pgcrypto: Add support for CFB mode in AES encryption

Cipher Feedback Mode, CFB, is a self-synchronizing stream cipher which is very similar to CBC performed in reverse. Since OpenSSL supports it, we can easily plug it into the existing cipher selection code without any need for infrastructure changes. This patch was simultaneously submitted by Umar Hayat and Vladyslav Nebozhyn, the latter whom suggested the feauture. The committed patch is Umar's version. Author: Umar Hayat <postgresql.wizard@gmail.com> Reviewed-by: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: Álvaro Herrera <alvherre@alvh.no-ip.org> Discussion: https://postgr.es/m/CAPBGcbxo9ASzq14VTpQp3mnUJ5omdgTWUJOvWV0L6nNigWE5jw@mail.gmail.com
2025-08-30 06:01:21 +03:00 · 2025-02-14 21:18:37 +01:00
parent 760bf588de
commit 9ad1b3d01f
4 changed files with 217 additions and 1 deletions
--- a/doc/src/sgml/pgcrypto.sgml
+++ b/doc/src/sgml/pgcrypto.sgml
@@ -1082,6 +1082,11 @@ decrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea
    <literal>cbc</literal> &mdash; next block depends on previous (default)
    </para>
   </listitem>
+   <listitem>
+    <para>
+    <literal>cfb</literal> &mdash; next block depends on previous encrypted block
+    </para>
+   </listitem>
   <listitem>
    <para>
    <literal>ecb</literal> &mdash; each block is encrypted separately (for
@@ -1112,7 +1117,8 @@ encrypt(data, 'fooz', 'bf-cbc/pad:pkcs')
  </para>
  <para>
   In <function>encrypt_iv</function> and <function>decrypt_iv</function>, the
-   <parameter>iv</parameter> parameter is the initial value for the CBC mode;
+   <parameter>iv</parameter> parameter is the initial value for the CBC and
+   CFB mode;
   it is ignored for ECB.
   It is clipped or padded with zeroes if not exactly block size.
   It defaults to all zeroes in the functions without this parameter.