[openssl-dev] GCM tag in manual and examples

[Dr. Stephen Henson]

On Tue, Aug 22, 2017, Lukasz Kostyra wrote:

> Hello,
> 
> I've been trying recently to work with OpenSSL and use it to encrypt and
> decrypt data with AES cipher in GCM mode. While reading the documentation, I
> noticed an inconsistency between example code and manual.
> 
> My concern is the function used to set GCM tag when decrypting some data. In
> current version of the manual[1] it is written that EVP_CIPHER_CTX_ctrl
> function with EVP_CTRL_GCM_SET_TAG argument can be legally used only before
> any data is processed by OpenSSL - "Sets the expected tag to taglen bytes
> from tag. This call is only legal when decrypting data and must be made
> before any data is processed (e.g. before any EVP_DecryptUpdate() call).
> 
> However, looking at an example code on wiki[2] it appears that user can set
> a tag after calls to EVP_DecryptUpdate. The tag must be set only before
> calling EVP_DecryptFinal, which according how to GCM mode works should be a
> correct behavior. Running an example code confirms, that user doesn't have
> to set the tag before any processing calls, only before EVP_DecryptFinal.
> 
> This inconsistency was checked in 1.0.2, but appearently it appears on 1.1.0
> and on master documentation as well (with EVP_CTRL macro being different, as
> it also involves OCB mode now). Is it just a case of missing correction in
> documentation? Or maybe the documentation is correct, but there is a bug in
> OpenSSL?
> 

It's a bug in the documentation. The code used to require the tag first but
that was fixed but the documentation wasn't.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org