1 files changed, 16 insertions, 14 deletions

diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py
index 189cb5b1..e2c5e381 100644
--- a/src/cryptography/hazmat/primitives/ciphers/aead.py
+++ b/src/cryptography/hazmat/primitives/ciphers/aead.py
@@ -56,12 +56,20 @@ class ChaCha20Poly1305(object):
 
 
 class AESCCM(object):
-    def __init__(self, key):
+    def __init__(self, key, tag_length=16):
         utils._check_bytes("key", key)
         if len(key) not in (16, 24, 32):
             raise ValueError("AESCCM key must be 128, 192, or 256 bits.")
 
         self._key = key
+        if not isinstance(tag_length, int):
+            raise TypeError("tag_length must be an integer")
+
+        if tag_length not in (4, 6, 8, 12, 14, 16):
+            raise ValueError("Invalid tag_length")
+
+        self._tag_length = tag_length
+
         if not backend.aead_cipher_supported(self):
             raise exceptions.UnsupportedAlgorithm(
                 "AESCCM is not supported by this version of OpenSSL",
@@ -78,23 +86,23 @@ class AESCCM(object):
 
         return os.urandom(bit_length // 8)
 
-    def encrypt(self, nonce, data, associated_data, tag_length=16):
+    def encrypt(self, nonce, data, associated_data):
         if associated_data is None:
             associated_data = b""
 
-        self._check_params(nonce, data, associated_data, tag_length)
+        self._check_params(nonce, data, associated_data)
         self._validate_lengths(nonce, len(data))
         return aead._encrypt(
-            backend, self, nonce, data, associated_data, tag_length
+            backend, self, nonce, data, associated_data, self._tag_length
         )
 
-    def decrypt(self, nonce, data, associated_data, tag_length=16):
+    def decrypt(self, nonce, data, associated_data):
         if associated_data is None:
             associated_data = b""
 
-        self._check_params(nonce, data, associated_data, tag_length)
+        self._check_params(nonce, data, associated_data)
         return aead._decrypt(
-            backend, self, nonce, data, associated_data, tag_length
+            backend, self, nonce, data, associated_data, self._tag_length
         )
 
     def _validate_lengths(self, nonce, data_len):
@@ -104,13 +112,7 @@ class AESCCM(object):
         if 2 ** (8 * l) < data_len:
             raise ValueError("Nonce too long for data")
 
-    def _check_params(self, nonce, data, associated_data, tag_length):
-        if not isinstance(tag_length, int):
-            raise TypeError("tag_length must be an integer")
-
-        if tag_length not in (4, 6, 8, 12, 14, 16):
-            raise ValueError("Invalid tag_length")
-
+    def _check_params(self, nonce, data, associated_data):
         utils._check_bytes("nonce", nonce)
         utils._check_bytes("data", data)
         utils._check_bytes("associated_data", associated_data)