On 7/10/19 7:46 PM, Eric Biggers wrote:
>
> The generic implementation allows authentication tags of 4, 8, 12, 13, 14, 15,
> or 16 bytes. See crypto_gcm_setauthsize() in crypto/gcm.c, and see
> https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
> section 5.2.1.2 "Output Data". If you disagree that this is the correct
> behavior, then we need to fix the generic implementation too.

It's been a while, and the refresher was needed, and is appreciated. Our device
only allows 16 byte tags. So I have to figure out how to set up the driver to
expose/enforce that limitation. That's where we go awry.

Thanks much!