Suggestions to add complete record processing in OpenSSL

Hi,
  I observed that OpenSSL (3.2.1) currently doesn't provide a way (this is my understanding :P) to do complete record processing in one go instead of doing it in multiple APIs/functions. This record processing feature allows HW implementations to do complete SSL record processing without too much SW code. When I say complete record processing,

On TX,
Padding addition, MAC and Encrypt operation in one go in the SSL engine

On RX,
Remove padding, MAC verification and decrypt the SSL record

We plan to implement a complete record processing engine which does these operations along with pipeline support. As per my understanding, the following process can be used to achieve it.

  1. Define a new struct record_functions_st rec_eng_tls_1_funcs as shown below.

     struct record_functions_st rec_eng_tls_1_funcs = {
         tls1_cipher, // This API becomes the core function where plain text is changed into an SSL record including padding, MAC and encryption
         NULL, // No MAC API as we do both in the above function
         /* Rest all function pointers are almost same */
     };

  2. Introduce a new macro for enabling complete record processing (say OPENSSL_RECORD_PROCESSING_ENGINE). When this macro is enabled, set record_layer->funcs to rec_eng_tls_1_funcs, otherwise set it to tls_1_funcs.

  3. The ciphers will be marked as EVP_CIPH_FLAG_AEAD_CIPHER to allow both MAC and encryption to be handled in the tls1_cipher() API.

Please suggest if the approach looks ok or if any changes are needed.

Thanks in advance
Ravichandra
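
The MAC and padding work that a combined record engine would take over for a TLS 1.2 CBC (MAC-then-encrypt) cipher suite, per RFC 5246 section 6.2.3, as an added example that is not part of the original post and is not OpenSSL code. The block cipher step is left out (Python's standard library has no AES), so the functions work on the cipher's input and output; HMAC-SHA256, the function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

BLOCK = 16    # AES block size; the CBC encrypt/decrypt step itself is not shown
MAC_LEN = 32  # HMAC-SHA256 output length (assumed MAC for this example)


def record_mac(key, seq, ctype, version, fragment):
    # RFC 5246 6.2.3.1: HMAC(seq_num || type || version || length || fragment)
    hdr = struct.pack("!QBHH", seq, ctype, version, len(fragment))
    return hmac.new(key, hdr + fragment, hashlib.sha256).digest()


def tx_mac_and_pad(key, seq, ctype, version, fragment):
    """TX: build the block cipher input, fragment || MAC || padding."""
    body = fragment + record_mac(key, seq, ctype, version, fragment)
    pad_len = BLOCK - 1 - (len(body) % BLOCK)  # also the value of every pad byte
    return body + bytes([pad_len]) * (pad_len + 1)


def rx_unpad_and_verify(key, seq, ctype, version, decrypted):
    """RX: strip padding and verify the MAC on the block cipher output.

    Returns the fragment, or None on any failure. Bad padding and bad MAC give
    the same result and the MAC is computed either way. Python offers no
    timing guarantees; this shows the logic only.
    """
    if len(decrypted) < MAC_LEN + 1 or len(decrypted) % BLOCK:
        return None
    pad_len = decrypted[-1]
    good = pad_len + 1 + MAC_LEN <= len(decrypted)
    if not good:
        pad_len = 0  # carry on as if unpadded; the record is still rejected
    bad = 0
    for b in decrypted[len(decrypted) - pad_len - 1:]:
        bad |= b ^ pad_len  # every padding byte must equal pad_len
    good = good and bad == 0
    end = len(decrypted) - pad_len - 1
    fragment, mac = decrypted[:end - MAC_LEN], decrypted[end - MAC_LEN:end]
    expected = record_mac(key, seq, ctype, version, fragment)
    good = hmac.compare_digest(mac, expected) and good
    return fragment if good else None
```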

