Proposal: Remove bundled libaes_siv, use OpenSSL native AES-SIV
Hal Murray
halmurray at sonic.net
Mon Jun 22 06:38:46 UTC 2026
Apologies for not responding to your previous message yet. I've got some
stuff typed in, but I'm crappy at my time management anyway and got
sidetracked on the Pi-3 issue. (It's not ours.) This area is one of the
items that was big enough that I was going to split it out from the email
I'm working on.
So here goes...
Another reason for using the OpenSSL API is that there are newer AEAD
modes that end up with shorter packets.
I'll be happy if any fixes in this area have a configure time switch to
use the old code.
There are 2 reasons to keep the old code. It's much faster and it works
with FIPS.
-------
On faster.
It's just one of the areas I'm interested in. There are some crypto-speed
hacks in attic, mostly lower level. I think there is at least one that
does AEAD, maybe making cookies.
I have some hacks to testing the speed of networks and NTP servers. (A
friend wrote a book on understanding performance issues. I was a
proofreader and played with the code.) The server side of NTP is pretty
simple. With several threads, we should be able to keep up with a gigabit
link. Crypto makes the packets longer so fewer packets per second but
much more CPU. I did enough poking around to be pretty sure that keeping
up with the wire was a reasonable goal.
Some of my hacks tested real NTP servers. Some tests were just echo
servers, but they had an optional spin loop before sending the packet
back. That was to simulate the CPU tme to do the crypto.
The limiting factor for echoing short packets is the CPU time for the
kernel thread processing interrupts. A lot of those cycles go to waking
up a waiting thread. I haven't tried a short spin before waiting so the
server thread on a busy server doesn't have to get woken up. Down hill
with a tailwind, I managed to echo a million packets per second.
It's easy, CPU wise, to test NTP performance. especially the crypto stuff.
The send side can send the same packet over and over -- the setup cost,
including crypto, is moved outside the loop. The receive side doesn't
have to check anything or do any crypto. So a client on a system in the
same ballpark of CPU speed can keep up with a server that is doing all the
work.
It would be nice to have some good/clean performance tests and publish
numbers for each release.
On the other hand, I can't make a good case for why the project really
needs to be interested in bleeding edge server performance.
Do you have a good contact at OpenSSL? If we had good numbers, is there
any chance they would make their code go faster?
---------
On FIPS...
I don't understand the FIPS bureaucracy and/or how OpenSSL interacts with
it.
The FIPS stuff requires a bunch of paperwork. They have to hire a lab to
do something that takes a long time. The result only applies to a
specific version. (I don't know what happens if they patch that version.)
I'm pretty sure that OpenSSL in FIPS mode didn't include the routines you
are calling. There was some discussion on the NTP-WG. That was a year or
2 or ?? ago.
I haven't heard anything about them being added. One sort of common sense
says since they are just using routines that are FIPS approved then they
should be OK. But FIPS is full of paperwork, so maybe it doesn't work
that way. Maybe it would need test vectors and such and actually checked
by the FIPS process.
I think there are some openssl CLI routines to tell you what modes are
available. Have you gone down that rathole? Have you tested your code on
a FIPS system?
--
These are my opinions. I hate spam.
More information about the devel
mailing list