On 23/11/2021 10:49, Lynch, Andrew via openssl-users wrote:
An external code review has now pointed out to us that we should set the
tag before the IV, according to OpenSSL documentation.
https://www.openssl.org/docs/man1.1.1/man3/EVP_CIPHER_CTX_ctrl.html#GCM-and-OCB-Modes
<https://www.openssl.org/docs/man1.1.1/man3/EVP_CIPHER_CTX_ctrl.html#GCM-and-OCB-Modes>
They must be referring to the sentence “The tag length can only be set
before specifying an IV.” But what exactly does this mean?
EVP_CTRL_AEAD_SET_TAG sets both the tag length and the value in a single
call, unlike EVP_CTRL_AEAD_SET_IVLEN which only sets the IV length. We
do not have the tag value until the end of the message has been received.
I guess the sample code happens to work because 16 byte is the default
tag size, so it is already “set” correctly before the IV is specified.
How can we convince the reviewers that this is a non-issue?
This looks like an error in the docs to me. The restriction about
setting the tag length prior to specifying the IV is only relevant to
OCB mode. In OCB mode you must set the taglen (if it is different to the
default) prior to specifying the IV for both encryption and decryption.
When doing so you can just set the tag to NULL to indicate that you are
only specifying the taglen.
I've raised a PR to correct the docs here:
https://github.com/openssl/openssl/pull/17111
Hopefully that is sufficient to convince your reviewers.
Matt
