12.6 Cryptographic Backend

Several new systems provide hardware assisted cryptographic algorithm implementations that offer implementations some orders of magnitude faster than the software. For this reason GnuTLS supports by default the /dev/crypto device usually found in FreeBSD and OpenBSD system, to take advantage of installed hardware.

In addition it is possible to override parts of the crypto backend or the whole. It is possible to override them both at runtime and compile time, however here we will discuss the runtime possibility. The API available for this functionality is in gnutls/crypto.h header file.

12.6.1 Override specific algorithms

When an optimized implementation of a single algorithm is available, say a hardware assisted version of AES-CBC then the following functions can be used to register those algorithms.

• gnutls_crypto_single_cipher_register2 To register a cipher algorithm.

  gnutls_crypto_single_digest_register2 To register a hash (digest) or MAC algorithm.

Those registration functions will only replace the specified algorithm and leave the rest of subsystem intact.

12.6.2 Override parts of the backend

In some systems, such as embedded ones, it might be desirable to override big parts of the cryptographic backend, or even all of them. For this reason the following functions are provided.

• gnutls_crypto_cipher_register2 To override the cryptographic algorithms backend.
• gnutls_crypto_digest_register2 To override the digest algorithms backend.
• gnutls_crypto_rnd_register2 To override the random number generator backend.
• gnutls_crypto_bigint_register2 To override the big number number operations backend.
• gnutls_crypto_pk_register2 To override the public key encryption backend. This is tight to the big number operations so either both of them should be updated or care must be taken to use the same format.

If all of them are used then GnuTLS will no longer use libgcrypt.