prose updates for GCM tag
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 9697a4a..b0ea96e 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -320,8 +320,8 @@
             assert res != 0
             if operation == self._DECRYPT:
                 if not mode.tag or len(mode.tag) < 4:
-                    raise ValueError("Authentication tag must be provided "
-                                     "and 4 bytes or longer when decrypting")
+                    raise ValueError("Authentication tag must be provided and "
+                                     "be 4 bytes or longer when decrypting")
                 res = self._backend.lib.EVP_CIPHER_CTX_ctrl(
                     ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG,
                     len(mode.tag), mode.tag
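Review bot: The guard `if not mode.tag or len(mode.tag) < 4:` enforces only a 4-byte floor, so the tag length verified on decryption is whatever `len(mode.tag)` the caller hands to `EVP_CIPHER_CTX_ctrl`. If an application forwards a tag taken from the incoming message without checking its length, a truncated tag is accepted and the authentication strength drops to that length (32 bits at the minimum). A comment above the check would make the caller's duty explicit, for example `# Only the 4-byte floor is enforced here; callers must compare len(tag) with the length they expect.` Separately, `assert res != 0` (presumably guarding an OpenSSL return value set above the hunk) is stripped under `python -O`, so an explicit `raise` would be safer. The enclosing method starts and ends outside this hunk.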
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index 85d7d5b..f009bb7 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -354,10 +354,12 @@
 
     .. note::
 
-        `NIST SP-800-38D`_ recommends that GCM tags be 128, 120, 122, 104, or
-        96-bits in length. Tags are shortened by truncating bytes. Longer tags
-        provide better security margins. If you must shorten the tag the minimum
-        allowed length is 4 bytes (32 bits).
+        Cryptography will emit a 128-bit tag when finalizing encryption.
+        You can shorten a tag by truncating it to the desired length, but this
+        is **not recommended** as it lowers the security margins of the
+        authentication (`NIST SP-800-38D`_ recommends 96-bit or greater).
+        If you must shorten the tag the minimum allowed length is 4 bytes
+        (32 bit).
 
     :param bytes tag: The tag bytes to verify during decryption. When encrypting
                       this must be None.