Re: [PATCH 5/5] crypto: remove Salsa20 stream cipher algorithm

Milan Broz <gmazyland@xxxxxxxxx> · Thu, 21 Jan 2021 19:23:14 +0100

On 21/01/2021 19:09, Ard Biesheuvel wrote:
> On Thu, 21 Jan 2021 at 19:05, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>>
>> On Thu, Jan 21, 2021 at 02:07:33PM +0100, Ard Biesheuvel wrote:
>>> Salsa20 is not used anywhere in the kernel, is not suitable for disk
>>> encryption, and widely considered to have been superseded by ChaCha20.
>>> So let's remove it.
>>>
>>> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
>>> ---
>>>  Documentation/admin-guide/device-mapper/dm-integrity.rst |    4 +-
>>>  crypto/Kconfig                                           |   12 -
>>>  crypto/Makefile                                          |    1 -
>>>  crypto/salsa20_generic.c                                 |  212 ----
>>>  crypto/tcrypt.c                                          |   11 +-
>>>  crypto/testmgr.c                                         |    6 -
>>>  crypto/testmgr.h                                         | 1162 --------------------
>>>  7 files changed, 3 insertions(+), 1405 deletions(-)
>>>
>>> diff --git a/Documentation/admin-guide/device-mapper/dm-integrity.rst b/Documentation/admin-guide/device-mapper/dm-integrity.rst
>>> index 4e6f504474ac..d56112e2e354 100644
>>> --- a/Documentation/admin-guide/device-mapper/dm-integrity.rst
>>> +++ b/Documentation/admin-guide/device-mapper/dm-integrity.rst
>>> @@ -143,8 +143,8 @@ recalculate
>>>  journal_crypt:algorithm(:key)        (the key is optional)
>>>       Encrypt the journal using given algorithm to make sure that the
>>>       attacker can't read the journal. You can use a block cipher here
>>> -     (such as "cbc(aes)") or a stream cipher (for example "chacha20",
>>> -     "salsa20" or "ctr(aes)").
>>> +     (such as "cbc(aes)") or a stream cipher (for example "chacha20"
>>> +     or "ctr(aes)").
>>
>> You should check with the dm-integrity maintainers how likely it is that people
>> are using salsa20 with dm-integrity.  It's possible that people are using it,
>> especially since the documentation says that dm-integrity can use a stream
>> cipher and specifically gives salsa20 as an example.
>>
> 
> Good point - cc'ed them now.

I would say - just remove it. I do not see any users, we do not even test this combination in userspace testsuite.
It is just an example in doc.

>From my POV these stream crypto ciphers should be never used there (but cc to Mikulas, it was his patch :-)

Milan