crypto/cipher: deprecate NewOFB, NewCFBDecrypter, and NewCFBEncrypter

Updates #69445 Change-Id: Ie9cd13d65f1f989f24731f8b09bbc5124873549f Reviewed-on: https://go-review.googlesource.com/c/go/+/631019 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Bypass: Filippo Valsorda <filippo@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org>
golang · Nov 22, 2024 · de76c0d · de76c0d
1 parent 4b7f7cd
commit de76c0d
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 0 deletions.
diff --git a/api/next/69445.txt b/api/next/69445.txt
@@ -0,0 +1,3 @@
+pkg crypto/cipher, func NewCFBDecrypter //deprecated #69445
+pkg crypto/cipher, func NewCFBEncrypter //deprecated #69445
+pkg crypto/cipher, func NewOFB //deprecated #69445
diff --git a/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md b/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md
@@ -0,0 +1,5 @@
+[NewOFB], [NewCFBEncrypter], and [NewCFBDecrypter] are now deprecated. OFB and
+CFB mode are not authenticated, which generally enables active attacks to
+manipulate and recover the plaintext. It is recommended that applications use
+[AEAD] modes instead. If an unauthenticated [Stream] mode is required, use
+[NewCTR] instead.
diff --git a/src/crypto/cipher/cfb.go b/src/crypto/cipher/cfb.go
@@ -54,6 +54,12 @@ func (x *cfb) XORKeyStream(dst, src []byte) {
 // NewCFBEncrypter returns a [Stream] which encrypts with cipher feedback mode,
 // using the given [Block]. The iv must be the same length as the [Block]'s block
 // size.
+//
+// Deprecated: CFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// CFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewCFBEncrypter(block Block, iv []byte) Stream {
 	if fips140only.Enabled {
 		panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")
@@ -64,6 +70,12 @@ func NewCFBEncrypter(block Block, iv []byte) Stream {
 // NewCFBDecrypter returns a [Stream] which decrypts with cipher feedback mode,
 // using the given [Block]. The iv must be the same length as the [Block]'s block
 // size.
+//
+// Deprecated: CFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// CFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewCFBDecrypter(block Block, iv []byte) Stream {
 	if fips140only.Enabled {
 		panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")

diff --git a/src/crypto/cipher/ofb.go b/src/crypto/cipher/ofb.go
@@ -22,6 +22,12 @@ type ofb struct {
 // NewOFB returns a [Stream] that encrypts or decrypts using the block cipher b
 // in output feedback mode. The initialization vector iv's length must be equal
 // to b's block size.
+//
+// Deprecated: OFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// OFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewOFB(b Block, iv []byte) Stream {
 	if fips140only.Enabled {
 		panic("crypto/cipher: use of OFB is not allowed in FIPS 140-only mode")