Add AES-GCM-SIV AEAD support (RFC 8452) #1

Closed
Rakdos8 wants to merge 1 commit into jordikroon:fix/gh20851 from Rakdos8:fix/openssl-aes-gcm-siv-aead-tag

Rakdos8 commented Apr 25, 2026

Comment thread ext/openssl/openssl_backend_common.c Outdated
* EVP_CIPH_SIV_MODE (RFC 5297), it takes a single AAD input, so
* aad_supports_vector stays false. LibreSSL does not currently
* define this constant. */
#ifdef EVP_CIPH_GCM_SIV_MODE
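
Review bot: The comment above the `#ifdef EVP_CIPH_GCM_SIV_MODE` guard explains it only by LibreSSL not defining the constant, while the commit message also ties GCM-SIV to OpenSSL >= 3.2. Consider naming that version requirement in the comment next to the LibreSSL remark, so a reader of the source sees both reasons the guarded code can be compiled out without having to find the commit message.
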
Owner

Can you put this below case EVP_CIPH_SIV_MODE? The case will then flow into php_openssl_set_aead_flags without the need to call it once more.

@jordikroon
Owner

Overall looks good. Thank you for this. Just one bullet; once that is addressed and the tests give a green light, I will merge it into the PR.

Builds on the AES-SIV support added in the earlier commits by also
handling EVP_CIPH_GCM_SIV_MODE in php_openssl_load_cipher_mode().
GCM-SIV (OpenSSL >= 3.2, RFC 8452) uses the standard
EVP_CTRL_AEAD_*_TAG controls and falls into the same AEAD switch arm
as SIV. The existing aad_supports_vector = (cipher_mode ==
EVP_CIPH_SIV_MODE) check keeps that flag false for GCM-SIV, since
RFC 8452 takes a single AAD input rather than vector AAD like RFC 5297
SIV. LibreSSL does not currently define EVP_CIPH_GCM_SIV_MODE, hence
the #ifdef guard.

Tests:
  - cipher_tests.inc gains aes-256-gcm-siv vectors from RFC 8452
    Appendix C.2 (empty plaintext, 8-byte plaintext with and without
    AAD).
  - openssl_encrypt_gcm_siv.phpt and openssl_decrypt_gcm_siv.phpt
    consume those vectors, mirroring the SIV equivalents, and cover
    the missing-tag and tampering failure paths.
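
The failure paths the commit message lists (missing tag, tampering), exercised from PHP userland as an added example. This is not code from the pull request or its .phpt tests; it assumes a PHP build that includes this change, linked against OpenSSL >= 3.2, and the helper name `gcm_siv_paths` and the sample strings are constructed for the illustration.

```php
<?php
// Added illustration; not taken from the pull request or php-src.
// Assumption: PHP includes the GCM-SIV change and links OpenSSL >= 3.2.
const CIPHER = 'aes-256-gcm-siv'; // cipher name as used in cipher_tests.inc

// Hypothetical helper: encrypts once, then decrypts along each path.
function gcm_siv_paths(string $key, string $nonce, string $msg, string $aad): array
{
    $tag = '';
    // RFC 8452 takes one AAD input, so $aad is a single string.
    $ct = openssl_encrypt($msg, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad);
    if ($ct === false || $tag === '') {
        throw new RuntimeException('encrypt failed or no tag returned: ' . openssl_error_string());
    }

    $badTag = $tag;
    $badTag[0] = chr(ord($badTag[0]) ^ 0x01); // flip one tag bit
    $badCt = $ct;
    $badCt[0] = chr(ord($badCt[0]) ^ 0x01);   // flip one ciphertext bit

    // '@' silences the E_WARNING PHP raises on the missing-tag path.
    $dec = static fn (string $c, ?string $t, string $a) =>
        @openssl_decrypt($c, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $t, $a);

    return [
        'roundtrip'   => $dec($ct, $tag, $aad) === $msg,
        'tag_bytes'   => strlen($tag),
        'bad_tag'     => $dec($ct, $badTag, $aad),
        'bad_ct'      => $dec($badCt, $tag, $aad),
        'bad_aad'     => $dec($ct, $tag, $aad . 'x'),
        'missing_tag' => $dec($ct, null, $aad),
    ];
}

// Assumption: the linked library lists the cipher under this name.
$names = array_map('strtolower', openssl_get_cipher_methods());
if (!in_array(CIPHER, $names, true)) {
    exit(CIPHER . " is not offered by the linked crypto library\n");
}

// Constructed inputs: 32-byte key and 12-byte nonce (RFC 8452 sizes for AES-256).
$r = gcm_siv_paths(random_bytes(32), random_bytes(12), 'constructed sample message', 'constructed header');
foreach (['bad_tag', 'bad_ct', 'bad_aad', 'missing_tag'] as $path) {
    printf("%-12s %s\n", $path, $r[$path] === false ? 'rejected' : 'ACCEPTED (bug)');
}
printf("roundtrip    %s, tag %d bytes\n", $r['roundtrip'] ? 'ok' : 'FAILED', $r['tag_bytes']);
```
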

Rakdos8 force-pushed the fix/openssl-aes-gcm-siv-aead-tag branch from 2b81ae6 to c5ff025 on April 25, 2026 18:37

Author

Rakdos8 commented Apr 25, 2026

Good catch, applied. Falls through into the shared block now, much cleaner — the existing aad_supports_vector = (cipher_mode == EVP_CIPH_SIV_MODE) check naturally keeps GCM-SIV out of the SIV-specific path. Force-pushed with the amended commit.

I've seen a failed test in the matrix; will see how it goes after this last commit 👍


bukka commented Apr 25, 2026

I merged the other PR as it's independent and ready. Please rebase it and keep just siv gcm, and I will check this one later.

@jordikroon
Owner

Much appreciated. I will close this. Please rebase and target php/php-src master.

jordikroon closed this Apr 25, 2026