1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 25 May 2013 for version
3.2.1 of GnuTLS.
Copyright (C) 2001-2013 Free Software Foundation, Inc.\\
Copyright (C) 2001-2013 Nikos Mavrogiannopoulos
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 4.13.90, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.2.1: Cryptographic Backend</title>
<meta name="description" content="GnuTLS 3.2.1: Cryptographic Backend">
<meta name="keywords" content="GnuTLS 3.2.1: Cryptographic Backend">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Internal-architecture-of-GnuTLS.html#Internal-architecture-of-GnuTLS" rel="up" title="Internal architecture of GnuTLS">
<link href="Upgrading-from-previous-versions.html#Upgrading-from-previous-versions" rel="next" title="Upgrading from previous versions">
<link href="TLS-Extension-Handling.html#TLS-Extension-Handling" rel="previous" title="TLS Extension Handling">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.indentedblock {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smallindentedblock {margin-left: 3.2em; font-size: smaller}
div.smalllisp {margin-left: 3.2em}
kbd {font-style:oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nocodebreak {white-space:nowrap}
span.nolinebreak {white-space:nowrap}
span.roman {font-family:serif; font-weight:normal}
span.sansserif {font-family:sans-serif; font-weight:normal}
ul.no-bullet {list-style: none}
body {
margin: 2%;
padding: 0 5%;
background: #ffffff;
}
h1,h2,h3,h4,h5 {
font-weight: bold;
padding: 5px 5px 5px 5px;
background-color: #c2e0ff;
color: #336699;
}
h1 {
padding: 2em 2em 2em 5%;
color: white;
background: #336699;
text-align: center;
letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
margin: 0 5%;
padding: 0.5em;
}
pre.example,pre.verbatim {
padding-bottom: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 1px 1px 1px 5px;
margin: 1em auto;
width: 90%;
}
div.node {
margin: 0 -5% 0 -2%;
padding: 0.5em 0.5em;
margin-top: 0.5em;
margin-bottom: 0.5em;
font-weight: bold;
}
dd, li {
padding-top: 0.1em;
padding-bottom: 0.1em;
}
div.float {
margin-bottom: 0.5em;
text-align: center;
}
table {
text-align: left;
margin-left:auto;
margin-right:auto;
width: 50%;
}
th {
padding: 0;
color: #336699;
background-color: #c2e0ff;
border: solid #000000;
border-width: 0px;
margin: 1em auto;
text-align: center;
margin-left:auto;
margin-right:auto;
}
td {
padding: 0;
border: solid #000000;
background-color: #f0faff;
border-width: 0px;
margin: 1em auto;
text-align: left;
margin-left:auto;
margin-right:auto;
padding-left: 1em;
}
dl {
text-align: left;
margin-left:auto;
margin-right:auto;
width: 50%;
padding-left: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 5px 1px 1px 1px;
margin: 1em auto;
}
-->
</style>
</head>
<body lang="en" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080" alink="#FF0000">
<a name="Cryptographic-Backend"></a>
<div class="header">
<p>
Previous: <a href="TLS-Extension-Handling.html#TLS-Extension-Handling" accesskey="p" rel="previous">TLS Extension Handling</a>, Up: <a href="Internal-architecture-of-GnuTLS.html#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal architecture of GnuTLS</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Cryptographic-Backend-1"></a>
<h3 class="section">10.5 Cryptographic Backend</h3>
<p>Today most new processors, either for embedded or desktop systems
include either instructions intended to speed up cryptographic operations,
or a co-processor with cryptographic capabilities. Taking advantage of
those is a challenging task for every cryptographic application or
library. Unfortunately the cryptographic library that GnuTLS is based
on takes no advantage of these capabilities. For this reason GnuTLS handles
this internally by following a layered approach to accessing
cryptographic operations as in <a href="#fig_003acrypto_002dlayers">Figure 10.4</a>.
</p>
<div class="float"><a name="fig_003acrypto_002dlayers"></a>
<img src="gnutls-crypto-layers.png" alt="gnutls-crypto-layers">
<div class="float-caption"><p><strong>Figure 10.4: </strong>GnuTLS cryptographic back-end design.</p></div></div>
<p>The TLS layer uses a cryptographic provider layer, that will in turn either
use the default crypto provider – a software crypto library, or use an external
crypto provider, if available in the local system. The reason of handling
the external cryptographic provider in GnuTLS and not delegating it to
the cryptographic libraries, is that none of the supported cryptographic
libraries support <code>/dev/crypto</code> or CPU-optimized cryptography in
an efficient way.
</p>
<a name="Cryptographic-library-layer"></a>
<h4 class="subheading">Cryptographic library layer</h4>
<p>The Cryptographic library layer, currently supports only
libnettle. Older versions of GnuTLS used to support libgcrypt,
but it was switched with nettle mainly for performance reasons<a name="DOCF13" href="#FOOT13"><sup>13</sup></a>
and secondary because it is a simpler library to use.
In the future other cryptographic libraries might be supported as well.
</p>
<a name="External-cryptography-provider"></a>
<h4 class="subheading">External cryptography provider</h4>
<p>Systems that include a cryptographic co-processor, typically come with
kernel drivers to utilize the operations from software. For this reason
GnuTLS provides a layer where each individual algorithm used can be replaced
by another implementation, i.e., the one provided by the driver. The
FreeBSD, OpenBSD and Linux kernels<a name="DOCF14" href="#FOOT14"><sup>14</sup></a> include already
a number of hardware assisted implementations, and also provide an interface
to access them, called <code>/dev/crypto</code>.
GnuTLS will take advantage of this interface if compiled with special
options. That is because in most systems where hardware-assisted
cryptographic operations are not available, using this interface might
actually harm performance.
</p>
<p>In systems that include cryptographic instructions with the CPU’s
instructions set, using the kernel interface will introduce an
unneeded layer. For this reason GnuTLS includes such optimizations
found in popular processors such as the AES-NI or VIA PADLOCK instruction sets.
This is achieved using a mechanism that detects CPU capabilities and
overrides parts of crypto back-end at runtime.
The next section discusses the registration of a detected algorithm
optimization. For more information please consult the <acronym>GnuTLS</acronym>
source code in <code>lib/accelerated/</code>.
</p>
<a name="Overriding-specific-algorithms"></a>
<h4 class="subsubheading">Overriding specific algorithms</h4>
<p>When an optimized implementation of a single algorithm is available,
say a hardware assisted version of <acronym>AES-CBC</acronym> then the
following (internal) functions, from <code>crypto-backend.h</code>, can
be used to register those algorithms.
</p>
<ul>
<li> <code>gnutls_crypto_single_cipher_register</code>:
To register a cipher algorithm.
</li><li> <code>gnutls_crypto_single_digest_register</code>:
To register a hash (digest) or MAC algorithm.
</li></ul>
<p>Those registration functions will only replace the specified algorithm
and leave the rest of subsystem intact.
</p>
<a name="Overriding-the-cryptographic-library"></a>
<h4 class="subsubheading">Overriding the cryptographic library</h4>
<p>In some systems, that might contain a broad acceleration engine, it
might be desirable to override big parts of the cryptographic back-end,
or even all of them. The following functions are provided for this reason.
</p>
<ul>
<li> <code>gnutls_crypto_cipher_register</code>:
To override the cryptographic algorithms back-end.
</li><li> <code>gnutls_crypto_digest_register</code>:
To override the digest algorithms back-end.
</li><li> <code>gnutls_crypto_rnd_register</code>:
To override the random number generator back-end.
</li><li> <code>gnutls_crypto_bigint_register</code>:
To override the big number number operations back-end.
</li><li> <code>gnutls_crypto_pk_register</code>:
To override the public key encryption back-end. This is tied to the
big number operations so either none or both of them should be overridden.
</li></ul>
<div class="footnote">
<hr>
<h4 class="footnotes-heading">Footnotes</h4>
<h3><a name="FOOT13" href="#DOCF13">(13)</a></h3>
<p>See
<a href="http://lists.gnu.org/archive/html/gnutls-devel/2011-02/msg00079.html">http://lists.gnu.org/archive/html/gnutls-devel/2011-02/msg00079.html</a>.</p>
<h3><a name="FOOT14" href="#DOCF14">(14)</a></h3>
<p>Check <a href="http://home.gna.org/cryptodev-linux/">http://home.gna.org/cryptodev-linux/</a>
for the Linux kernel implementation of <code>/dev/crypto</code>.</p>
</div>
<hr>
<div class="header">
<p>
Previous: <a href="TLS-Extension-Handling.html#TLS-Extension-Handling" accesskey="p" rel="previous">TLS Extension Handling</a>, Up: <a href="Internal-architecture-of-GnuTLS.html#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal architecture of GnuTLS</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
</body>
</html>
|
