On 2009.06.01 at 07:45:13 -0500, dave wrote: > I would suspect that the exclusion is due to: > > A) in CFB/OFB/CNT, the encrypted stream is byte-bounded, as opposed to > block-bounded. There may be some assumptions in the code that assume > the cipher text is a multiple of block lengths. As such, it is...
It is valid argument. Is there some quick way to find out suspicious places in the code? Some amount of false positives is Ok. > B) not thoroughly tested, and the choice was made to not release it > without such testing. As far as I can see, openvpn can be thoroughly tested in automated fashion. I have some test farm with half a hundred various OSes (Linux, Windows, Solaris, FreeBSD on several architectures), and planning to do some openvpn testing for this platform anyway. If people would suggest me which things to test, I'll try to implement it in the automated test environment. > I'm curious as to why you want this support specifically, since these > modes aren't really faster than CBC. Are you concerned about the > padding? I've stated it clearly. There is no CBC in the Russian National Standard for symmetric ciphers. CFB is standartized, CNT is standartized, CBC is not. So, if I want my VPNs to be considered secure by goverment certification authorites, I have to use CFB or CNT. > > -dave >
