AES-GCM decrypt with OpenSSL 1.1.1 - when to set the tag?

Lynch, Andrew andrew.lynch at
Tue Nov 23 10:49:52 UTC 2021


We have an application that uses OpenSSL 1.1.1k to receive AES256-GCM encrypted messages.  The streamed data starts with a  12 byte IV, then the ciphertext and ends with the 16 byte tag.  Our decryption code is based directly on the sample code in the Wiki and the distribution.

First call EVP_DecryptInit_ex, set the IV length, provide key and IV.  Some number of EVP_DecryptUpdate calls.  Finally set the tag and call EVP_DecryptFinal_ex.

An external code review has now pointed out to us that we should set the tag before the IV, according to OpenSSL documentation.

They must be referring to the sentence "The tag length can only be set before specifying an IV."  But what exactly does this mean?  EVP_CTRL_AEAD_SET_TAG sets both the tag length and the value in a single call, unlike EVP_CTRL_AEAD_SET_IVLEN which only sets the IV length.  We do not have the tag value until the end of the message has been received.

I guess the sample code happens to work because 16 byte is the default tag size, so it is already "set" correctly before the IV is specified.

How can we convince the reviewers that this is a non-issue?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list