From 1dbd23dc2566b3fe9113bf09fd9e190dfd4651b6 Mon Sep 17 00:00:00 2001

From: Petr Lautrbach <plautrba@redhat.com>

Date: Fri, 30 Jul 2021 14:14:37 +0200

Subject: [PATCH] Use SHA-2 instead of SHA-1

Content-type: text/plain

The use of SHA-1 in RHEL9 is deprecated

---

 libselinux/include/selinux/label.h            |   6 +-

 libselinux/include/selinux/restorecon.h       |   4 +-

 libselinux/man/man3/selabel_digest.3          |   4 +-

 libselinux/man/man3/selabel_open.3            |   2 +-

 libselinux/man/man3/selinux_restorecon.3      |  18 +-

 .../man/man3/selinux_restorecon_xattr.3       |   2 +-

 libselinux/src/Makefile                       |   2 +-

 libselinux/src/label_file.c                   |  40 +--

 libselinux/src/label_internal.h               |  10 +-

 libselinux/src/label_support.c                |  10 +-

 libselinux/src/selinux_restorecon.c           |  24 +-

 libselinux/src/sha1.c                         | 220 -------------

 libselinux/src/sha1.h                         |  85 -----

 libselinux/src/sha256.c                       | 294 ++++++++++++++++++

 libselinux/src/sha256.h                       |  89 ++++++

 libselinux/utils/selabel_digest.c             |  26 +-

 .../selabel_get_digests_all_partial_matches.c |  28 +-

 17 files changed, 471 insertions(+), 393 deletions(-)

 delete mode 100644 libselinux/src/sha1.c

 delete mode 100644 libselinux/src/sha1.h

 create mode 100644 libselinux/src/sha256.c

 create mode 100644 libselinux/src/sha256.h

diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h

index e8983606d93b..a35d84d63b0a 100644

--- a/libselinux/include/selinux/label.h

+++ b/libselinux/include/selinux/label.h

@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,

 					 const char *key, const char **aliases, int type);

 /**

- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to

+ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to

  *		    generate the digest. The SELABEL_OPT_DIGEST option must

  *		    be set in selabel_open() to initiate the digest generation.

  * @handle: specifies backend instance to query

- * @digest: returns a pointer to the SHA1 digest.

+ * @digest: returns a pointer to the SHA256 digest.

  * @digest_len: returns length of digest in bytes.

- * @specfiles: a list of specfiles used in the SHA1 digest generation.

+ * @specfiles: a list of specfiles used in the SHA256 digest generation.

  *	       The list is NULL terminated and will hold @num_specfiles entries.

  * @num_specfiles: number of specfiles in the list.

  *

diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h

index b10fe684eff9..8df4744505b3 100644

--- a/libselinux/include/selinux/restorecon.h

+++ b/libselinux/include/selinux/restorecon.h

@@ -41,8 +41,8 @@ extern int selinux_restorecon_parallel(const char *pathname,

  * restorecon_flags options

  */

 /*

- * Force the checking of labels even if the stored SHA1 digest

- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).

+ * Force the checking of labels even if the stored SHA256 digest

+ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN).

  */

 #define SELINUX_RESTORECON_IGNORE_DIGEST		0x00001

 /*

diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3

index 56a008f00df0..5f7c42533d0e 100644

--- a/libselinux/man/man3/selabel_digest.3

+++ b/libselinux/man/man3/selabel_digest.3

@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used

 .BR selabel_digest ()

 performs an operation on the handle

 .IR hnd ,

-returning the results of the SHA1 digest pointed to by

+returning the results of the SHA256 digest pointed to by

 .IR digest ,

 whose length will be

 .IR digest_len .

-The list of specfiles used in the SHA1 digest calculation is returned in

+The list of specfiles used in the SHA256 digest calculation is returned in

 .I specfiles

 with the number of entries in

 .IR num_specfiles .

diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3

index 0e03e1be111e..14ab888d2e03 100644

--- a/libselinux/man/man3/selabel_open.3

+++ b/libselinux/man/man3/selabel_open.3

@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via

 Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.

 .TP

 .B SELABEL_OPT_DIGEST

-A non-null value for this option enables the generation of an SHA1 digest of

+A non-null value for this option enables the generation of an SHA256 digest of

 the spec files loaded as described in

 .BR selabel_digest (3)

 .

diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3

index 218aaf6d2ae5..5f6d4b386429 100644

--- a/libselinux/man/man3/selinux_restorecon.3

+++ b/libselinux/man/man3/selinux_restorecon.3

@@ -36,7 +36,7 @@ If this is a directory and the

 .B SELINUX_RESTORECON_RECURSE

 has been set (for descending through directories), then

 .BR selinux_restorecon ()

-will write an SHA1 digest of specfile entries calculated by

+will write an SHA256 digest of specfile entries calculated by

 .BR selabel_get_digests_all_partial_matches (3)

 to an extended attribute of

 .IR security.sehash

@@ -55,7 +55,7 @@ will take place.

 .br

 The

 .IR restorecon_flags

-that can be used to manage the usage of the SHA1 digest are:

+that can be used to manage the usage of the SHA256 digest are:

 .RS

 .B SELINUX_RESTORECON_SKIP_DIGEST

 .br

@@ -73,8 +73,8 @@ Do not check or update any extended attribute

 entries.

 .sp

 .B SELINUX_RESTORECON_IGNORE_DIGEST

-force the checking of labels even if the stored SHA1 digest matches the

-specfile entries SHA1 digest. The specfile entries digest will be written to the

+force the checking of labels even if the stored SHA256 digest matches the

+specfile entries SHA256 digest. The specfile entries digest will be written to the

 .IR security.sehash

 extended attribute once relabeling has been completed successfully provided the

 .B SELINUX_RESTORECON_NOCHANGE

@@ -95,7 +95,7 @@ default specfile context.

 .sp

 .B SELINUX_RESTORECON_RECURSE

 change file and directory labels recursively (descend directories)

-and if successful write an SHA1 digest of the specfile entries to an

+and if successful write an SHA256 digest of the specfile entries to an

 extended attribute as described in the

 .B NOTES

 section.

@@ -179,12 +179,12 @@ for fetching the ignored (skipped) error count after

 or

 .BR selinux_restorecon_parallel (3)

 completes with success. In case any errors were skipped during the file tree

-walk, the specfile entries SHA1 digest will not have been written to the

+walk, the specfile entries SHA256 digest will not have been written to the

 .IR security.sehash

 extended attribute.

 .RE

 .sp

-The behavior regarding the checking and updating of the SHA1 digest described

+The behavior regarding the checking and updating of the SHA256 digest described

 above is the default behavior. It is possible to change this by first calling

 .BR selabel_open (3)

 and not enabling the

@@ -247,7 +247,7 @@ To improve performance when relabeling file systems recursively (e.g. the

 .B SELINUX_RESTORECON_RECURSE

 flag is set)

 .BR selinux_restorecon ()

-will write a calculated SHA1 digest of the specfile entries returned by

+will write a calculated SHA256 digest of the specfile entries returned by

 .BR selabel_get_digests_all_partial_matches (3)

 to an extended attribute named

 .IR security.sehash

@@ -269,7 +269,7 @@ Should any of the specfile entries have changed, then when

 .BR selinux_restorecon ()

 is run again with the

 .B SELINUX_RESTORECON_RECURSE

-flag set, new SHA1 digests will be calculated and all files automatically

+flag set, new SHA256 digests will be calculated and all files automatically

 relabeled depending on the settings of the

 .B SELINUX_RESTORECON_SET_SPECFILE_CTX

 flag (provided

diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3

index c56326814b94..098c840fc59b 100644

--- a/libselinux/man/man3/selinux_restorecon_xattr.3

+++ b/libselinux/man/man3/selinux_restorecon_xattr.3

@@ -119,7 +119,7 @@ By default

 .BR selinux_restorecon_xattr (3)

 will use the default set of specfiles described in

 .BR files_contexts (5)

-to calculate the SHA1 digests to be used for comparison.

+to calculate the SHA256 digests to be used for comparison.

 To change this default behavior

 .BR selabel_open (3)

 must be called specifying the required

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile

index 70ba063ada5d..0c803d8d4aae 100644

--- a/libselinux/src/Makefile

+++ b/libselinux/src/Makefile

@@ -125,7 +125,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \

 	-DBUILD_HOST

 SRCS= callbacks.c freecon.c label.c label_file.c \

 	label_backends_android.c regex.c label_support.c \

-	matchpathcon.c setrans_client.c sha1.c booleans.c

+	matchpathcon.c setrans_client.c sha256.c booleans.c

 else

 LABEL_BACKEND_ANDROID=y

 endif

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c

index 74ae9b9feb70..33d395e414f0 100644

--- a/libselinux/src/label_file.c

+++ b/libselinux/src/label_file.c

@@ -1010,7 +1010,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,

 /*

  * Returns true if the digest of all partial matched contexts is the same as

- * the one saved by setxattr, otherwise returns false. The length of the SHA1

+ * the one saved by setxattr, otherwise returns false. The length of the SHA256

  * digest will always be returned. The caller must free any returned digests.

  */

 static bool get_digests_all_partial_matches(struct selabel_handle *rec,

@@ -1019,39 +1019,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,

 					    uint8_t **xattr_digest,

 					    size_t *digest_len)

 {

-	uint8_t read_digest[SHA1_HASH_SIZE];

+	uint8_t read_digest[SHA256_HASH_SIZE];

 	ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,

-				     read_digest, SHA1_HASH_SIZE

+				     read_digest, SHA256_HASH_SIZE

 #ifdef __APPLE__

 				     , 0, 0

 #endif /* __APPLE __ */

 				    );

-	uint8_t hash_digest[SHA1_HASH_SIZE];

+	uint8_t hash_digest[SHA256_HASH_SIZE];

 	bool status = selabel_hash_all_partial_matches(rec, pathname,

 						       hash_digest);

 	*xattr_digest = NULL;

 	*calculated_digest = NULL;

-	*digest_len = SHA1_HASH_SIZE;

+	*digest_len = SHA256_HASH_SIZE;

-	if (read_size == SHA1_HASH_SIZE) {

-		*xattr_digest = calloc(1, SHA1_HASH_SIZE + 1);

+	if (read_size == SHA256_HASH_SIZE) {

+		*xattr_digest = calloc(1, SHA256_HASH_SIZE + 1);

 		if (!*xattr_digest)

 			goto oom;

-		memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE);

+		memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE);

 	}

 	if (status) {

-		*calculated_digest = calloc(1, SHA1_HASH_SIZE + 1);

+		*calculated_digest = calloc(1, SHA256_HASH_SIZE + 1);

 		if (!*calculated_digest)

 			goto oom;

-		memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE);

+		memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE);

 	}

-	if (status && read_size == SHA1_HASH_SIZE &&

-	    memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)

+	if (status && read_size == SHA256_HASH_SIZE &&

+	    memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0)

 		return true;

 	return false;

@@ -1071,22 +1071,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key

 		return false;

 	}

-	Sha1Context context;

-	Sha1Initialise(&context);

+	Sha256Context context;

+	Sha256Initialise(&context);

 	size_t i;

 	for (i = 0; i < total_matches; i++) {

 		char* regex_str = matches[i]->regex_str;

 		mode_t mode = matches[i]->mode;

 		char* ctx_raw = matches[i]->lr.ctx_raw;

-		Sha1Update(&context, regex_str, strlen(regex_str) + 1);

-		Sha1Update(&context, &mode, sizeof(mode_t));

-		Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1);

+		Sha256Update(&context, regex_str, strlen(regex_str) + 1);

+		Sha256Update(&context, &mode, sizeof(mode_t));

+		Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1);

 	}

-	SHA1_HASH sha1_hash;

-	Sha1Finalise(&context, &sha1_hash);

-	memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE);

+	SHA256_HASH sha256_hash;

+	Sha256Finalise(&context, &sha256_hash);

+	memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE);

 	free(matches);

 	return true;

diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h

index 782c6aa8cc0c..304e8d96490a 100644

--- a/libselinux/src/label_internal.h

+++ b/libselinux/src/label_internal.h

@@ -13,7 +13,7 @@

 #include <stdio.h>

 #include <selinux/selinux.h>

 #include <selinux/label.h>

-#include "sha1.h"

+#include "sha256.h"

 #if defined(ANDROID) || defined(__APPLE__)

 // Android and Mac do not have fgets_unlocked()

@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec,

  */

 /*

- * Calculate an SHA1 hash of all the files used to build the specs.

+ * Calculate an SHA256 hash of all the files used to build the specs.

  * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To

  * calculate the hash the hashbuf will hold a concatenation of all the files

  * used. This is released once the value has been calculated.

  */

-#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE

+#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE

 #define DIGEST_FILES_MAX 8

 struct selabel_digest {

-	unsigned char *digest;	/* SHA1 digest of specfiles */

+	unsigned char *digest;	/* SHA256 digest of specfiles */

 	unsigned char *hashbuf;	/* buffer to hold specfiles */

 	size_t hashbuf_size;	/* buffer size */

 	size_t specfile_cnt;	/* how many specfiles processed */

@@ -110,7 +110,7 @@ struct selabel_handle {

 	 */

 	char *spec_file;

-	/* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */

+	/* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */

 	struct selabel_digest *digest;

 };

diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c

index 54fd49a5b7b9..4003eb8dc7af 100644

--- a/libselinux/src/label_support.c

+++ b/libselinux/src/label_support.c

@@ -115,7 +115,7 @@ int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)

 /* Once all the specfiles are in the hash_buf, generate the hash. */

 void  digest_gen_hash(struct selabel_digest *digest)

 {

-	Sha1Context context;

+	Sha256Context context;

 	size_t remaining_size;

 	const unsigned char *ptr;

@@ -123,19 +123,19 @@ void  digest_gen_hash(struct selabel_digest *digest)

 	if (!digest)

 		return;

-	Sha1Initialise(&context);

+	Sha256Initialise(&context);

 	/* Process in blocks of UINT32_MAX bytes */

 	remaining_size = digest->hashbuf_size;

 	ptr = digest->hashbuf;

 	while (remaining_size > UINT32_MAX) {

-		Sha1Update(&context, ptr, UINT32_MAX);

+		Sha256Update(&context, ptr, UINT32_MAX);

 		remaining_size -= UINT32_MAX;

 		ptr += UINT32_MAX;

 	}

-	Sha1Update(&context, ptr, remaining_size);

+	Sha256Update(&context, ptr, remaining_size);

-	Sha1Finalise(&context, (SHA1_HASH *)digest->digest);

+	Sha256Finalise(&context, (SHA256_HASH *)digest->digest);

 	free(digest->hashbuf);

 	digest->hashbuf = NULL;

 	return;

diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c

index 6b5f6921b82b..24604776974e 100644

--- a/libselinux/src/selinux_restorecon.c

+++ b/libselinux/src/selinux_restorecon.c

@@ -37,7 +37,7 @@

 #include "callbacks.h"

 #include "selinux_internal.h"

 #include "label_file.h"

-#include "sha1.h"

+#include "sha256.h"

 #define STAR_COUNT 1024

@@ -305,7 +305,7 @@ static uint64_t exclude_non_seclabel_mounts(void)

 static int add_xattr_entry(const char *directory, bool delete_nonmatch,

 			   bool delete_all)

 {

-	char *sha1_buf = NULL;

+	char *sha256_buf = NULL;

 	size_t i, digest_len = 0;

 	int rc;

 	enum digest_result digest_result;

@@ -329,15 +329,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,

 	}

 	/* Convert entry to a hex encoded string. */

-	sha1_buf = malloc(digest_len * 2 + 1);

-	if (!sha1_buf) {

+	sha256_buf = malloc(digest_len * 2 + 1);

+	if (!sha256_buf) {

 		free(xattr_digest);

 		free(calculated_digest);

 		goto oom;

 	}

 	for (i = 0; i < digest_len; i++)

-		sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);

+		sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]);

 	digest_result = match ? MATCH : NOMATCH;

@@ -357,7 +357,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,

 	/* Now add entries to link list. */

 	new_entry = malloc(sizeof(struct dir_xattr));

 	if (!new_entry) {

-		free(sha1_buf);

+		free(sha256_buf);

 		goto oom;

 	}

 	new_entry->next = NULL;

@@ -365,15 +365,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,

 	new_entry->directory = strdup(directory);

 	if (!new_entry->directory) {

 		free(new_entry);

-		free(sha1_buf);

+		free(sha256_buf);

 		goto oom;

 	}

-	new_entry->digest = strdup(sha1_buf);

+	new_entry->digest = strdup(sha256_buf);

 	if (!new_entry->digest) {

 		free(new_entry->directory);

 		free(new_entry);

-		free(sha1_buf);

+		free(sha256_buf);

 		goto oom;

 	}

@@ -387,7 +387,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,

 		dir_xattr_last = new_entry;

 	}

-	free(sha1_buf);

+	free(sha256_buf);

 	return 0;

 oom:

@@ -775,7 +775,7 @@ err:

 struct dir_hash_node {

 	char *path;

-	uint8_t digest[SHA1_HASH_SIZE];

+	uint8_t digest[SHA256_HASH_SIZE];

 	struct dir_hash_node *next;

 };

 /*

@@ -1281,7 +1281,7 @@ static int selinux_restorecon_common(const char *pathname_orig,

 			if (setxattr(current->path,

 			    RESTORECON_PARTIAL_MATCH_DIGEST,

 			    current->digest,

-			    SHA1_HASH_SIZE, 0) < 0) {

+			    SHA256_HASH_SIZE, 0) < 0) {

 				selinux_log(SELINUX_ERROR,

 					    "setxattr failed: %s: %m\n",

 					    current->path);

diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c

deleted file mode 100644

index 9d51e04ac331..000000000000

--- a/libselinux/src/sha1.c

+++ /dev/null

@@ -1,220 +0,0 @@

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  LibSha1

-//

-//  Implementation of SHA1 hash function.

-//  Original author:  Steve Reid <sreid@sea-to-sky.net>

-//  Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,

-//  and Ralph Giles <giles@ghostscript.com>

-//  Modified by WaterJuice retaining Public Domain license.

-//

-//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org

-//  Modified to:

-//    - stop symbols being exported for libselinux shared library - October 2015

-//								       Richard Haines <richard_c_haines@btinternet.com>

-//    - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment issues.

-//      Fixes:

-//        sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]

-//             CHAR64LONG16*       block = (CHAR64LONG16*) workspace;

-//                                                                     William Roberts <william.c.roberts@intel.com>

-//    - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  IMPORTS

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-

-#include "sha1.h"

-#include <memory.h>

-

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  TYPES

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-

-typedef union

-{

-    uint8_t     c [64];

-    uint32_t    l [16];

-} CHAR64LONG16;

-

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  INTERNAL FUNCTIONS

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-

-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))

-

-// blk0() and blk() perform the initial expand.

-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \

-    |(rol(block->l[i],8)&0x00FF00FF))

-

-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \

-    ^block->l[(i+2)&15]^block->l[i&15],1))

-

-// (R0+R1), R2, R3, R4 are the different operations used in SHA1

-#define R0(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)

-#define R1(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)

-#define R2(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)

-#define R3(v,w,x,y,z,i)  do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)

-#define R4(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)

-

-

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  TransformFunction

-//

-//  Hash a single 512-bit block. This is the core of the algorithm

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-static

-void

-    TransformFunction

-    (

-        uint32_t            state[5],

-        const uint8_t       buffer[64]

-    )

-{

-    uint32_t            a;

-    uint32_t            b;

-    uint32_t            c;

-    uint32_t            d;

-    uint32_t            e;

-    CHAR64LONG16        workspace;

-    CHAR64LONG16*       block = &workspace;

-

-    memcpy(block, buffer, 64);

-

-    // Copy context->state[] to working vars

-    a = state[0];

-    b = state[1];

-    c = state[2];

-    d = state[3];

-    e = state[4];

-

-    // 4 rounds of 20 operations each. Loop unrolled.

-    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);

-    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);

-    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);

-    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);

-    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);

-    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);

-    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);

-    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);

-    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);

-    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);

-    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);

-    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);

-    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);

-    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);

-    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);

-    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);

-    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);

-    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);

-    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);

-    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);

-

-    // Add the working vars back into context.state[]

-    state[0] += a;

-    state[1] += b;

-    state[2] += c;

-    state[3] += d;

-    state[4] += e;

-}

-

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  PUBLIC FUNCTIONS

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  Sha1Initialise

-//

-//  Initialises an SHA1 Context. Use this to initialise/reset a context.

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-void 

-    Sha1Initialise

-    (

-        Sha1Context*                Context

-    )

-{

-    // SHA1 initialization constants

-    Context->State[0] = 0x67452301;

-    Context->State[1] = 0xEFCDAB89;

-    Context->State[2] = 0x98BADCFE;

-    Context->State[3] = 0x10325476;

-    Context->State[4] = 0xC3D2E1F0;

-    Context->Count[0] = 0;

-    Context->Count[1] = 0;

-}

-

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  Sha1Update

-//

-//  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on

-//  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-void 

-    Sha1Update

-    (

-        Sha1Context*        Context,

-        const void*         Buffer,

-        uint32_t            BufferSize

-    )

-{

-    uint32_t    i;

-    uint32_t    j;

-

-    j = (Context->Count[0] >> 3) & 63;

-    if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))

-    {

-        Context->Count[1]++;

-    }

-

-    Context->Count[1] += (BufferSize >> 29);

-    if ((j + BufferSize) > 63)

-    {

-        i = 64 - j;

-        memcpy(&Context->Buffer[j], Buffer, i);

-        TransformFunction(Context->State, Context->Buffer);

-        for (; i + 63 < BufferSize; i += 64)

-        {

-            TransformFunction(Context->State, (const uint8_t*)Buffer + i);

-        }

-        j = 0;

-    }

-    else

-    {

-        i = 0;

-    }

-

-    memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);

-}

-

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  Sha1Finalise

-//

-//  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After

-//  calling this, Sha1Initialised must be used to reuse the context.

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-void 

-    Sha1Finalise

-    (

-        Sha1Context*                Context,

-        SHA1_HASH*                  Digest

-    )

-{

-    uint32_t    i;

-    uint8_t     finalcount[8];

-

-    for (i = 0; i < 8; i++)

-    {

-        finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]

-         >> ((3-(i & 3)) * 8) ) & 255);  // Endian independent

-    }

-    Sha1Update(Context, (const uint8_t*)"\x80", 1);

-    while ((Context->Count[0] & 504) != 448)

-    {

-        Sha1Update(Context, (const uint8_t*)"\0", 1);

-    }

-

-    Sha1Update(Context, finalcount, 8);  // Should cause a Sha1TransformFunction()

-    for (i = 0; i < SHA1_HASH_SIZE; i++)

-    {

-        Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);

-    }

-}

diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h

deleted file mode 100644

index f83a6e7ed7ba..000000000000

--- a/libselinux/src/sha1.h

+++ /dev/null

@@ -1,85 +0,0 @@

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  LibSha1

-//

-//  Implementation of SHA1 hash function.

-//  Original author:  Steve Reid <sreid@sea-to-sky.net>

-//  Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,

-//  and Ralph Giles <giles@ghostscript.com>

-//  Modified by WaterJuice retaining Public Domain license.

-//

-//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-

-#ifndef _sha1_h_

-#define _sha1_h_

-

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-//  IMPORTS

-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-