Proposal: Remove bundled libaes_siv, use OpenSSL native AES-SIV

Mark Atwood mark.atwood at ntpsec.org
Tue Jun 30 19:39:41 UTC 2026


Hal, thanks for the feedback.

cast-qual: fixed, using memcpy to a local buffer instead of casting away const (d396a3b9a).

Key length ambiguity: fixed. Added an explicit aead parameter (the IANA algorithm ID) to the API. The wrapper uses that to pick the cipher now, not key length. Has to work this way anyway -- AES-128-GCM-SIV and AES-256-SIV-CMAC both take 32-byte keys but are completely different algorithms.

EVP_CIPHER_CTX_reset(): keeping it. The OpenSSL API says to call it when reusing a context for a new operation. We are. Cost is maybe 20ns vs 1-3us for the actual crypto, and it keeps provider implementations (hardware engines) happy.  I have spent too many hours putting _close() and _reset() calls BACK INTO PROJECTS because they are required to make cryptography run on an accelerator.  Those API calls are there for good reasons, that are not apparent on software only paths.

Bigger picture: libaes_siv only does SIV-CMAC. No GCM-SIV at all. RFC 8915 defines AES-128-GCM-SIV and AES-256-GCM-SIV as valid AEAD choices. We need to interop with peers that negotiate those, so thus we need OpenSSL. And GCM-SIV is faster anyway -- around 1.1us on hardware with AES-NI vs 1.5-2.4us for libaes_siv's SIV-CMAC.  I can provide perf tables.

The branch builds clean with --enable-Werror, waf check passes.

..m


More information about the devel mailing list