[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-49-g3f71806
From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-49-g3f71806
Date: Thu, 23 Dec 2010 16:38:25 +0000
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=3f7180671228a40e730825e52498045c7c6cca2d
The branch, master has been updated
via 3f7180671228a40e730825e52498045c7c6cca2d (commit)
from e1034a02f0e5f817f7d22182c902648f288f78f3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3f7180671228a40e730825e52498045c7c6cca2d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu Dec 23 17:38:08 2010 +0100
Added discussion on crypto backend for crypto libraries and /dev/crypto.
-----------------------------------------------------------------------
Summary of changes:
doc/cha-internals.texi | 56 +++++++++++++++++++++++++++++++++--------
doc/gnutls-crypto-layers.dia | Bin 0 -> 1296 bytes
doc/gnutls-crypto-layers.pdf | Bin 0 -> 9363 bytes
doc/gnutls-crypto-layers.png | Bin 0 -> 19818 bytes
4 files changed, 45 insertions(+), 11 deletions(-)
create mode 100644 doc/gnutls-crypto-layers.dia
create mode 100644 doc/gnutls-crypto-layers.pdf
create mode 100644 doc/gnutls-crypto-layers.png
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 0cf96c3..dabca66 100644
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -319,19 +319,53 @@ is summarized in the following diagram.
@node Cryptographic Backend
@section Cryptographic Backend
-Several new systems provide hardware assisted cryptographic algorithm
-implementations that offer implementations some orders of magnitude
-faster than the software. For this reason GnuTLS supports by default
-the /dev/crypto device usually found in FreeBSD and OpenBSD system, to
-take advantage of installed hardware.
-
-In addition it is possible to override parts of the crypto backend or the
-whole. It is possible to override them both at runtime and compile
-time, however here we will discuss the runtime possibility. The API
+Today most new processors, either for embedded or desktop systems
+include either instructions intended to speed up cryptographic operations,
+or a co-processor with cryptographic capabilities. Taking advantage of
+those is a challenging task for every cryptographic application or
+library. Unfortunately the cryptographic libraries that GnuTLS is based
+on take no advantage of these properties. For this reason GnuTLS handles
+this internally by following a layered approach to accessing
+cryptographic operations as in the following figure.
+
address@hidden,12cm}
+
+The TLS layer uses a cryptographic provider layer, that will in turn either
+use the default crypto provider - a crypto library, or use an external
+crypto provider, if available.
+
address@hidden Cryptographic Library layer
+The Cryptographic Library layer, can currently be used either with
+libgcrypt or libnettle, each of one has its advantages and some
+disadvantages. Libgcrypt is a self-contained library, pretty broad
+in scope that supports many algorithms. In some processors like VIA,
+it will also use the available crypto instruction set hence providing
+performance benefit comparing to plain software implementation.
+Libnettle provides only software implementation
+of the basic algorithms required in TLS, and is on average 30% faster
+that libgcrypt on almost all algorithms. For
+this reason libnettle is library used by default in GnuTLS.
+
address@hidden External cryptography provider
+Systems that include a cryptographic co-processor, typically come with
+kernel drivers to utilize the operations from software. For this reason
+GnuTLS provides a layer where each individual algorithm used can be replaced
+by another implementation, i.e. the one provided by the driver. The
+FreeBSD, OpenBSD and Linux address@hidden
@url{http://home.gna.org/cryptodev-linux/}
+for the Linux kernel implementation of @code{/dev/crypto}.} include already
+a number of hardware assisted implementations, and also provide an interface
+to access them, called @code{/dev/crypto}.
+GnuTLS will take advantage of this interface if compiled with special
+options. That is because in most systems where hardware-assisted
+cryptographic operations are not available, using this interface might
+actually reduce performance.
+
+It is possible to override parts of crypto backend both at runtime and compile
+time. Here we discuss the runtime possibility. The API
available for this functionality is in @code{gnutls/crypto.h} header
file.
address@hidden Override specific algorithms
address@hidden Override specific algorithms
When an optimized implementation of a single algorithm is available,
say a hardware assisted version of @acronym{AES-CBC} then the
following functions can be used to register those algorithms.
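Review bot: The new "External cryptography provider" paragraph says GnuTLS uses /dev/crypto "if compiled with special options" but never names the option, while the removed text said the device was supported "by default"; name the configure switch there, and mention the change of default in the commit message, since it is what tells a deployer whether the kernel crypto path is in use. In the "Cryptographic Library layer" paragraph the statement that libnettle "is on average 30% faster" has no benchmark, platform or library version behind it; cite the measurement or soften the wording. Wording fixes in the same paragraph: "each of one has" should read "each of which has", "faster that libgcrypt" should read "faster than libgcrypt", and "libnettle is library used by default" is missing "the".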
@@ -349,7 +383,7 @@ To register a hash (digest) or MAC algorithm.
Those registration functions will only replace the specified algorithm
and leave the rest of subsystem intact.
address@hidden Override parts of the backend
address@hidden Override parts of the backend
In some systems, such as embedded ones, it might be desirable to
override big parts of the cryptographic backend, or even all of
them. For this reason the following functions are provided.
diff --git a/doc/gnutls-crypto-layers.dia b/doc/gnutls-crypto-layers.dia
new file mode 100644
index 0000000..4340737
Binary files /dev/null and b/doc/gnutls-crypto-layers.dia differ
diff --git a/doc/gnutls-crypto-layers.pdf b/doc/gnutls-crypto-layers.pdf
new file mode 100644
index 0000000..8b6a838
Binary files /dev/null and b/doc/gnutls-crypto-layers.pdf differ
diff --git a/doc/gnutls-crypto-layers.png b/doc/gnutls-crypto-layers.png
new file mode 100644
index 0000000..aea671e
Binary files /dev/null and b/doc/gnutls-crypto-layers.png differ
hooks/post-receive
--
GNU gnutls