Nikos Mavrogiannopoulos nmav at
Sat Apr 16 19:42:07 CEST 2011

On 04/16/2011 07:19 PM, Andreas Metzler wrote:

> watching gnutls-commits I have been wondering about
> -------------------------------------------
> ** libgnutls: Added support for AES-NI if detected. Uses Andy
> Polyakov's AES-NI code.
> -------------------------------------------
> Isn't this something that belongs in the crypto backend? Gcrypt (1.5
> beta) already supports it. I am not criticizing, just wondering whether
> I understand things correctly.

Indeed. Ideally this should have been handled in the cryptographic
back-end. However, nettle (due to being very low level) doesn't have any
interface to override ciphers at run-time. Libgcrypt also doesn't have
such an interface, thus anyone wanting to contribute such optimized
code has to do so within ifdefs in the existing code. For these two reasons
the run-time detection of cryptographic capabilities is kept in
gnutls[0]. That way and by keeping that code separate and independent,
we can use external contributions of optimized implementations quite
easily, even if the code is not under LGPL (but under some other
compatible license).


[0]. I tried to sketch this architecture at:;a=blob;f=doc/gnutls-crypto-layers.png;h=f25c8a1d687e0bd0601bfbcebadd758a9d64886d;hb=HEAD
