AES SIV cipher algorithms implemented incorrectly in openssl module

[onyn]

Description

The following code:

<?php
$algo = 'aes-256-siv';
echo 'Cipher ' . $algo . ' supported: '
    . in_array($algo, openssl_get_cipher_methods()) . PHP_EOL
    . 'Key len: ' . openssl_cipher_key_length($algo) . PHP_EOL
    . 'IV len: ' . openssl_cipher_iv_length($algo) . PHP_EOL;

$key = str_repeat('1', 64);
$enc = openssl_encrypt('Hello world!', $algo, $key, OPENSSL_RAW_DATA);
echo 'ciphertext: ' . bin2hex($enc) . PHP_EOL;

$dec = openssl_decrypt($enc, $algo, $key, OPENSSL_RAW_DATA);
echo 'decrypted: ' . var_export($dec, true) . PHP_EOL;

Resulted in this output:

Cipher aes-256-siv supported: 1
Key len: 64
IV len: 0
ciphertext: 72fffba74d7bc3ddcceeb6d1
decrypted: false

But I expected this output instead:

Cipher aes-256-siv supported: 1
Key len: 64
IV len: 0
ciphertext: c06f0df087e2784c5560ce5d0b37831172fffba74d7bc3ddcceeb6d1
decrypted: 'Hello world!'

Explanation:

AES in SIV mode generates IV on its own (hence name SIV -> Synthetic Initialization Vector). But output of openssl_encrypt contains only actual ciphertext (correct, however) without IV. And this ruins decryption, because without IV it's not possible to decrypt.

I wrote similar java code, that encryts "Hello world!" with aes-256-siv and got result "c06f0df087e2784c5560ce5d0b37831172fffba74d7bc3ddcceeb6d1". This string contains IV and ciphertext concatenated together: IV c06f0df087e2784c5560ce5d0b378311, ciphertext 72fffba74d7bc3ddcceeb6d1.

I hoped that I could at least consume encrypted data from java. But passing IV to openssl_decrypt emits warning: PHP Warning: openssl_decrypt(): IV passed is 16 bytes long which is longer than the 0 expected by selected cipher, truncating in /home/onyn/siv.php on line 18. Well, no miracle happened. Also passing IV with ciphertext together not worked.

This bug affects all reported by openssl_get_cipher_methods variants: aes-128-siv, aes-192-siv and aes-256-siv.

Also note, that AES SIV is an AEAD cipher, so $aad argument must be respected. But in my tests it was silently ignored.

PHP Version

PHP 8.5.1 (cli) (built: Dec 18 2025 23:39:41) (NTS)
Copyright (c) The PHP Group
Built by Debian
Zend Engine v4.5.1, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.1, Copyright (c), by Zend Technologies

Operating System

Ubuntu 24.04

[jordikroon]

I was not able to obtain the same ciphertext from the expected output. But I was able to verify that the output matches in my test case.

from cryptography.hazmat.primitives.ciphers.aead import AESSIV
import binascii

algo = "aes-256-siv"

plaintext = b"Hello world!"
aad = b""
key = b"1" * 64

aessiv = AESSIV(key)
combined = aessiv.encrypt(plaintext, [aad])

tag = combined[:16]
ciphertext = combined[16:]

print("tag:", tag.hex())
print("ciphertext:", ciphertext.hex())
print("combined:", combined.hex())

decrypted = aessiv.decrypt(combined, [aad])
print("decrypted:", decrypted.decode("utf-8"))

Gave me:

tag: f6c98e3e785947502a09994d2757f9c1
ciphertext: a430a41a9bc089fa45ad27be
combined: f6c98e3e785947502a09994d2757f9c1a430a41a9bc089fa45ad27be
decrypted: 'Hello world!'

[onyn]

I was not able to obtain the same ciphertext from the expected output

Pass None instead of [aad]. Empty string still valid as aad input and affects output.