crypto/cipher: deprecate NewOFB, NewCFBDecrypter, and NewCFBEncrypter

Updates #69445

Change-Id: Ie9cd13d65f1f989f24731f8b09bbc5124873549f
Reviewed-on: https://go-review.googlesource.com/c/go/+/631019
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>

api/next/69445.txt

@@ -0,0 +1,3 @@
+pkg crypto/cipher, func NewCFBDecrypter //deprecated #69445
+pkg crypto/cipher, func NewCFBEncrypter //deprecated #69445
+pkg crypto/cipher, func NewOFB //deprecated #69445

doc/next/6-stdlib/99-minor/crypto/cipher/69445.md

@@ -0,0 +1,5 @@
+[NewOFB], [NewCFBEncrypter], and [NewCFBDecrypter] are now deprecated. OFB and
+CFB mode are not authenticated, which generally enables active attacks to
+manipulate and recover the plaintext. It is recommended that applications use
+[AEAD] modes instead. If an unauthenticated [Stream] mode is required, use
+[NewCTR] instead.

src/crypto/cipher/cfb.go

@@ -54,6 +54,12 @@ func (x *cfb) XORKeyStream(dst, src []byte) {
 // NewCFBEncrypter returns a [Stream] which encrypts with cipher feedback mode,
 // using the given [Block]. The iv must be the same length as the [Block]'s block
 // size.
+//
+// Deprecated: CFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// CFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewCFBEncrypter(block Block, iv []byte) Stream {
 	if fips140only.Enabled {
 		panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")
@@ -64,6 +70,12 @@ func NewCFBEncrypter(block Block, iv []byte) Stream {
 // NewCFBDecrypter returns a [Stream] which decrypts with cipher feedback mode,
 // using the given [Block]. The iv must be the same length as the [Block]'s block
 // size.
+//
+// Deprecated: CFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// CFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewCFBDecrypter(block Block, iv []byte) Stream {
 	if fips140only.Enabled {
 		panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")

src/crypto/cipher/ofb.go

@@ -22,6 +22,12 @@ type ofb struct {
 // NewOFB returns a [Stream] that encrypts or decrypts using the block cipher b
 // in output feedback mode. The initialization vector iv's length must be equal
 // to b's block size.
+//
+// Deprecated: OFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// OFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewOFB(b Block, iv []byte) Stream {
 	if fips140only.Enabled {
 		panic("crypto/cipher: use of OFB is not allowed in FIPS 140-only mode")