doc: warn about short GCM tags visibly

As was pointed out by Félix Charette (@Sideni), the existing runtime
deprecation warning may not provide enough visibility of the underlying
issue. This commit adds a (not so pretty) warning to the documentation
of the relevant API function `setAuthTag()`. The warning will be removed
when `DEP0182` will be moved to End-of-Life status, presumably with the
next major release.

Refs: #52327
Refs: #17523

Author: tniessen

doc/api/crypto.md

@@ -962,6 +962,14 @@ for `CCM` mode or before [`decipher.final()`][] for `GCM` and `OCB` modes and
 `chacha20-poly1305`.
 `decipher.setAuthTag()` can only be called once.
 
+Because the `node:crypto` module was originally designed to closely mirror
+OpenSSL's behavior, this function permits short GCM authentication tags unless
+an explicit authentication tag length was passed to
+[`crypto.createDecipheriv()`][] when the `decipher` object was created. This
+behavior is deprecated and subject to change (see [DEP0182][]). <strong class="critical">In the meantime, applications should either set the
+`authTagLength` option when calling `createDecipheriv()` or check the actual
+authentication tag length before passing it to `setAuthTag()`.</strong>
+
 When passing a string as the authentication tag, please consider
 [caveats when using strings as inputs to cryptographic APIs][].
 
@@ -6508,6 +6516,7 @@ See the [list of SSL OP Flags][] for details.
 [CVE-2021-44532]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
 [Caveats]: #support-for-weak-or-compromised-algorithms
 [Crypto constants]: #crypto-constants
+[DEP0182]: deprecations.md#dep0182-short-gcm-authentication-tags-without-explicit-authtaglength
 [FIPS module configuration file]: https://www.openssl.org/docs/man3.0/man5/fips_config.html
 [FIPS provider from OpenSSL 3]: https://www.openssl.org/docs/man3.0/man7/crypto.html#FIPS-provider
 [HTML 5.2]: https://www.w3.org/TR/html52/changes.html#features-removed