[gnutls-devel] gnutls 3.3.0pre0

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Mar 27 17:54:46 CET 2014 

Hello,
 I've just released gnutls 3.3.0pre0. This is a pre-release of the next
stable branch, which adds new features, optimizations and cleanups to
the GnuTLS library.


* Version 3.3.0 (pre-release 2014-03-27)

** libgnutls: The initialization of the library was moved to a
constructor. That is, gnutls_global_init() is no longer required
unless linking with a static library or a system that does not
support library constructors.

** libgnutls: static libraries are not built by default.

** libgnutls: PKCS #11 initialization is delayed to first usage.
That avoids long delays in gnutls initialization due to broken PKCS #11
modules.

** libgnutls: The PKCS #11 subsystem is re-initialized "automatically"
on the first PKCS #11 API call after a fork. 

** libgnutls: certificate verification profiles were introduced
that can be specified as flags to verification functions. They
are enumerations in gnutls_certificate_verification_profiles_t
and can be converted to flags using GNUTLS_PROFILE_TO_VFLAGS()

** libgnutls: Added the SYSTEM priority string initial keyword.
That allows a compile-time specified configuration file to be
used to read the priorities. That can be used to impose system
specific policies.

** libgnutls: Increased the default security level of priority
strings (NORMAL and PFS strings require at minimum a 1008 DH prime), 
and set a verification profile by default.  The LEGACY keyword is 
introduced to set the old defaults.

** libgnutls: Added support for the name constraints PKIX extension.
Currently only DNS names and e-mails are supported (no URIs, IPs
or DNs).

** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to 
SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL.

** libgnutls: Added new API in x509-ext.h to handle X.509 extensions.
This API handles the X.509 extensions in isolation, allowing to parse
similarly formatted extensions stored in other structures.

** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS
can be used to specify a particular subgroup as the number of bits in
gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256).

** libgnutls: DH parameter generation is now delegated to nettle.
That unfortunately has the side-effect that DH parameters longer than
3072 bits, cannot be generated (not without a nettle update).

** libgnutls: Separated nonce RNG from the main RNG. The nonce
random number generator is based on salsa20/12.

** libgnutls: The buffer alignment provided to crypto backend is
enforced to be 16-byte aligned, when compiled with cryptodev
support. That allows certain cryptodev drivers to operate more
efficiently.

** libgnutls: Depend on p11-kit 0.20.0 or later.

** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension
has been removed. It was not approved by IETF.

** libgnutls: The experimental xssl library is removed from the gnutls
distribution.

** libgnutls: Reduced the number of gnulib modules used.

** certtool: Timestamps for serial numbers were increased to 8 bytes,
and in batch mode to 12 (appended with 4 random bytes).

** libgnutls: Added --enable-fips140-mode configuration option
(unsupported).
That option enables (when running on FIPS140-enabled system):
 o RSA, DSA and DH key generation as in FIPS-186-4 (using provable
primes)
 o The DRBG-CTR-AES256 deterministic random generator from SP800-90A.
 o Self-tests on initialization on ciphers/MACs, public key algorithms 
   and the random generator.
 o HMAC-SHA256 verification of the library on load.
 o MD5 is included for TLS purposes but cannot be used by the high level
   hashing functions.
 o All ciphers except AES are disabled.
 o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5).
 o All keys (temporal and long term) are zeroized after use.
 o Security levels are adjusted to the FIPS140-2 recommendations (rather
   than ECRYPT).

** API and ABI modifications:
gnutls_privkey_generate: Added
gnutls_pkcs11_crt_is_known: Added
gnutls_fips140_mode_enabled: Added
gnutls_sec_param_to_symmetric_bits: Added
gnutls_pubkey_export_ecc_x962: Added (replaces
gnutls_pubkey_get_pk_ecc_x962)
gnutls_pubkey_export_ecc_raw: Added (replaces
gnutls_pubkey_get_pk_ecc_raw)
gnutls_pubkey_export_dsa_raw: Added (replaces
gnutls_pubkey_get_pk_dsa_raw)
gnutls_pubkey_export_rsa_raw: Added (replaces
gnutls_pubkey_get_pk_rsa_raw)
gnutls_pubkey_verify_params: Added
gnutls_privkey_export_ecc_raw: Added
gnutls_privkey_export_dsa_raw: Added
gnutls_privkey_export_rsa_raw: Added
gnutls_privkey_import_ecc_raw: Added
gnutls_privkey_import_dsa_raw: Added
gnutls_privkey_import_rsa_raw: Added
gnutls_privkey_verify_params: Added
gnutls_x509_name_constraints_init: Added
gnutls_x509_name_constraints_deinit: Added
gnutls_x509_crt_get_name_constraints: Added
gnutls_x509_name_constraints_add_permitted: Added
gnutls_x509_name_constraints_add_excluded: Added
gnutls_x509_crt_set_name_constraints: Added
gnutls_x509_name_constraints_get_permitted: Added
gnutls_x509_name_constraints_get_excluded: Added
gnutls_x509_name_constraints_check: Added
gnutls_x509_name_constraints_check_crt: Added
gnutls_x509_crl_get_extension_data2: Added
gnutls_x509_crt_get_extension_data2: Added
gnutls_x509_crq_get_extension_data2: Added
gnutls_subject_alt_names_init: Added
gnutls_subject_alt_names_deinit: Added
gnutls_subject_alt_names_get: Added
gnutls_subject_alt_names_set: Added
gnutls_x509_ext_import_subject_alt_names: Added
gnutls_x509_ext_export_subject_alt_names: Added
gnutls_x509_crl_dist_points_init: Added
gnutls_x509_crl_dist_points_deinit: Added
gnutls_x509_crl_dist_points_get: Added
gnutls_x509_crl_dist_points_set: Added
gnutls_x509_ext_import_crl_dist_points: Added
gnutls_x509_ext_export_crl_dist_points: Added
gnutls_x509_ext_import_name_constraints: Added
gnutls_x509_ext_export_name_constraints: Added
gnutls_x509_aia_init: Added
gnutls_x509_aia_deinit: Added
gnutls_x509_aia_get: Added
gnutls_x509_aia_set: Added
gnutls_x509_ext_import_aia: Added
gnutls_x509_ext_export_aia: Added
gnutls_x509_ext_import_subject_key_id: Added
gnutls_x509_ext_export_subject_key_id: Added
gnutls_x509_ext_export_authority_key_id: Added
gnutls_x509_ext_import_authority_key_id: Added
gnutls_x509_aki_init: Added
gnutls_x509_aki_get_id: Added
gnutls_x509_aki_get_cert_issuer: Added
gnutls_x509_aki_set_id: Added
gnutls_x509_aki_set_cert_issuer: Added
gnutls_x509_aki_deinit: Added
gnutls_x509_ext_import_private_key_usage_period: Added
gnutls_x509_ext_export_private_key_usage_period: Added
gnutls_x509_ext_import_basic_constraints: Added
gnutls_x509_ext_export_basic_constraints: Added
gnutls_x509_ext_import_key_usage: Added
gnutls_x509_ext_export_key_usage: Added
gnutls_x509_ext_import_proxy: Added
gnutls_x509_ext_export_proxy: Added
gnutls_x509_policies_init: Added
gnutls_x509_policies_deinit: Added
gnutls_x509_policies_get: Added
gnutls_x509_policies_set: Added
gnutls_x509_ext_import_policies: Added
gnutls_x509_ext_export_policies: Added
gnutls_x509_key_purpose_init: Added
gnutls_x509_key_purpose_deinit: Added
gnutls_x509_key_purpose_set: Added
gnutls_x509_key_purpose_get: Added
gnutls_x509_ext_import_key_purposes: Added
gnutls_x509_ext_export_key_purposes: Added
gnutls_digest_self_test: Added (conditionally)
gnutls_mac_self_test: Added (conditionally)
gnutls_pk_self_test: Added (conditionally)
gnutls_cipher_self_test: Added (conditionally)
gnutls_global_set_mem_functions: Deprecated


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.lz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

More information about the Gnutls-devel mailing list