AES-GCM decrypt with OpenSSL 1.1.1 - when to set the tag?
Matt Caswell
matt at openssl.org
Tue Nov 23 12:33:28 UTC 2021
On 23/11/2021 10:49, Lynch, Andrew via openssl-users wrote:
> An external code review has now pointed out to us that we should set the
> tag before the IV, according to OpenSSL documentation.
>
> https://www.openssl.org/docs/man1.1.1/man3/EVP_CIPHER_CTX_ctrl.html#GCM-and-OCB-Modes
> <https://www.openssl.org/docs/man1.1.1/man3/EVP_CIPHER_CTX_ctrl.html#GCM-and-OCB-Modes>
>
> They must be referring to the sentence “The tag length can only be set
> before specifying an IV.” But what exactly does this mean?
> EVP_CTRL_AEAD_SET_TAG sets both the tag length and the value in a single
> call, unlike EVP_CTRL_AEAD_SET_IVLEN which only sets the IV length. We
> do not have the tag value until the end of the message has been received.
>
> I guess the sample code happens to work because 16 byte is the default
> tag size, so it is already “set” correctly before the IV is specified.
>
> How can we convince the reviewers that this is a non-issue?
This looks like an error in the docs to me. The restriction about
setting the tag length prior to specifying the IV is only relevant to
OCB mode. In OCB mode you must set the taglen (if it is different to the
default) prior to specifying the IV for both encryption and decryption.
When doing so you can just set the tag to NULL to indicate that you are
only specifying the taglen.
I've raised a PR to correct the docs here:
https://github.com/openssl/openssl/pull/17111
Hopefully that is sufficient to convince your reviewers.
Matt
More information about the openssl-users
mailing list