From ce63c22761498ce7d02c4d9d8221ee28755cfa80 Mon Sep 17 00:00:00 2001
From: Cedric Staub
Date: Mon, 19 Nov 2018 17:35:09 -0800
Subject: [PATCH] Fix issue #206

The auth tag len for AES-CBC+HMAC algorithms should match the key size, see RFC 7518 Section 5.2.4 and Section 5.2.5. Unfortunately this will (as-is) cause problems with decrypting AES-CBC+HMAC ciphertexts that were encrypted with this library that used 192-bit and 256-bit key sizes. A future pull request could add a flag to add some sort of compabitility flag to allow for decryption to continue working for those cases.
---
 symmetric.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/symmetric.go b/symmetric.go
index 09b63cef..b6047fc7 100644
--- a/symmetric.go
+++ b/symmetric.go
@@ -103,7 +103,7 @@ func newAESGCM(keySize int) contentCipher {
 func newAESCBC(keySize int) contentCipher {
 return &aeadContentCipher{
 keyBytes: keySize * 2,
- authtagBytes: 16,
+ authtagBytes: keySize,
 getAead: func(key []byte) (cipher.AEAD, error) {
 return josecipher.NewCBCHMAC(key, aes.NewCipher)
 },
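Review bot: The new `authtagBytes: keySize` line carries no comment explaining why the tag length equals the AES key size, and the hunk adds no test pinning it, so the next reader could plausibly "fix" it back to 16; a one-line comment on the changed line such as `// RFC 7518 §5.2.3–5.2.5: T_LEN equals the AES key size (16/24/32), i.e. the HMAC output truncated to half` would settle that. The value presumably has to agree with what the AEAD returned by josecipher.NewCBCHMAC reports via Overhead() for the same key, so a small test that seals with each of the three key sizes and asserts the split tag has length equal to aead.Overhead(), or checks the AES_CBC_HMAC_SHA2 known-answer vectors in RFC 7518 Appendix B, would catch future drift between the two places. Since the commit message already records that ciphertexts produced by the old code for 192- and 256-bit keys will no longer decrypt, a short note at this line that the break is intentional would help anyone bisecting a decryption failure. The rest of newAESCBC's struct literal continues beyond the end of the hunk.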