When decrypting using OCB mode, setting a custom tag size fails unless EVP_CTRL_AEAD_SET_TAG is called twice (first with NULL, and then the second time with the actual tag buffer).

This fails unexpectedly when decrypting:

assert(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_size, tag));

This succeeds when decrypting:

assert(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_size, NULL));
assert(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_size, tag));

The documentation indicates that this double call should only be necessary when encrypting, not when decrypting:

In OCB mode, calling this before encryption with tag set to NULL sets
the tag length. If this is not called prior to encryption, a default tag
length is used.

I think this is probably a bug?