author | lloyd <[email protected]> | 2013-08-26 18:33:42 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2013-08-26 18:33:42 +0000 |
commit | 7184de2b5dd729bcbf5a6e53feb872cc3c4a1452 (patch) | |
tree | 532cb15763129961096ab4cce70c4e371c5e1d20 /src | |
parent | 0c12b45be415c12c43552adb710179e3c6498085 (diff) |
Support 64 and 96 bit tags in OCB, using the nonce formatting rule
added in the latest CFRG internet draft.
Diffstat (limited to 'src')
-rw-r--r-- | src/modes/aead/ocb/ocb.cpp | 3 | ||||
-rw-r--r-- | src/modes/aead/ocb/ocb.h | 2 |
2 files changed, 3 insertions, 2 deletions
diff --git a/src/modes/aead/ocb/ocb.cpp b/src/modes/aead/ocb/ocb.cpp
index 34ea4b9ad..fd66bb2e9 100644
--- a/src/modes/aead/ocb/ocb.cpp
+++ b/src/modes/aead/ocb/ocb.cpp
@@ -130,7 +130,7 @@ OCB_Mode::OCB_Mode(BlockCipher* cipher, size_t tag_size) :
 throw std::invalid_argument("OCB requires a 128 bit cipher so cannot be used with " + m_cipher->name());
- if(m_tag_size != 16) // fixme: 64, 96 bits also supported
+ if(m_tag_size != 8 && m_tag_size != 12 && m_tag_size != 16)
 throw std::invalid_argument("OCB cannot produce a " + std::to_string(m_tag_size) + " byte tag");
@@ -188,6 +188,7 @@ OCB_Mode::update_nonce(const byte nonce[], size_t nonce_len)
 secure_vector<byte> nonce_buf(BS);
 copy_mem(&nonce_buf[BS - nonce_len], nonce, nonce_len);
+ nonce_buf[0] = ((tag_size() * 8) % 128) << 1;
 nonce_buf[BS - nonce_len - 1] = 1;
 const byte bottom = nonce_buf[15] & 0x3F;
diff --git a/src/modes/aead/ocb/ocb.h b/src/modes/aead/ocb/ocb.h
index 9eb40e2cf..b4f24f281 100644
--- a/src/modes/aead/ocb/ocb.h
+++ b/src/modes/aead/ocb/ocb.h
@@ -22,7 +22,7 @@ class L_computer;
 * that OCB is patented, but is freely licensed in some circumstances.
 *
 * @see "The OCB Authenticated-Encryption Algorithm" internet draft
- http://tools.ietf.org/html/draft-irtf-cfrg-ocb-01
+ http://tools.ietf.org/html/draft-irtf-cfrg-ocb-03
 * @see Free Licenses http://www.cs.ucdavis.edu/~rogaway/ocb/license.htm
 * @see OCB home page http://www.cs.ucdavis.edu/~rogaway/ocb
 */ |
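Review bot: The new tag-size check in the constructor compares byte counts, while the removed fixme and the commit message speak of bits, and nothing at the check says the accepted value is also encoded into the nonce block by update_nonce(). I would add a comment above the `if`, for example `// tag size in bytes (64, 96 or 128 bits); update_nonce() encodes it into the first byte of the nonce block`. An 8-byte tag gives a correspondingly weaker forgery bound, so that is worth stating in the tag_size parameter documentation in ocb.h if it is not already there. The constructor body starts and ends outside the hunk.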
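Review bot: When nonce_len is 15, the context line `nonce_buf[BS - nonce_len - 1] = 1;` writes to index 0 and overwrites the tag-length bits that the added `nonce_buf[0] = ...` line stored just before it. Every tag size would then produce the same nonce block, so the tag-length separation this change introduces is lost and the output would not match the draft's formatting. Whether a 15-byte nonce can reach this point depends on the nonce-length check, which is outside the hunk; if it can, the marker should be OR-ed in rather than assigned, `nonce_buf[BS - nonce_len - 1] |= 1;`. The added line also narrows a size_t expression into a byte implicitly, and an explicit `static_cast<byte>(...)` would make the intent clear. update_nonce's body starts and ends outside the hunk.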