From 12bbae8ba25713a0ebadefef7e64bb1134a64063 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Fri, 21 Sep 2012 20:14:16 +0200
Subject: [PATCH] Stress that the salsa20 hash function is not for general use.

---
 ChangeLog      |  5 +++++
 nettle.texinfo | 15 +++++++++------
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index efb578e0..05c463c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-09-21  Niels Möller  <nisse@lysator.liu.se>
+
+	* nettle.texinfo (Cipher functions): Stress that the salsa20 hash
+	function is not suitable as a general hash function.
+
 2012-09-20  Simon Josefsson  <simon@josefsson.org>
 
 	* pbkdf2-hmac-sha1.c, pbkdf2-hmac-sha256.c: New files.
diff --git a/nettle.texinfo b/nettle.texinfo
index c73861bf..bfaf0a6f 100644
--- a/nettle.texinfo
+++ b/nettle.texinfo
@@ -1275,12 +1275,15 @@ in this way to ridicule United States export restrictions which treated hash
 functions as nice and harmless, but ciphers as dangerous munitions.
 
 Salsa20 uses the same idea, but with a new specialized hash function to
-mix key, block counter, and a couple of constants (input and output are
-the same size, making it not directly applicable for use as a general
-hash function). It's also designed for speed; on x86_64, it is currently
-the fastest cipher offered by nettle. It uses a block size of 512 bits
-(64 octets) and there are two specified key sizes, 128 and 256 bits (16
-and 32 octets).
+mix key, block counter, and a couple of constants. It's also designed
+for speed; on x86_64, it is currently the fastest cipher offered by
+nettle. It uses a block size of 512 bits (64 octets) and there are two
+specified key sizes, 128 and 256 bits (16 and 32 octets).
+
+@strong{Caution:} The hash function used in Salsa20 is @emph{not}
+directly applicable for use as a general hash function. It's @emph{not}
+collision resistant if arbitrary inputs are allowed, and furthermore,
+the input and output is of fixed size.
 
 When using Salsa20 to process a message, one specifies both a key and a
 @dfn{nonce}, the latter playing a similar rôle to the initialization
-- 
GitLab