diff --git a/.gitignore b/.gitignore
index e766aa5..f8649bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libselinux-3.2.tar.gz
+SOURCES/libselinux-3.3.tar.gz
diff --git a/.libselinux.metadata b/.libselinux.metadata
index c81fb15..db6fb6a 100644
--- a/.libselinux.metadata
+++ b/.libselinux.metadata
@@ -1 +1 @@
-59d7e9a2db64ba994e2da976b4374871535cd196 SOURCES/libselinux-3.2.tar.gz
+70128f2395fc86b09c57db979972b4823b35e614 SOURCES/libselinux-3.3.tar.gz
diff --git a/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
new file mode 100644
index 0000000..ed63a8c
--- /dev/null
+++ b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
@@ -0,0 +1,1333 @@
+From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 30 Jul 2021 14:14:37 +0200
+Subject: [PATCH] Use SHA-2 instead of SHA-1
+
+The use of SHA-1 in RHEL9 is deprecated
+---
+ libselinux/include/selinux/label.h | 6 +-
+ libselinux/include/selinux/restorecon.h | 4 +-
+ libselinux/man/man3/selabel_digest.3 | 4 +-
+ libselinux/man/man3/selabel_open.3 | 2 +-
+ libselinux/man/man3/selinux_restorecon.3 | 16 +-
+ .../man/man3/selinux_restorecon_xattr.3 | 2 +-
+ libselinux/src/Makefile | 2 +-
+ libselinux/src/label_file.c | 40 +--
+ libselinux/src/label_internal.h | 10 +-
+ libselinux/src/label_support.c | 8 +-
+ libselinux/src/selinux_restorecon.c | 24 +-
+ libselinux/src/sha1.c | 220 -------------
+ libselinux/src/sha1.h | 85 -----
+ libselinux/src/sha256.c | 294 ++++++++++++++++++
+ libselinux/src/sha256.h | 89 ++++++
+ libselinux/utils/selabel_digest.c | 26 +-
+ .../selabel_get_digests_all_partial_matches.c | 28 +-
+ 17 files changed, 469 insertions(+), 391 deletions(-)
+ delete mode 100644 libselinux/src/sha1.c
+ delete mode 100644 libselinux/src/sha1.h
+ create mode 100644 libselinux/src/sha256.c
+ create mode 100644 libselinux/src/sha256.h
+
+diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
+index e8983606d93b..a35d84d63b0a 100644
+--- a/libselinux/include/selinux/label.h
++++ b/libselinux/include/selinux/label.h
+@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
+ const char *key, const char **aliases, int type);
+
+ /**
+- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
++ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to
+ * generate the digest. The SELABEL_OPT_DIGEST option must
+ * be set in selabel_open() to initiate the digest generation.
+ * @handle: specifies backend instance to query
+- * @digest: returns a pointer to the SHA1 digest.
++ * @digest: returns a pointer to the SHA256 digest.
+ * @digest_len: returns length of digest in bytes.
+- * @specfiles: a list of specfiles used in the SHA1 digest generation.
++ * @specfiles: a list of specfiles used in the SHA256 digest generation.
+ * The list is NULL terminated and will hold @num_specfiles entries.
+ * @num_specfiles: number of specfiles in the list.
+ *
+diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
+index 466de39aac72..ca8ce768587a 100644
+--- a/libselinux/include/selinux/restorecon.h
++++ b/libselinux/include/selinux/restorecon.h
+@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname,
+ * restorecon_flags options
+ */
+ /*
+- * Force the checking of labels even if the stored SHA1 digest
+- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
++ * Force the checking of labels even if the stored SHA256 digest
++ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN).
+ */
+ #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001
+ /*
+diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
+index 56a008f00df0..5f7c42533d0e 100644
+--- a/libselinux/man/man3/selabel_digest.3
++++ b/libselinux/man/man3/selabel_digest.3
+@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used
+ .BR selabel_digest ()
+ performs an operation on the handle
+ .IR hnd ,
+-returning the results of the SHA1 digest pointed to by
++returning the results of the SHA256 digest pointed to by
+ .IR digest ,
+ whose length will be
+ .IR digest_len .
+-The list of specfiles used in the SHA1 digest calculation is returned in
++The list of specfiles used in the SHA256 digest calculation is returned in
+ .I specfiles
+ with the number of entries in
+ .IR num_specfiles .
+diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
+index 971ebc1acd41..2cf2eb8a1410 100644
+--- a/libselinux/man/man3/selabel_open.3
++++ b/libselinux/man/man3/selabel_open.3
+@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via
+ Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
+ .TP
+ .B SELABEL_OPT_DIGEST
+-A non-null value for this option enables the generation of an SHA1 digest of
++A non-null value for this option enables the generation of an SHA256 digest of
+ the spec files loaded as described in
+ .BR selabel_digest (3)
+ .
+diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
+index ad637406a30d..c4576fe79ff6 100644
+--- a/libselinux/man/man3/selinux_restorecon.3
++++ b/libselinux/man/man3/selinux_restorecon.3
+@@ -28,7 +28,7 @@ If this is a directory and the
+ .B SELINUX_RESTORECON_RECURSE
+ has been set (for descending through directories), then
+ .BR selinux_restorecon ()
+-will write an SHA1 digest of specfile entries calculated by
++will write an SHA256 digest of specfile entries calculated by
+ .BR selabel_get_digests_all_partial_matches (3)
+ to an extended attribute of
+ .IR security.sehash
+@@ -47,7 +47,7 @@ will take place.
+ .br
+ The
+ .IR restorecon_flags
+-that can be used to manage the usage of the SHA1 digest are:
++that can be used to manage the usage of the SHA256 digest are:
+ .RS
+ .B SELINUX_RESTORECON_SKIP_DIGEST
+ .br
+@@ -65,8 +65,8 @@ Do not check or update any extended attribute
+ entries.
+ .sp
+ .B SELINUX_RESTORECON_IGNORE_DIGEST
+-force the checking of labels even if the stored SHA1 digest matches the
+-specfile entries SHA1 digest. The specfile entries digest will be written to the
++force the checking of labels even if the stored SHA256 digest matches the
++specfile entries SHA256 digest. The specfile entries digest will be written to the
+ .IR security.sehash
+ extended attribute once relabeling has been completed successfully provided the
+ .B SELINUX_RESTORECON_NOCHANGE
+@@ -84,7 +84,7 @@ default specfile context.
+ .sp
+ .B SELINUX_RESTORECON_RECURSE
+ change file and directory labels recursively (descend directories)
+-and if successful write an SHA1 digest of the specfile entries to an
++and if successful write an SHA256 digest of the specfile entries to an
+ extended attribute as described in the
+ .B NOTES
+ section.
+@@ -158,7 +158,7 @@ to treat conflicting specifications, such as where two hardlinks for the
+ same inode have different contexts, as errors.
+ .RE
+ .sp
+-The behavior regarding the checking and updating of the SHA1 digest described
++The behavior regarding the checking and updating of the SHA256 digest described
+ above is the default behavior. It is possible to change this by first calling
+ .BR selabel_open (3)
+ and not enabling the
+@@ -200,7 +200,7 @@ To improve performance when relabeling file systems recursively (e.g. the
+ .B SELINUX_RESTORECON_RECURSE
+ flag is set)
+ .BR selinux_restorecon ()
+-will write a calculated SHA1 digest of the specfile entries returned by
++will write a calculated SHA256 digest of the specfile entries returned by
+ .BR selabel_get_digests_all_partial_matches (3)
+ to an extended attribute named
+ .IR security.sehash
+@@ -222,7 +222,7 @@ Should any of the specfile entries have changed, then when
+ .BR selinux_restorecon ()
+ is run again with the
+ .B SELINUX_RESTORECON_RECURSE
+-flag set, new SHA1 digests will be calculated and all files automatically
++flag set, new SHA256 digests will be calculated and all files automatically
+ relabeled depending on the settings of the
+ .B SELINUX_RESTORECON_SET_SPECFILE_CTX
+ flag (provided
+diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3
+index c56326814b94..098c840fc59b 100644
+--- a/libselinux/man/man3/selinux_restorecon_xattr.3
++++ b/libselinux/man/man3/selinux_restorecon_xattr.3
+@@ -119,7 +119,7 @@ By default
+ .BR selinux_restorecon_xattr (3)
+ will use the default set of specfiles described in
+ .BR files_contexts (5)
+-to calculate the SHA1 digests to be used for comparison.
++to calculate the SHA256 digests to be used for comparison.
+ To change this default behavior
+ .BR selabel_open (3)
+ must be called specifying the required
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 52c40f018f51..674a5ed3a6f8 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -120,7 +120,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
+ -DBUILD_HOST
+ SRCS= callbacks.c freecon.c label.c label_file.c \
+ label_backends_android.c regex.c label_support.c \
+- matchpathcon.c setrans_client.c sha1.c booleans.c
++ matchpathcon.c setrans_client.c sha256.c booleans.c
+ else
+ LABEL_BACKEND_ANDROID=y
+ endif
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 2e28d0474d73..c1306c9979e7 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -1005,7 +1005,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
+
+ /*
+ * Returns true if the digest of all partial matched contexts is the same as
+- * the one saved by setxattr, otherwise returns false. The length of the SHA1
++ * the one saved by setxattr, otherwise returns false. The length of the SHA256
+ * digest will always be returned. The caller must free any returned digests.
+ */
+ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+@@ -1014,39 +1014,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+ uint8_t **xattr_digest,
+ size_t *digest_len)
+ {
+- uint8_t read_digest[SHA1_HASH_SIZE];
++ uint8_t read_digest[SHA256_HASH_SIZE];
+ ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,
+- read_digest, SHA1_HASH_SIZE
++ read_digest, SHA256_HASH_SIZE
+ #ifdef __APPLE__
+ , 0, 0
+ #endif /* __APPLE __ */
+ );
+- uint8_t hash_digest[SHA1_HASH_SIZE];
++ uint8_t hash_digest[SHA256_HASH_SIZE];
+ bool status = selabel_hash_all_partial_matches(rec, pathname,
+ hash_digest);
+
+ *xattr_digest = NULL;
+ *calculated_digest = NULL;
+- *digest_len = SHA1_HASH_SIZE;
++ *digest_len = SHA256_HASH_SIZE;
+
+- if (read_size == SHA1_HASH_SIZE) {
+- *xattr_digest = calloc(1, SHA1_HASH_SIZE + 1);
++ if (read_size == SHA256_HASH_SIZE) {
++ *xattr_digest = calloc(1, SHA256_HASH_SIZE + 1);
+ if (!*xattr_digest)
+ goto oom;
+
+- memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE);
++ memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE);
+ }
+
+ if (status) {
+- *calculated_digest = calloc(1, SHA1_HASH_SIZE + 1);
++ *calculated_digest = calloc(1, SHA256_HASH_SIZE + 1);
+ if (!*calculated_digest)
+ goto oom;
+
+- memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE);
++ memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE);
+ }
+
+- if (status && read_size == SHA1_HASH_SIZE &&
+- memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
++ if (status && read_size == SHA256_HASH_SIZE &&
++ memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0)
+ return true;
+
+ return false;
+@@ -1066,22 +1066,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
+ return false;
+ }
+
+- Sha1Context context;
+- Sha1Initialise(&context);
++ Sha256Context context;
++ Sha256Initialise(&context);
+ size_t i;
+ for (i = 0; i < total_matches; i++) {
+ char* regex_str = matches[i]->regex_str;
+ mode_t mode = matches[i]->mode;
+ char* ctx_raw = matches[i]->lr.ctx_raw;
+
+- Sha1Update(&context, regex_str, strlen(regex_str) + 1);
+- Sha1Update(&context, &mode, sizeof(mode_t));
+- Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1);
++ Sha256Update(&context, regex_str, strlen(regex_str) + 1);
++ Sha256Update(&context, &mode, sizeof(mode_t));
++ Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1);
+ }
+
+- SHA1_HASH sha1_hash;
+- Sha1Finalise(&context, &sha1_hash);
+- memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE);
++ SHA256_HASH sha256_hash;
++ Sha256Finalise(&context, &sha256_hash);
++ memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE);
+
+ free(matches);
+ return true;
+diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
+index 782c6aa8cc0c..304e8d96490a 100644
+--- a/libselinux/src/label_internal.h
++++ b/libselinux/src/label_internal.h
+@@ -13,7 +13,7 @@
+ #include <stdio.h>
+ #include <selinux/selinux.h>
+ #include <selinux/label.h>
+-#include "sha1.h"
++#include "sha256.h"
+
+ #if defined(ANDROID) || defined(__APPLE__)
+ // Android and Mac do not have fgets_unlocked()
+@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec,
+ */
+
+ /*
+- * Calculate an SHA1 hash of all the files used to build the specs.
++ * Calculate an SHA256 hash of all the files used to build the specs.
+ * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To
+ * calculate the hash the hashbuf will hold a concatenation of all the files
+ * used. This is released once the value has been calculated.
+ */
+-#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE
++#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE
+ #define DIGEST_FILES_MAX 8
+ struct selabel_digest {
+- unsigned char *digest; /* SHA1 digest of specfiles */
++ unsigned char *digest; /* SHA256 digest of specfiles */
+ unsigned char *hashbuf; /* buffer to hold specfiles */
+ size_t hashbuf_size; /* buffer size */
+ size_t specfile_cnt; /* how many specfiles processed */
+@@ -110,7 +110,7 @@ struct selabel_handle {
+ */
+ char *spec_file;
+
+- /* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */
++ /* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */
+ struct selabel_digest *digest;
+ };
+
+diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
+index 94ed6e4273cb..f53d73b609ab 100644
+--- a/libselinux/src/label_support.c
++++ b/libselinux/src/label_support.c
+@@ -115,15 +115,15 @@ int read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+ /* Once all the specfiles are in the hash_buf, generate the hash. */
+ void digest_gen_hash(struct selabel_digest *digest)
+ {
+- Sha1Context context;
++ Sha256Context context;
+
+ /* If SELABEL_OPT_DIGEST not set then just return */
+ if (!digest)
+ return;
+
+- Sha1Initialise(&context);
+- Sha1Update(&context, digest->hashbuf, digest->hashbuf_size);
+- Sha1Finalise(&context, (SHA1_HASH *)digest->digest);
++ Sha256Initialise(&context);
++ Sha256Update(&context, digest->hashbuf, digest->hashbuf_size);
++ Sha256Finalise(&context, (SHA256_HASH *)digest->digest);
+ free(digest->hashbuf);
+ digest->hashbuf = NULL;
+ return;
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 04d956504952..100c77108a27 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -37,7 +37,7 @@
+ #include "callbacks.h"
+ #include "selinux_internal.h"
+ #include "label_file.h"
+-#include "sha1.h"
++#include "sha256.h"
+
+ #define STAR_COUNT 1024
+
+@@ -293,7 +293,7 @@ static int exclude_non_seclabel_mounts(void)
+ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ bool delete_all)
+ {
+- char *sha1_buf = NULL;
++ char *sha256_buf = NULL;
+ size_t i, digest_len = 0;
+ int rc, digest_result;
+ bool match;
+@@ -316,15 +316,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ }
+
+ /* Convert entry to a hex encoded string. */
+- sha1_buf = malloc(digest_len * 2 + 1);
+- if (!sha1_buf) {
++ sha256_buf = malloc(digest_len * 2 + 1);
++ if (!sha256_buf) {
+ free(xattr_digest);
+ free(calculated_digest);
+ goto oom;
+ }
+
+ for (i = 0; i < digest_len; i++)
+- sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
++ sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]);
+
+ digest_result = match ? MATCH : NOMATCH;
+
+@@ -344,7 +344,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ /* Now add entries to link list. */
+ new_entry = malloc(sizeof(struct dir_xattr));
+ if (!new_entry) {
+- free(sha1_buf);
++ free(sha256_buf);
+ goto oom;
+ }
+ new_entry->next = NULL;
+@@ -352,15 +352,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ new_entry->directory = strdup(directory);
+ if (!new_entry->directory) {
+ free(new_entry);
+- free(sha1_buf);
++ free(sha256_buf);
+ goto oom;
+ }
+
+- new_entry->digest = strdup(sha1_buf);
++ new_entry->digest = strdup(sha256_buf);
+ if (!new_entry->digest) {
+ free(new_entry->directory);
+ free(new_entry);
+- free(sha1_buf);
++ free(sha256_buf);
+ goto oom;
+ }
+
+@@ -374,7 +374,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ dir_xattr_last = new_entry;
+ }
+
+- free(sha1_buf);
++ free(sha256_buf);
+ return 0;
+
+ oom:
+@@ -741,7 +741,7 @@ err:
+
+ struct dir_hash_node {
+ char *path;
+- uint8_t digest[SHA1_HASH_SIZE];
++ uint8_t digest[SHA256_HASH_SIZE];
+ struct dir_hash_node *next;
+ };
+ /*
+@@ -1091,7 +1091,7 @@ int selinux_restorecon(const char *pathname_orig,
+ if (setxattr(current->path,
+ RESTORECON_PARTIAL_MATCH_DIGEST,
+ current->digest,
+- SHA1_HASH_SIZE, 0) < 0) {
++ SHA256_HASH_SIZE, 0) < 0) {
+ selinux_log(SELINUX_ERROR,
+ "setxattr failed: %s: %m\n",
+ current->path);
+diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
+deleted file mode 100644
+index a848467785f3..000000000000
+--- a/libselinux/src/sha1.c
++++ /dev/null
+@@ -1,220 +0,0 @@
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// LibSha1
+-//
+-// Implementation of SHA1 hash function.
+-// Original author: Steve Reid <sreid@sea-to-sky.net>
+-// Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
+-// and Ralph Giles <giles@ghostscript.com>
+-// Modified by WaterJuice retaining Public Domain license.
+-//
+-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-// Modified to:
+-// - stop symbols being exported for libselinux shared library - October 2015
+-// Richard Haines <richard_c_haines@btinternet.com>
+-// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
+-// Fixes:
+-// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
+-// CHAR64LONG16* block = (CHAR64LONG16*) workspace;
+-// William Roberts <william.c.roberts@intel.com>
+-// - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// IMPORTS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include "sha1.h"
+-#include <memory.h>
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// TYPES
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-typedef union
+-{
+- uint8_t c [64];
+- uint32_t l [16];
+-} CHAR64LONG16;
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// INTERNAL FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+-
+-// blk0() and blk() perform the initial expand.
+-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
+- |(rol(block->l[i],8)&0x00FF00FF))
+-
+-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+- ^block->l[(i+2)&15]^block->l[i&15],1))
+-
+-// (R0+R1), R2, R3, R4 are the different operations used in SHA1
+-#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
+-#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
+-#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
+-#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
+-#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
+-
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// TransformFunction
+-//
+-// Hash a single 512-bit block. This is the core of the algorithm
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-static
+-void
+- TransformFunction
+- (
+- uint32_t state[5],
+- const uint8_t buffer[64]
+- )
+-{
+- uint32_t a;
+- uint32_t b;
+- uint32_t c;
+- uint32_t d;
+- uint32_t e;
+- CHAR64LONG16 workspace;
+- CHAR64LONG16* block = &workspace;
+-
+- memcpy(block, buffer, 64);
+-
+- // Copy context->state[] to working vars
+- a = state[0];
+- b = state[1];
+- c = state[2];
+- d = state[3];
+- e = state[4];
+-
+- // 4 rounds of 20 operations each. Loop unrolled.
+- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+-
+- // Add the working vars back into context.state[]
+- state[0] += a;
+- state[1] += b;
+- state[2] += c;
+- state[3] += d;
+- state[4] += e;
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// PUBLIC FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Initialise
+-//
+-// Initialises an SHA1 Context. Use this to initialise/reset a context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Initialise
+- (
+- Sha1Context* Context
+- )
+-{
+- // SHA1 initialization constants
+- Context->State[0] = 0x67452301;
+- Context->State[1] = 0xEFCDAB89;
+- Context->State[2] = 0x98BADCFE;
+- Context->State[3] = 0x10325476;
+- Context->State[4] = 0xC3D2E1F0;
+- Context->Count[0] = 0;
+- Context->Count[1] = 0;
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Update
+-//
+-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
+-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Update
+- (
+- Sha1Context* Context,
+- const void* Buffer,
+- uint32_t BufferSize
+- )
+-{
+- uint32_t i;
+- uint32_t j;
+-
+- j = (Context->Count[0] >> 3) & 63;
+- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))
+- {
+- Context->Count[1]++;
+- }
+-
+- Context->Count[1] += (BufferSize >> 29);
+- if ((j + BufferSize) > 63)
+- {
+- i = 64 - j;
+- memcpy(&Context->Buffer[j], Buffer, i);
+- TransformFunction(Context->State, Context->Buffer);
+- for (; i + 63 < BufferSize; i += 64)
+- {
+- TransformFunction(Context->State, (const uint8_t*)Buffer + i);
+- }
+- j = 0;
+- }
+- else
+- {
+- i = 0;
+- }
+-
+- memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Finalise
+-//
+-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
+-// calling this, Sha1Initialised must be used to reuse the context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Finalise
+- (
+- Sha1Context* Context,
+- SHA1_HASH* Digest
+- )
+-{
+- uint32_t i;
+- uint8_t finalcount[8];
+-
+- for (i = 0; i < 8; i++)
+- {
+- finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
+- >> ((3-(i & 3)) * 8) ) & 255); // Endian independent
+- }
+- Sha1Update(Context, (const uint8_t*)"\x80", 1);
+- while ((Context->Count[0] & 504) != 448)
+- {
+- Sha1Update(Context, (const uint8_t*)"\0", 1);
+- }
+-
+- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction()
+- for (i = 0; i < SHA1_HASH_SIZE; i++)
+- {
+- Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+- }
+-}
+diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
+deleted file mode 100644
+index f83a6e7ed7ba..000000000000
+--- a/libselinux/src/sha1.h
++++ /dev/null
+@@ -1,85 +0,0 @@
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// LibSha1
+-//
+-// Implementation of SHA1 hash function.
+-// Original author: Steve Reid <sreid@sea-to-sky.net>
+-// Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
+-// and Ralph Giles <giles@ghostscript.com>
+-// Modified by WaterJuice retaining Public Domain license.
+-//
+-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#ifndef _sha1_h_
+-#define _sha1_h_
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// IMPORTS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include <stdint.h>
+-#include <stdio.h>
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// TYPES
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly.
+-typedef struct
+-{
+- uint32_t State[5];
+- uint32_t Count[2];
+- uint8_t Buffer[64];
+-} Sha1Context;
+-
+-#define SHA1_HASH_SIZE ( 160 / 8 )
+-
+-typedef struct
+-{
+- uint8_t bytes [SHA1_HASH_SIZE];
+-} SHA1_HASH;
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// PUBLIC FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Initialise
+-//
+-// Initialises an SHA1 Context. Use this to initialise/reset a context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Initialise
+- (
+- Sha1Context* Context
+- );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Update
+-//
+-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
+-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Update
+- (
+- Sha1Context* Context,
+- const void* Buffer,
+- uint32_t BufferSize
+- );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Finalise
+-//
+-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
+-// calling this, Sha1Initialised must be used to reuse the context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Finalise
+- (
+- Sha1Context* Context,
+- SHA1_HASH* Digest
+- );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-#endif //_sha1_h_
+diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c
+new file mode 100644
+index 000000000000..fe2aeef07f53
+--- /dev/null
++++ b/libselinux/src/sha256.c
+@@ -0,0 +1,294 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// WjCryptLib_Sha256
++//
++// Implementation of SHA256 hash function.
++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++// Modified by WaterJuice retaining Public Domain license.
++//
++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include "sha256.h"
++#include <memory.h>
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// MACROS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
++
++#define MIN(x, y) ( ((x)<(y))?(x):(y) )
++
++#define STORE32H(x, y) \
++ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
++ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
++
++#define LOAD32H(x, y) \
++ { x = ((uint32_t)((y)[0] & 255)<<24) | \
++ ((uint32_t)((y)[1] & 255)<<16) | \
++ ((uint32_t)((y)[2] & 255)<<8) | \
++ ((uint32_t)((y)[3] & 255)); }
++
++#define STORE64H(x, y) \
++ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
++ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
++ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
++ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// CONSTANTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// The K array
++static const uint32_t K[64] = {
++ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
++ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
++ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
++ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
++ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
++ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
++ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
++ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
++ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
++ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
++ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
++ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
++ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
++};
++
++#define BLOCK_SIZE 64
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// INTERNAL FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// Various logical functions
++#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
++#define Maj( x, y, z ) (((x | y) & z) | (x & y))
++#define S( x, n ) ror((x),(n))
++#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
++#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
++#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
++#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
++#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
++
++#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
++ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
++ t1 = Sigma0(a) + Maj(a, b, c); \
++ d += t0; \
++ h = t0 + t1;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// TransformFunction
++//
++// Compress 512-bits
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++static
++void
++ TransformFunction
++ (
++ Sha256Context* Context,
++ uint8_t const* Buffer
++ )
++{
++ uint32_t S[8];
++ uint32_t W[64];
++ uint32_t t0;
++ uint32_t t1;
++ uint32_t t;
++ int i;
++
++ // Copy state into S
++ for( i=0; i<8; i++ )
++ {
++ S[i] = Context->state[i];
++ }
++
++ // Copy the state into 512-bits into W[0..15]
++ for( i=0; i<16; i++ )
++ {
++ LOAD32H( W[i], Buffer + (4*i) );
++ }
++
++ // Fill W[16..63]
++ for( i=16; i<64; i++ )
++ {
++ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
++ }
++
++ // Compress
++ for( i=0; i<64; i++ )
++ {
++ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
++ t = S[7];
++ S[7] = S[6];
++ S[6] = S[5];
++ S[5] = S[4];
++ S[4] = S[3];
++ S[3] = S[2];
++ S[2] = S[1];
++ S[1] = S[0];
++ S[0] = t;
++ }
++
++ // Feedback
++ for( i=0; i<8; i++ )
++ {
++ Context->state[i] = Context->state[i] + S[i];
++ }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Initialise
++//
++// Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Initialise
++ (
++ Sha256Context* Context // [out]
++ )
++{
++ Context->curlen = 0;
++ Context->length = 0;
++ Context->state[0] = 0x6A09E667UL;
++ Context->state[1] = 0xBB67AE85UL;
++ Context->state[2] = 0x3C6EF372UL;
++ Context->state[3] = 0xA54FF53AUL;
++ Context->state[4] = 0x510E527FUL;
++ Context->state[5] = 0x9B05688CUL;
++ Context->state[6] = 0x1F83D9ABUL;
++ Context->state[7] = 0x5BE0CD19UL;
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Update
++//
++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Update
++ (
++ Sha256Context* Context, // [in out]
++ void const* Buffer, // [in]
++ uint32_t BufferSize // [in]
++ )
++{
++ uint32_t n;
++
++ if( Context->curlen > sizeof(Context->buf) )
++ {
++ return;
++ }
++
++ while( BufferSize > 0 )
++ {
++ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
++ {
++ TransformFunction( Context, (uint8_t*)Buffer );
++ Context->length += BLOCK_SIZE * 8;
++ Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
++ BufferSize -= BLOCK_SIZE;
++ }
++ else
++ {
++ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
++ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
++ Context->curlen += n;
++ Buffer = (uint8_t*)Buffer + n;
++ BufferSize -= n;
++ if( Context->curlen == BLOCK_SIZE )
++ {
++ TransformFunction( Context, Context->buf );
++ Context->length += 8*BLOCK_SIZE;
++ Context->curlen = 0;
++ }
++ }
++ }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Finalise
++//
++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++// calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Finalise
++ (
++ Sha256Context* Context, // [in out]
++ SHA256_HASH* Digest // [out]
++ )
++{
++ int i;
++
++ if( Context->curlen >= sizeof(Context->buf) )
++ {
++ return;
++ }
++
++ // Increase the length of the message
++ Context->length += Context->curlen * 8;
++
++ // Append the '1' bit
++ Context->buf[Context->curlen++] = (uint8_t)0x80;
++
++ // if the length is currently above 56 bytes we append zeros
++ // then compress. Then we can fall back to padding zeros and length
++ // encoding like normal.
++ if( Context->curlen > 56 )
++ {
++ while( Context->curlen < 64 )
++ {
++ Context->buf[Context->curlen++] = (uint8_t)0;
++ }
++ TransformFunction(Context, Context->buf);
++ Context->curlen = 0;
++ }
++
++ // Pad up to 56 bytes of zeroes
++ while( Context->curlen < 56 )
++ {
++ Context->buf[Context->curlen++] = (uint8_t)0;
++ }
++
++ // Store length
++ STORE64H( Context->length, Context->buf+56 );
++ TransformFunction( Context, Context->buf );
++
++ // Copy output
++ for( i=0; i<8; i++ )
++ {
++ STORE32H( Context->state[i], Digest->bytes+(4*i) );
++ }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Calculate
++//
++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++// buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Calculate
++ (
++ void const* Buffer, // [in]
++ uint32_t BufferSize, // [in]
++ SHA256_HASH* Digest // [in]
++ )
++{
++ Sha256Context context;
++
++ Sha256Initialise( &context );
++ Sha256Update( &context, Buffer, BufferSize );
++ Sha256Finalise( &context, Digest );
++}
+diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h
+new file mode 100644
+index 000000000000..406ed869cd82
+--- /dev/null
++++ b/libselinux/src/sha256.h
+@@ -0,0 +1,89 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// WjCryptLib_Sha256
++//
++// Implementation of SHA256 hash function.
++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++// Modified by WaterJuice retaining Public Domain license.
++//
++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#pragma once
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include <stdint.h>
++#include <stdio.h>
++
++typedef struct
++{
++ uint64_t length;
++ uint32_t state[8];
++ uint32_t curlen;
++ uint8_t buf[64];
++} Sha256Context;
++
++#define SHA256_HASH_SIZE ( 256 / 8 )
++
++typedef struct
++{
++ uint8_t bytes [SHA256_HASH_SIZE];
++} SHA256_HASH;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Initialise
++//
++// Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Initialise
++ (
++ Sha256Context* Context // [out]
++ );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Update
++//
++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Update
++ (
++ Sha256Context* Context, // [in out]
++ void const* Buffer, // [in]
++ uint32_t BufferSize // [in]
++ );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Finalise
++//
++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++// calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Finalise
++ (
++ Sha256Context* Context, // [in out]
++ SHA256_HASH* Digest // [out]
++ );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Calculate
++//
++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++// buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Calculate
++ (
++ void const* Buffer, // [in]
++ uint32_t BufferSize, // [in]
++ SHA256_HASH* Digest // [in]
++ );
+diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
+index 49408a0ba8d8..67befadd23c5 100644
+--- a/libselinux/utils/selabel_digest.c
++++ b/libselinux/utils/selabel_digest.c
+@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ "Where:\n\t"
+ "-b The backend - \"file\", \"media\", \"x\", \"db\" or "
+ "\"prop\"\n\t"
+- "-v Run \"cat <specfile_list> | openssl dgst -sha1 -hex\"\n\t"
+- " on the list of specfiles to compare the SHA1 digests.\n\t"
++ "-v Run \"cat <specfile_list> | openssl dgst -sha256 -hex\"\n\t"
++ " on the list of specfiles to compare the SHA256 digests.\n\t"
+ "-B Use base specfiles only (valid for \"-b file\" only).\n\t"
+ "-i Do not request a digest.\n\t"
+ "-f Optional file containing the specs (defaults to\n\t"
+@@ -62,12 +62,12 @@ int main(int argc, char **argv)
+ int backend = 0, rc, opt, validate = 0;
+ char *baseonly = NULL, *file = NULL, *digest = (char *)1;
+ char **specfiles = NULL;
+- unsigned char *sha1_digest = NULL;
++ unsigned char *sha256_digest = NULL;
+ size_t i, num_specfiles;
+
+ char cmd_buf[4096];
+ char *cmd_ptr;
+- char *sha1_buf;
++ char *sha256_buf;
+
+ struct selabel_handle *hnd;
+ struct selinux_opt selabel_option[] = {
+@@ -137,7 +137,7 @@ int main(int argc, char **argv)
+ return -1;
+ }
+
+- rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles,
++ rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles,
+ &num_specfiles);
+
+ if (rc) {
+@@ -152,19 +152,19 @@ int main(int argc, char **argv)
+ goto err;
+ }
+
+- sha1_buf = malloc(digest_len * 2 + 1);
+- if (!sha1_buf) {
++ sha256_buf = malloc(digest_len * 2 + 1);
++ if (!sha256_buf) {
+ fprintf(stderr, "Could not malloc buffer ERROR: %s\n",
+ strerror(errno));
+ rc = -1;
+ goto err;
+ }
+
+- printf("SHA1 digest: ");
++ printf("SHA256 digest: ");
+ for (i = 0; i < digest_len; i++)
+- sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]);
++ sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]);
+
+- printf("%s\n", sha1_buf);
++ printf("%s\n", sha256_buf);
+ printf("calculated using the following specfile(s):\n");
+
+ if (specfiles) {
+@@ -177,13 +177,13 @@ int main(int argc, char **argv)
+ cmd_ptr += strlen(specfiles[i]) + 1;
+ printf("%s\n", specfiles[i]);
+ }
+- sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
++ sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex");
+
+ if (validate)
+- rc = run_check_digest(cmd_buf, sha1_buf);
++ rc = run_check_digest(cmd_buf, sha256_buf);
+ }
+
+- free(sha1_buf);
++ free(sha256_buf);
+ err:
+ selabel_close(hnd);
+ return rc;
+diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
+index e28833d2ce97..900f018c0091 100644
+--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
++++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
+@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ "-v Validate file_contxts entries against loaded policy.\n\t"
+ "-r Recursively descend directories.\n\t"
+ "-f Optional file_contexts file (defaults to current policy).\n\t"
+- "path Path to check current SHA1 digest against file_contexts entries.\n\n"
+- "This will check the directory selinux.sehash SHA1 digest for "
++ "path Path to check current SHA256 digest against file_contexts entries.\n\n"
++ "This will check the directory selinux.sehash SHA256 digest for "
+ "<path> against\na newly generated digest based on the "
+ "file_context entries for that node\n(using the regx, mode "
+ "and path entries).\n", progname);
+@@ -37,7 +37,7 @@ int main(int argc, char **argv)
+ char *paths[2] = { NULL, NULL };
+ uint8_t *xattr_digest = NULL;
+ uint8_t *calculated_digest = NULL;
+- char *sha1_buf = NULL;
++ char *sha256_buf = NULL;
+
+ struct selabel_handle *hnd;
+ struct selinux_opt selabel_option[] = {
+@@ -105,27 +105,27 @@ int main(int argc, char **argv)
+ &xattr_digest,
+ &digest_len);
+
+- sha1_buf = calloc(1, digest_len * 2 + 1);
+- if (!sha1_buf) {
++ sha256_buf = calloc(1, digest_len * 2 + 1);
++ if (!sha256_buf) {
+ fprintf(stderr, "Could not calloc buffer ERROR: %s\n",
+ strerror(errno));
+ return -1;
+ }
+
+ if (status) { /* They match */
+- printf("xattr and file_contexts SHA1 digests match for: %s\n",
++ printf("xattr and file_contexts SHA256 digests match for: %s\n",
+ ftsent->fts_path);
+
+ if (calculated_digest) {
+ for (i = 0; i < digest_len; i++)
+- sprintf((&sha1_buf[i * 2]),
++ sprintf((&sha256_buf[i * 2]),
+ "%02x",
+ calculated_digest[i]);
+- printf("SHA1 digest: %s\n", sha1_buf);
++ printf("SHA256 digest: %s\n", sha256_buf);
+ }
+ } else {
+ if (!calculated_digest) {
+- printf("No SHA1 digest available for: %s\n",
++ printf("No SHA256 digest available for: %s\n",
+ ftsent->fts_path);
+ printf("as file_context entry is \"<<none>>\"\n");
+ goto cleanup;
+@@ -135,25 +135,25 @@ int main(int argc, char **argv)
+ ftsent->fts_path);
+
+ for (i = 0; i < digest_len; i++)
+- sprintf((&sha1_buf[i * 2]), "%02x",
++ sprintf((&sha256_buf[i * 2]), "%02x",
+ calculated_digest[i]);
+- printf("generated SHA1 digest: %s\n", sha1_buf);
++ printf("generated SHA256 digest: %s\n", sha256_buf);
+
+ if (!xattr_digest) {
+ printf("however there is no selinux.sehash xattr entry.\n");
+ } else {
+ printf("however it does NOT match the current entry of:\n");
+ for (i = 0; i < digest_len; i++)
+- sprintf((&sha1_buf[i * 2]),
++ sprintf((&sha256_buf[i * 2]),
+ "%02x",
+ xattr_digest[i]);
+- printf("%s\n", sha1_buf);
++ printf("%s\n", sha256_buf);
+ }
+ }
+ cleanup:
+ free(xattr_digest);
+ free(calculated_digest);
+- free(sha1_buf);
++ free(sha256_buf);
+ break;
+ }
+ default:
+--
+2.32.0
+
diff --git a/SOURCES/0001-libselinux-do-not-duplicate-make-target-when-going-i.patch b/SOURCES/0001-libselinux-do-not-duplicate-make-target-when-going-i.patch
deleted file mode 100644
index 3d123e5..0000000
--- a/SOURCES/0001-libselinux-do-not-duplicate-make-target-when-going-i.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From f63263c2d002fc8a4e681ea1a1b1db1e455acc49 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Thu, 22 Apr 2021 08:43:56 +0200
-Subject: [PATCH] libselinux: do not duplicate make target when going into
- subdirectory
-
-When running "make install-pywrap", make displays:
-
- make[1]: Entering directory '/root/selinux/libselinux'
- make -C src install-pywrap install-pywrap
- make[2]: Entering directory '/root/selinux/libselinux/src'
-
-The duplicated "install-pywrap" is not expected. Remove it from the
-Makefile.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- libselinux/Makefile | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/libselinux/Makefile b/libselinux/Makefile
-index ac16c15e8d0a..439bc6a9b7fd 100644
---- a/libselinux/Makefile
-+++ b/libselinux/Makefile
-@@ -50,24 +50,24 @@ all install relabel clean distclean indent:
- done
-
- swigify: all
-- $(MAKE) -C src swigify $@
-+ $(MAKE) -C src $@
-
- pywrap:
-- $(MAKE) -C src pywrap $@
-+ $(MAKE) -C src $@
-
- rubywrap:
-- $(MAKE) -C src rubywrap $@
-+ $(MAKE) -C src $@
-
- install-pywrap:
-- $(MAKE) -C src install-pywrap $@
-+ $(MAKE) -C src $@
-
- install-rubywrap:
-- $(MAKE) -C src install-rubywrap $@
-+ $(MAKE) -C src $@
-
- clean-pywrap:
-- $(MAKE) -C src clean-pywrap $@
-+ $(MAKE) -C src $@
-
- clean-rubywrap:
-- $(MAKE) -C src clean-rubywrap $@
-+ $(MAKE) -C src $@
-
- test:
---
-2.32.0
-
diff --git a/SOURCES/0002-libselinux-selinux_check_passwd_access_internal-resp.patch b/SOURCES/0002-libselinux-selinux_check_passwd_access_internal-resp.patch
deleted file mode 100644
index 9eb5b1b..0000000
--- a/SOURCES/0002-libselinux-selinux_check_passwd_access_internal-resp.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From a88d24522fe74100478122c298aa4ace1af876fd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 10 May 2021 12:12:38 +0200
-Subject: [PATCH] libselinux: selinux_check_passwd_access_internal(): respect
- deny_unknown
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-`selinux_check_passwd_access_internal()`, and thereby
-`checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not
-respect the policy defined setting of `deny_unknown`, like
-`selinux_check_access(3)` does.
-This means in case the security class `passwd` is not defined, success
-is returned instead of failure, i.e. permission denied.
-
-Most policies should define the `passwd` class and the two affected
-public functions are marked deprecated.
-
-Align the behavior with `selinux_check_access(3)` and respect
-the deny_unknown setting in case the security class is not defined.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/checkAccess.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
-index b337ea64f977..022cd6b5ecab 100644
---- a/libselinux/src/checkAccess.c
-+++ b/libselinux/src/checkAccess.c
-@@ -78,7 +78,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested)
- passwd_class = string_to_security_class("passwd");
- if (passwd_class == 0) {
- freecon(user_context);
-- return 0;
-+ if (security_deny_unknown() == 0)
-+ return 0;
-+ return -1;
- }
-
- retval = security_compute_av_raw(user_context,
---
-2.32.0
-
diff --git a/SOURCES/0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch b/SOURCES/0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch
deleted file mode 100644
index 4fc315c..0000000
--- a/SOURCES/0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f1bc162cc272e01631e8f6d890fae71e1cb96e03 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Fri, 30 Apr 2021 21:37:02 +0200
-Subject: [PATCH] libselinux: silence -Wstringop-overflow warning from gcc
- 10.3.1
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When building libselinux on Fedora 33 with gcc 10.3.1, the compiler
-reports:
-
- label_file.c: In function ‘lookup_all.isra’:
- label_file.c:940:4: error: ‘strncpy’ specified bound depends on the
- length of the source argument [-Werror=stringop-overflow=]
- 940 | strncpy(clean_key, key, len - 1);
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- label_file.c:927:8: note: length computed here
- 927 | len = strlen(key);
- | ^~~~~~~~~~~
- cc1: all warnings being treated as errors
-
-As clean_key is the result of malloc(len), there is no issue here. But
-using strncpy can be considered as strange, because the size of the
-string is already known and the NUL terminator is always added later, in
-function ‘lookup_all.isra.
-
-Replace strncpy with memcpy to silence this gcc false-positive warning.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- libselinux/src/label_file.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 726394ca4332..cfce23e0119e 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -909,7 +909,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
- if (!clean_key)
- goto finish;
-
-- strncpy(clean_key, key, len - 1);
-+ memcpy(clean_key, key, len - 1);
- }
-
- clean_key[len - 1] = '\0';
---
-2.32.0
-
diff --git a/SOURCES/0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch b/SOURCES/0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch
deleted file mode 100644
index 4041dc4..0000000
--- a/SOURCES/0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From ae34b3ca3c605f8648b10722330ef3fbc872f3d6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:35 +0200
-Subject: [PATCH] libselinux: sidtab_hash(): do not discard const qualifier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not discard the const qualifier of the function argument, and drop
-the redundant local variable `keyp`.
-
-avc_sidtab.c: In function ‘sidtab_hash’:
-avc_sidtab.c:23:9: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
- 23 | keyp = (char *)key;
- | ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/avc_sidtab.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
-index 9669264d651a..8dc875608762 100644
---- a/libselinux/src/avc_sidtab.c
-+++ b/libselinux/src/avc_sidtab.c
-@@ -15,14 +15,13 @@
-
- static inline unsigned sidtab_hash(const char * key)
- {
-- char *p, *keyp;
-+ const char *p;
- unsigned int size;
- unsigned int val;
-
- val = 0;
-- keyp = (char *)key;
-- size = strlen(keyp);
-- for (p = keyp; (unsigned int)(p - keyp) < size; p++)
-+ size = strlen(key);
-+ for (p = key; (unsigned int)(p - key) < size; p++)
- val =
- (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
- return val & (SIDTAB_SIZE - 1);
---
-2.32.0
-
diff --git a/SOURCES/0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch b/SOURCES/0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch
deleted file mode 100644
index c370725..0000000
--- a/SOURCES/0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From d23421c65a4e53bef900d9e015833015fa123765 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:40 +0200
-Subject: [PATCH] libselinux: selinux_file_context_cmp(): do not discard const
- qualifier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-matchpathcon.c: In function ‘selinux_file_context_cmp’:
-matchpathcon.c:487:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
- 487 | rest_a = strchr((char *)a, ':');
- | ^
-matchpathcon.c:488:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
- 488 | rest_b = strchr((char *)b, ':');
- | ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/matchpathcon.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index 2ec66650cae0..9e1fab593266 100644
---- a/libselinux/src/matchpathcon.c
-+++ b/libselinux/src/matchpathcon.c
-@@ -477,15 +477,15 @@ void matchpathcon_checkmatches(char *str __attribute__((unused)))
- int selinux_file_context_cmp(const char * a,
- const char * b)
- {
-- char *rest_a, *rest_b; /* Rest of the context after the user */
-+ const char *rest_a, *rest_b; /* Rest of the context after the user */
- if (!a && !b)
- return 0;
- if (!a)
- return -1;
- if (!b)
- return 1;
-- rest_a = strchr((char *)a, ':');
-- rest_b = strchr((char *)b, ':');
-+ rest_a = strchr(a, ':');
-+ rest_b = strchr(b, ':');
- if (!rest_a && !rest_b)
- return 0;
- if (!rest_a)
---
-2.32.0
-
diff --git a/SOURCES/0006-libselinux-label_common-do-not-discard-const-qualifi.patch b/SOURCES/0006-libselinux-label_common-do-not-discard-const-qualifi.patch
deleted file mode 100644
index 0dca8cd..0000000
--- a/SOURCES/0006-libselinux-label_common-do-not-discard-const-qualifi.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 3950b1afedd1a5247dcb0eb4acffc3fe045a9fb3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:42 +0200
-Subject: [PATCH] libselinux: label_common(): do not discard const qualifier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As the const qualifier is discarded in label_common(), do not return a
-const qualified pointer pointer from the local function `lookup_all()`.
-
-label_file.c: In function ‘lookup_common’:
-label_file.c:994:24: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
- 994 | struct spec *result = (struct spec*)matches[0];
- | ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_file.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index cfce23e0119e..b080fcf1305b 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -845,7 +845,7 @@ static void closef(struct selabel_handle *rec)
- // Finds all the matches of |key| in the given context. Returns the result in
- // the allocated array and updates the match count. If match_count is NULL,
- // stops early once the 1st match is found.
--static const struct spec **lookup_all(struct selabel_handle *rec,
-+static struct spec **lookup_all(struct selabel_handle *rec,
- const char *key,
- int type,
- bool partial,
-@@ -861,7 +861,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
- unsigned int sofar = 0;
- char *sub = NULL;
-
-- const struct spec **result = NULL;
-+ struct spec **result = NULL;
- if (match_count) {
- *match_count = 0;
- result = calloc(data->nspec, sizeof(struct spec*));
-@@ -987,11 +987,11 @@ static struct spec *lookup_common(struct selabel_handle *rec,
- const char *key,
- int type,
- bool partial) {
-- const struct spec **matches = lookup_all(rec, key, type, partial, NULL);
-+ struct spec **matches = lookup_all(rec, key, type, partial, NULL);
- if (!matches) {
- return NULL;
- }
-- struct spec *result = (struct spec*)matches[0];
-+ struct spec *result = matches[0];
- free(matches);
- return result;
- }
-@@ -1054,7 +1054,7 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
- assert(digest);
-
- size_t total_matches;
-- const struct spec **matches = lookup_all(rec, key, 0, true, &total_matches);
-+ struct spec **matches = lookup_all(rec, key, 0, true, &total_matches);
- if (!matches) {
- return false;
- }
---
-2.32.0
-
diff --git a/SOURCES/0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch b/SOURCES/0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch
deleted file mode 100644
index a60225c..0000000
--- a/SOURCES/0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 7ca82e0db464052c1ed51e77b2d61ede82dfe3ee Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:44 +0200
-Subject: [PATCH] libselinux: Sha1Finalise(): do not discard const qualifier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Mark the argument `Buffer` of `Sha1Update()` const, since it is not
-modified.
-
-sha1.c: In function ‘Sha1Finalise’:
-sha1.c:208:25: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
- 208 | Sha1Update(Context, (uint8_t*)"\x80", 1);
- | ^
-sha1.c:211:29: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
- 211 | Sha1Update(Context, (uint8_t*)"\0", 1);
- | ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/sha1.c | 10 +++++-----
- libselinux/src/sha1.h | 2 +-
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
-index 9a8ce01dceda..664bbcf26eef 100644
---- a/libselinux/src/sha1.c
-+++ b/libselinux/src/sha1.c
-@@ -151,7 +151,7 @@ void
- Sha1Update
- (
- Sha1Context* Context,
-- void* Buffer,
-+ const void* Buffer,
- uint32_t BufferSize
- )
- {
-@@ -172,7 +172,7 @@ void
- TransformFunction(Context->State, Context->Buffer);
- for (; i + 63 < BufferSize; i += 64)
- {
-- TransformFunction(Context->State, (uint8_t*)Buffer + i);
-+ TransformFunction(Context->State, (const uint8_t*)Buffer + i);
- }
- j = 0;
- }
-@@ -181,7 +181,7 @@ void
- i = 0;
- }
-
-- memcpy(&Context->Buffer[j], &((uint8_t*)Buffer)[i], BufferSize - i);
-+ memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
- }
-
- ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-@@ -205,10 +205,10 @@ void
- finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
- >> ((3-(i & 3)) * 8) ) & 255); // Endian independent
- }
-- Sha1Update(Context, (uint8_t*)"\x80", 1);
-+ Sha1Update(Context, (const uint8_t*)"\x80", 1);
- while ((Context->Count[0] & 504) != 448)
- {
-- Sha1Update(Context, (uint8_t*)"\0", 1);
-+ Sha1Update(Context, (const uint8_t*)"\0", 1);
- }
-
- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction()
-diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
-index eac3c195351a..f83a6e7ed7ba 100644
---- a/libselinux/src/sha1.h
-+++ b/libselinux/src/sha1.h
-@@ -64,7 +64,7 @@ void
- Sha1Update
- (
- Sha1Context* Context,
-- void* Buffer,
-+ const void* Buffer,
- uint32_t BufferSize
- );
-
---
-2.32.0
-
diff --git a/SOURCES/0008-libselinux-sefcontext_compile-mark-local-variable-st.patch b/SOURCES/0008-libselinux-sefcontext_compile-mark-local-variable-st.patch
deleted file mode 100644
index 39366bd..0000000
--- a/SOURCES/0008-libselinux-sefcontext_compile-mark-local-variable-st.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 11194b982bb32c05548c38e4c81b1f166083f7e9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:46 +0200
-Subject: [PATCH] libselinux: sefcontext_compile: mark local variable static
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `policy_file` is only used in sefcontext_compile.c.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/utils/sefcontext_compile.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
-index dcb0085ad67e..6c32172d9944 100644
---- a/libselinux/utils/sefcontext_compile.c
-+++ b/libselinux/utils/sefcontext_compile.c
-@@ -14,7 +14,7 @@
- #include "../src/label_file.h"
- #include "../src/regex.h"
-
--const char *policy_file;
-+static const char *policy_file;
- static int ctx_err;
-
- static int validate_context(char **ctxp)
---
-2.32.0
-
diff --git a/SOURCES/0009-libselinux-avcstat-use-standard-length-modifier-for-.patch b/SOURCES/0009-libselinux-avcstat-use-standard-length-modifier-for-.patch
deleted file mode 100644
index 39a1ea4..0000000
--- a/SOURCES/0009-libselinux-avcstat-use-standard-length-modifier-for-.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 533e9d6ce07c8909c9c020cd6920a2384f7eee22 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:48 +0200
-Subject: [PATCH] libselinux: avcstat: use standard length modifier for
- unsigned long long
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The format width specifier `L` is only standardized for floating point
-types. Use `ll` for fixed-width data types.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/utils/avcstat.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libselinux/utils/avcstat.c b/libselinux/utils/avcstat.c
-index da2392870c51..cc9a48dd4c3a 100644
---- a/libselinux/utils/avcstat.c
-+++ b/libselinux/utils/avcstat.c
-@@ -205,7 +205,7 @@ int main(int argc, char **argv)
- die("unable to parse \'%s\': no data", avcstatfile);
-
- if (cumulative || !i)
-- printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n",
-+ printf("%10llu %10llu %10llu %10llu %10llu %10llu\n",
- tot.lookups, tot.hits, tot.misses,
- tot.allocations, tot.reclaims, tot.frees);
- else {
-@@ -215,7 +215,7 @@ int main(int argc, char **argv)
- rel.allocations = tot.allocations - last.allocations;
- rel.reclaims = tot.reclaims - last.reclaims;
- rel.frees = tot.frees - last.frees;
-- printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n",
-+ printf("%10llu %10llu %10llu %10llu %10llu %10llu\n",
- rel.lookups, rel.hits, rel.misses,
- rel.allocations, rel.reclaims, rel.frees);
- }
---
-2.32.0
-
diff --git a/SOURCES/0010-libselinux-selinux_restorecon-mark-local-variable-st.patch b/SOURCES/0010-libselinux-selinux_restorecon-mark-local-variable-st.patch
deleted file mode 100644
index 28b1188..0000000
--- a/SOURCES/0010-libselinux-selinux_restorecon-mark-local-variable-st.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 7464272caa1a69e3fc7971d1d80b6afd4785abef Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:51 +0200
-Subject: [PATCH] libselinux: selinux_restorecon: mark local variable static
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `dir_xattr_list` is only used inside `selinux_restorecon.c`.
-
-selinux_restorecon.c:65:19: warning: no previous extern declaration for non-static variable 'dir_xattr_list' [-Wmissing-variable-declarations]
-struct dir_xattr *dir_xattr_list;
- ^
-selinux_restorecon.c:65:1: note: declare 'static' if the variable is not intended to be used outside of this translation unit
-struct dir_xattr *dir_xattr_list;
-^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/selinux_restorecon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 63fb8dc53c28..249c361fa988 100644
---- a/libselinux/src/selinux_restorecon.c
-+++ b/libselinux/src/selinux_restorecon.c
-@@ -62,7 +62,7 @@ static uint64_t fc_count = 0; /* Number of files processed so far */
- static uint64_t efile_count; /* Estimated total number of files */
-
- /* Store information on directories with xattr's. */
--struct dir_xattr *dir_xattr_list;
-+static struct dir_xattr *dir_xattr_list;
- static struct dir_xattr *dir_xattr_last;
-
- /* restorecon_flags for passing to restorecon_sb() */
---
-2.32.0
-
diff --git a/SOURCES/0011-libselinux-selabel_get_digests_all_partial_matches-f.patch b/SOURCES/0011-libselinux-selabel_get_digests_all_partial_matches-f.patch
deleted file mode 100644
index 5187561..0000000
--- a/SOURCES/0011-libselinux-selabel_get_digests_all_partial_matches-f.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From d0c02882b7fdcf5e6478f9a82ac2946174f4bca4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:53 +0200
-Subject: [PATCH] libselinux: selabel_get_digests_all_partial_matches: free
- memory after FTS_D block
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Free all memory from `selabel_get_digests_all_partial_matches()` in case
-of success and failure.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- .../utils/selabel_get_digests_all_partial_matches.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-index 0c2edc67771d..e28833d2ce97 100644
---- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
-+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-@@ -128,7 +128,7 @@ int main(int argc, char **argv)
- printf("No SHA1 digest available for: %s\n",
- ftsent->fts_path);
- printf("as file_context entry is \"<<none>>\"\n");
-- break;
-+ goto cleanup;
- }
-
- printf("The file_context entries for: %s\n",
-@@ -149,11 +149,11 @@ int main(int argc, char **argv)
- xattr_digest[i]);
- printf("%s\n", sha1_buf);
- }
--
-- free(xattr_digest);
-- free(calculated_digest);
-- free(sha1_buf);
- }
-+ cleanup:
-+ free(xattr_digest);
-+ free(calculated_digest);
-+ free(sha1_buf);
- break;
- }
- default:
---
-2.32.0
-
diff --git a/SOURCES/0012-libselinux-getconlist-free-memory-on-multiple-level-.patch b/SOURCES/0012-libselinux-getconlist-free-memory-on-multiple-level-.patch
deleted file mode 100644
index 4a6f921..0000000
--- a/SOURCES/0012-libselinux-getconlist-free-memory-on-multiple-level-.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d0e16077d4ded64bbc878d29e0dc22b1f5e0912f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:55 +0200
-Subject: [PATCH] libselinux: getconlist: free memory on multiple level
- arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not leak memory if the program argument `l` got passed more than
-once.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/utils/getconlist.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c
-index 76654b75151a..0bb2846937ca 100644
---- a/libselinux/utils/getconlist.c
-+++ b/libselinux/utils/getconlist.c
-@@ -26,6 +26,7 @@ int main(int argc, char **argv)
- while ((opt = getopt(argc, argv, "l:")) > 0) {
- switch (opt) {
- case 'l':
-+ free(level);
- level = strdup(optarg);
- if (!level) {
- fprintf(stderr, "memory allocation failure: %d(%s)\n",
---
-2.32.0
-
diff --git a/SOURCES/0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch b/SOURCES/0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch
deleted file mode 100644
index a78e2ec..0000000
--- a/SOURCES/0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 319429ba3358c32a566f2c59898d01f2f36fdc95 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:57 +0200
-Subject: [PATCH] libselinux: exclude_non_seclabel_mounts(): drop unused
- variable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `num` is never read from.
-
-Found by clang-analyer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/selinux_restorecon.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 249c361fa988..6fb9e1ff486d 100644
---- a/libselinux/src/selinux_restorecon.c
-+++ b/libselinux/src/selinux_restorecon.c
-@@ -230,7 +230,6 @@ static int exclude_non_seclabel_mounts(void)
- struct utsname uts;
- FILE *fp;
- size_t len;
-- ssize_t num;
- int index = 0, found = 0, nfile = 0;
- char *mount_info[4];
- char *buf = NULL, *item;
-@@ -245,7 +244,7 @@ static int exclude_non_seclabel_mounts(void)
- if (!fp)
- return 0;
-
-- while ((num = getline(&buf, &len, fp)) != -1) {
-+ while (getline(&buf, &len, fp) != -1) {
- found = 0;
- index = 0;
- item = strtok(buf, " ");
---
-2.32.0
-
diff --git a/SOURCES/0014-libselinux-context_new-drop-dead-assignment.patch b/SOURCES/0014-libselinux-context_new-drop-dead-assignment.patch
deleted file mode 100644
index e1df68b..0000000
--- a/SOURCES/0014-libselinux-context_new-drop-dead-assignment.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 782fa6ea38f323c60fc437577af515ce44627452 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:59 +0200
-Subject: [PATCH] libselinux: context_new(): drop dead assignment
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `i` is not used inside this loop, and it later
-unconditionally set to 0.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/context.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/context.c b/libselinux/src/context.c
-index ce4258806c53..b2144c7cf76c 100644
---- a/libselinux/src/context.c
-+++ b/libselinux/src/context.c
-@@ -37,7 +37,7 @@ context_t context_new(const char *str)
- }
- n->current_str = n->component[0] = n->component[1] = n->component[2] =
- n->component[3] = 0;
-- for (i = count = 0, p = str; *p; p++) {
-+ for (count = 0, p = str; *p; p++) {
- switch (*p) {
- case ':':
- count++;
---
-2.32.0
-
diff --git a/SOURCES/0015-libselinux-label_x-init-drop-dead-assignment.patch b/SOURCES/0015-libselinux-label_x-init-drop-dead-assignment.patch
deleted file mode 100644
index 0f9fadd..0000000
--- a/SOURCES/0015-libselinux-label_x-init-drop-dead-assignment.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 9c26043af6e4947e0e3e7fb789452da0c66e11c9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:01 +0200
-Subject: [PATCH] libselinux: label_x::init(): drop dead assignment
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `lineno` is only used in the preceding loop and is always
-set prior that to 0.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_x.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/libselinux/src/label_x.c b/libselinux/src/label_x.c
-index 9674529931a7..e9fa063fafff 100644
---- a/libselinux/src/label_x.c
-+++ b/libselinux/src/label_x.c
-@@ -146,7 +146,6 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
- if (process_line(path, line_buf, pass, ++lineno, rec))
- goto finish;
- }
-- lineno = 0;
-
- if (pass == 0) {
- if (data->nspec == 0) {
---
-2.32.0
-
diff --git a/SOURCES/0016-libselinux-label_media-init-drop-dead-assignment.patch b/SOURCES/0016-libselinux-label_media-init-drop-dead-assignment.patch
deleted file mode 100644
index 3fd23ed..0000000
--- a/SOURCES/0016-libselinux-label_media-init-drop-dead-assignment.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 04335ab146d18f5865bed3516d5cbc9057a3df89 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:03 +0200
-Subject: [PATCH] libselinux: label_media::init(): drop dead assignment
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `lineno` is only used in the preceding loop and it always
-set prior that to 0.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_media.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/libselinux/src/label_media.c b/libselinux/src/label_media.c
-index d202e5d5ab83..eb27deaf510e 100644
---- a/libselinux/src/label_media.c
-+++ b/libselinux/src/label_media.c
-@@ -119,7 +119,6 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
- if (process_line(path, line_buf, pass, ++lineno, rec))
- goto finish;
- }
-- lineno = 0;
-
- if (pass == 0) {
- if (data->nspec == 0) {
---
-2.32.0
-
diff --git a/SOURCES/0017-libselinux-setexecfilecon-drop-dead-assignment.patch b/SOURCES/0017-libselinux-setexecfilecon-drop-dead-assignment.patch
deleted file mode 100644
index ff787d6..0000000
--- a/SOURCES/0017-libselinux-setexecfilecon-drop-dead-assignment.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 411c5a54587b1459528fb8e6b66d0bebf1a5fb39 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:05 +0200
-Subject: [PATCH] libselinux: setexecfilecon(): drop dead assignment
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `rc` is always unconditionally assigned by the next call of
-`setexeccon()` and never read in between.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/setexecfilecon.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/libselinux/src/setexecfilecon.c b/libselinux/src/setexecfilecon.c
-index e72ba0d98880..2c6505a96a48 100644
---- a/libselinux/src/setexecfilecon.c
-+++ b/libselinux/src/setexecfilecon.c
-@@ -37,7 +37,6 @@ int setexecfilecon(const char *filename, const char *fallback_type)
- newcon = strdup(context_str(con));
- if (!newcon)
- goto out;
-- rc = 0;
- }
-
- rc = setexeccon(newcon);
---
-2.32.0
-
diff --git a/SOURCES/0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch b/SOURCES/0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch
deleted file mode 100644
index eeecd9c..0000000
--- a/SOURCES/0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From db69a3d3622005d3ffd62498eac8da1ded264874 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:07 +0200
-Subject: [PATCH] libselinux: getdefaultcon: free memory on multiple same
- arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not leak memory if program arguments get specified more than once.
-
-Found by clang-anlyzer.
-
-getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'level' [unix.Malloc]
- fprintf(stderr,
- ^~~~~~~~~~~~~~~
-getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'role' [unix.Malloc]
- fprintf(stderr,
- ^~~~~~~~~~~~~~~
-getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'service' [unix.Malloc]
- fprintf(stderr,
- ^~~~~~~~~~~~~~~
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/utils/getdefaultcon.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/libselinux/utils/getdefaultcon.c b/libselinux/utils/getdefaultcon.c
-index 96a5a8c23656..957c1cb2e307 100644
---- a/libselinux/utils/getdefaultcon.c
-+++ b/libselinux/utils/getdefaultcon.c
-@@ -28,12 +28,15 @@ int main(int argc, char **argv)
- while ((opt = getopt(argc, argv, "l:r:s:v")) > 0) {
- switch (opt) {
- case 'l':
-+ free(level);
- level = strdup(optarg);
- break;
- case 'r':
-+ free(role);
- role = strdup(optarg);
- break;
- case 's':
-+ free(service);
- service = strdup(optarg);
- break;
- case 'v':
---
-2.32.0
-
diff --git a/SOURCES/0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch b/SOURCES/0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch
deleted file mode 100644
index e9e5446..0000000
--- a/SOURCES/0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 6e5d16a012e1845774da106846b87090d39ea8f3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:09 +0200
-Subject: [PATCH] libselinux: store_stem(): do not free possible non-heap
- object
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-GCC 11 complains:
-
-In file included from label_file.c:24:
-In function ‘store_stem’,
- inlined from ‘load_mmap’ at label_file.c:277:12,
- inlined from ‘process_file’ at label_file.c:551:5:
-label_file.h:289:25: error: ‘free’ called on pointer ‘*mmap_area.next_addr’ with nonzero offset 4 [-Werror=free-nonheap-object]
- 289 | free(buf);
- | ^~~~~~~~~
-
-Free the pointer on failure at the caller instead of inside `store_stem()`.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_file.h | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
-index baed3341b6b3..9f6337012216 100644
---- a/libselinux/src/label_file.h
-+++ b/libselinux/src/label_file.h
-@@ -286,7 +286,6 @@ static inline int store_stem(struct saved_data *data, char *buf, int stem_len)
- tmp_arr = realloc(data->stem_arr,
- sizeof(*tmp_arr) * alloc_stems);
- if (!tmp_arr) {
-- free(buf);
- return -1;
- }
- data->alloc_stems = alloc_stems;
-@@ -308,6 +307,7 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf)
- int stem_len = get_stem_from_spec(buf);
- int stemid;
- char *stem;
-+ int r;
-
- if (!stem_len)
- return -1;
-@@ -321,7 +321,11 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf)
- if (!stem)
- return -1;
-
-- return store_stem(data, stem, stem_len);
-+ r = store_stem(data, stem, stem_len);
-+ if (r < 0)
-+ free(stem);
-+
-+ return r;
- }
-
- /* This will always check for buffer over-runs and either read the next entry
---
-2.32.0
-
diff --git a/SOURCES/0020-libselinux-matchmediacon-close-file-on-error.patch b/SOURCES/0020-libselinux-matchmediacon-close-file-on-error.patch
deleted file mode 100644
index 22c4c0c..0000000
--- a/SOURCES/0020-libselinux-matchmediacon-close-file-on-error.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 0280a2a70c35c5c319f82f37a685424706b03ad4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:11 +0200
-Subject: [PATCH] libselinux: matchmediacon(): close file on error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by Infer.
-
-matchmediacon.c:25: error: Resource Leak
- resource of type `_IO_FILE` acquired to `return` by call to `fopen()` at line 21, column 16 is not released after line 25, column 4.
- 23. while (!feof_unlocked(infile)) {
- 24. if (!fgets_unlocked(current_line, sizeof(current_line), infile)) {
- 25. return -1;
- ^
- 26. }
- 27. if (current_line[strlen(current_line) - 1])
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/matchmediacon.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libselinux/src/matchmediacon.c b/libselinux/src/matchmediacon.c
-index 23d01af476d2..d3d9504348e1 100644
---- a/libselinux/src/matchmediacon.c
-+++ b/libselinux/src/matchmediacon.c
-@@ -22,6 +22,7 @@ int matchmediacon(const char *media, char ** con)
- return -1;
- while (!feof_unlocked(infile)) {
- if (!fgets_unlocked(current_line, sizeof(current_line), infile)) {
-+ fclose(infile);
- return -1;
- }
- if (current_line[strlen(current_line) - 1])
---
-2.32.0
-
diff --git a/SOURCES/0021-libselinux-init_selinux_config-free-resources-on-err.patch b/SOURCES/0021-libselinux-init_selinux_config-free-resources-on-err.patch
deleted file mode 100644
index 905d7fb..0000000
--- a/SOURCES/0021-libselinux-init_selinux_config-free-resources-on-err.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 9ab27e21800e8b5589eef0fa9242042567e9bc78 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:13 +0200
-Subject: [PATCH] libselinux: init_selinux_config(): free resources on error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by Infer.
-
-selinux_config.c:181: error: Resource Leak
- resource of type `_IO_FILE` acquired by call to `fopen()` at line 165, column 7 is not released after line 181, column 6.
- 179. type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
- 180. if (!type)
- 181. return;
- ^
- 182. end = type + strlen(type) - 1;
- 183. while ((end > type) &&
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/selinux_config.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
-index 6c5238953cb1..97f81a8b61ce 100644
---- a/libselinux/src/selinux_config.c
-+++ b/libselinux/src/selinux_config.c
-@@ -177,8 +177,11 @@ static void init_selinux_config(void)
- if (!strncasecmp(buf_p, SELINUXTYPETAG,
- sizeof(SELINUXTYPETAG) - 1)) {
- type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
-- if (!type)
-+ if (!type) {
-+ free(line_buf);
-+ fclose(fp);
- return;
-+ }
- end = type + strlen(type) - 1;
- while ((end > type) &&
- (isspace(*end) || iscntrl(*end))) {
-@@ -187,6 +190,8 @@ static void init_selinux_config(void)
- }
- if (setpolicytype(type) != 0) {
- free(type);
-+ free(line_buf);
-+ fclose(fp);
- return;
- }
- free(type);
---
-2.32.0
-
diff --git a/SOURCES/0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch b/SOURCES/0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch
deleted file mode 100644
index 7b4243c..0000000
--- a/SOURCES/0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From bc0a0327ca6e47400e161f6d1e70e08cb350a36f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:15 +0200
-Subject: [PATCH] libselinux: label_file::init(): do not pass NULL to strdup
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If any of the build flags `BUILD_HOST` or `ANDROID` is set and the
-caller did not pass an option of type `SELABEL_OPT_PATH`, the variable
-`path` might be not set.
-Add a check to avoid calling `strdup()` with a NULL pointer.
-
-Found by cppcheck.
-
-src/label_file.c:759:26: warning: Possible null pointer dereference: path [nullPointer]
- rec->spec_file = strdup(path);
- ^
-src/label_file.c:713:21: note: Assignment 'path=NULL', assigned value is 0
- const char *path = NULL;
- ^
-src/label_file.c:759:26: note: Null pointer dereference
- rec->spec_file = strdup(path);
- ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_file.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index b080fcf1305b..4268b52c84cc 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -756,6 +756,10 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
- }
-
- #endif
-+
-+ if (!path)
-+ goto finish;
-+
- rec->spec_file = strdup(path);
-
- /*
---
-2.32.0
-
diff --git a/SOURCES/0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch b/SOURCES/0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch
deleted file mode 100644
index 463fc49..0000000
--- a/SOURCES/0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 65f1ccbecc30d31e66126e470d404b757eb9898e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:17 +0200
-Subject: [PATCH] libselinux: matchpathcon: free memory on realloc failure
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In case `realloc()` fails and returns NULL, free the passed array,
-instead of just setting the size helper variables to 0.
-
-Also free the string contents in `free_array_elts()` of the array
-`con_array`, instead of just the array of pointers.
-
-Found by cppcheck.
-
-src/matchpathcon.c:86:4: error: Common realloc mistake: 'con_array' nulled but not freed upon failure [memleakOnRealloc]
- con_array = (char **)realloc(con_array, sizeof(char*) *
- ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/matchpathcon.c | 26 ++++++++++++++++----------
- 1 file changed, 16 insertions(+), 10 deletions(-)
-
-diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index 9e1fab593266..075a3fb3ffcb 100644
---- a/libselinux/src/matchpathcon.c
-+++ b/libselinux/src/matchpathcon.c
-@@ -78,17 +78,30 @@ static pthread_once_t once = PTHREAD_ONCE_INIT;
- static pthread_key_t destructor_key;
- static int destructor_key_initialized = 0;
-
-+static void free_array_elts(void)
-+{
-+ int i;
-+ for (i = 0; i < con_array_used; i++)
-+ free(con_array[i]);
-+ free(con_array);
-+
-+ con_array_size = con_array_used = 0;
-+ con_array = NULL;
-+}
-+
- static int add_array_elt(char *con)
- {
-+ char **tmp;
- if (con_array_size) {
- while (con_array_used >= con_array_size) {
- con_array_size *= 2;
-- con_array = (char **)realloc(con_array, sizeof(char*) *
-+ tmp = (char **)realloc(con_array, sizeof(char*) *
- con_array_size);
-- if (!con_array) {
-- con_array_size = con_array_used = 0;
-+ if (!tmp) {
-+ free_array_elts();
- return -1;
- }
-+ con_array = tmp;
- }
- } else {
- con_array_size = 1000;
-@@ -105,13 +118,6 @@ static int add_array_elt(char *con)
- return con_array_used++;
- }
-
--static void free_array_elts(void)
--{
-- con_array_size = con_array_used = 0;
-- free(con_array);
-- con_array = NULL;
--}
--
- void set_matchpathcon_invalidcon(int (*f) (const char *p, unsigned l, char *c))
- {
- myinvalidcon = f;
---
-2.32.0
-
diff --git a/SOURCES/0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch b/SOURCES/0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch
deleted file mode 100644
index 205b477..0000000
--- a/SOURCES/0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From e1999379dfc6d12abb9fa454ac01d4239baf361f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:19 +0200
-Subject: [PATCH] libselinux: label_db::db_init(): open file with CLOEXEC mode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Open the file stream with the `e` flag, so that the underlying file
-descriptor gets closed on an exec in a potential sibling thread.
-
-Also drop the flag `b`, since it is ignored on POSIX systems.
-
-Found by clang-tidy.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_db.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
-index fba96c92299f..94c05c6d4397 100644
---- a/libselinux/src/label_db.c
-+++ b/libselinux/src/label_db.c
-@@ -277,7 +277,7 @@ db_init(const struct selinux_opt *opts, unsigned nopts,
- if (!path)
- path = selinux_sepgsql_context_path();
-
-- if ((filp = fopen(path, "rb")) == NULL) {
-+ if ((filp = fopen(path, "re")) == NULL) {
- free(catalog);
- return NULL;
- }
---
-2.32.0
-
diff --git a/SOURCES/0025-libselinux-drop-redundant-casts-to-the-same-type.patch b/SOURCES/0025-libselinux-drop-redundant-casts-to-the-same-type.patch
deleted file mode 100644
index b680c7b..0000000
--- a/SOURCES/0025-libselinux-drop-redundant-casts-to-the-same-type.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 8827610e5045b9bce7d2fe24058548f938921ccf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:22 +0200
-Subject: [PATCH] libselinux: drop redundant casts to the same type
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by clang-tidy.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/audit2why.c | 2 +-
- libselinux/src/avc_sidtab.c | 2 +-
- libselinux/src/is_customizable_type.c | 2 +-
- libselinux/src/selinux_restorecon.c | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
-index d56b56eb2a1a..029f874f4702 100644
---- a/libselinux/src/audit2why.c
-+++ b/libselinux/src/audit2why.c
-@@ -275,7 +275,7 @@ static int __policy_init(const char *init_path)
- }
-
- sepol_bool_iterate(avc->handle, avc->policydb,
-- load_booleans, (void *)NULL);
-+ load_booleans, NULL);
-
- /* Initialize the sidtab for subsequent use by sepol_context_to_sid
- and sepol_compute_av_reason. */
-diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
-index 8dc875608762..8c81cf65d2ef 100644
---- a/libselinux/src/avc_sidtab.c
-+++ b/libselinux/src/avc_sidtab.c
-@@ -56,7 +56,7 @@ int sidtab_insert(struct sidtab *s, const char * ctx)
- rc = -1;
- goto out;
- }
-- newctx = (char *) strdup(ctx);
-+ newctx = strdup(ctx);
- if (!newctx) {
- rc = -1;
- avc_free(newnode);
-diff --git a/libselinux/src/is_customizable_type.c b/libselinux/src/is_customizable_type.c
-index 92876f4d9371..1b17860c3622 100644
---- a/libselinux/src/is_customizable_type.c
-+++ b/libselinux/src/is_customizable_type.c
-@@ -38,7 +38,7 @@ static int get_customizable_type_list(char *** retlist)
- while (fgets_unlocked(buf, selinux_page_size, fp)
- && i < ctr) {
- buf[strlen(buf) - 1] = 0;
-- list[i] = (char *) strdup(buf);
-+ list[i] = strdup(buf);
- if (!list[i]) {
- unsigned int j;
- for (j = 0; j < i; j++)
-diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 6fb9e1ff486d..999aa924ba32 100644
---- a/libselinux/src/selinux_restorecon.c
-+++ b/libselinux/src/selinux_restorecon.c
-@@ -1152,7 +1152,7 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
- unsigned char *fc_digest;
- size_t num_specfiles, fc_digest_len;
-
-- fc_sehandle = (struct selabel_handle *) hndl;
-+ fc_sehandle = hndl;
- if (!fc_sehandle)
- return;
-
---
-2.32.0
-
diff --git a/SOURCES/0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch b/SOURCES/0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch
deleted file mode 100644
index 9ba272e..0000000
--- a/SOURCES/0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From b1a4603c9208982e33291fe6dc5aa78148762530 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:24 +0200
-Subject: [PATCH] libselinux: sidtab_sid_stats(): unify parameter name
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by clang-tidy.
-
-libselinux/src/avc_sidtab.h:32:6: warning: function 'sidtab_sid_stats' has a definition with different parameter names [readability-inconsistent-declaration-parameter-name]
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
- ^
-libselinux/src/avc_sidtab.c:103:6: note: the definition seen here
-void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
- ^
-libselinux/src/avc_sidtab.h:32:6: note: differing parameters are named here: ('s'), in definition: ('h')
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
- ^ ~
- h
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/avc_sidtab.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
-index 8c81cf65d2ef..f179d8558a45 100644
---- a/libselinux/src/avc_sidtab.c
-+++ b/libselinux/src/avc_sidtab.c
-@@ -100,7 +100,7 @@ sidtab_context_to_sid(struct sidtab *s,
- return rc;
- }
-
--void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
-+void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen)
- {
- int i, chain_len, slots_used, max_chain_len;
- struct sidtab_node *cur;
-@@ -108,7 +108,7 @@ void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
- slots_used = 0;
- max_chain_len = 0;
- for (i = 0; i < SIDTAB_SIZE; i++) {
-- cur = h->htable[i];
-+ cur = s->htable[i];
- if (cur) {
- slots_used++;
- chain_len = 0;
-@@ -124,7 +124,7 @@ void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
-
- snprintf(buf, buflen,
- "%s: %u SID entries and %d/%d buckets used, longest "
-- "chain length %d\n", avc_prefix, h->nel, slots_used,
-+ "chain length %d\n", avc_prefix, s->nel, slots_used,
- SIDTAB_SIZE, max_chain_len);
- }
-
---
-2.32.0
-
diff --git a/SOURCES/0027-libselinux-regex-unify-parameter-names.patch b/SOURCES/0027-libselinux-regex-unify-parameter-names.patch
deleted file mode 100644
index 5781ab6..0000000
--- a/SOURCES/0027-libselinux-regex-unify-parameter-names.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e057080fcc148b3b1fc613c100340c325bde6c7e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:26 +0200
-Subject: [PATCH] libselinux: regex: unify parameter names
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use the same parameter names as in the header `regex.h`.
-
-Found by clang-tidy.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/regex.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c
-index 770bc3ea1310..73987d9f1063 100644
---- a/libselinux/src/regex.c
-+++ b/libselinux/src/regex.c
-@@ -319,7 +319,7 @@ char const *regex_version(void)
- }
-
- int regex_load_mmap(struct mmap_area *mmap_area, struct regex_data **regex,
-- int unused __attribute__((unused)), bool *regex_compiled)
-+ int do_load_precompregex __attribute__((unused)), bool *regex_compiled)
- {
- int rc;
- uint32_t entry_len;
-@@ -387,7 +387,7 @@ static inline pcre_extra *get_pcre_extra(struct regex_data *regex)
- }
-
- int regex_writef(struct regex_data *regex, FILE *fp,
-- int unused __attribute__((unused)))
-+ int do_write_precompregex __attribute__((unused)))
- {
- int rc;
- size_t len;
---
-2.32.0
-
diff --git a/SOURCES/0028-libselinux-label_file.c-fix-indent.patch b/SOURCES/0028-libselinux-label_file.c-fix-indent.patch
deleted file mode 100644
index f072b85..0000000
--- a/SOURCES/0028-libselinux-label_file.c-fix-indent.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 2657e3ccbd01f09ea4c637c2d8cf23646507475a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:31 +0200
-Subject: [PATCH] libselinux: label_file.c: fix indent
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by clang-tidy.
-
-libselinux/src/label_file.c:374:4: warning: different indentation for 'if' and corresponding 'else' [readability-misleading-indentation]
- else
- ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_file.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 4268b52c84cc..56f499faef97 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -371,7 +371,7 @@ end_arch_check:
-
- if (stem_id < 0 || stem_id >= (int32_t)stem_map_len)
- spec->stem_id = -1;
-- else
-+ else
- spec->stem_id = stem_map[stem_id];
-
- /* retrieve the hasMetaChars bit */
---
-2.32.0
-
diff --git a/SOURCES/0029-libselinux-avc_destroy-3-closes-status-page.patch b/SOURCES/0029-libselinux-avc_destroy-3-closes-status-page.patch
deleted file mode 100644
index 1142019..0000000
--- a/SOURCES/0029-libselinux-avc_destroy-3-closes-status-page.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a2304cef5780d72ef0eb927b799337982c599ca9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 10 May 2021 12:56:46 +0200
-Subject: [PATCH] libselinux: avc_destroy(3) closes status page
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Mention in the manpage of avc_destroy(3) that it does close the SELinux
-status page, which might have been opened manually by the client
-application.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/man/man3/avc_open.3 | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3
-index 3090dd5077c7..55683bb6594b 100644
---- a/libselinux/man/man3/avc_open.3
-+++ b/libselinux/man/man3/avc_open.3
-@@ -26,6 +26,9 @@ initializes the userspace AVC and must be called before any other AVC operation
- destroys the userspace AVC, freeing all internal memory structures. After this call has been made,
- .BR avc_open ()
- must be called again before any AVC operations can be performed.
-+.BR avc_destroy ()
-+also closes the SELinux status page, which might have been opened manually by
-+.BR selinux_status_open (3).
-
- .BR avc_reset ()
- flushes the userspace AVC, causing it to forget any cached access decisions. The userspace AVC normally calls this function automatically when needed, see
---
-2.32.0
-
diff --git a/SOURCES/0030-libselinux-make-selinux_status_open-3-reentrant.patch b/SOURCES/0030-libselinux-make-selinux_status_open-3-reentrant.patch
deleted file mode 100644
index 953b991..0000000
--- a/SOURCES/0030-libselinux-make-selinux_status_open-3-reentrant.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From c5a699046f4a08a554d2da9121924fc80bf27cba Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 10 May 2021 12:56:47 +0200
-Subject: [PATCH] libselinux: make selinux_status_open(3) reentrant
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not mmap the status page again if `selinux_status_open(3)` has already
-been called with success.
-
-`selinux_status_open(3)` might be called unintentionally multiple times,
-e.g. once to manually be able to call `selinux_status_getenforce(3)` and
-once indirectly through `selinux_check_access(3)`
-(since libselinux 3.2).
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/sestatus.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
-index 12b015e088ea..531a522c0f48 100644
---- a/libselinux/src/sestatus.c
-+++ b/libselinux/src/sestatus.c
-@@ -282,6 +282,10 @@ int selinux_status_open(int fallback)
- long pagesize;
- uint32_t seqno;
-
-+ if (selinux_status != NULL) {
-+ return 0;
-+ }
-+
- if (!selinux_mnt) {
- errno = ENOENT;
- return -1;
---
-2.32.0
-
diff --git a/SOURCES/0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch b/SOURCES/0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch
deleted file mode 100644
index a952d93..0000000
--- a/SOURCES/0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 3cef4110bee88ac81dfb5e62c2a8b7902248abba Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 10 May 2021 12:56:48 +0200
-Subject: [PATCH] libselinux: do not use status page fallback mode internally
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently `avc_init_internal()`, called by `avc_open(3)` and
-`avc_init(3)`, does open the SELinux status page with fallback mode
-enabled.
-
-Quote from man:selinux_status_open(3):
- In this case, this function tries to open a netlink socket using
- .BR avc_netlink_open (3) and overwrite corresponding callbacks
- (setenforce and policyload). Thus, we need to pay attention to the
- interaction with these interfaces, when fallback mode is enabled.
-
-Calling `selinux_status_open` internally in fallback mode is bad, cause
-it overrides callbacks from client applications or the internal
-fallback-callbacks get overridden by client applications.
-Note that `avc_open(3)` gets called under the hood by
-`selinux_check_access(3)` without checking for failure.
-Also the status page is available since Linux 2.6.37, so failures of
-`selinux_status_open(3)` in non-fallback mode should only be caused by
-policies not allowing the client process to open/read/map
-the /sys/fs/selinux/status file.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/avc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
-index 8314d7ba3de6..daaedbc6a6fd 100644
---- a/libselinux/src/avc.c
-+++ b/libselinux/src/avc.c
-@@ -214,7 +214,7 @@ static int avc_init_internal(const char *prefix,
- avc_enforcing = rc;
- }
-
-- rc = selinux_status_open(1);
-+ rc = selinux_status_open(0);
- if (rc < 0) {
- avc_log(SELINUX_ERROR,
- "%s: could not open selinux status page: %d (%s)\n",
---
-2.32.0
-
diff --git a/SOURCES/0032-libselinux-selinux_status_open-return-1-in-fallback-.patch b/SOURCES/0032-libselinux-selinux_status_open-return-1-in-fallback-.patch
deleted file mode 100644
index 00ade44..0000000
--- a/SOURCES/0032-libselinux-selinux_status_open-return-1-in-fallback-.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From ed2e4db2f9941e01e65248ce5f0a9e49f3efd130 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Tue, 1 Jun 2021 17:05:23 +0200
-Subject: [PATCH] libselinux: selinux_status_open: return 1 in fallback mode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In case of a recurring call to `selinux_status_open(3)`, which
-previously has been opened in fallback mode, return `1` according to its
-documentation.
-
-Fixes: c5a699046f4 ("libselinux: make selinux_status_open(3) reentrant")
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- libselinux/src/sestatus.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
-index 531a522c0f48..89c1f6216702 100644
---- a/libselinux/src/sestatus.c
-+++ b/libselinux/src/sestatus.c
-@@ -283,7 +283,7 @@ int selinux_status_open(int fallback)
- uint32_t seqno;
-
- if (selinux_status != NULL) {
-- return 0;
-+ return (selinux_status == MAP_FAILED) ? 1 : 0;
- }
-
- if (!selinux_mnt) {
---
-2.32.0
-
diff --git a/SOURCES/0033-libselinux-improve-getcon-3-man-page.patch b/SOURCES/0033-libselinux-improve-getcon-3-man-page.patch
deleted file mode 100644
index c1b4851..0000000
--- a/SOURCES/0033-libselinux-improve-getcon-3-man-page.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From ea02e0acfaab93219359448a66edff365aef4ca5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Tue, 1 Jun 2021 17:35:09 +0200
-Subject: [PATCH] libselinux: improve getcon(3) man page
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Improve formatting of section DESCRIPTION by adding list points.
-Mention errno is set on failure.
-Mention the returned context might be NULL if SELinux is not enabled.
-Align setcon/_raw parameter by adding const.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- libselinux/man/man3/getcon.3 | 41 +++++++++++++++++++++++++-----------
- 1 file changed, 29 insertions(+), 12 deletions(-)
-
-diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3
-index 67872a4dede6..e7e394f305b7 100644
---- a/libselinux/man/man3/getcon.3
-+++ b/libselinux/man/man3/getcon.3
-@@ -7,7 +7,7 @@ freecon, freeconary \- free memory associated with SELinux security contexts
- getpeercon \- get security context of a peer socket
-
- setcon \- set current security context of a process
--.
-+
- .SH "SYNOPSIS"
- .B #include <selinux/selinux.h>
- .sp
-@@ -31,30 +31,39 @@ setcon \- set current security context of a process
- .sp
- .BI "void freeconary(char **" con );
- .sp
--.BI "int setcon(char *" context );
-+.BI "int setcon(const char *" context );
- .sp
--.BI "int setcon_raw(char *" context );
--.
-+.BI "int setcon_raw(const char *" context );
-+
- .SH "DESCRIPTION"
-+.TP
- .BR getcon ()
- retrieves the context of the current process, which must be free'd with
--freecon.
-+.BR freecon ().
-
-+.TP
- .BR getprevcon ()
- same as getcon but gets the context before the last exec.
-
-+.TP
- .BR getpidcon ()
--returns the process context for the specified PID.
-+returns the process context for the specified PID, which must be free'd with
-+.BR freecon ().
-
-+.TP
- .BR getpeercon ()
--retrieves context of peer socket, and set
--.BI * context
--to refer to it, which must be free'd with
-+retrieves the context of the peer socket, which must be free'd with
- .BR freecon ().
-
-+.TP
- .BR freecon ()
- frees the memory allocated for a security context.
-
-+If
-+.I con
-+is NULL, no operation is performed.
-+
-+.TP
- .BR freeconary ()
- frees the memory allocated for a context array.
-
-@@ -62,6 +71,7 @@ If
- .I con
- is NULL, no operation is performed.
-
-+.TP
- .BR setcon ()
- sets the current security context of the process to a new value. Note
- that use of this function requires that the entire application be
-@@ -110,6 +120,8 @@ context and the
- .BR setcon ()
- will fail if it is not allowed by policy.
-
-+.TP
-+.BR *_raw()
- .BR getcon_raw (),
- .BR getprevcon_raw (),
- .BR getpidcon_raw (),
-@@ -118,9 +130,14 @@ and
- .BR setcon_raw ()
- behave identically to their non-raw counterparts but do not perform context
- translation.
--.
-+
- .SH "RETURN VALUE"
--On error \-1 is returned. On success 0 is returned.
--.
-+On error \-1 is returned with errno set. On success 0 is returned.
-+
-+.SH "NOTES"
-+The retrieval functions might return success and set
-+.I *context
-+to NULL if and only if SELinux is not enabled.
-+
- .SH "SEE ALSO"
- .BR selinux "(8), " setexeccon "(3)"
---
-2.32.0
-
diff --git a/SOURCES/0034-libselinux-fix-typo.patch b/SOURCES/0034-libselinux-fix-typo.patch
deleted file mode 100644
index 3d9d604..0000000
--- a/SOURCES/0034-libselinux-fix-typo.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From fa4de3c9d85a310248bae516ed4535773885845b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Tue, 8 Jun 2021 17:36:44 +0200
-Subject: [PATCH] libselinux: fix typo
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- libselinux/src/regex.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/regex.h b/libselinux/src/regex.h
-index 10c3df7856e1..2dfa25342034 100644
---- a/libselinux/src/regex.h
-+++ b/libselinux/src/regex.h
-@@ -44,7 +44,7 @@ struct mmap_area;
- char const *regex_arch_string(void) ;
-
- /**
-- * regex_verison returns the version string of the underlying regular
-+ * regex_version returns the version string of the underlying regular
- * regular expressions library. In the case of PCRE it just returns the
- * result of pcre_version(). In the case of PCRE2, the very first time this
- * function is called it allocates a buffer large enough to hold the version
---
-2.32.0
-
diff --git a/SOURCES/0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch b/SOURCES/0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch
deleted file mode 100644
index fdaabab..0000000
--- a/SOURCES/0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 70b31e75fe157f4cfa5afc6589c0605868017028 Mon Sep 17 00:00:00 2001
-From: Topi Miettinen <toiwoton@gmail.com>
-Date: Sat, 12 Jun 2021 12:07:38 +0300
-Subject: [PATCH] selinux.8: document how mount flag nosuid affects SELinux
-
-Using mount flag `nosuid` also affects SELinux domain transitions but
-this has not been documented well.
-
-Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
----
- libselinux/man/man8/selinux.8 | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
-index 0ef014609a36..5842150bfc72 100644
---- a/libselinux/man/man8/selinux.8
-+++ b/libselinux/man/man8/selinux.8
-@@ -94,6 +94,13 @@ and reboot.
- also has this capability. The
- .BR restorecon / fixfiles
- commands are also available for relabeling files.
-+
-+Please note that using mount flag
-+.I nosuid
-+also disables SELinux domain transitions, unless permission
-+.I nosuid_transition
-+is used in the policy to allow this, which in turn needs also policy capability
-+.IR nnp_nosuid_transition .
- .
- .SH AUTHOR
- This manual page was written by Dan Walsh <dwalsh@redhat.com>.
---
-2.32.0
-
diff --git a/SOURCES/0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch b/SOURCES/0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch
deleted file mode 100644
index 2953a46..0000000
--- a/SOURCES/0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 4859b738136ef8889fbb71a166cfec8d313ba4e0 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Thu, 1 Jul 2021 19:06:19 +0200
-Subject: [PATCH] libselinux/utils/getseuser.c: fix build with gcc 4.8
-
-Fix the following build failure with gcc 4.8 which is raised since
-version 3.2 and
-https://github.com/SELinuxProject/selinux/commit/156dd0de5cad31e7d437c64e11a8aef027f0a691
-
-getseuser.c:53:2: error: 'for' loop initial declarations are only allowed in C99 mode
- for (int i = 0; i < n; i++)
- ^
-
-Fixes:
- - http://autobuild.buildroot.org/results/37eb0952a763256fbf6ef3c668f6c95fbdf2dd35
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- libselinux/utils/getseuser.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libselinux/utils/getseuser.c b/libselinux/utils/getseuser.c
-index ce1b7b27dbd9..34f2e887ffa0 100644
---- a/libselinux/utils/getseuser.c
-+++ b/libselinux/utils/getseuser.c
-@@ -9,7 +9,7 @@ int main(int argc, char **argv)
- {
- char *seuser = NULL, *level = NULL;
- char **contextlist;
-- int rc, n;
-+ int rc, n, i;
-
- if (argc != 3) {
- fprintf(stderr, "usage: %s linuxuser fromcon\n", argv[0]);
-@@ -50,7 +50,7 @@ int main(int argc, char **argv)
- if (n == 0)
- printf("no valid context found\n");
-
-- for (int i = 0; i < n; i++)
-+ for (i = 0; i < n; i++)
- printf("Context %d\t%s\n", i, contextlist[i]);
-
- freeconary(contextlist);
---
-2.32.0
-
diff --git a/SOURCES/0037-libselinux-silence-Wextra-semi-stmt-warning.patch b/SOURCES/0037-libselinux-silence-Wextra-semi-stmt-warning.patch
deleted file mode 100644
index bf958ac..0000000
--- a/SOURCES/0037-libselinux-silence-Wextra-semi-stmt-warning.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From 40543dceedc1510d0d27177f564db0f232689803 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Sat, 3 Jul 2021 16:31:18 +0200
-Subject: [PATCH] libselinux: silence -Wextra-semi-stmt warning
-
-On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt
-(which is not the default build configuration), the compiler reports:
-
- sha1.c:90:21: error: empty expression statement has no effect;
- remove unnecessary ';' to silence this warning
- [-Werror,-Wextra-semi-stmt]
- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
- ^
- In file included from selinux_restorecon.c:39:
- ./label_file.h:458:15: error: empty expression statement has no
- effect; remove unnecessary ';' to silence this warning
- [-Werror,-Wextra-semi-stmt]
- lineno);
- ^
-
-Introduce "do { } while (0)" blocks to silence such warnings.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- libselinux/src/avc_internal.h | 22 +++++++++++++-------
- libselinux/src/label_internal.h | 10 +++++----
- libselinux/src/load_policy.c | 2 +-
- libselinux/src/procattr.c | 4 ++--
- libselinux/src/sha1.c | 11 +++++-----
- libselinux/utils/matchpathcon.c | 2 +-
- libselinux/utils/selabel_lookup_best_match.c | 2 +-
- 7 files changed, 31 insertions(+), 22 deletions(-)
-
-diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
-index da67affc9307..a9a4aa0b3c42 100644
---- a/libselinux/src/avc_internal.h
-+++ b/libselinux/src/avc_internal.h
-@@ -85,10 +85,12 @@ static inline void avc_free(void *ptr)
-
- /* this is a macro in order to use the variadic capability. */
- #define avc_log(type, format...) \
-- if (avc_func_log) \
-- avc_func_log(format); \
-- else \
-- selinux_log(type, format);
-+ do { \
-+ if (avc_func_log) \
-+ avc_func_log(format); \
-+ else \
-+ selinux_log(type, format); \
-+ } while (0)
-
- static inline void avc_suppl_audit(void *ptr, security_class_t class,
- char *buf, size_t len)
-@@ -137,14 +139,18 @@ static inline void avc_free_lock(void *lock)
- #ifdef AVC_CACHE_STATS
-
- #define avc_cache_stats_incr(field) \
-- cache_stats.field ++;
-+ do { \
-+ cache_stats.field ++; \
-+ } while (0)
- #define avc_cache_stats_add(field, num) \
-- cache_stats.field += num;
-+ do { \
-+ cache_stats.field += num; \
-+ } while (0)
-
- #else
-
--#define avc_cache_stats_incr(field)
--#define avc_cache_stats_add(field, num)
-+#define avc_cache_stats_incr(field) do {} while (0)
-+#define avc_cache_stats_add(field, num) do {} while (0)
-
- #endif
-
-diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
-index 361b443cb9c4..782c6aa8cc0c 100644
---- a/libselinux/src/label_internal.h
-+++ b/libselinux/src/label_internal.h
-@@ -128,10 +128,12 @@ extern int myprintf_compat;
- extern void __attribute__ ((format(printf, 1, 2)))
- (*myprintf) (const char *fmt, ...) ;
-
--#define COMPAT_LOG(type, fmt...) if (myprintf_compat) \
-- myprintf(fmt); \
-- else \
-- selinux_log(type, fmt);
-+#define COMPAT_LOG(type, fmt...) do { \
-+ if (myprintf_compat) \
-+ myprintf(fmt); \
-+ else \
-+ selinux_log(type, fmt); \
-+ } while (0)
-
- extern int
- compat_validate(struct selabel_handle *rec,
-diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
-index 0034fa53d6e6..5857b821e80e 100644
---- a/libselinux/src/load_policy.c
-+++ b/libselinux/src/load_policy.c
-@@ -80,7 +80,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
- if (libsepolh) {
- usesepol = 1;
- dlerror();
--#define DLERR() if ((errormsg = dlerror())) goto dlclose;
-+#define DLERR() do { if ((errormsg = dlerror())) goto dlclose; } while (0)
- vers_max = dlsym(libsepolh, "sepol_policy_kern_vers_max");
- DLERR();
- vers_min = dlsym(libsepolh, "sepol_policy_kern_vers_min");
-diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
-index 840570525f5f..6552ee01bca8 100644
---- a/libselinux/src/procattr.c
-+++ b/libselinux/src/procattr.c
-@@ -146,7 +146,7 @@ static int getprocattrcon_raw(char ** context,
- default:
- errno = ENOENT;
- return -1;
-- };
-+ }
-
- if (prev_context && prev_context != UNSET) {
- *context = strdup(prev_context);
-@@ -240,7 +240,7 @@ static int setprocattrcon_raw(const char * context,
- default:
- errno = ENOENT;
- return -1;
-- };
-+ }
-
- if (!context && !*prev_context)
- return 0;
-diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
-index 664bbcf26eef..a848467785f3 100644
---- a/libselinux/src/sha1.c
-+++ b/libselinux/src/sha1.c
-@@ -16,6 +16,7 @@
- // sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
- // CHAR64LONG16* block = (CHAR64LONG16*) workspace;
- // William Roberts <william.c.roberts@intel.com>
-+// - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>
- ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
- ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-@@ -49,11 +50,11 @@ typedef union
- ^block->l[(i+2)&15]^block->l[i&15],1))
-
- // (R0+R1), R2, R3, R4 are the different operations used in SHA1
--#define R0(v,w,x,y,z,i) z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30);
--#define R1(v,w,x,y,z,i) z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30);
--#define R2(v,w,x,y,z,i) z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30);
--#define R3(v,w,x,y,z,i) z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30);
--#define R4(v,w,x,y,z,i) z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30);
-+#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
-+#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
-+#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
-+#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
-+#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
-
-
- ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
-index a07e160dee71..1d713c01f81c 100644
---- a/libselinux/utils/matchpathcon.c
-+++ b/libselinux/utils/matchpathcon.c
-@@ -65,7 +65,7 @@ static mode_t string_to_mode(char *s)
- return S_IFREG;
- default:
- return -1;
-- };
-+ }
- return -1;
- }
-
-diff --git a/libselinux/utils/selabel_lookup_best_match.c b/libselinux/utils/selabel_lookup_best_match.c
-index 6a7174233667..2cddc6cde051 100644
---- a/libselinux/utils/selabel_lookup_best_match.c
-+++ b/libselinux/utils/selabel_lookup_best_match.c
-@@ -47,7 +47,7 @@ static mode_t string_to_mode(char *s)
- return S_IFSOCK;
- case 'f':
- return S_IFREG;
-- };
-+ }
- return 0;
- }
-
---
-2.32.0
-
diff --git a/SOURCES/0038-sha1-sha256.patch b/SOURCES/0038-sha1-sha256.patch
deleted file mode 100644
index b49047f..0000000
--- a/SOURCES/0038-sha1-sha256.patch
+++ /dev/null
@@ -1,1333 +0,0 @@
-From 697f19f787686e423f7e92ccbbdf29fb486791f0 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Fri, 30 Jul 2021 11:58:33 +0200
-Subject: [PATCH] Use SHA-2 instead of SHA-1
-
-The use of SHA-1 in RHEL9 is deprecated
----
- libselinux/include/selinux/label.h | 6 +-
- libselinux/include/selinux/restorecon.h | 4 +-
- libselinux/man/man3/selabel_digest.3 | 4 +-
- libselinux/man/man3/selabel_open.3 | 2 +-
- libselinux/man/man3/selinux_restorecon.3 | 16 +-
- .../man/man3/selinux_restorecon_xattr.3 | 2 +-
- libselinux/src/Makefile | 2 +-
- libselinux/src/label_file.c | 40 +--
- libselinux/src/label_internal.h | 10 +-
- libselinux/src/label_support.c | 8 +-
- libselinux/src/selinux_restorecon.c | 24 +-
- libselinux/src/sha1.c | 220 -------------
- libselinux/src/sha1.h | 85 -----
- libselinux/src/sha256.c | 294 ++++++++++++++++++
- libselinux/src/sha256.h | 89 ++++++
- libselinux/utils/selabel_digest.c | 26 +-
- .../selabel_get_digests_all_partial_matches.c | 28 +-
- 17 files changed, 469 insertions(+), 391 deletions(-)
- delete mode 100644 libselinux/src/sha1.c
- delete mode 100644 libselinux/src/sha1.h
- create mode 100644 libselinux/src/sha256.c
- create mode 100644 libselinux/src/sha256.h
-
-diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
-index e8983606d93b..a35d84d63b0a 100644
---- a/libselinux/include/selinux/label.h
-+++ b/libselinux/include/selinux/label.h
-@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
- const char *key, const char **aliases, int type);
-
- /**
-- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
-+ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to
- * generate the digest. The SELABEL_OPT_DIGEST option must
- * be set in selabel_open() to initiate the digest generation.
- * @handle: specifies backend instance to query
-- * @digest: returns a pointer to the SHA1 digest.
-+ * @digest: returns a pointer to the SHA256 digest.
- * @digest_len: returns length of digest in bytes.
-- * @specfiles: a list of specfiles used in the SHA1 digest generation.
-+ * @specfiles: a list of specfiles used in the SHA256 digest generation.
- * The list is NULL terminated and will hold @num_specfiles entries.
- * @num_specfiles: number of specfiles in the list.
- *
-diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
-index 466de39aac72..ca8ce768587a 100644
---- a/libselinux/include/selinux/restorecon.h
-+++ b/libselinux/include/selinux/restorecon.h
-@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname,
- * restorecon_flags options
- */
- /*
-- * Force the checking of labels even if the stored SHA1 digest
-- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
-+ * Force the checking of labels even if the stored SHA256 digest
-+ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN).
- */
- #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001
- /*
-diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
-index 56a008f00df0..5f7c42533d0e 100644
---- a/libselinux/man/man3/selabel_digest.3
-+++ b/libselinux/man/man3/selabel_digest.3
-@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used
- .BR selabel_digest ()
- performs an operation on the handle
- .IR hnd ,
--returning the results of the SHA1 digest pointed to by
-+returning the results of the SHA256 digest pointed to by
- .IR digest ,
- whose length will be
- .IR digest_len .
--The list of specfiles used in the SHA1 digest calculation is returned in
-+The list of specfiles used in the SHA256 digest calculation is returned in
- .I specfiles
- with the number of entries in
- .IR num_specfiles .
-diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
-index 971ebc1acd41..2cf2eb8a1410 100644
---- a/libselinux/man/man3/selabel_open.3
-+++ b/libselinux/man/man3/selabel_open.3
-@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via
- Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
- .TP
- .B SELABEL_OPT_DIGEST
--A non-null value for this option enables the generation of an SHA1 digest of
-+A non-null value for this option enables the generation of an SHA256 digest of
- the spec files loaded as described in
- .BR selabel_digest (3)
- .
-diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
-index ad637406a30d..c4576fe79ff6 100644
---- a/libselinux/man/man3/selinux_restorecon.3
-+++ b/libselinux/man/man3/selinux_restorecon.3
-@@ -28,7 +28,7 @@ If this is a directory and the
- .B SELINUX_RESTORECON_RECURSE
- has been set (for descending through directories), then
- .BR selinux_restorecon ()
--will write an SHA1 digest of specfile entries calculated by
-+will write an SHA256 digest of specfile entries calculated by
- .BR selabel_get_digests_all_partial_matches (3)
- to an extended attribute of
- .IR security.sehash
-@@ -47,7 +47,7 @@ will take place.
- .br
- The
- .IR restorecon_flags
--that can be used to manage the usage of the SHA1 digest are:
-+that can be used to manage the usage of the SHA256 digest are:
- .RS
- .B SELINUX_RESTORECON_SKIP_DIGEST
- .br
-@@ -65,8 +65,8 @@ Do not check or update any extended attribute
- entries.
- .sp
- .B SELINUX_RESTORECON_IGNORE_DIGEST
--force the checking of labels even if the stored SHA1 digest matches the
--specfile entries SHA1 digest. The specfile entries digest will be written to the
-+force the checking of labels even if the stored SHA256 digest matches the
-+specfile entries SHA256 digest. The specfile entries digest will be written to the
- .IR security.sehash
- extended attribute once relabeling has been completed successfully provided the
- .B SELINUX_RESTORECON_NOCHANGE
-@@ -84,7 +84,7 @@ default specfile context.
- .sp
- .B SELINUX_RESTORECON_RECURSE
- change file and directory labels recursively (descend directories)
--and if successful write an SHA1 digest of the specfile entries to an
-+and if successful write an SHA256 digest of the specfile entries to an
- extended attribute as described in the
- .B NOTES
- section.
-@@ -158,7 +158,7 @@ to treat conflicting specifications, such as where two hardlinks for the
- same inode have different contexts, as errors.
- .RE
- .sp
--The behavior regarding the checking and updating of the SHA1 digest described
-+The behavior regarding the checking and updating of the SHA256 digest described
- above is the default behavior. It is possible to change this by first calling
- .BR selabel_open (3)
- and not enabling the
-@@ -200,7 +200,7 @@ To improve performance when relabeling file systems recursively (e.g. the
- .B SELINUX_RESTORECON_RECURSE
- flag is set)
- .BR selinux_restorecon ()
--will write a calculated SHA1 digest of the specfile entries returned by
-+will write a calculated SHA256 digest of the specfile entries returned by
- .BR selabel_get_digests_all_partial_matches (3)
- to an extended attribute named
- .IR security.sehash
-@@ -222,7 +222,7 @@ Should any of the specfile entries have changed, then when
- .BR selinux_restorecon ()
- is run again with the
- .B SELINUX_RESTORECON_RECURSE
--flag set, new SHA1 digests will be calculated and all files automatically
-+flag set, new SHA256 digests will be calculated and all files automatically
- relabeled depending on the settings of the
- .B SELINUX_RESTORECON_SET_SPECFILE_CTX
- flag (provided
-diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3
-index c56326814b94..098c840fc59b 100644
---- a/libselinux/man/man3/selinux_restorecon_xattr.3
-+++ b/libselinux/man/man3/selinux_restorecon_xattr.3
-@@ -119,7 +119,7 @@ By default
- .BR selinux_restorecon_xattr (3)
- will use the default set of specfiles described in
- .BR files_contexts (5)
--to calculate the SHA1 digests to be used for comparison.
-+to calculate the SHA256 digests to be used for comparison.
- To change this default behavior
- .BR selabel_open (3)
- must be called specifying the required
-diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
-index 52c40f018f51..674a5ed3a6f8 100644
---- a/libselinux/src/Makefile
-+++ b/libselinux/src/Makefile
-@@ -120,7 +120,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
- -DBUILD_HOST
- SRCS= callbacks.c freecon.c label.c label_file.c \
- label_backends_android.c regex.c label_support.c \
-- matchpathcon.c setrans_client.c sha1.c booleans.c
-+ matchpathcon.c setrans_client.c sha256.c booleans.c
- else
- LABEL_BACKEND_ANDROID=y
- endif
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 56f499faef97..db5d7553aab2 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -1002,7 +1002,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
-
- /*
- * Returns true if the digest of all partial matched contexts is the same as
-- * the one saved by setxattr, otherwise returns false. The length of the SHA1
-+ * the one saved by setxattr, otherwise returns false. The length of the SHA256
- * digest will always be returned. The caller must free any returned digests.
- */
- static bool get_digests_all_partial_matches(struct selabel_handle *rec,
-@@ -1011,39 +1011,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
- uint8_t **xattr_digest,
- size_t *digest_len)
- {
-- uint8_t read_digest[SHA1_HASH_SIZE];
-+ uint8_t read_digest[SHA256_HASH_SIZE];
- ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,
-- read_digest, SHA1_HASH_SIZE
-+ read_digest, SHA256_HASH_SIZE
- #ifdef __APPLE__
- , 0, 0
- #endif /* __APPLE __ */
- );
-- uint8_t hash_digest[SHA1_HASH_SIZE];
-+ uint8_t hash_digest[SHA256_HASH_SIZE];
- bool status = selabel_hash_all_partial_matches(rec, pathname,
- hash_digest);
-
- *xattr_digest = NULL;
- *calculated_digest = NULL;
-- *digest_len = SHA1_HASH_SIZE;
-+ *digest_len = SHA256_HASH_SIZE;
-
-- if (read_size == SHA1_HASH_SIZE) {
-- *xattr_digest = calloc(1, SHA1_HASH_SIZE + 1);
-+ if (read_size == SHA256_HASH_SIZE) {
-+ *xattr_digest = calloc(1, SHA256_HASH_SIZE + 1);
- if (!*xattr_digest)
- goto oom;
-
-- memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE);
-+ memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE);
- }
-
- if (status) {
-- *calculated_digest = calloc(1, SHA1_HASH_SIZE + 1);
-+ *calculated_digest = calloc(1, SHA256_HASH_SIZE + 1);
- if (!*calculated_digest)
- goto oom;
-
-- memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE);
-+ memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE);
- }
-
-- if (status && read_size == SHA1_HASH_SIZE &&
-- memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
-+ if (status && read_size == SHA256_HASH_SIZE &&
-+ memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0)
- return true;
-
- return false;
-@@ -1063,22 +1063,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
- return false;
- }
-
-- Sha1Context context;
-- Sha1Initialise(&context);
-+ Sha256Context context;
-+ Sha256Initialise(&context);
- size_t i;
- for (i = 0; i < total_matches; i++) {
- char* regex_str = matches[i]->regex_str;
- mode_t mode = matches[i]->mode;
- char* ctx_raw = matches[i]->lr.ctx_raw;
-
-- Sha1Update(&context, regex_str, strlen(regex_str) + 1);
-- Sha1Update(&context, &mode, sizeof(mode_t));
-- Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1);
-+ Sha256Update(&context, regex_str, strlen(regex_str) + 1);
-+ Sha256Update(&context, &mode, sizeof(mode_t));
-+ Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1);
- }
-
-- SHA1_HASH sha1_hash;
-- Sha1Finalise(&context, &sha1_hash);
-- memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE);
-+ SHA256_HASH sha256_hash;
-+ Sha256Finalise(&context, &sha256_hash);
-+ memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE);
-
- free(matches);
- return true;
-diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
-index 782c6aa8cc0c..304e8d96490a 100644
---- a/libselinux/src/label_internal.h
-+++ b/libselinux/src/label_internal.h
-@@ -13,7 +13,7 @@
- #include <stdio.h>
- #include <selinux/selinux.h>
- #include <selinux/label.h>
--#include "sha1.h"
-+#include "sha256.h"
-
- #if defined(ANDROID) || defined(__APPLE__)
- // Android and Mac do not have fgets_unlocked()
-@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec,
- */
-
- /*
-- * Calculate an SHA1 hash of all the files used to build the specs.
-+ * Calculate an SHA256 hash of all the files used to build the specs.
- * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To
- * calculate the hash the hashbuf will hold a concatenation of all the files
- * used. This is released once the value has been calculated.
- */
--#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE
-+#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE
- #define DIGEST_FILES_MAX 8
- struct selabel_digest {
-- unsigned char *digest; /* SHA1 digest of specfiles */
-+ unsigned char *digest; /* SHA256 digest of specfiles */
- unsigned char *hashbuf; /* buffer to hold specfiles */
- size_t hashbuf_size; /* buffer size */
- size_t specfile_cnt; /* how many specfiles processed */
-@@ -110,7 +110,7 @@ struct selabel_handle {
- */
- char *spec_file;
-
-- /* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */
-+ /* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */
- struct selabel_digest *digest;
- };
-
-diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
-index 94ed6e4273cb..f53d73b609ab 100644
---- a/libselinux/src/label_support.c
-+++ b/libselinux/src/label_support.c
-@@ -115,15 +115,15 @@ int read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
- /* Once all the specfiles are in the hash_buf, generate the hash. */
- void digest_gen_hash(struct selabel_digest *digest)
- {
-- Sha1Context context;
-+ Sha256Context context;
-
- /* If SELABEL_OPT_DIGEST not set then just return */
- if (!digest)
- return;
-
-- Sha1Initialise(&context);
-- Sha1Update(&context, digest->hashbuf, digest->hashbuf_size);
-- Sha1Finalise(&context, (SHA1_HASH *)digest->digest);
-+ Sha256Initialise(&context);
-+ Sha256Update(&context, digest->hashbuf, digest->hashbuf_size);
-+ Sha256Finalise(&context, (SHA256_HASH *)digest->digest);
- free(digest->hashbuf);
- digest->hashbuf = NULL;
- return;
-diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 999aa924ba32..10211a888cf6 100644
---- a/libselinux/src/selinux_restorecon.c
-+++ b/libselinux/src/selinux_restorecon.c
-@@ -37,7 +37,7 @@
- #include "callbacks.h"
- #include "selinux_internal.h"
- #include "label_file.h"
--#include "sha1.h"
-+#include "sha256.h"
-
- #define STAR_COUNT 1024
-
-@@ -293,7 +293,7 @@ static int exclude_non_seclabel_mounts(void)
- static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- bool delete_all)
- {
-- char *sha1_buf = NULL;
-+ char *sha256_buf = NULL;
- size_t i, digest_len = 0;
- int rc, digest_result;
- bool match;
-@@ -316,15 +316,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- }
-
- /* Convert entry to a hex encoded string. */
-- sha1_buf = malloc(digest_len * 2 + 1);
-- if (!sha1_buf) {
-+ sha256_buf = malloc(digest_len * 2 + 1);
-+ if (!sha256_buf) {
- free(xattr_digest);
- free(calculated_digest);
- goto oom;
- }
-
- for (i = 0; i < digest_len; i++)
-- sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
-+ sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]);
-
- digest_result = match ? MATCH : NOMATCH;
-
-@@ -345,7 +345,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- /* Now add entries to link list. */
- new_entry = malloc(sizeof(struct dir_xattr));
- if (!new_entry) {
-- free(sha1_buf);
-+ free(sha256_buf);
- goto oom;
- }
- new_entry->next = NULL;
-@@ -353,15 +353,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- new_entry->directory = strdup(directory);
- if (!new_entry->directory) {
- free(new_entry);
-- free(sha1_buf);
-+ free(sha256_buf);
- goto oom;
- }
-
-- new_entry->digest = strdup(sha1_buf);
-+ new_entry->digest = strdup(sha256_buf);
- if (!new_entry->digest) {
- free(new_entry->directory);
- free(new_entry);
-- free(sha1_buf);
-+ free(sha256_buf);
- goto oom;
- }
-
-@@ -375,7 +375,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- dir_xattr_last = new_entry;
- }
-
-- free(sha1_buf);
-+ free(sha256_buf);
- return 0;
-
- oom:
-@@ -742,7 +742,7 @@ err:
-
- struct dir_hash_node {
- char *path;
-- uint8_t digest[SHA1_HASH_SIZE];
-+ uint8_t digest[SHA256_HASH_SIZE];
- struct dir_hash_node *next;
- };
- /*
-@@ -1085,7 +1085,7 @@ int selinux_restorecon(const char *pathname_orig,
- if (setxattr(current->path,
- RESTORECON_PARTIAL_MATCH_DIGEST,
- current->digest,
-- SHA1_HASH_SIZE, 0) < 0) {
-+ SHA256_HASH_SIZE, 0) < 0) {
- selinux_log(SELINUX_ERROR,
- "setxattr failed: %s: %s\n",
- current->path,
-diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
-deleted file mode 100644
-index a848467785f3..000000000000
---- a/libselinux/src/sha1.c
-+++ /dev/null
-@@ -1,220 +0,0 @@
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// LibSha1
--//
--// Implementation of SHA1 hash function.
--// Original author: Steve Reid <sreid@sea-to-sky.net>
--// Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
--// and Ralph Giles <giles@ghostscript.com>
--// Modified by WaterJuice retaining Public Domain license.
--//
--// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
--// Modified to:
--// - stop symbols being exported for libselinux shared library - October 2015
--// Richard Haines <richard_c_haines@btinternet.com>
--// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
--// Fixes:
--// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
--// CHAR64LONG16* block = (CHAR64LONG16*) workspace;
--// William Roberts <william.c.roberts@intel.com>
--// - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// IMPORTS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#include "sha1.h"
--#include <memory.h>
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// TYPES
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--typedef union
--{
-- uint8_t c [64];
-- uint32_t l [16];
--} CHAR64LONG16;
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// INTERNAL FUNCTIONS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
--
--// blk0() and blk() perform the initial expand.
--#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
-- |(rol(block->l[i],8)&0x00FF00FF))
--
--#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
-- ^block->l[(i+2)&15]^block->l[i&15],1))
--
--// (R0+R1), R2, R3, R4 are the different operations used in SHA1
--#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
--#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
--#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
--#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
--#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
--
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// TransformFunction
--//
--// Hash a single 512-bit block. This is the core of the algorithm
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--static
--void
-- TransformFunction
-- (
-- uint32_t state[5],
-- const uint8_t buffer[64]
-- )
--{
-- uint32_t a;
-- uint32_t b;
-- uint32_t c;
-- uint32_t d;
-- uint32_t e;
-- CHAR64LONG16 workspace;
-- CHAR64LONG16* block = &workspace;
--
-- memcpy(block, buffer, 64);
--
-- // Copy context->state[] to working vars
-- a = state[0];
-- b = state[1];
-- c = state[2];
-- d = state[3];
-- e = state[4];
--
-- // 4 rounds of 20 operations each. Loop unrolled.
-- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
-- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
-- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
-- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
-- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
-- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
-- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
-- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
-- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
-- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
-- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
-- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
-- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
-- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
-- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
-- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
-- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
-- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
-- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
-- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
--
-- // Add the working vars back into context.state[]
-- state[0] += a;
-- state[1] += b;
-- state[2] += c;
-- state[3] += d;
-- state[4] += e;
--}
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// PUBLIC FUNCTIONS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// Sha1Initialise
--//
--// Initialises an SHA1 Context. Use this to initialise/reset a context.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Initialise
-- (
-- Sha1Context* Context
-- )
--{
-- // SHA1 initialization constants
-- Context->State[0] = 0x67452301;
-- Context->State[1] = 0xEFCDAB89;
-- Context->State[2] = 0x98BADCFE;
-- Context->State[3] = 0x10325476;
-- Context->State[4] = 0xC3D2E1F0;
-- Context->Count[0] = 0;
-- Context->Count[1] = 0;
--}
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// Sha1Update
--//
--// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
--// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Update
-- (
-- Sha1Context* Context,
-- const void* Buffer,
-- uint32_t BufferSize
-- )
--{
-- uint32_t i;
-- uint32_t j;
--
-- j = (Context->Count[0] >> 3) & 63;
-- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))
-- {
-- Context->Count[1]++;
-- }
--
-- Context->Count[1] += (BufferSize >> 29);
-- if ((j + BufferSize) > 63)
-- {
-- i = 64 - j;
-- memcpy(&Context->Buffer[j], Buffer, i);
-- TransformFunction(Context->State, Context->Buffer);
-- for (; i + 63 < BufferSize; i += 64)
-- {
-- TransformFunction(Context->State, (const uint8_t*)Buffer + i);
-- }
-- j = 0;
-- }
-- else
-- {
-- i = 0;
-- }
--
-- memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
--}
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// Sha1Finalise
--//
--// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
--// calling this, Sha1Initialised must be used to reuse the context.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Finalise
-- (
-- Sha1Context* Context,
-- SHA1_HASH* Digest
-- )
--{
-- uint32_t i;
-- uint8_t finalcount[8];
--
-- for (i = 0; i < 8; i++)
-- {
-- finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
-- >> ((3-(i & 3)) * 8) ) & 255); // Endian independent
-- }
-- Sha1Update(Context, (const uint8_t*)"\x80", 1);
-- while ((Context->Count[0] & 504) != 448)
-- {
-- Sha1Update(Context, (const uint8_t*)"\0", 1);
-- }
--
-- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction()
-- for (i = 0; i < SHA1_HASH_SIZE; i++)
-- {
-- Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
-- }
--}
-diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
-deleted file mode 100644
-index f83a6e7ed7ba..000000000000
---- a/libselinux/src/sha1.h
-+++ /dev/null
-@@ -1,85 +0,0 @@
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// LibSha1
--//
--// Implementation of SHA1 hash function.
--// Original author: Steve Reid <sreid@sea-to-sky.net>
--// Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
--// and Ralph Giles <giles@ghostscript.com>
--// Modified by WaterJuice retaining Public Domain license.
--//
--// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#ifndef _sha1_h_
--#define _sha1_h_
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// IMPORTS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#include <stdint.h>
--#include <stdio.h>
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// TYPES
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly.
--typedef struct
--{
-- uint32_t State[5];
-- uint32_t Count[2];
-- uint8_t Buffer[64];
--} Sha1Context;
--
--#define SHA1_HASH_SIZE ( 160 / 8 )
--
--typedef struct
--{
-- uint8_t bytes [SHA1_HASH_SIZE];
--} SHA1_HASH;
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// PUBLIC FUNCTIONS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// Sha1Initialise
--//
--// Initialises an SHA1 Context. Use this to initialise/reset a context.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Initialise
-- (
-- Sha1Context* Context
-- );
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// Sha1Update
--//
--// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
--// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Update
-- (
-- Sha1Context* Context,
-- const void* Buffer,
-- uint32_t BufferSize
-- );
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--// Sha1Finalise
--//
--// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
--// calling this, Sha1Initialised must be used to reuse the context.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Finalise
-- (
-- Sha1Context* Context,
-- SHA1_HASH* Digest
-- );
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--#endif //_sha1_h_
-diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c
-new file mode 100644
-index 000000000000..fe2aeef07f53
---- /dev/null
-+++ b/libselinux/src/sha256.c
-@@ -0,0 +1,294 @@
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// WjCryptLib_Sha256
-+//
-+// Implementation of SHA256 hash function.
-+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-+// Modified by WaterJuice retaining Public Domain license.
-+//
-+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// IMPORTS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#include "sha256.h"
-+#include <memory.h>
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// MACROS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
-+
-+#define MIN(x, y) ( ((x)<(y))?(x):(y) )
-+
-+#define STORE32H(x, y) \
-+ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
-+ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
-+
-+#define LOAD32H(x, y) \
-+ { x = ((uint32_t)((y)[0] & 255)<<24) | \
-+ ((uint32_t)((y)[1] & 255)<<16) | \
-+ ((uint32_t)((y)[2] & 255)<<8) | \
-+ ((uint32_t)((y)[3] & 255)); }
-+
-+#define STORE64H(x, y) \
-+ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
-+ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
-+ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
-+ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// CONSTANTS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+// The K array
-+static const uint32_t K[64] = {
-+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
-+ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
-+ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
-+ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
-+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
-+ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
-+ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
-+ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
-+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
-+ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
-+ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
-+ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
-+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-+};
-+
-+#define BLOCK_SIZE 64
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// INTERNAL FUNCTIONS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+// Various logical functions
-+#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
-+#define Maj( x, y, z ) (((x | y) & z) | (x & y))
-+#define S( x, n ) ror((x),(n))
-+#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
-+#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
-+#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
-+#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
-+#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
-+
-+#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
-+ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
-+ t1 = Sigma0(a) + Maj(a, b, c); \
-+ d += t0; \
-+ h = t0 + t1;
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// TransformFunction
-+//
-+// Compress 512-bits
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+static
-+void
-+ TransformFunction
-+ (
-+ Sha256Context* Context,
-+ uint8_t const* Buffer
-+ )
-+{
-+ uint32_t S[8];
-+ uint32_t W[64];
-+ uint32_t t0;
-+ uint32_t t1;
-+ uint32_t t;
-+ int i;
-+
-+ // Copy state into S
-+ for( i=0; i<8; i++ )
-+ {
-+ S[i] = Context->state[i];
-+ }
-+
-+ // Copy the state into 512-bits into W[0..15]
-+ for( i=0; i<16; i++ )
-+ {
-+ LOAD32H( W[i], Buffer + (4*i) );
-+ }
-+
-+ // Fill W[16..63]
-+ for( i=16; i<64; i++ )
-+ {
-+ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
-+ }
-+
-+ // Compress
-+ for( i=0; i<64; i++ )
-+ {
-+ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
-+ t = S[7];
-+ S[7] = S[6];
-+ S[6] = S[5];
-+ S[5] = S[4];
-+ S[4] = S[3];
-+ S[3] = S[2];
-+ S[2] = S[1];
-+ S[1] = S[0];
-+ S[0] = t;
-+ }
-+
-+ // Feedback
-+ for( i=0; i<8; i++ )
-+ {
-+ Context->state[i] = Context->state[i] + S[i];
-+ }
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// PUBLIC FUNCTIONS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// Sha256Initialise
-+//
-+// Initialises a SHA256 Context. Use this to initialise/reset a context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+ Sha256Initialise
-+ (
-+ Sha256Context* Context // [out]
-+ )
-+{
-+ Context->curlen = 0;
-+ Context->length = 0;
-+ Context->state[0] = 0x6A09E667UL;
-+ Context->state[1] = 0xBB67AE85UL;
-+ Context->state[2] = 0x3C6EF372UL;
-+ Context->state[3] = 0xA54FF53AUL;
-+ Context->state[4] = 0x510E527FUL;
-+ Context->state[5] = 0x9B05688CUL;
-+ Context->state[6] = 0x1F83D9ABUL;
-+ Context->state[7] = 0x5BE0CD19UL;
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// Sha256Update
-+//
-+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+ Sha256Update
-+ (
-+ Sha256Context* Context, // [in out]
-+ void const* Buffer, // [in]
-+ uint32_t BufferSize // [in]
-+ )
-+{
-+ uint32_t n;
-+
-+ if( Context->curlen > sizeof(Context->buf) )
-+ {
-+ return;
-+ }
-+
-+ while( BufferSize > 0 )
-+ {
-+ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
-+ {
-+ TransformFunction( Context, (uint8_t*)Buffer );
-+ Context->length += BLOCK_SIZE * 8;
-+ Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
-+ BufferSize -= BLOCK_SIZE;
-+ }
-+ else
-+ {
-+ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
-+ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
-+ Context->curlen += n;
-+ Buffer = (uint8_t*)Buffer + n;
-+ BufferSize -= n;
-+ if( Context->curlen == BLOCK_SIZE )
-+ {
-+ TransformFunction( Context, Context->buf );
-+ Context->length += 8*BLOCK_SIZE;
-+ Context->curlen = 0;
-+ }
-+ }
-+ }
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// Sha256Finalise
-+//
-+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-+// calling this, Sha256Initialised must be used to reuse the context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+ Sha256Finalise
-+ (
-+ Sha256Context* Context, // [in out]
-+ SHA256_HASH* Digest // [out]
-+ )
-+{
-+ int i;
-+
-+ if( Context->curlen >= sizeof(Context->buf) )
-+ {
-+ return;
-+ }
-+
-+ // Increase the length of the message
-+ Context->length += Context->curlen * 8;
-+
-+ // Append the '1' bit
-+ Context->buf[Context->curlen++] = (uint8_t)0x80;
-+
-+ // if the length is currently above 56 bytes we append zeros
-+ // then compress. Then we can fall back to padding zeros and length
-+ // encoding like normal.
-+ if( Context->curlen > 56 )
-+ {
-+ while( Context->curlen < 64 )
-+ {
-+ Context->buf[Context->curlen++] = (uint8_t)0;
-+ }
-+ TransformFunction(Context, Context->buf);
-+ Context->curlen = 0;
-+ }
-+
-+ // Pad up to 56 bytes of zeroes
-+ while( Context->curlen < 56 )
-+ {
-+ Context->buf[Context->curlen++] = (uint8_t)0;
-+ }
-+
-+ // Store length
-+ STORE64H( Context->length, Context->buf+56 );
-+ TransformFunction( Context, Context->buf );
-+
-+ // Copy output
-+ for( i=0; i<8; i++ )
-+ {
-+ STORE32H( Context->state[i], Digest->bytes+(4*i) );
-+ }
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// Sha256Calculate
-+//
-+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-+// buffer.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+ Sha256Calculate
-+ (
-+ void const* Buffer, // [in]
-+ uint32_t BufferSize, // [in]
-+ SHA256_HASH* Digest // [in]
-+ )
-+{
-+ Sha256Context context;
-+
-+ Sha256Initialise( &context );
-+ Sha256Update( &context, Buffer, BufferSize );
-+ Sha256Finalise( &context, Digest );
-+}
-diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h
-new file mode 100644
-index 000000000000..406ed869cd82
---- /dev/null
-+++ b/libselinux/src/sha256.h
-@@ -0,0 +1,89 @@
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// WjCryptLib_Sha256
-+//
-+// Implementation of SHA256 hash function.
-+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-+// Modified by WaterJuice retaining Public Domain license.
-+//
-+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#pragma once
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// IMPORTS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#include <stdint.h>
-+#include <stdio.h>
-+
-+typedef struct
-+{
-+ uint64_t length;
-+ uint32_t state[8];
-+ uint32_t curlen;
-+ uint8_t buf[64];
-+} Sha256Context;
-+
-+#define SHA256_HASH_SIZE ( 256 / 8 )
-+
-+typedef struct
-+{
-+ uint8_t bytes [SHA256_HASH_SIZE];
-+} SHA256_HASH;
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// PUBLIC FUNCTIONS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// Sha256Initialise
-+//
-+// Initialises a SHA256 Context. Use this to initialise/reset a context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+ Sha256Initialise
-+ (
-+ Sha256Context* Context // [out]
-+ );
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// Sha256Update
-+//
-+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+ Sha256Update
-+ (
-+ Sha256Context* Context, // [in out]
-+ void const* Buffer, // [in]
-+ uint32_t BufferSize // [in]
-+ );
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// Sha256Finalise
-+//
-+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-+// calling this, Sha256Initialised must be used to reuse the context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+ Sha256Finalise
-+ (
-+ Sha256Context* Context, // [in out]
-+ SHA256_HASH* Digest // [out]
-+ );
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+// Sha256Calculate
-+//
-+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-+// buffer.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+ Sha256Calculate
-+ (
-+ void const* Buffer, // [in]
-+ uint32_t BufferSize, // [in]
-+ SHA256_HASH* Digest // [in]
-+ );
-diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
-index 49408a0ba8d8..67befadd23c5 100644
---- a/libselinux/utils/selabel_digest.c
-+++ b/libselinux/utils/selabel_digest.c
-@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
- "Where:\n\t"
- "-b The backend - \"file\", \"media\", \"x\", \"db\" or "
- "\"prop\"\n\t"
-- "-v Run \"cat <specfile_list> | openssl dgst -sha1 -hex\"\n\t"
-- " on the list of specfiles to compare the SHA1 digests.\n\t"
-+ "-v Run \"cat <specfile_list> | openssl dgst -sha256 -hex\"\n\t"
-+ " on the list of specfiles to compare the SHA256 digests.\n\t"
- "-B Use base specfiles only (valid for \"-b file\" only).\n\t"
- "-i Do not request a digest.\n\t"
- "-f Optional file containing the specs (defaults to\n\t"
-@@ -62,12 +62,12 @@ int main(int argc, char **argv)
- int backend = 0, rc, opt, validate = 0;
- char *baseonly = NULL, *file = NULL, *digest = (char *)1;
- char **specfiles = NULL;
-- unsigned char *sha1_digest = NULL;
-+ unsigned char *sha256_digest = NULL;
- size_t i, num_specfiles;
-
- char cmd_buf[4096];
- char *cmd_ptr;
-- char *sha1_buf;
-+ char *sha256_buf;
-
- struct selabel_handle *hnd;
- struct selinux_opt selabel_option[] = {
-@@ -137,7 +137,7 @@ int main(int argc, char **argv)
- return -1;
- }
-
-- rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles,
-+ rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles,
- &num_specfiles);
-
- if (rc) {
-@@ -152,19 +152,19 @@ int main(int argc, char **argv)
- goto err;
- }
-
-- sha1_buf = malloc(digest_len * 2 + 1);
-- if (!sha1_buf) {
-+ sha256_buf = malloc(digest_len * 2 + 1);
-+ if (!sha256_buf) {
- fprintf(stderr, "Could not malloc buffer ERROR: %s\n",
- strerror(errno));
- rc = -1;
- goto err;
- }
-
-- printf("SHA1 digest: ");
-+ printf("SHA256 digest: ");
- for (i = 0; i < digest_len; i++)
-- sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]);
-+ sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]);
-
-- printf("%s\n", sha1_buf);
-+ printf("%s\n", sha256_buf);
- printf("calculated using the following specfile(s):\n");
-
- if (specfiles) {
-@@ -177,13 +177,13 @@ int main(int argc, char **argv)
- cmd_ptr += strlen(specfiles[i]) + 1;
- printf("%s\n", specfiles[i]);
- }
-- sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
-+ sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex");
-
- if (validate)
-- rc = run_check_digest(cmd_buf, sha1_buf);
-+ rc = run_check_digest(cmd_buf, sha256_buf);
- }
-
-- free(sha1_buf);
-+ free(sha256_buf);
- err:
- selabel_close(hnd);
- return rc;
-diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-index e28833d2ce97..900f018c0091 100644
---- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
-+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
- "-v Validate file_contxts entries against loaded policy.\n\t"
- "-r Recursively descend directories.\n\t"
- "-f Optional file_contexts file (defaults to current policy).\n\t"
-- "path Path to check current SHA1 digest against file_contexts entries.\n\n"
-- "This will check the directory selinux.sehash SHA1 digest for "
-+ "path Path to check current SHA256 digest against file_contexts entries.\n\n"
-+ "This will check the directory selinux.sehash SHA256 digest for "
- "<path> against\na newly generated digest based on the "
- "file_context entries for that node\n(using the regx, mode "
- "and path entries).\n", progname);
-@@ -37,7 +37,7 @@ int main(int argc, char **argv)
- char *paths[2] = { NULL, NULL };
- uint8_t *xattr_digest = NULL;
- uint8_t *calculated_digest = NULL;
-- char *sha1_buf = NULL;
-+ char *sha256_buf = NULL;
-
- struct selabel_handle *hnd;
- struct selinux_opt selabel_option[] = {
-@@ -105,27 +105,27 @@ int main(int argc, char **argv)
- &xattr_digest,
- &digest_len);
-
-- sha1_buf = calloc(1, digest_len * 2 + 1);
-- if (!sha1_buf) {
-+ sha256_buf = calloc(1, digest_len * 2 + 1);
-+ if (!sha256_buf) {
- fprintf(stderr, "Could not calloc buffer ERROR: %s\n",
- strerror(errno));
- return -1;
- }
-
- if (status) { /* They match */
-- printf("xattr and file_contexts SHA1 digests match for: %s\n",
-+ printf("xattr and file_contexts SHA256 digests match for: %s\n",
- ftsent->fts_path);
-
- if (calculated_digest) {
- for (i = 0; i < digest_len; i++)
-- sprintf((&sha1_buf[i * 2]),
-+ sprintf((&sha256_buf[i * 2]),
- "%02x",
- calculated_digest[i]);
-- printf("SHA1 digest: %s\n", sha1_buf);
-+ printf("SHA256 digest: %s\n", sha256_buf);
- }
- } else {
- if (!calculated_digest) {
-- printf("No SHA1 digest available for: %s\n",
-+ printf("No SHA256 digest available for: %s\n",
- ftsent->fts_path);
- printf("as file_context entry is \"<<none>>\"\n");
- goto cleanup;
-@@ -135,25 +135,25 @@ int main(int argc, char **argv)
- ftsent->fts_path);
-
- for (i = 0; i < digest_len; i++)
-- sprintf((&sha1_buf[i * 2]), "%02x",
-+ sprintf((&sha256_buf[i * 2]), "%02x",
- calculated_digest[i]);
-- printf("generated SHA1 digest: %s\n", sha1_buf);
-+ printf("generated SHA256 digest: %s\n", sha256_buf);
-
- if (!xattr_digest) {
- printf("however there is no selinux.sehash xattr entry.\n");
- } else {
- printf("however it does NOT match the current entry of:\n");
- for (i = 0; i < digest_len; i++)
-- sprintf((&sha1_buf[i * 2]),
-+ sprintf((&sha256_buf[i * 2]),
- "%02x",
- xattr_digest[i]);
-- printf("%s\n", sha1_buf);
-+ printf("%s\n", sha256_buf);
- }
- }
- cleanup:
- free(xattr_digest);
- free(calculated_digest);
-- free(sha1_buf);
-+ free(sha256_buf);
- break;
- }
- default:
---
-2.32.0
-
diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec
index cdb5158..0d93511 100644
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@@ -1,59 +1,22 @@
%define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 3.2-3
+%define libsepolver 3.3-1
Summary: SELinux library and simple utilities
Name: libselinux
-Version: 3.2
-Release: 6%{?dist}
+Version: 3.3
+Release: 1%{?dist}
License: Public Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/libselinux-3.2.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz
Source1: selinuxconlist.8
Source2: selinuxdefcon.8
Url: https://github.com/SELinuxProject/selinux/wiki
# $ git clone https://github.com/fedora-selinux/selinux.git
# $ cd selinux
-# $ git format-patch -N 3.2 -- libselinux
+# $ git format-patch -N 3.3 -- libselinux
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start
-Patch0001: 0001-libselinux-do-not-duplicate-make-target-when-going-i.patch
-Patch0002: 0002-libselinux-selinux_check_passwd_access_internal-resp.patch
-Patch0003: 0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch
-Patch0004: 0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch
-Patch0005: 0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch
-Patch0006: 0006-libselinux-label_common-do-not-discard-const-qualifi.patch
-Patch0007: 0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch
-Patch0008: 0008-libselinux-sefcontext_compile-mark-local-variable-st.patch
-Patch0009: 0009-libselinux-avcstat-use-standard-length-modifier-for-.patch
-Patch0010: 0010-libselinux-selinux_restorecon-mark-local-variable-st.patch
-Patch0011: 0011-libselinux-selabel_get_digests_all_partial_matches-f.patch
-Patch0012: 0012-libselinux-getconlist-free-memory-on-multiple-level-.patch
-Patch0013: 0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch
-Patch0014: 0014-libselinux-context_new-drop-dead-assignment.patch
-Patch0015: 0015-libselinux-label_x-init-drop-dead-assignment.patch
-Patch0016: 0016-libselinux-label_media-init-drop-dead-assignment.patch
-Patch0017: 0017-libselinux-setexecfilecon-drop-dead-assignment.patch
-Patch0018: 0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch
-Patch0019: 0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch
-Patch0020: 0020-libselinux-matchmediacon-close-file-on-error.patch
-Patch0021: 0021-libselinux-init_selinux_config-free-resources-on-err.patch
-Patch0022: 0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch
-Patch0023: 0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch
-Patch0024: 0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch
-Patch0025: 0025-libselinux-drop-redundant-casts-to-the-same-type.patch
-Patch0026: 0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch
-Patch0027: 0027-libselinux-regex-unify-parameter-names.patch
-Patch0028: 0028-libselinux-label_file.c-fix-indent.patch
-Patch0029: 0029-libselinux-avc_destroy-3-closes-status-page.patch
-Patch0030: 0030-libselinux-make-selinux_status_open-3-reentrant.patch
-Patch0031: 0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch
-Patch0032: 0032-libselinux-selinux_status_open-return-1-in-fallback-.patch
-Patch0033: 0033-libselinux-improve-getcon-3-man-page.patch
-Patch0034: 0034-libselinux-fix-typo.patch
-Patch0035: 0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch
-Patch0036: 0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch
-Patch0037: 0037-libselinux-silence-Wextra-semi-stmt-warning.patch
-Patch0038: 0038-sha1-sha256.patch
+Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
# Patch list end
BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
@@ -250,6 +213,15 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{ruby_vendorarchdir}/selinux.so
%changelog
+* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
+- SELinux userspace 3.3 release
+
+* Fri Oct 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
+- SELinux userspace 3.3-rc3 release
+
+* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
+- SELinux userspace 3.3-rc2 release
+
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688