Suggestions to add complete record processing in OpenSSL

Ravichandra mynidiravichandra at gmail.com
Thu May 23 05:43:40 UTC 2024


Hi,
  I observed that OpenSSL (3.2.1) currently doesn't provide a way (this is my
understanding :P) to do complete record processing in one go instead of
doing it in multiple APIs/functions. This record processing feature allows
for HW implementations to do complete SSL record processing without too
much SW code. When I say complete record processing,

On TX,
Padding addition, MAC and Encrypt operation in one go in the SSL engine

On RX,
Remove padding, MAC verification and decrypt the SSL record

We plan to implement a complete record processing engine which does these
operations along with pipeline support. As per my understanding, the
following process can be used to achieve it.

   1. Define a new struct record_functions_st rec_eng_tls_1_funcs as shown
   below.

struct record_functions_st rec_eng_tls_1_funcs = {

    /*
     * This API becomes the core function where plain text is changed
     * into a SSL record including padding, MAC and encryption
     */
    tls1_cipher,

    NULL, /* No MAC API as we do both in the above function */

    /* Rest all function pointers are almost same */

};


   2. Introduce a new macro for enabling complete record processing (say
   OPENSSL_RECORD_PROCESSING_ENGINE). When this macro is enabled, set
   record_layer->funcs to rec_eng_tls_1_funcs, otherwise set it to
   tls_1_funcs.

   3. The ciphers will be marked as EVP_CIPH_FLAG_AEAD_CIPHER to allow
   both MAC and encryption to be handled in the tls1_cipher() API.

Please suggest if the approach looks OK or if any changes are needed.

Thanks in advance
Ravichandra
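
Added illustration, not part of the original post and not OpenSSL code: the padding half of the TX/RX steps listed above, assuming TLS 1.0-1.2 CBC (MAC-then-encrypt) records, with the RX check written so it does not branch on decrypted bytes. The names tls_cbc_pad, tls_cbc_unpad and ct_lt are hypothetical; the MAC and the cipher are left to the engine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TX: pad buf (fragment || MAC, len bytes) to a multiple of `block`.
 * TLS 1.0-1.2 CBC padding is `pad` bytes, each holding the value pad-1.
 * Returns the padded length, or 0 if it does not fit in cap. */
size_t tls_cbc_pad(uint8_t *buf, size_t len, size_t cap, size_t block)
{
    if (block == 0 || len > cap)
        return 0;
    size_t pad = block - (len % block);          /* 1..block */
    if (pad > cap - len)
        return 0;
    memset(buf + len, (int)(pad - 1), pad);
    return len + pad;
}

/* All-ones if a < b, else 0; no data-dependent branch (a, b < 2^31). */
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    return (uint32_t)0 - ((a - b) >> 31);
}

/* RX: check the padding of a decrypted record without branching on secret
 * bytes. Returns an all-ones mask if valid, 0 if not; *body_len receives
 * the length of fragment || MAC. The caller still verifies the MAC and
 * ANDs both results, so a bad pad and a bad MAC fail the same way. */
uint32_t tls_cbc_unpad(const uint8_t *rec, size_t len, size_t mac_len,
                       size_t *body_len)
{
    *body_len = 0;
    if (len > 0xFFFF || mac_len >= len)   /* public values: safe to branch */
        return 0;
    uint32_t pad = rec[len - 1];                 /* padding_length byte */
    uint32_t good = ct_lt(pad + (uint32_t)mac_len, (uint32_t)len);
    uint32_t bad = 0;
    size_t scan = len < 256 ? len : 256;         /* longest possible pad */
    for (size_t i = 0; i < scan; i++) {
        uint32_t in_pad = ct_lt((uint32_t)i, pad + 1);      /* i <= pad */
        bad |= in_pad & (uint32_t)(rec[len - 1 - i] ^ pad);
    }
    good &= ct_lt(bad, 1);                       /* all-ones iff bad == 0 */
    *body_len = len - 1 - (size_t)(pad & good);  /* strip nothing on failure */
    return good;
}
```

On a padding failure the function still reports a usable length, so the MAC is computed over the record either way and both outcomes are folded into a single accept/reject result.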