diff --git a/sys/crypto/aesni/aesni.h b/sys/crypto/aesni/aesni.h
index 0594176a452..3d5adec79ee 100644
--- a/sys/crypto/aesni/aesni.h
+++ b/sys/crypto/aesni/aesni.h
@@ -104,7 +104,7 @@ void AES_GCM_encrypt(const unsigned char *in, unsigned char *out,
     const unsigned char *key, int nr);
 int AES_GCM_decrypt(const unsigned char *in, unsigned char *out,
     const unsigned char *addt, const unsigned char *ivec,
-    unsigned char *tag, uint32_t nbytes, uint32_t abytes, int ibytes,
+    const unsigned char *tag, uint32_t nbytes, uint32_t abytes, int ibytes,
     const unsigned char *key, int nr);
 
 int aesni_cipher_setup_common(struct aesni_session *ses, const uint8_t *key,
diff --git a/sys/crypto/aesni/aesni_ghash.c b/sys/crypto/aesni/aesni_ghash.c
index f7be6c08975..54c8815ce01 100644
--- a/sys/crypto/aesni/aesni_ghash.c
+++ b/sys/crypto/aesni/aesni_ghash.c
@@ -528,7 +528,7 @@ AES_GCM_encrypt(const unsigned char *in, unsigned char *out,
 int
 AES_GCM_decrypt(const unsigned char *in, unsigned char *out,
 	const unsigned char *addt, const unsigned char *ivec,
-	unsigned char *tag, uint32_t nbytes, uint32_t abytes, int ibytes,
+	const unsigned char *tag, uint32_t nbytes, uint32_t abytes, int ibytes,
 	const unsigned char *key, int nr)
 {
 	int i, j ,k;
@@ -677,7 +677,7 @@ AES_GCM_decrypt(const unsigned char *in, unsigned char *out,
 	X = _mm_shuffle_epi8(X, BSWAP_MASK);
 	T = _mm_xor_si128(X, T);
 
-	if (!m128icmp(T, _mm_loadu_si128((__m128i*)tag)))
+	if (!m128icmp(T, _mm_loadu_si128((const __m128i*)tag)))
 		return 0; //in case the authentication failed
 
 	ctr1 = _mm_shuffle_epi8(Y, BSWAP_EPI64);