diff --git a/api/next/69445.txt b/api/next/69445.txt new file mode 100644 index 00000000000..b6b56265e80 --- /dev/null +++ b/api/next/69445.txt @@ -0,0 +1,3 @@ +pkg crypto/cipher, func NewCFBDecrypter //deprecated #69445 +pkg crypto/cipher, func NewCFBEncrypter //deprecated #69445 +pkg crypto/cipher, func NewOFB //deprecated #69445 diff --git a/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md b/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md new file mode 100644 index 00000000000..b3ef9dcc2a6 --- /dev/null +++ b/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md @@ -0,0 +1,5 @@ +[NewOFB], [NewCFBEncrypter], and [NewCFBDecrypter] are now deprecated. OFB and +CFB mode are not authenticated, which generally enables active attacks to +manipulate and recover the plaintext. It is recommended that applications use +[AEAD] modes instead. If an unauthenticated [Stream] mode is required, use +[NewCTR] instead. diff --git a/src/crypto/cipher/cfb.go b/src/crypto/cipher/cfb.go index b9f9efa5746..b493e05fe27 100644 --- a/src/crypto/cipher/cfb.go +++ b/src/crypto/cipher/cfb.go @@ -54,6 +54,12 @@ func (x *cfb) XORKeyStream(dst, src []byte) { // NewCFBEncrypter returns a [Stream] which encrypts with cipher feedback mode, // using the given [Block]. The iv must be the same length as the [Block]'s block // size. +// +// Deprecated: CFB mode is not authenticated, which generally enables active +// attacks to manipulate and recover the plaintext. It is recommended that +// applications use [AEAD] modes instead. The standard library implementation of +// CFB is also unoptimized and not validated as part of the FIPS 140-3 module. +// If an unauthenticated [Stream] mode is required, use [NewCTR] instead. func NewCFBEncrypter(block Block, iv []byte) Stream { if fips140only.Enabled { panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode") @@ -64,6 +70,12 @@ func NewCFBEncrypter(block Block, iv []byte) Stream { // NewCFBDecrypter returns a [Stream] which decrypts with cipher feedback mode, // using the given [Block]. The iv must be the same length as the [Block]'s block // size. +// +// Deprecated: CFB mode is not authenticated, which generally enables active +// attacks to manipulate and recover the plaintext. It is recommended that +// applications use [AEAD] modes instead. The standard library implementation of +// CFB is also unoptimized and not validated as part of the FIPS 140-3 module. +// If an unauthenticated [Stream] mode is required, use [NewCTR] instead. func NewCFBDecrypter(block Block, iv []byte) Stream { if fips140only.Enabled { panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode") diff --git a/src/crypto/cipher/ofb.go b/src/crypto/cipher/ofb.go index abdc0225c01..8db5659f7a2 100644 --- a/src/crypto/cipher/ofb.go +++ b/src/crypto/cipher/ofb.go @@ -22,6 +22,12 @@ type ofb struct { // NewOFB returns a [Stream] that encrypts or decrypts using the block cipher b // in output feedback mode. The initialization vector iv's length must be equal // to b's block size. +// +// Deprecated: OFB mode is not authenticated, which generally enables active +// attacks to manipulate and recover the plaintext. It is recommended that +// applications use [AEAD] modes instead. The standard library implementation of +// OFB is also unoptimized and not validated as part of the FIPS 140-3 module. +// If an unauthenticated [Stream] mode is required, use [NewCTR] instead. func NewOFB(b Block, iv []byte) Stream { if fips140only.Enabled { panic("crypto/cipher: use of OFB is not allowed in FIPS 140-only mode")