On 2009.06.01 at 07:45:13 -0500, dave wrote:

> I would suspect that the exclusion is due to:
> 
> A)  in CFB/OFB/CNT, the encrypted stream is byte-bounded, as opposed to
> block-bounded.  There may be some assumptions in the code that assume
> the cipher text is a multiple of block lengths.  As such, it is...

It is valid argument. Is there some quick way to find out suspicious
places in the code? Some amount of false positives is Ok.

> B)  not thoroughly tested, and the choice was made to not release it
> without such testing.

As far as I can see, openvpn can be thoroughly tested in automated
fashion. I have some test farm with half a hundred various OSes (Linux,
Windows, Solaris, FreeBSD on several architectures), and planning to 
do some openvpn testing for this platform anyway. 

If people would suggest me which things to test, I'll try to implement
it in the automated test environment.


> I'm curious as to why you want this support specifically, since these
> modes aren't really faster than CBC.  Are you concerned about the
> padding?

I've stated it clearly. There is no CBC in the Russian National Standard
for symmetric ciphers. CFB is standartized, CNT is standartized, CBC is
not. So, if I want my VPNs to be considered secure by goverment
certification authorites, I have to use CFB or CNT.



> 
> -dave
> 

Reply via email to