crypto/cipher: deprecate NewOFB, NewCFBDecrypter, and NewCFBEncrypter

Updates #69445

Change-Id: Ie9cd13d65f1f989f24731f8b09bbc5124873549f
Reviewed-on: https://go-review.googlesource.com/c/go/+/631019
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>

diff --git a/api/next/69445.txt b/api/next/69445.txt
new file mode 100644 (file)
index 0000000..b6b5626
--- /dev/null
+++ b/api/next/69445.txt
@@ -0,0 +1,3 @@
+pkg crypto/cipher, func NewCFBDecrypter //deprecated #69445
+pkg crypto/cipher, func NewCFBEncrypter //deprecated #69445
+pkg crypto/cipher, func NewOFB //deprecated #69445

diff --git a/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md b/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md
new file mode 100644 (file)
index 0000000..b3ef9dc
--- /dev/null
+++ b/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md
@@ -0,0 +1,5 @@
+[NewOFB], [NewCFBEncrypter], and [NewCFBDecrypter] are now deprecated. OFB and
+CFB mode are not authenticated, which generally enables active attacks to
+manipulate and recover the plaintext. It is recommended that applications use
+[AEAD] modes instead. If an unauthenticated [Stream] mode is required, use
+[NewCTR] instead.

diff --git a/src/crypto/cipher/cfb.go b/src/crypto/cipher/cfb.go
index b9f9efa574679fafbe751ad81f0e7aeb7cc67fee..b493e05fe27ce59fc7654fcd2a10143689ef1300 100644 (file)
--- a/src/crypto/cipher/cfb.go
+++ b/src/crypto/cipher/cfb.go
@@ -54,6 +54,12 @@ func (x *cfb) XORKeyStream(dst, src []byte) {
 // NewCFBEncrypter returns a [Stream] which encrypts with cipher feedback mode,
 // using the given [Block]. The iv must be the same length as the [Block]'s block
 // size.
+//
+// Deprecated: CFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// CFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewCFBEncrypter(block Block, iv []byte) Stream {
        if fips140only.Enabled {
                panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")
@@ -64,6 +70,12 @@ func NewCFBEncrypter(block Block, iv []byte) Stream {
 // NewCFBDecrypter returns a [Stream] which decrypts with cipher feedback mode,
 // using the given [Block]. The iv must be the same length as the [Block]'s block
 // size.
+//
+// Deprecated: CFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// CFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewCFBDecrypter(block Block, iv []byte) Stream {
        if fips140only.Enabled {
                panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")

diff --git a/src/crypto/cipher/ofb.go b/src/crypto/cipher/ofb.go
index abdc0225c01663763500c21ae22d232f250b6762..8db5659f7a25ca9c57baa70db267c0d09d5c90d1 100644 (file)
--- a/src/crypto/cipher/ofb.go
+++ b/src/crypto/cipher/ofb.go
@@ -22,6 +22,12 @@ type ofb struct {
 // NewOFB returns a [Stream] that encrypts or decrypts using the block cipher b
 // in output feedback mode. The initialization vector iv's length must be equal
 // to b's block size.
+//
+// Deprecated: OFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// OFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewOFB(b Block, iv []byte) Stream {
        if fips140only.Enabled {
                panic("crypto/cipher: use of OFB is not allowed in FIPS 140-only mode")