Commit 663f63ee authored by Ard Biesheuvel's avatar Ard Biesheuvel Committed by Herbert Xu
Browse files

crypto: salsa20 - remove Salsa20 stream cipher algorithm 



Salsa20 is not used anywhere in the kernel, is not suitable for disk
encryption, and widely considered to have been superseded by ChaCha20.
So let's remove it.

Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
Acked-by: default avatarMike Snitzer <snitzer@redhat.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 87cd723f

Documentation/admin-guide/device-mapper/dm-integrity.rst

+2 −2
Original line number Diff line number Diff line
@@ -143,8 +143,8 @@ recalculate 
journal_crypt:algorithm(:key)	(the key is optional)

	Encrypt the journal using given algorithm to make sure that the

	attacker can't read the journal. You can use a block cipher here

	(such as "cbc(aes)") or a stream cipher (for example "chacha20",

	"salsa20" or "ctr(aes)").

	(such as "cbc(aes)") or a stream cipher (for example "chacha20"

	or "ctr(aes)").



	The journal contains history of last writes to the block device,

	an attacker reading the journal could see the last sector numbers

crypto/Kconfig

+0 −12
Original line number Diff line number Diff line
@@ -1400,18 +1400,6 @@ config CRYPTO_KHAZAD 
	  See also:

	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>



config CRYPTO_SALSA20

	tristate "Salsa20 stream cipher algorithm"

	select CRYPTO_SKCIPHER

	help

	  Salsa20 stream cipher algorithm.



	  Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT

	  Stream Cipher Project. See <https://www.ecrypt.eu.org/stream/>



	  The Salsa20 stream cipher algorithm is designed by Daniel J.

	  Bernstein <djb@cr.yp.to>. See <https://cr.yp.to/snuffle.html>



config CRYPTO_CHACHA20

	tristate "ChaCha stream cipher algorithms"

	select CRYPTO_LIB_CHACHA_GENERIC

crypto/Makefile

+0 −1
Original line number Diff line number Diff line
@@ -138,7 +138,6 @@ obj-$(CONFIG_CRYPTO_TEA) += tea.o 
obj-$(CONFIG_CRYPTO_KHAZAD) += khazad.o

obj-$(CONFIG_CRYPTO_ANUBIS) += anubis.o

obj-$(CONFIG_CRYPTO_SEED) += seed.o

obj-$(CONFIG_CRYPTO_SALSA20) += salsa20_generic.o

obj-$(CONFIG_CRYPTO_CHACHA20) += chacha_generic.o

obj-$(CONFIG_CRYPTO_POLY1305) += poly1305_generic.o

obj-$(CONFIG_CRYPTO_DEFLATE) += deflate.o

crypto/salsa20_generic.c

deleted100644 → 0
+0 −212
Original line number Diff line number Diff line 
/*

 * Salsa20: Salsa20 stream cipher algorithm

 *

 * Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>

 *

 * Derived from:

 * - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>

 *

 * Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream

 * Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.

 * More information about eSTREAM and Salsa20 can be found here:

 *   https://www.ecrypt.eu.org/stream/

 *   https://cr.yp.to/snuffle.html

 *

 * This program is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License as published by the Free

 * Software Foundation; either version 2 of the License, or (at your option)

 * any later version.

 *

 */



#include <asm/unaligned.h>

#include <crypto/internal/skcipher.h>

#include <linux/module.h>



#define SALSA20_IV_SIZE        8

#define SALSA20_MIN_KEY_SIZE  16

#define SALSA20_MAX_KEY_SIZE  32

#define SALSA20_BLOCK_SIZE    64



struct salsa20_ctx {

	u32 initial_state[16];

};



static void salsa20_block(u32 *state, __le32 *stream)

{

	u32 x[16];

	int i;



	memcpy(x, state, sizeof(x));



	for (i = 0; i < 20; i += 2) {

		x[ 4] ^= rol32((x[ 0] + x[12]),  7);

		x[ 8] ^= rol32((x[ 4] + x[ 0]),  9);

		x[12] ^= rol32((x[ 8] + x[ 4]), 13);

		x[ 0] ^= rol32((x[12] + x[ 8]), 18);

		x[ 9] ^= rol32((x[ 5] + x[ 1]),  7);

		x[13] ^= rol32((x[ 9] + x[ 5]),  9);

		x[ 1] ^= rol32((x[13] + x[ 9]), 13);

		x[ 5] ^= rol32((x[ 1] + x[13]), 18);

		x[14] ^= rol32((x[10] + x[ 6]),  7);

		x[ 2] ^= rol32((x[14] + x[10]),  9);

		x[ 6] ^= rol32((x[ 2] + x[14]), 13);

		x[10] ^= rol32((x[ 6] + x[ 2]), 18);

		x[ 3] ^= rol32((x[15] + x[11]),  7);

		x[ 7] ^= rol32((x[ 3] + x[15]),  9);

		x[11] ^= rol32((x[ 7] + x[ 3]), 13);

		x[15] ^= rol32((x[11] + x[ 7]), 18);

		x[ 1] ^= rol32((x[ 0] + x[ 3]),  7);

		x[ 2] ^= rol32((x[ 1] + x[ 0]),  9);

		x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);

		x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);

		x[ 6] ^= rol32((x[ 5] + x[ 4]),  7);

		x[ 7] ^= rol32((x[ 6] + x[ 5]),  9);

		x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);

		x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);

		x[11] ^= rol32((x[10] + x[ 9]),  7);

		x[ 8] ^= rol32((x[11] + x[10]),  9);

		x[ 9] ^= rol32((x[ 8] + x[11]), 13);

		x[10] ^= rol32((x[ 9] + x[ 8]), 18);

		x[12] ^= rol32((x[15] + x[14]),  7);

		x[13] ^= rol32((x[12] + x[15]),  9);

		x[14] ^= rol32((x[13] + x[12]), 13);

		x[15] ^= rol32((x[14] + x[13]), 18);

	}



	for (i = 0; i < 16; i++)

		stream[i] = cpu_to_le32(x[i] + state[i]);



	if (++state[8] == 0)

		state[9]++;

}



static void salsa20_docrypt(u32 *state, u8 *dst, const u8 *src,

			    unsigned int bytes)

{

	__le32 stream[SALSA20_BLOCK_SIZE / sizeof(__le32)];



	while (bytes >= SALSA20_BLOCK_SIZE) {

		salsa20_block(state, stream);

		crypto_xor_cpy(dst, src, (const u8 *)stream,

			       SALSA20_BLOCK_SIZE);

		bytes -= SALSA20_BLOCK_SIZE;

		dst += SALSA20_BLOCK_SIZE;

		src += SALSA20_BLOCK_SIZE;

	}

	if (bytes) {

		salsa20_block(state, stream);

		crypto_xor_cpy(dst, src, (const u8 *)stream, bytes);

	}

}



static void salsa20_init(u32 *state, const struct salsa20_ctx *ctx,

			 const u8 *iv)

{

	memcpy(state, ctx->initial_state, sizeof(ctx->initial_state));

	state[6] = get_unaligned_le32(iv + 0);

	state[7] = get_unaligned_le32(iv + 4);

}



static int salsa20_setkey(struct crypto_skcipher *tfm, const u8 *key,

			  unsigned int keysize)

{

	static const char sigma[16] = "expand 32-byte k";

	static const char tau[16] = "expand 16-byte k";

	struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);

	const char *constants;



	if (keysize != SALSA20_MIN_KEY_SIZE &&

	    keysize != SALSA20_MAX_KEY_SIZE)

		return -EINVAL;



	ctx->initial_state[1] = get_unaligned_le32(key + 0);

	ctx->initial_state[2] = get_unaligned_le32(key + 4);

	ctx->initial_state[3] = get_unaligned_le32(key + 8);

	ctx->initial_state[4] = get_unaligned_le32(key + 12);

	if (keysize == 32) { /* recommended */

		key += 16;

		constants = sigma;

	} else { /* keysize == 16 */

		constants = tau;

	}

	ctx->initial_state[11] = get_unaligned_le32(key + 0);

	ctx->initial_state[12] = get_unaligned_le32(key + 4);

	ctx->initial_state[13] = get_unaligned_le32(key + 8);

	ctx->initial_state[14] = get_unaligned_le32(key + 12);

	ctx->initial_state[0]  = get_unaligned_le32(constants + 0);

	ctx->initial_state[5]  = get_unaligned_le32(constants + 4);

	ctx->initial_state[10] = get_unaligned_le32(constants + 8);

	ctx->initial_state[15] = get_unaligned_le32(constants + 12);



	/* space for the nonce; it will be overridden for each request */

	ctx->initial_state[6] = 0;

	ctx->initial_state[7] = 0;



	/* initial block number */

	ctx->initial_state[8] = 0;

	ctx->initial_state[9] = 0;



	return 0;

}



static int salsa20_crypt(struct skcipher_request *req)

{

	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);

	const struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);

	struct skcipher_walk walk;

	u32 state[16];

	int err;



	err = skcipher_walk_virt(&walk, req, false);



	salsa20_init(state, ctx, req->iv);



	while (walk.nbytes > 0) {

		unsigned int nbytes = walk.nbytes;



		if (nbytes < walk.total)

			nbytes = round_down(nbytes, walk.stride);



		salsa20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,

				nbytes);

		err = skcipher_walk_done(&walk, walk.nbytes - nbytes);

	}



	return err;

}



static struct skcipher_alg alg = {

	.base.cra_name		= "salsa20",

	.base.cra_driver_name	= "salsa20-generic",

	.base.cra_priority	= 100,

	.base.cra_blocksize	= 1,

	.base.cra_ctxsize	= sizeof(struct salsa20_ctx),

	.base.cra_module	= THIS_MODULE,



	.min_keysize		= SALSA20_MIN_KEY_SIZE,

	.max_keysize		= SALSA20_MAX_KEY_SIZE,

	.ivsize			= SALSA20_IV_SIZE,

	.chunksize		= SALSA20_BLOCK_SIZE,

	.setkey			= salsa20_setkey,

	.encrypt		= salsa20_crypt,

	.decrypt		= salsa20_crypt,

};



static int __init salsa20_generic_mod_init(void)

{

	return crypto_register_skcipher(&alg);

}



static void __exit salsa20_generic_mod_fini(void)

{

	crypto_unregister_skcipher(&alg);

}



subsys_initcall(salsa20_generic_mod_init);

module_exit(salsa20_generic_mod_fini);



MODULE_LICENSE("GPL");

MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");

MODULE_ALIAS_CRYPTO("salsa20");

MODULE_ALIAS_CRYPTO("salsa20-generic");

crypto/tcrypt.c

+1 −10
Original line number Diff line number Diff line
@@ -71,7 +71,7 @@ static const char *check[] = { 
	"blowfish", "twofish", "serpent", "sha384", "sha512", "md4", "aes",

	"cast6", "arc4", "michael_mic", "deflate", "crc32c", "tea", "xtea",

	"khazad", "wp512", "wp384", "wp256", "tnepres", "xeta",  "fcrypt",

	"camellia", "seed", "salsa20", "rmd160",

	"camellia", "seed", "rmd160",

	"lzo", "lzo-rle", "cts", "sha3-224", "sha3-256", "sha3-384",

	"sha3-512", "streebog256", "streebog512",

	NULL
@@ -1835,10 +1835,6 @@ static int do_test(const char *alg, u32 type, u32 mask, int m, u32 num_mb) 
		ret += tcrypt_test("sha224");

		break;



	case 34:

		ret += tcrypt_test("salsa20");

		break;



	case 35:

		ret += tcrypt_test("gcm(aes)");

		break;
@@ -2153,11 +2149,6 @@ static int do_test(const char *alg, u32 type, u32 mask, int m, u32 num_mb) 
				speed_template_32_48_64);

		break;



	case 206:

		test_cipher_speed("salsa20", ENCRYPT, sec, NULL, 0,

				  speed_template_16_32);

		break;



	case 207:

		test_cipher_speed("ecb(serpent)", ENCRYPT, sec, NULL, 0,

				  speed_template_16_32);