed.  There is no replacement functionality inside GnuTLS.  If you
need keyserver functionality, consider using the GnuPG tools.

All functions, types, and error codes related to OpenPGP trustdb
format have been removed.  The trustdb format is a non-standard
GnuPG-specific format, and we recommend you to use key rings instead.
The following have been removed:

 gnutls_certificate_set_openpgp_trustdb
 gnutls_openpgp_trustdb_init
 gnutls_openpgp_trustdb_deinit
 gnutls_openpgp_trustdb_import
 gnutls_openpgp_key_verify_trustdb
 gnutls_openpgp_trustdb_t
 GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED

To improve terminology and align with the X.509 interface, some
functions have been renamed.  Compatibility mappings exists.  The old
and new names of the affected functions and types are:

        Old name                                New name
 gnutls_openpgp_key_init                 gnutls_openpgp_crt_init
 gnutls_openpgp_key_deinit               gnutls_openpgp_crt_deinit
 gnutls_openpgp_key_import               gnutls_openpgp_crt_import
 gnutls_openpgp_key_export               gnutls_openpgp_crt_export
 gnutls_openpgp_key_get_key_usage        gnutls_openpgp_crt_get_key_usage
 gnutls_openpgp_key_get_fingerprint      gnutls_openpgp_crt_get_fingerprint
 gnutls_openpgp_key_get_pk_algorithm     gnutls_openpgp_crt_get_pk_algorithm
 gnutls_openpgp_key_get_name             gnutls_openpgp_crt_get_name
 gnutls_openpgp_key_get_version          gnutls_openpgp_crt_get_version
 gnutls_openpgp_key_get_creation_time    gnutls_openpgp_crt_get_creation_time
 gnutls_openpgp_key_get_expiration_time  gnutls_openpgp_crt_get_expiration_time
 gnutls_openpgp_key_get_id               gnutls_openpgp_crt_get_id
 gnutls_openpgp_key_check_hostname       gnutls_openpgp_crt_check_hostname
 gnutls_openpgp_send_key                 gnutls_openpgp_send_cert
 gnutls_openpgp_key_status_t             gnutls_openpgp_crt_status_t
 GNUTLS_OPENPGP_KEY                      GNUTLS_OPENPGP_CERT
 GNUTLS_OPENPGP_KEY_FINGERPRINT          GNUTLS_OPENPGP_CERT_FINGERPRINT
 gnutls_openpgp_key_t                    gnutls_openpgp_crt_t



More information about the Gnutls-dev mailing list