Don't require tag before ciphertext in AESGCM mode

diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index e4d97dbebd7cb8e9aaf9998dd9f7115bb53cc435..1bfb5d92b340172c8e97ec8d391b9d3e757b60a7 100644 (file)
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -969,8 +969,6 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
        if (!gctx->iv_set)
                return -1;
-       if (!ctx->encrypt && gctx->taglen < 0)
-               return -1;
        if (in)
                {
                if (out == NULL)
@@ -1012,6 +1010,8 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                {
                if (!ctx->encrypt)
                        {
+                       if (gctx->taglen < 0)
+                               return -1;
                        if (CRYPTO_gcm128_finish(&gctx->gcm,
                                        ctx->buf, gctx->taglen) != 0)
                                return -1;