Is it legal to set the tag using EVP_CTRL_GCM_SET_TAG after the calls to EVP_DecryptUpdate? This would be convenient for example if the incoming ciphertext is being streamed, and the tag is located at the end of the stream.
Its hard to say at the moment, but I am guessing NO. From OpenSSL's wiki page EVP Authenticated Encryption and Decryption:
The tag verify is performed when you call the final EVP_DecryptUpdate and is reflected by the return value: there is no call to EVP_DecryptFinal.
GCM is an online mode, meaning you can stream it. However, the EVP interfaces are generic and they support other authenticated encryption modes, like CCM. CCM mode requires the size of the tag in advance because its used to format the header. CCM is an offline mode because the size of the tag a plain text needs to be known in advance. I'm making the leap that CCM restricts all other similar modes.
Also, OpenSSL is a SSL/TLS library, and not a general purpose crypto library. TLS negotiates the cipher suite and tag length as part of the handshake protocol. TLS does not have the use case you describe, so there's no operational requirement for OpenSSL to support it.
Related, the "OpenSSL is a SSL/TLS library" is the reason some goodies are sometimes missing from the library. Its a governance issue.
Related question: is EVP_CTRL_GCM_SET_TAG officially documented somewhere?
This answer to this question is NO:
$ cd openssl-src
$ grep -IR EVP_CTRL_GCM_SET_TAG *
include/openssl/evp.h:# define EVP_CTRL_GCM_SET_TAG EVP_CTRL_AEAD_SET_TAG
$
IF EVP_CTRL_GCM_SET_TAG was documented, then you would see a hit with the file extension *.pod. The pod files are the sources for the man pages.
But there is some wiki documentation from above. Matt Caswell wrote it and he is one of the OpenSSL devs. Though the man pages are the official documentation, the wiki is just as good in this instance.
