Proposal: Remove bundled libaes_siv, use OpenSSL native AES-SIV

Mark Atwood mark.atwood at ntpsec.org
Mon Jun 22 01:31:04 UTC 2026


We bundle Akamai's libaes_siv library for AES-SIV-CMAC (RFC 5297), used by NTS for cookie encryption and wire authentication.

When this was added, OpenSSL didn't have native AES-SIV support. That's no longer true.

OpenSSL 3.0+ includes native AES-SIV via EVP_CIPHER_fetch(NULL, "AES-256-SIV", NULL). Since we already require OpenSSL 3.0+ for NTS (TLS 1.3 requirement), all platforms that can run NTS today have native AES-SIV available.

The bundled libaes_siv has a problem: it uses deprecated CMAC_CTX_* APIs that still work in OpenSSL 3.x but will be removed in 4.0. It also doesn't route through OpenSSL's provider layer, which blocks FIPS mode and alternative crypto backends like wolfProvider.

Proposal:
- Delete libaes_siv/ directory
- Replace the 4 call sites (nts_cookie.c, nts_extens.c) with EVP AES-SIV
- Drop the LibreSSL exemption (libaes_siv already doesn't support LibreSSL, so NTS on LibreSSL was never working anyway)

Benefits:
- Provider-aware (enables wolfProvider, FIPS)
- Future-proof (no deprecated APIs)
- Less code to maintain

The CI matrix confirms all current targets have OpenSSL 3.0+:
- Debian 12 (stable), Ubuntu 22.04+, RHEL 9+, FreeBSD 14+ base
- Older distros (Debian 11, Ubuntu 20.04, RHEL 8) already build with --disable-nts

Thoughts?

Mark


More information about the devel mailing list