From 7de1357dde68933f9b1fa60eb69c7caf1f336f7a Mon Sep 17 00:00:00 2001
From: Jordi Kroon <jkroon@onyourmarks.agency>
Date: Tue, 6 Jan 2026 23:39:48 +0100
Subject: [PATCH 1/5] properly initialize AEAD cipher flags in OpenSSL backend

---
 ext/openssl/openssl_backend_common.c |  7 +++++
 ext/openssl/tests/gh20851.phpt       | 43 ++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 ext/openssl/tests/gh20851.phpt

diff --git a/ext/openssl/openssl_backend_common.c b/ext/openssl/openssl_backend_common.c
index 611359cccaba6..9b86c1d6dee20 100644
--- a/ext/openssl/openssl_backend_common.c
+++ b/ext/openssl/openssl_backend_common.c
@@ -1637,6 +1637,13 @@ void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EV
 {
 	int cipher_mode = EVP_CIPHER_mode(cipher_type);
 	memset(mode, 0, sizeof(struct php_openssl_cipher_mode));
+
+	#if defined(EVP_CIPH_FLAG_AEAD_CIPHER)
+		if (EVP_CIPHER_flags(cipher_type) & EVP_CIPH_FLAG_AEAD_CIPHER) {
+			php_openssl_set_aead_flags(mode);
+		}
+	#endif
+
 	switch (cipher_mode) {
 		case EVP_CIPH_GCM_MODE:
 		case EVP_CIPH_CCM_MODE:
diff --git a/ext/openssl/tests/gh20851.phpt b/ext/openssl/tests/gh20851.phpt
new file mode 100644
index 0000000000000..d3dff888d2761
--- /dev/null
+++ b/ext/openssl/tests/gh20851.phpt
@@ -0,0 +1,43 @@
+--TEST--
+openssl: AES-256-SIV AEAD tag and AAD roundtrip
+--EXTENSIONS--
+openssl
+--FILE--
+<?php
+$algo = 'aes-256-siv';
+$key = str_repeat('1', 64);
+$tag = '';
+$input = 'Hello world!';
+
+$ciphertext = openssl_encrypt(
+    'Hello world!',
+    $algo,
+    $key,
+    OPENSSL_RAW_DATA,
+    '',      // IV is empty for this cipher in PHP
+    $tag     // gets filled with the SIV
+);
+
+echo 'input: ' . $input . PHP_EOL;
+echo 'tag: ' . bin2hex($tag) . PHP_EOL;
+echo 'ciphertext: ' . bin2hex($ciphertext) . PHP_EOL;
+echo 'combined: ' . bin2hex($tag . $ciphertext) . PHP_EOL;
+
+$dec = openssl_decrypt(
+    $ciphertext,
+    $algo,
+    $key,
+    OPENSSL_RAW_DATA,
+    '',
+    $tag
+);
+
+echo 'decrypted: ' . var_export($dec, true) . PHP_EOL;
+?>
+--EXPECTF--
+input: Hello world!
+tag: f6c98e3e785947502a09994d2757f9c1
+ciphertext: a430a41a9bc089fa45ad27be
+combined: f6c98e3e785947502a09994d2757f9c1a430a41a9bc089fa45ad27be
+decrypted: 'Hello world!'
+

From 59cba53d9ad97d8be956c73ef0fbad7decce7df8 Mon Sep 17 00:00:00 2001
From: Jordi Kroon <jkroon@onyourmarks.agency>
Date: Wed, 7 Jan 2026 20:09:13 +0100
Subject: [PATCH 2/5] allow null AAD parameter in openssl_encrypt/decrypt

---
 ext/openssl/openssl.c                         |  4 +-
 ext/openssl/openssl.stub.php                  |  4 +-
 ext/openssl/openssl_arginfo.h                 |  6 +--
 ext/openssl/openssl_backend_common.c          |  4 +-
 .../{gh20851.phpt => gh20851_aad_empty.phpt}  |  8 +++-
 ext/openssl/tests/gh20851_aad_null.phpt       | 47 +++++++++++++++++++
 6 files changed, 63 insertions(+), 10 deletions(-)
 rename ext/openssl/tests/{gh20851.phpt => gh20851_aad_empty.phpt} (90%)
 create mode 100644 ext/openssl/tests/gh20851_aad_null.phpt

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 2c09b89e31200..557903495fe3a 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4481,7 +4481,7 @@ PHP_FUNCTION(openssl_encrypt)
 	zend_string *ret;
 	zval *tag = NULL;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "sss|lszsl", &data, &data_len, &method, &method_len,
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "sss|lszs!l", &data, &data_len, &method, &method_len,
 					&password, &password_len, &options, &iv, &iv_len, &tag, &aad, &aad_len, &tag_len) == FAILURE) {
 		RETURN_THROWS();
 	}
@@ -4503,7 +4503,7 @@ PHP_FUNCTION(openssl_decrypt)
 	size_t data_len, method_len, password_len, iv_len = 0, tag_len = 0, aad_len = 0;
 	zend_string *ret;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "sss|lss!s", &data, &data_len, &method, &method_len,
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "sss|lss!s!", &data, &data_len, &method, &method_len,
 					&password, &password_len, &options, &iv, &iv_len, &tag, &tag_len, &aad, &aad_len) == FAILURE) {
 		RETURN_THROWS();
 	}
diff --git a/ext/openssl/openssl.stub.php b/ext/openssl/openssl.stub.php
index 94902a4acf0da..0111cc0cc7bc0 100644
--- a/ext/openssl/openssl.stub.php
+++ b/ext/openssl/openssl.stub.php
@@ -662,9 +662,9 @@ function openssl_digest(string $data, string $digest_algo, bool $binary = false)
 /**
  * @param string $tag
  */
-function openssl_encrypt(#[\SensitiveParameter] string $data, string $cipher_algo, #[\SensitiveParameter] string $passphrase, int $options = 0, string $iv = "", &$tag = null, string $aad = "", int $tag_length = 16): string|false {}
+function openssl_encrypt(#[\SensitiveParameter] string $data, string $cipher_algo, #[\SensitiveParameter] string $passphrase, int $options = 0, string $iv = "", &$tag = null, ?string $aad = "", int $tag_length = 16): string|false {}
 
-function openssl_decrypt(string $data, string $cipher_algo, #[\SensitiveParameter] string $passphrase, int $options = 0, string $iv = "", ?string $tag = null, string $aad = ""): string|false {}
+function openssl_decrypt(string $data, string $cipher_algo, #[\SensitiveParameter] string $passphrase, int $options = 0, string $iv = "", ?string $tag = null, ?string $aad = ""): string|false {}
 
 function openssl_cipher_iv_length(string $cipher_algo): int|false {}
 
diff --git a/ext/openssl/openssl_arginfo.h b/ext/openssl/openssl_arginfo.h
index 796582c185bb6..fad3050b4ea34 100644
--- a/ext/openssl/openssl_arginfo.h
+++ b/ext/openssl/openssl_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 8233a8abc8ab7145d905d0fa51478edfe1e55a06 */
+ * Stub hash: a571945d38a3460de017405454b61609811fe1b1 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_export_to_file, 0, 2, _IS_BOOL, 0)
 	ZEND_ARG_OBJ_TYPE_MASK(0, certificate, OpenSSLCertificate, MAY_BE_STRING, NULL)
@@ -337,7 +337,7 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_encrypt, 0, 3, MAY_BE_ST
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, options, IS_LONG, 0, "0")
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, iv, IS_STRING, 0, "\"\"")
 	ZEND_ARG_INFO_WITH_DEFAULT_VALUE(1, tag, "null")
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, aad, IS_STRING, 0, "\"\"")
+	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, aad, IS_STRING, 1, "\"\"")
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, tag_length, IS_LONG, 0, "16")
 ZEND_END_ARG_INFO()
 
@@ -348,7 +348,7 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_decrypt, 0, 3, MAY_BE_ST
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, options, IS_LONG, 0, "0")
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, iv, IS_STRING, 0, "\"\"")
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, tag, IS_STRING, 1, "null")
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, aad, IS_STRING, 0, "\"\"")
+	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, aad, IS_STRING, 1, "\"\"")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_cipher_iv_length, 0, 1, MAY_BE_LONG|MAY_BE_FALSE)
diff --git a/ext/openssl/openssl_backend_common.c b/ext/openssl/openssl_backend_common.c
index 9b86c1d6dee20..4885c63c7b893 100644
--- a/ext/openssl/openssl_backend_common.c
+++ b/ext/openssl/openssl_backend_common.c
@@ -1804,7 +1804,9 @@ zend_result php_openssl_cipher_update(const EVP_CIPHER *cipher_type,
 		return FAILURE;
 	}
 
-	if (mode->is_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, (const unsigned char *) aad, (int) aad_len)) {
+	/* Only pass AAD to OpenSSL if caller provided it.
+	   This makes NULL mean zero AAD items, while "" with len 0 means one empty AAD item. */
+	if (mode->is_aead && aad != NULL && !EVP_CipherUpdate(cipher_ctx, NULL, &i, (const unsigned char *)aad, (int)aad_len)) {
 		php_openssl_store_errors();
 		php_error_docref(NULL, E_WARNING, "Setting of additional application data failed");
 		return FAILURE;
diff --git a/ext/openssl/tests/gh20851.phpt b/ext/openssl/tests/gh20851_aad_empty.phpt
similarity index 90%
rename from ext/openssl/tests/gh20851.phpt
rename to ext/openssl/tests/gh20851_aad_empty.phpt
index d3dff888d2761..685e7dbb8f964 100644
--- a/ext/openssl/tests/gh20851.phpt
+++ b/ext/openssl/tests/gh20851_aad_empty.phpt
@@ -7,6 +7,7 @@ openssl
 $algo = 'aes-256-siv';
 $key = str_repeat('1', 64);
 $tag = '';
+$aad = '';
 $input = 'Hello world!';
 
 $ciphertext = openssl_encrypt(
@@ -15,7 +16,9 @@ $ciphertext = openssl_encrypt(
     $key,
     OPENSSL_RAW_DATA,
     '',      // IV is empty for this cipher in PHP
-    $tag     // gets filled with the SIV
+    $tag,     // gets filled with the SIV
+    $aad,
+    16
 );
 
 echo 'input: ' . $input . PHP_EOL;
@@ -29,7 +32,8 @@ $dec = openssl_decrypt(
     $key,
     OPENSSL_RAW_DATA,
     '',
-    $tag
+    $tag,
+    $aad
 );
 
 echo 'decrypted: ' . var_export($dec, true) . PHP_EOL;
diff --git a/ext/openssl/tests/gh20851_aad_null.phpt b/ext/openssl/tests/gh20851_aad_null.phpt
new file mode 100644
index 0000000000000..3528cd219c6cc
--- /dev/null
+++ b/ext/openssl/tests/gh20851_aad_null.phpt
@@ -0,0 +1,47 @@
+--TEST--
+openssl: AES-256-SIV AEAD tag and AAD roundtrip
+--EXTENSIONS--
+openssl
+--FILE--
+<?php
+$algo = 'aes-256-siv';
+$key = str_repeat('1', 64);
+$tag = '';
+$aad = null;
+$input = 'Hello world!';
+
+$ciphertext = openssl_encrypt(
+    'Hello world!',
+    $algo,
+    $key,
+    OPENSSL_RAW_DATA,
+    '', // IV is empty for this cipher in PHP
+    $tag, // gets filled with the SIV
+    $aad,
+    16
+);
+
+echo 'input: ' . $input . PHP_EOL;
+echo 'tag: ' . bin2hex($tag) . PHP_EOL;
+echo 'ciphertext: ' . bin2hex($ciphertext) . PHP_EOL;
+echo 'combined: ' . bin2hex($tag . $ciphertext) . PHP_EOL;
+
+$dec = openssl_decrypt(
+    $ciphertext,
+    $algo,
+    $key,
+    OPENSSL_RAW_DATA,
+    '',
+    $tag,
+    $aad
+);
+
+echo 'decrypted: ' . var_export($dec, true) . PHP_EOL;
+?>
+--EXPECTF--
+input: Hello world!
+tag: c06f0df087e2784c5560ce5d0b378311
+ciphertext: 72fffba74d7bc3ddcceeb6d1
+combined: c06f0df087e2784c5560ce5d0b37831172fffba74d7bc3ddcceeb6d1
+decrypted: 'Hello world!'
+

From ca12f45a76f3242953e7e27a9b64e509e9f518e2 Mon Sep 17 00:00:00 2001
From: Jordi Kroon <jkroon@onyourmarks.agency>
Date: Mon, 12 Jan 2026 20:07:15 +0100
Subject: [PATCH 3/5] Check for EVP_CIPH_SIV_MODE in switch

---
 ext/openssl/openssl_backend_common.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/ext/openssl/openssl_backend_common.c b/ext/openssl/openssl_backend_common.c
index 4885c63c7b893..60c303e0f5f36 100644
--- a/ext/openssl/openssl_backend_common.c
+++ b/ext/openssl/openssl_backend_common.c
@@ -1638,16 +1638,13 @@ void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EV
 	int cipher_mode = EVP_CIPHER_mode(cipher_type);
 	memset(mode, 0, sizeof(struct php_openssl_cipher_mode));
 
-	#if defined(EVP_CIPH_FLAG_AEAD_CIPHER)
-		if (EVP_CIPHER_flags(cipher_type) & EVP_CIPH_FLAG_AEAD_CIPHER) {
-			php_openssl_set_aead_flags(mode);
-		}
-	#endif
-
 	switch (cipher_mode) {
 		case EVP_CIPH_GCM_MODE:
 		case EVP_CIPH_CCM_MODE:
-		/* We check for EVP_CIPH_OCB_MODE, because LibreSSL does not support it. */
+		/* We check for EVP_CIPH_SIV_MODE and EVP_CIPH_SIV_MODE, because LibreSSL does not support it. */
+#ifdef EVP_CIPH_SIV_MODE
+		case EVP_CIPH_SIV_MODE:
+#endif
 #ifdef EVP_CIPH_OCB_MODE
 		case EVP_CIPH_OCB_MODE:
 			/* For OCB mode, explicitly set the tag length even when decrypting,

From 8ebc8fc3214c7d3c19fc0ac9bc823c5df1ad3e83 Mon Sep 17 00:00:00 2001
From: Jordi Kroon <jkroon@onyourmarks.agency>
Date: Tue, 13 Jan 2026 21:52:16 +0100
Subject: [PATCH 4/5] Update tests and introduce aad_supports_vector

---
 ext/openssl/openssl_backend_common.c       |  7 +++
 ext/openssl/php_openssl_backend.h          |  1 +
 ext/openssl/tests/cipher_tests.inc         | 53 ++++++++++++++++++++++
 ext/openssl/tests/gh20851_aad_empty.phpt   | 47 -------------------
 ext/openssl/tests/gh20851_aad_null.phpt    | 47 -------------------
 ext/openssl/tests/openssl_decrypt_siv.phpt | 43 ++++++++++++++++++
 ext/openssl/tests/openssl_encrypt_siv.phpt | 51 +++++++++++++++++++++
 7 files changed, 155 insertions(+), 94 deletions(-)
 delete mode 100644 ext/openssl/tests/gh20851_aad_empty.phpt
 delete mode 100644 ext/openssl/tests/gh20851_aad_null.phpt
 create mode 100644 ext/openssl/tests/openssl_decrypt_siv.phpt
 create mode 100644 ext/openssl/tests/openssl_encrypt_siv.phpt

diff --git a/ext/openssl/openssl_backend_common.c b/ext/openssl/openssl_backend_common.c
index 60c303e0f5f36..6bcd8c2beb03c 100644
--- a/ext/openssl/openssl_backend_common.c
+++ b/ext/openssl/openssl_backend_common.c
@@ -1644,6 +1644,7 @@ void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EV
 		/* We check for EVP_CIPH_SIV_MODE and EVP_CIPH_SIV_MODE, because LibreSSL does not support it. */
 #ifdef EVP_CIPH_SIV_MODE
 		case EVP_CIPH_SIV_MODE:
+			mode->aad_supports_vector = true;
 #endif
 #ifdef EVP_CIPH_OCB_MODE
 		case EVP_CIPH_OCB_MODE:
@@ -1795,6 +1796,12 @@ zend_result php_openssl_cipher_update(const EVP_CIPHER *cipher_type,
 {
 	int i = 0;
 
+	/* For AEAD modes that do not support vector AAD, treat NULL AAD as zero-length AAD */
+	if (!mode->aad_supports_vector && aad == NULL) {
+		aad_len = 0;
+		aad = "";
+	}
+
 	if (mode->is_single_run_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, NULL, (int)data_len)) {
 		php_openssl_store_errors();
 		php_error_docref(NULL, E_WARNING, "Setting of data length failed");
diff --git a/ext/openssl/php_openssl_backend.h b/ext/openssl/php_openssl_backend.h
index 00da5e74fc1b8..a111ddfeddee1 100644
--- a/ext/openssl/php_openssl_backend.h
+++ b/ext/openssl/php_openssl_backend.h
@@ -348,6 +348,7 @@ struct php_openssl_cipher_mode {
 	bool is_single_run_aead;
 	bool set_tag_length_always;
 	bool set_tag_length_when_encrypting;
+	bool aad_supports_vector;
 	int aead_get_tag_flag;
 	int aead_set_tag_flag;
 	int aead_ivlen_flag;
diff --git a/ext/openssl/tests/cipher_tests.inc b/ext/openssl/tests/cipher_tests.inc
index f543a42c9f45a..9d17e847bfa23 100644
--- a/ext/openssl/tests/cipher_tests.inc
+++ b/ext/openssl/tests/cipher_tests.inc
@@ -160,6 +160,59 @@ $php_openssl_cipher_tests = array(
             'ct'  => '1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1A0124B0A55BAE884ED93481529C76B6A',
         ),
     ),
+    'aes-128-siv' => array(
+        array(
+            'key' => 'fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0' .
+                     '0f0e0d0c0b0a09080706050403020100',
+            'iv'  => '',
+            'aad' => '',
+            'tag' => 'baba5b99dfc42fa9810fb2eb71ac2e9c',
+            'pt'  => 'b1677d933fa706f7ef349f9dd569c028' .
+                     '279a5e2219728e77cfe916d5db979942' .
+                     '5d8fb93b0e26dbc85ed14c050dc9f054' .
+                     'd9153c2be1e9b99ae7a109aba1e5a7f1' .
+                     'f2131786da90fe998d3571c144d066c3',
+            'ct'  => '91416054151e844965ad20a2057e2baa' .
+                     '0e785269b152ba9d4dc834777e0d5376' .
+                     'db611856ae0d5d826f446c8eef47acb4' .
+                     '83dccb37da9481648a4907fd3d65335b' .
+                     'd9585361c0c1834ac2b975f3238ea7c6',
+       ),
+       array(
+            'key' => 'fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0' .
+                     '0f0e0d0c0b0a09080706050403020100',
+            'iv'  => '',
+            'aad' => null,
+            'tag' => '606ac96568128a278b02e3e04de97b7e',
+            'pt'  => 'ea597a2f9fb0b5c4d5a6f215047b58a3' .
+                     '3d2c885bf67cbb09239239f5aecafd6f' .
+                     'd2401391154b024b05cd938b40fdc749' .
+                     'ebccb3f48a3156c0bad69cfc5035360d' .
+                     '21ad626dc866cc539f2d0e34b6824fc3',
+            'ct'  => '9c75fa0345b35e2d6cbcc91ed3fc7feb' .
+                     '84fea50c35766db0c847fb627385107b' .
+                     '4f257548d8b80ccd04261fa651fb89cc' .
+                     'e6815ecf0c8c4586ce68544ddce4c3af' .
+                     '01e9587282256569194b1dca788fd987',
+       ),
+       array(
+            'key' => 'fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0' .
+                     '0f0e0d0c0b0a09080706050403020100',
+            'iv'  => '',
+            'aad' => 'c0ef488e684e6fc95e0bd1da59861259',
+            'tag' => 'a24cd6dcc0791bd7719a7f4fcb16de81',
+            'pt'  => 'b1677d933fa706f7ef349f9dd569c028' .
+                     '279a5e2219728e77cfe916d5db979942' .
+                     '5d8fb93b0e26dbc85ed14c050dc9f054' .
+                     'd9153c2be1e9b99ae7a109aba1e5a7f1' .
+                     'f2131786da90fe998d3571c144d066c3',
+            'ct'  => 'ea597a2f9fb0b5c4d5a6f215047b58a3' .
+                     '3d2c885bf67cbb09239239f5aecafd6f' .
+                     'd2401391154b024b05cd938b40fdc749' .
+                     'ebccb3f48a3156c0bad69cfc5035360d' .
+                     '21ad626dc866cc539f2d0e34b6824fc3',
+       ),
+    ),
     'chacha20-poly1305' => array(
         array(
             'key' => '808182838485868788898a8b8c8d8e8f' .
diff --git a/ext/openssl/tests/gh20851_aad_empty.phpt b/ext/openssl/tests/gh20851_aad_empty.phpt
deleted file mode 100644
index 685e7dbb8f964..0000000000000
--- a/ext/openssl/tests/gh20851_aad_empty.phpt
+++ /dev/null
@@ -1,47 +0,0 @@
---TEST--
-openssl: AES-256-SIV AEAD tag and AAD roundtrip
---EXTENSIONS--
-openssl
---FILE--
-<?php
-$algo = 'aes-256-siv';
-$key = str_repeat('1', 64);
-$tag = '';
-$aad = '';
-$input = 'Hello world!';
-
-$ciphertext = openssl_encrypt(
-    'Hello world!',
-    $algo,
-    $key,
-    OPENSSL_RAW_DATA,
-    '',      // IV is empty for this cipher in PHP
-    $tag,     // gets filled with the SIV
-    $aad,
-    16
-);
-
-echo 'input: ' . $input . PHP_EOL;
-echo 'tag: ' . bin2hex($tag) . PHP_EOL;
-echo 'ciphertext: ' . bin2hex($ciphertext) . PHP_EOL;
-echo 'combined: ' . bin2hex($tag . $ciphertext) . PHP_EOL;
-
-$dec = openssl_decrypt(
-    $ciphertext,
-    $algo,
-    $key,
-    OPENSSL_RAW_DATA,
-    '',
-    $tag,
-    $aad
-);
-
-echo 'decrypted: ' . var_export($dec, true) . PHP_EOL;
-?>
---EXPECTF--
-input: Hello world!
-tag: f6c98e3e785947502a09994d2757f9c1
-ciphertext: a430a41a9bc089fa45ad27be
-combined: f6c98e3e785947502a09994d2757f9c1a430a41a9bc089fa45ad27be
-decrypted: 'Hello world!'
-
diff --git a/ext/openssl/tests/gh20851_aad_null.phpt b/ext/openssl/tests/gh20851_aad_null.phpt
deleted file mode 100644
index 3528cd219c6cc..0000000000000
--- a/ext/openssl/tests/gh20851_aad_null.phpt
+++ /dev/null
@@ -1,47 +0,0 @@
---TEST--
-openssl: AES-256-SIV AEAD tag and AAD roundtrip
---EXTENSIONS--
-openssl
---FILE--
-<?php
-$algo = 'aes-256-siv';
-$key = str_repeat('1', 64);
-$tag = '';
-$aad = null;
-$input = 'Hello world!';
-
-$ciphertext = openssl_encrypt(
-    'Hello world!',
-    $algo,
-    $key,
-    OPENSSL_RAW_DATA,
-    '', // IV is empty for this cipher in PHP
-    $tag, // gets filled with the SIV
-    $aad,
-    16
-);
-
-echo 'input: ' . $input . PHP_EOL;
-echo 'tag: ' . bin2hex($tag) . PHP_EOL;
-echo 'ciphertext: ' . bin2hex($ciphertext) . PHP_EOL;
-echo 'combined: ' . bin2hex($tag . $ciphertext) . PHP_EOL;
-
-$dec = openssl_decrypt(
-    $ciphertext,
-    $algo,
-    $key,
-    OPENSSL_RAW_DATA,
-    '',
-    $tag,
-    $aad
-);
-
-echo 'decrypted: ' . var_export($dec, true) . PHP_EOL;
-?>
---EXPECTF--
-input: Hello world!
-tag: c06f0df087e2784c5560ce5d0b378311
-ciphertext: 72fffba74d7bc3ddcceeb6d1
-combined: c06f0df087e2784c5560ce5d0b37831172fffba74d7bc3ddcceeb6d1
-decrypted: 'Hello world!'
-
diff --git a/ext/openssl/tests/openssl_decrypt_siv.phpt b/ext/openssl/tests/openssl_decrypt_siv.phpt
new file mode 100644
index 0000000000000..6fc299546e208
--- /dev/null
+++ b/ext/openssl/tests/openssl_decrypt_siv.phpt
@@ -0,0 +1,43 @@
+--TEST--
+openssl_decrypt() with SIV cipher algorithm tests
+--EXTENSIONS--
+openssl
+--SKIPIF--
+<?php
+if (!in_array('aes-128-siv', openssl_get_cipher_methods()))
+    die("skip: aes-128-siv not available");
+?>
+--FILE--
+<?php
+require_once __DIR__ . "/cipher_tests.inc";
+$method = 'aes-128-siv';
+$tests = openssl_get_cipher_tests($method);
+
+foreach ($tests as $idx => $test) {
+    echo "TEST $idx\n";
+    $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
+        $test['iv'], $test['tag'], $test['aad']);
+    var_dump($test['pt'] === $pt);
+}
+
+// failed because no AAD
+echo "TEST AAD\n";
+var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
+    $test['iv'], $test['tag']));
+// failed because wrong tag
+echo "TEST WRONGTAG\n";
+var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
+    $test['iv'], str_repeat('x', 16), $test['aad']));
+
+?>
+--EXPECTF--
+TEST 0
+bool(true)
+TEST 1
+bool(true)
+TEST 2
+bool(true)
+TEST AAD
+bool(false)
+TEST WRONGTAG
+bool(false)
diff --git a/ext/openssl/tests/openssl_encrypt_siv.phpt b/ext/openssl/tests/openssl_encrypt_siv.phpt
new file mode 100644
index 0000000000000..43a5c5b34b5ad
--- /dev/null
+++ b/ext/openssl/tests/openssl_encrypt_siv.phpt
@@ -0,0 +1,51 @@
+--TEST--
+openssl_encrypt() with SIV cipher algorithm tests
+--EXTENSIONS--
+openssl
+--SKIPIF--
+<?php
+if (!in_array('aes-128-siv', openssl_get_cipher_methods()))
+	die("skip: aes-128-siv not available");
+?>
+--FILE--
+<?php
+require_once __DIR__ . "/cipher_tests.inc";
+$method = 'aes-128-siv';
+$tests = openssl_get_cipher_tests($method);
+
+foreach ($tests as $idx => $test) {
+    echo "TEST $idx\n";
+    $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA,
+        $test['iv'], $tag, $test['aad'], strlen($test['tag']));
+    var_dump($test['ct'] === $ct);
+    var_dump($test['tag'] === $tag);
+}
+
+// Empty tag should not be equivalent to null tag
+echo "TEST AAD\n";
+var_dump(openssl_encrypt('data', $method, 'password', 0, '', $tag, '') !== openssl_encrypt('data', $method, 'password', 0, '', $tag, null));
+
+// Failing to retrieve tag (max is 16 bytes)
+var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 32), $tag, '', 20));
+
+// Failing when no tag supplied
+var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 32)));
+?>
+--EXPECTF--
+TEST 0
+bool(true)
+bool(true)
+TEST 1
+bool(true)
+bool(true)
+TEST 2
+bool(true)
+bool(true)
+TEST AAD
+bool(true)
+
+Warning: openssl_encrypt(): Retrieving verification tag failed in %s on line %d
+bool(false)
+
+Warning: openssl_encrypt(): A tag should be provided when using AEAD mode in %s on line %d
+bool(false)

From dd214a0be49cad7a4544320c623628f1a6ca5bbd Mon Sep 17 00:00:00 2001
From: Jordi Kroon <jkroon@onyourmarks.agency>
Date: Tue, 13 Jan 2026 22:03:02 +0100
Subject: [PATCH 5/5] Fix switch statement

---
 ext/openssl/openssl_backend_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/openssl/openssl_backend_common.c b/ext/openssl/openssl_backend_common.c
index 6bcd8c2beb03c..d9da0a4d514b9 100644
--- a/ext/openssl/openssl_backend_common.c
+++ b/ext/openssl/openssl_backend_common.c
@@ -1644,7 +1644,6 @@ void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EV
 		/* We check for EVP_CIPH_SIV_MODE and EVP_CIPH_SIV_MODE, because LibreSSL does not support it. */
 #ifdef EVP_CIPH_SIV_MODE
 		case EVP_CIPH_SIV_MODE:
-			mode->aad_supports_vector = true;
 #endif
 #ifdef EVP_CIPH_OCB_MODE
 		case EVP_CIPH_OCB_MODE:
@@ -1655,6 +1654,7 @@ void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EV
 			php_openssl_set_aead_flags(mode);
 			mode->set_tag_length_when_encrypting = cipher_mode == EVP_CIPH_CCM_MODE;
 			mode->is_single_run_aead = cipher_mode == EVP_CIPH_CCM_MODE;
+			mode->aad_supports_vector = cipher_mode == EVP_CIPH_SIV_MODE;
 			break;
 #ifdef NID_chacha20_poly1305
 		default: