Dr. Stephen Henson wrote (on Wed 21-Jan-2015 at 14:53 +0000):
> On Tue, Jan 20, 2015, 'Chris Hall' wrote:
...
> > I find that the EVP_aes_256_gcm for decrypt requires the Tag to be
> > set before the first call of EVP_DecryptUpdate(), and
> > EVP_DecryptFinal_ex() will then return 0 if the Tag is found to
> > be incorrect.

> Unless you're using an old version of OpenSSL you should be able to
> specify the tag after any EVP_DecryptUpdate calls but it still has to
> be before EVP_DecryptFinal().
>
> This was addressed by commit 96f7fafa24313106b121782f1dcf7928dd0838ed

Thanks.

It's very kind of EVP_DecryptFinal() to check the Tag, but I could do
with a way of getting hold of the Tag generated.

In particular, I want to append a signed copy of the Tag to the message,
so the receiver may not even know what the Tag is.

I suppose I could send the Tag between the encrypted message and the
trailing signature, but I don't particularly want to reveal the Tag.
Also, this is messing with the message format to fit the library!

Thanks,

Chris