| [ << ] | [ < ] | [ Up ] | [ > ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
10.5.2 External cryptography provider
Systems that include a cryptographic co-processor, typically come with
kernel drivers to utilize the operations from software. For this reason
GnuTLS provides a layer where each individual algorithm used can be replaced
by another implementation, i.e., the one provided by the driver. The
FreeBSD, OpenBSD and Linux kernels(17) include already
a number of hardware assisted implementations, and also provide an interface
to access them, called /dev/crypto.
GnuTLS will take advantage of this interface if compiled with special
options. That is because in most systems where hardware-assisted
cryptographic operations are not available, using this interface might
actually harm performance.
In systems that include cryptographic instructions with the CPU’s
instructions set, using the kernel interface will introduce an
unneeded layer. For this reason GnuTLS includes such optimizations
found in popular processors such as the AES-NI or VIA PADLOCK instruction sets.
This is achieved using a mechanism that detects CPU capabilities and
overrides parts of crypto backend at runtime.
The next section discusses the registration of a detected algorithm
optimization. For more information please consult the GnuTLS
source code in lib/accelerated/.
Overriding specific algorithms
When an optimized implementation of a single algorithm is available,
say a hardware assisted version of AES-CBC then the
following (internal) functions, from crypto-backend.h, can
be used to register those algorithms.
-
gnutls_crypto_single_cipher_register: To register a cipher algorithm. -
gnutls_crypto_single_digest_register: To register a hash (digest) or MAC algorithm.
Those registration functions will only replace the specified algorithm and leave the rest of subsystem intact.
Overriding the cryptographic library
In some systems, that might contain a broad acceleration engine, it might be desirable to override big parts of the cryptographic backend, or even all of them. T following functions are provided for this reason.
-
gnutls_crypto_cipher_register: To override the cryptographic algorithms backend. -
gnutls_crypto_digest_register: To override the digest algorithms backend. -
gnutls_crypto_rnd_register: To override the random number generator backend. -
gnutls_crypto_bigint_register: To override the big number number operations backend. -
gnutls_crypto_pk_register: To override the public key encryption backend. This is tied to the big number operations so either none or both of them should be overriden.
| [ << ] | [ < ] | [ Up ] | [ > ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
This document was generated on January 4, 2012 using texi2html 5.0.