crypto: fix crash in CCM mode without data
OpenSSL requires calling the update function exactly once in CCM mode, and EVP_CTRL_AEAD_GET_TAG
will fail if that doesn't happen. We do protect against calling the update function too many times, but calling it zero times isn't really a valid use case, so we never checked that.