> -----Original Message-----
> From: Victor Wagner [mailto:vi...@wagner.pp.ru]
...
> > The OFB and CFB cipher modes in OpenVPN have not been well-tested and
> > should be considered experimental at this point.
> >
> > They are not compiled by default mostly to prevent someone from
> > accidentally using them.
>
> Okay, you see there is some demand for this cipher.
>
> Can anybody explain why such a strange design decision is taken?
>
> As far as I know cryptography theory, there is absolutely no reason to
> prefer CBC to CFB or CNT.
...
I would suspect that the exclusion is due to:

A) in CFB/OFB/CNT, the encrypted stream is byte-bounded, as opposed to block-bounded. There may be some assumptions in the code that assume the cipher text is a multiple of block lengths. As such, it is...

B) not thoroughly tested, and the choice was made to not release it without such testing.

I'm curious as to why you want this support specifically, since these modes aren't really faster than CBC. Are you concerned about the padding?

-dave
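The length difference described in point A, as an added example that is not part of the thread and is not OpenVPN code: CBC with PKCS#7 padding always emits whole blocks, CFB emits exactly as many bytes as the plaintext, so a receive-side check written for CBC rejects CFB output. The toy Feistel block function `E`, the `block_aligned` check, and the key, IV and plaintext are all assumptions constructed for illustration.

```python
import hashlib

BLOCK = 16  # block size in bytes of the toy cipher below

def E(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation over SHA-256 (stand-in for a real block cipher)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC with PKCS#7 padding: output is always a whole number of blocks."""
    pad = BLOCK - len(pt) % BLOCK          # 1..BLOCK bytes, never zero
    pt += bytes([pad]) * pad
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = E(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cfb_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Full-block CFB: keystream is E(previous ciphertext block); no padding."""
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = xor(chunk, E(key, prev))     # last chunk may be shorter than BLOCK
        prev = chunk if decrypt else res   # feedback is always the ciphertext
        out += res
    return out

def block_aligned(ct: bytes) -> bool:
    """Hypothetical receive-side sanity check that only holds for CBC output."""
    return len(ct) > 0 and len(ct) % BLOCK == 0

def demo():
    # Constructed sample values; the fixed IV is only for a repeatable demo.
    key, iv = b"constructed-key", b"\x00" * BLOCK
    pt = b"21-byte sample packet"
    cbc, cfb = cbc_encrypt(key, iv, pt), cfb_crypt(key, iv, pt)
    return len(pt), len(cbc), len(cfb), block_aligned(cbc), block_aligned(cfb)

if __name__ == "__main__":
    print(demo())
```

CBC decryption is omitted because it needs the inverse of `E`; CFB uses only the forward direction for both encryption and decryption.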