
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-49-g3f71806


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-49-g3f71806
Date: Thu, 23 Dec 2010 16:38:25 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=3f7180671228a40e730825e52498045c7c6cca2d

The branch, master has been updated
       via  3f7180671228a40e730825e52498045c7c6cca2d (commit)
      from  e1034a02f0e5f817f7d22182c902648f288f78f3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 3f7180671228a40e730825e52498045c7c6cca2d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Dec 23 17:38:08 2010 +0100

    Added discussion on crypto backend for crypto libraries and /dev/crypto.

-----------------------------------------------------------------------

Summary of changes:
 doc/cha-internals.texi       |   56 +++++++++++++++++++++++++++++++++--------
 doc/gnutls-crypto-layers.dia |  Bin 0 -> 1296 bytes
 doc/gnutls-crypto-layers.pdf |  Bin 0 -> 9363 bytes
 doc/gnutls-crypto-layers.png |  Bin 0 -> 19818 bytes
 4 files changed, 45 insertions(+), 11 deletions(-)
 create mode 100644 doc/gnutls-crypto-layers.dia
 create mode 100644 doc/gnutls-crypto-layers.pdf
 create mode 100644 doc/gnutls-crypto-layers.png

diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 0cf96c3..dabca66 100644
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -319,19 +319,53 @@ is summarized in the following diagram.
 
 @node Cryptographic Backend
 @section Cryptographic Backend
-Several new systems provide hardware assisted cryptographic algorithm
-implementations that offer implementations some orders of magnitude
-faster than the software. For this reason GnuTLS supports by default
-the /dev/crypto device usually found in FreeBSD and OpenBSD system, to
-take advantage of installed hardware. 
-
-In addition it is possible to override parts of the crypto backend or the
-whole. It is possible to override them both at runtime and compile
-time, however here we will discuss the runtime possibility. The API
+Today most new processors, either for embedded or desktop systems
+include either instructions  intended to speed up cryptographic operations,
+or a co-processor with cryptographic capabilities. Taking advantage of 
+those is a challenging task for every cryptographic  application or 
+library. Unfortunately the cryptographic libraries that GnuTLS is based 
+on take no advantage of these properties. For this reason GnuTLS handles 
+this internally by following a layered approach to accessing
+cryptographic operations as in the following figure. 
+
address@hidden,12cm}
+
+The TLS layer uses a cryptographic provider layer, that will in turn either 
+use the default crypto provider - a crypto library, or use an external
+crypto provider, if available.
+
address@hidden Cryptographic Library layer
+The Cryptographic Library layer, can  currently be used either with
+libgcrypt or libnettle, each of one has its advantages and some 
+disadvantages. Libgcrypt is a self-contained library, pretty broad 
+in scope that supports many algorithms. In some processors like VIA, 
+it will also use the available crypto instruction set hence providing
+performance benefit comparing to plain software implementation.
+Libnettle provides only software implementation
+of the basic algorithms required in TLS, and is on average 30% faster
+that libgcrypt on almost all algorithms. For
+this reason libnettle is library used by default in GnuTLS.
+
address@hidden External cryptography provider
+Systems that include a cryptographic co-processor, typically come with
+kernel drivers to utilize the operations from software. For this reason 
+GnuTLS provides a layer where each individual algorithm used can be replaced
+by another implementation, i.e. the one provided by the driver. The
+FreeBSD, OpenBSD and Linux address@hidden 
@url{http://home.gna.org/cryptodev-linux/} 
+for the Linux kernel implementation of @code{/dev/crypto}.} include already 
+a number of hardware assisted implementations, and also provide an interface 
+to access them, called @code{/dev/crypto}.
+GnuTLS will take advantage of this interface if compiled with special
+options. That is because in most systems where hardware-assisted 
+cryptographic operations are not available, using this interface might 
+actually reduce performance.
+
+It is possible to override parts of crypto backend both at runtime and compile
+time. Here we discuss the runtime possibility. The API
 available for this functionality is in @code{gnutls/crypto.h} header
 file.
 
address@hidden Override specific algorithms
address@hidden Override specific algorithms
 When an optimized implementation of a single algorithm is available,
 say a hardware assisted version of @acronym{AES-CBC} then the
 following functions can be used to register those algorithms.
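Review bot: The performance claim in the new "Cryptographic Library layer" text ("on average 30% faster that libgcrypt on almost all algorithms") is stated without a benchmark, platform or library version, so readers cannot check it and it will go stale. Either cite the measurement or soften it to a qualitative statement, and fix "that" to "than" while there. In the "External cryptography provider" text, "if compiled with special options" should name the actual configure option, since this is the sentence a reader consults to find out whether their build uses @code{/dev/crypto} at all. Smaller wording fixes in the same hunk: "each of one has" should be "each of which has", "libnettle is library used by default" is missing "the", and "override parts of crypto backend" is missing "the".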
@@ -349,7 +383,7 @@ To register a hash (digest) or MAC algorithm.
 Those registration functions will only replace the specified algorithm
 and leave the rest of subsystem intact.
 
address@hidden Override parts of the backend
address@hidden Override parts of the backend
 In some systems, such as embedded ones, it might be desirable to
 override big parts of the cryptographic backend, or even all of
 them. For this reason the following functions are provided.
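Review bot: The unchanged text under "Override parts of the backend" still says the backend can be overridden in "big parts ... or even all of them", but the introductory paragraph rewritten earlier in this patch dropped "or the whole" and now reads only "It is possible to override parts of crypto backend". Restore the "or the whole" wording in the introduction so the two passages agree on what can be replaced. Separately, the context line "leave the rest of subsystem intact" is missing "the" and could be fixed in the same commit.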
diff --git a/doc/gnutls-crypto-layers.dia b/doc/gnutls-crypto-layers.dia
new file mode 100644
index 0000000..4340737
Binary files /dev/null and b/doc/gnutls-crypto-layers.dia differ
diff --git a/doc/gnutls-crypto-layers.pdf b/doc/gnutls-crypto-layers.pdf
new file mode 100644
index 0000000..8b6a838
Binary files /dev/null and b/doc/gnutls-crypto-layers.pdf differ
diff --git a/doc/gnutls-crypto-layers.png b/doc/gnutls-crypto-layers.png
new file mode 100644
index 0000000..aea671e
Binary files /dev/null and b/doc/gnutls-crypto-layers.png differ


hooks/post-receive
-- 
GNU gnutls


