[gnutls-devel] plans for plugin support?
benedikt.knoppix at web.de
Mon Jun 1 18:26:39 CEST 2015
On 01.06.2015 at 15:23 Nikos Mavrogiannopoulos wrote:
> Hi Benedikt, We have such a plugin API for public key and signature
> algorithms. The supported plugins are PKCS #11 modules or even custom
> ones when imported with gnutls_privkey_import_ext3().
If I understand this correctly these functions can only be used from
within an application, that links with GnuTLS? What I mean with a plugin
mechanism, is a shared object that is loaded by GnuTLS at runtime. This
shared object registers an external crypto provider  for GnuTLS.
This could be used if an applications wants to use an external crypto
provider as the default implementation for some crypto algorithms (e.g.
a provider that uses a crypto card to accelerate specific crypto
algorithms) . Of course, the application can use
gnutls_crypto_register_cipher/digest() to use another implementation.
However with these functions the application has to write the glue code
himself. If this glue code is moved in a shared object the application
does only need to load this shared object. For an application this would
also allow to easily change the cryptographic backend of GnuTLS at
> For symmetric key algorithms we support cryptodev (i.e., /dev/crypto)
> on systems that support it. Are there any other plugin mechanisms you
> are interested at?
If I understand this correctly /dev/crypto is a kernel device. I am more
interested in /lib/accelerated, because the external provider does not
I could write my code in a module under /lib/accelerated. However my
code needs to call dlopen(), because the only right way  to enable
the external provider is through another library.
Is this something you would accept?
However this would not solve the problem that an application can not
change the crypto backend to another provider. I would still prefer a
plugin concept, where an application (or GnuTLS for the application) can
load a shared object, that setups the external provider. This would give
the maximum flexibility.
: E.g. opens the library of the external crypto provider with
dlopen() and then overrides specific crypto algorithms of the default
backend with the implementation from the external provider.
: This could be interesting for a testing application that wants to
compare different crypto implementations with GnuTLS.
: I do not want to reinvent the wheel.
More information about the Gnutls-devel