9.6.2 External cryptography provider
Systems that include a cryptographic co-processor typically come with
kernel drivers so that software can use its operations. For this reason
GnuTLS provides a layer where each individual algorithm can be replaced
by another implementation, i.e. the one provided by the driver. The
FreeBSD, OpenBSD and Linux kernels(15) already include
a number of hardware-assisted implementations, and also provide an interface
to access them, called /dev/crypto.
GnuTLS takes advantage of this interface when compiled with special
options. This is because on most systems where hardware-assisted
cryptographic operations are not available, going through this interface
might actually reduce performance.
In systems whose CPU provides cryptographic instructions as part of its instruction set, using the kernel interface introduces an unneeded layer. For this reason GnuTLS includes optimizations for such instructions found in popular processors, for example the AES-NI instruction set. This is achieved with a mechanism that overrides parts of the crypto backend at runtime, once the cryptographic instructions are detected.
The next section discusses the runtime possibility. The API
for this functionality is declared in the gnutls/crypto.h header
file.
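As an added illustration of the runtime override described above (example code written for this page, not GnuTLS source and not the gnutls/crypto.h API): on x86 it queries CPUID for the AES-NI flag and, only when the flag is set, swaps the AES-128 block routine for a hardware implementation; otherwise it leaves a placeholder fallback that reports the operation as unavailable, since a portable software AES is outside the scope of the example. The function names (has_aesni, select_aes128_backend, aes128_selftest) are the example's own, and the known-answer check uses the FIPS-197 Appendix C.1 vector.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <wmmintrin.h>   /* AES-NI intrinsics (pulls in SSE2 as well) */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Runtime detection: CPUID leaf 1, ECX bit 25 advertises AES-NI.
 * Returns 1 when present, 0 otherwise (including on non-x86 builds). */
int has_aesni(void)
{
#if HAVE_X86
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (ecx & (1u << 25)) ? 1 : 0;
#else
    return 0;
#endif
}

/* Backend slot: encrypt one block with AES-128; 0 on success, -1 if unavailable. */
typedef int (*aes128_block_fn)(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]);

#if HAVE_X86
/* Hardware path. The target attribute compiles this without -maes for the
 * whole file; it must only be called after has_aesni() returned 1. */
__attribute__((target("sse2,aes")))
static int aes128_encrypt_aesni(const uint8_t key[16], const uint8_t in[16], uint8_t out[16])
{
    __m128i rk[11];
    rk[0] = _mm_loadu_si128((const __m128i *)key);
    /* Key expansion: AESKEYGENASSIST needs an immediate round constant,
     * so the ten steps are unrolled through a macro instead of a loop. */
#define EXPAND(i, rcon) do {                                           \
        __m128i t = _mm_aeskeygenassist_si128(rk[(i) - 1], (rcon));    \
        __m128i k = rk[(i) - 1];                                       \
        t = _mm_shuffle_epi32(t, _MM_SHUFFLE(3, 3, 3, 3));             \
        k = _mm_xor_si128(k, _mm_slli_si128(k, 4));                    \
        k = _mm_xor_si128(k, _mm_slli_si128(k, 4));                    \
        k = _mm_xor_si128(k, _mm_slli_si128(k, 4));                    \
        rk[i] = _mm_xor_si128(k, t);                                   \
    } while (0)
    EXPAND(1, 0x01); EXPAND(2, 0x02); EXPAND(3, 0x04); EXPAND(4, 0x08);
    EXPAND(5, 0x10); EXPAND(6, 0x20); EXPAND(7, 0x40); EXPAND(8, 0x80);
    EXPAND(9, 0x1b); EXPAND(10, 0x36);
#undef EXPAND
    __m128i s = _mm_xor_si128(_mm_loadu_si128((const __m128i *)in), rk[0]);
    for (int r = 1; r < 10; r++)
        s = _mm_aesenc_si128(s, rk[r]);
    s = _mm_aesenclast_si128(s, rk[10]);
    _mm_storeu_si128((__m128i *)out, s);
    return 0;
}
#endif

/* Placeholder fallback (assumption: a real backend carries a software AES here). */
static int aes128_encrypt_unavailable(const uint8_t key[16], const uint8_t in[16], uint8_t out[16])
{
    (void)key; (void)in; (void)out;
    return -1;
}

/* The override step: choose the implementation once, from what the CPU reports. */
aes128_block_fn select_aes128_backend(const char **name)
{
#if HAVE_X86
    if (has_aesni()) {
        *name = "aesni";
        return aes128_encrypt_aesni;
    }
#endif
    *name = "fallback";
    return aes128_encrypt_unavailable;
}

/* Known-answer test (FIPS-197 C.1): 1 = match, 0 = mismatch, -1 = backend unavailable. */
int aes128_selftest(void)
{
    static const uint8_t key[16] = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
                                    0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f};
    static const uint8_t pt[16]  = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                                    0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    static const uint8_t ct[16]  = {0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,
                                    0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a};
    uint8_t out[16];
    const char *name;
    aes128_block_fn fn = select_aes128_backend(&name);
    if (fn(key, pt, out) != 0)
        return -1;
    return memcmp(out, ct, 16) == 0 ? 1 : 0;
}

int main(void)
{
    const char *name;
    select_aes128_backend(&name);
    printf("AES-128 backend: %s, self-test: %d\n", name, aes128_selftest());
    return 0;
}
```

The point to take from the dispatch is that the hardware routine is never reachable unless the CPUID check passed, and that whichever path is selected is verified against a known answer before it is trusted; a backend that silently fell back to a wrong or missing implementation would otherwise go unnoticed.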
