The branch master has been updated via 3607b8ad8ee1980a079e985333a196e0c79f8f00 (commit) from 9567fd3819398c6be70508dd6316046da0955b71 (commit)
- Log ----------------------------------------------------------------- commit 3607b8ad8ee1980a079e985333a196e0c79f8f00 Author: Matt Caswell <m...@openssl.org> Date: Tue Nov 23 12:24:39 2021 +0000 Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs The restriction about setting a tag length prior to setting the IV only applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG can be called. Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17111) ----------------------------------------------------------------------- Summary of changes: doc/man3/EVP_EncryptInit.pod | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index f289a842a3..d37c60ba89 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -1300,18 +1300,20 @@ B<EVP_CTRL_AEAD_SET_TAG>. =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag) -Sets the expected tag to C<taglen> bytes from C<tag>. -The tag length can only be set before specifying an IV. +When decrypting, this call sets the expected tag to C<taglen> bytes from C<tag>. C<taglen> must be between 1 and 16 inclusive. +The tag must be set prior to any call to EVP_DecryptFinal() or +EVP_DecryptFinal_ex(). For GCM, this call is only valid when decrypting data. For OCB, this call is valid when decrypting data to set the expected tag, -and before encryption to set the desired tag length. +and when encrypting to set the desired tag length. -In OCB mode, calling this before encryption with C<tag> set to C<NULL> sets the -tag length. If this is not called prior to encryption, a default tag length is -used. +In OCB mode, calling this when encrypting with C<tag> set to C<NULL> sets the +tag length. The tag length can only be set before specifying an IV. If this is +not called prior to setting the IV during encryption, then a default tag length +is used. For OCB AES, the default tag length is 16 (i.e. 128 bits). It is also the maximum tag length for OCB.