Proposal: Remove bundled libaes_siv, use OpenSSL native AES-SIV

Hal Murray halmurray at sonic.net
Tue Jun 30 23:31:08 UTC 2026


Please don't delete the old library.  I'd like some of the timing tools in 
the attic to still work.  You can move building and checking it to under 
the attic flag.

You didn't say anything about breaking FIPS.  The auditors may not be 
happy, but NTS works, and there is at least a reasonable story for the 
auditors if they aren't pigheaded.  Your code will break that.

You could clone the library and change all the CMAC calls to EVP_whatever.
1/2 :)  It would be interesting to compare timing on those two.


> Key length ambiguity: fixed...
Great.  Thanks.

> EVP_CIPHER_CTX_reset(): keeping it..

The man page says it is freeing up stuff.  That's clearly stupid.  It's just going to have to allocate it again.  I'll see what the OpenSSL guys have to say about this area.

> I have spent too many hours putting _close() and _reset() calls BACK INTO
> PROJECTS because they are required to make cryptography run on an
> accelerator.

Was that because of bugs in the accelerator code?  and/or poor internal API that it was working with?  (poor API and/or poor documentation)

What does an accelerator cost?  How well do they work on small chunks?  Can I get one on eBay?  Is it really an accelerator, or just a way of moving the secret key to a place where it isn't exposed if a bad guy breaks into the system?


> Bigger picture: libaes_siv only does SIV-CMAC. No GCM-SIV at all. RFC
> 8915 defines AES-128-GCM-SIV and AES-256-GCM-SIV as valid AEAD choices.

Nit picking:
  RFC 8915 doesn't say anything about GCM.  (No hits on a text search.)

  You are probably thinking of this page:
    https://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml
  Looks like that table needs another column with a Y/N for OK to use with NTS.

Yes, it would be nice if we supported the GCM modes.  But they are not required.

It's been on my list for a while, but I never saw a clean solution that would still work with FIPS.

And we have at least one user interested in FIPS since they reported problems.  That led to adding a fips=no in libntp/macencrypt.c for the code that uses MD5 to hash IPv6 addresses down to 32 bits.


-- 
These are my opinions.  I hate spam.





More information about the devel mailing list