diff --git a/.gitignore b/.gitignore index e766aa5..f8649bc 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libselinux-3.2.tar.gz +SOURCES/libselinux-3.3.tar.gz diff --git a/.libselinux.metadata b/.libselinux.metadata index c81fb15..db6fb6a 100644 --- a/.libselinux.metadata +++ b/.libselinux.metadata @@ -1 +1 @@ -59d7e9a2db64ba994e2da976b4374871535cd196 SOURCES/libselinux-3.2.tar.gz +70128f2395fc86b09c57db979972b4823b35e614 SOURCES/libselinux-3.3.tar.gz diff --git a/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch new file mode 100644 index 0000000..ed63a8c --- /dev/null +++ b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch @@ -0,0 +1,1333 @@ +From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 30 Jul 2021 14:14:37 +0200 +Subject: [PATCH] Use SHA-2 instead of SHA-1 + +The use of SHA-1 in RHEL9 is deprecated +--- + libselinux/include/selinux/label.h | 6 +- + libselinux/include/selinux/restorecon.h | 4 +- + libselinux/man/man3/selabel_digest.3 | 4 +- + libselinux/man/man3/selabel_open.3 | 2 +- + libselinux/man/man3/selinux_restorecon.3 | 16 +- + .../man/man3/selinux_restorecon_xattr.3 | 2 +- + libselinux/src/Makefile | 2 +- + libselinux/src/label_file.c | 40 +-- + libselinux/src/label_internal.h | 10 +- + libselinux/src/label_support.c | 8 +- + libselinux/src/selinux_restorecon.c | 24 +- + libselinux/src/sha1.c | 220 ------------- + libselinux/src/sha1.h | 85 ----- + libselinux/src/sha256.c | 294 ++++++++++++++++++ + libselinux/src/sha256.h | 89 ++++++ + libselinux/utils/selabel_digest.c | 26 +- + .../selabel_get_digests_all_partial_matches.c | 28 +- + 17 files changed, 469 insertions(+), 391 deletions(-) + delete mode 100644 libselinux/src/sha1.c + delete mode 100644 libselinux/src/sha1.h + create mode 100644 libselinux/src/sha256.c + create mode 100644 libselinux/src/sha256.h + +diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h +index e8983606d93b..a35d84d63b0a 100644 +--- a/libselinux/include/selinux/label.h ++++ b/libselinux/include/selinux/label.h +@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con, + const char *key, const char **aliases, int type); + + /** +- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to ++ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to + * generate the digest. The SELABEL_OPT_DIGEST option must + * be set in selabel_open() to initiate the digest generation. + * @handle: specifies backend instance to query +- * @digest: returns a pointer to the SHA1 digest. ++ * @digest: returns a pointer to the SHA256 digest. + * @digest_len: returns length of digest in bytes. +- * @specfiles: a list of specfiles used in the SHA1 digest generation. ++ * @specfiles: a list of specfiles used in the SHA256 digest generation. + * The list is NULL terminated and will hold @num_specfiles entries. + * @num_specfiles: number of specfiles in the list. + * +diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h +index 466de39aac72..ca8ce768587a 100644 +--- a/libselinux/include/selinux/restorecon.h ++++ b/libselinux/include/selinux/restorecon.h +@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname, + * restorecon_flags options + */ + /* +- * Force the checking of labels even if the stored SHA1 digest +- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN). ++ * Force the checking of labels even if the stored SHA256 digest ++ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN). + */ + #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001 + /* +diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3 +index 56a008f00df0..5f7c42533d0e 100644 +--- a/libselinux/man/man3/selabel_digest.3 ++++ b/libselinux/man/man3/selabel_digest.3 +@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used + .BR selabel_digest () + performs an operation on the handle + .IR hnd , +-returning the results of the SHA1 digest pointed to by ++returning the results of the SHA256 digest pointed to by + .IR digest , + whose length will be + .IR digest_len . +-The list of specfiles used in the SHA1 digest calculation is returned in ++The list of specfiles used in the SHA256 digest calculation is returned in + .I specfiles + with the number of entries in + .IR num_specfiles . +diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3 +index 971ebc1acd41..2cf2eb8a1410 100644 +--- a/libselinux/man/man3/selabel_open.3 ++++ b/libselinux/man/man3/selabel_open.3 +@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via + Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation. + .TP + .B SELABEL_OPT_DIGEST +-A non-null value for this option enables the generation of an SHA1 digest of ++A non-null value for this option enables the generation of an SHA256 digest of + the spec files loaded as described in + .BR selabel_digest (3) + . +diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3 +index ad637406a30d..c4576fe79ff6 100644 +--- a/libselinux/man/man3/selinux_restorecon.3 ++++ b/libselinux/man/man3/selinux_restorecon.3 +@@ -28,7 +28,7 @@ If this is a directory and the + .B SELINUX_RESTORECON_RECURSE + has been set (for descending through directories), then + .BR selinux_restorecon () +-will write an SHA1 digest of specfile entries calculated by ++will write an SHA256 digest of specfile entries calculated by + .BR selabel_get_digests_all_partial_matches (3) + to an extended attribute of + .IR security.sehash +@@ -47,7 +47,7 @@ will take place. + .br + The + .IR restorecon_flags +-that can be used to manage the usage of the SHA1 digest are: ++that can be used to manage the usage of the SHA256 digest are: + .RS + .B SELINUX_RESTORECON_SKIP_DIGEST + .br +@@ -65,8 +65,8 @@ Do not check or update any extended attribute + entries. + .sp + .B SELINUX_RESTORECON_IGNORE_DIGEST +-force the checking of labels even if the stored SHA1 digest matches the +-specfile entries SHA1 digest. The specfile entries digest will be written to the ++force the checking of labels even if the stored SHA256 digest matches the ++specfile entries SHA256 digest. The specfile entries digest will be written to the + .IR security.sehash + extended attribute once relabeling has been completed successfully provided the + .B SELINUX_RESTORECON_NOCHANGE +@@ -84,7 +84,7 @@ default specfile context. + .sp + .B SELINUX_RESTORECON_RECURSE + change file and directory labels recursively (descend directories) +-and if successful write an SHA1 digest of the specfile entries to an ++and if successful write an SHA256 digest of the specfile entries to an + extended attribute as described in the + .B NOTES + section. +@@ -158,7 +158,7 @@ to treat conflicting specifications, such as where two hardlinks for the + same inode have different contexts, as errors. + .RE + .sp +-The behavior regarding the checking and updating of the SHA1 digest described ++The behavior regarding the checking and updating of the SHA256 digest described + above is the default behavior. It is possible to change this by first calling + .BR selabel_open (3) + and not enabling the +@@ -200,7 +200,7 @@ To improve performance when relabeling file systems recursively (e.g. the + .B SELINUX_RESTORECON_RECURSE + flag is set) + .BR selinux_restorecon () +-will write a calculated SHA1 digest of the specfile entries returned by ++will write a calculated SHA256 digest of the specfile entries returned by + .BR selabel_get_digests_all_partial_matches (3) + to an extended attribute named + .IR security.sehash +@@ -222,7 +222,7 @@ Should any of the specfile entries have changed, then when + .BR selinux_restorecon () + is run again with the + .B SELINUX_RESTORECON_RECURSE +-flag set, new SHA1 digests will be calculated and all files automatically ++flag set, new SHA256 digests will be calculated and all files automatically + relabeled depending on the settings of the + .B SELINUX_RESTORECON_SET_SPECFILE_CTX + flag (provided +diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3 +index c56326814b94..098c840fc59b 100644 +--- a/libselinux/man/man3/selinux_restorecon_xattr.3 ++++ b/libselinux/man/man3/selinux_restorecon_xattr.3 +@@ -119,7 +119,7 @@ By default + .BR selinux_restorecon_xattr (3) + will use the default set of specfiles described in + .BR files_contexts (5) +-to calculate the SHA1 digests to be used for comparison. ++to calculate the SHA256 digests to be used for comparison. + To change this default behavior + .BR selabel_open (3) + must be called specifying the required +diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile +index 52c40f018f51..674a5ed3a6f8 100644 +--- a/libselinux/src/Makefile ++++ b/libselinux/src/Makefile +@@ -120,7 +120,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ + -DBUILD_HOST + SRCS= callbacks.c freecon.c label.c label_file.c \ + label_backends_android.c regex.c label_support.c \ +- matchpathcon.c setrans_client.c sha1.c booleans.c ++ matchpathcon.c setrans_client.c sha256.c booleans.c + else + LABEL_BACKEND_ANDROID=y + endif +diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c +index 2e28d0474d73..c1306c9979e7 100644 +--- a/libselinux/src/label_file.c ++++ b/libselinux/src/label_file.c +@@ -1005,7 +1005,7 @@ static struct spec *lookup_common(struct selabel_handle *rec, + + /* + * Returns true if the digest of all partial matched contexts is the same as +- * the one saved by setxattr, otherwise returns false. The length of the SHA1 ++ * the one saved by setxattr, otherwise returns false. The length of the SHA256 + * digest will always be returned. The caller must free any returned digests. + */ + static bool get_digests_all_partial_matches(struct selabel_handle *rec, +@@ -1014,39 +1014,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec, + uint8_t **xattr_digest, + size_t *digest_len) + { +- uint8_t read_digest[SHA1_HASH_SIZE]; ++ uint8_t read_digest[SHA256_HASH_SIZE]; + ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST, +- read_digest, SHA1_HASH_SIZE ++ read_digest, SHA256_HASH_SIZE + #ifdef __APPLE__ + , 0, 0 + #endif /* __APPLE __ */ + ); +- uint8_t hash_digest[SHA1_HASH_SIZE]; ++ uint8_t hash_digest[SHA256_HASH_SIZE]; + bool status = selabel_hash_all_partial_matches(rec, pathname, + hash_digest); + + *xattr_digest = NULL; + *calculated_digest = NULL; +- *digest_len = SHA1_HASH_SIZE; ++ *digest_len = SHA256_HASH_SIZE; + +- if (read_size == SHA1_HASH_SIZE) { +- *xattr_digest = calloc(1, SHA1_HASH_SIZE + 1); ++ if (read_size == SHA256_HASH_SIZE) { ++ *xattr_digest = calloc(1, SHA256_HASH_SIZE + 1); + if (!*xattr_digest) + goto oom; + +- memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE); ++ memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE); + } + + if (status) { +- *calculated_digest = calloc(1, SHA1_HASH_SIZE + 1); ++ *calculated_digest = calloc(1, SHA256_HASH_SIZE + 1); + if (!*calculated_digest) + goto oom; + +- memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE); ++ memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE); + } + +- if (status && read_size == SHA1_HASH_SIZE && +- memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0) ++ if (status && read_size == SHA256_HASH_SIZE && ++ memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0) + return true; + + return false; +@@ -1066,22 +1066,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key + return false; + } + +- Sha1Context context; +- Sha1Initialise(&context); ++ Sha256Context context; ++ Sha256Initialise(&context); + size_t i; + for (i = 0; i < total_matches; i++) { + char* regex_str = matches[i]->regex_str; + mode_t mode = matches[i]->mode; + char* ctx_raw = matches[i]->lr.ctx_raw; + +- Sha1Update(&context, regex_str, strlen(regex_str) + 1); +- Sha1Update(&context, &mode, sizeof(mode_t)); +- Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1); ++ Sha256Update(&context, regex_str, strlen(regex_str) + 1); ++ Sha256Update(&context, &mode, sizeof(mode_t)); ++ Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1); + } + +- SHA1_HASH sha1_hash; +- Sha1Finalise(&context, &sha1_hash); +- memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE); ++ SHA256_HASH sha256_hash; ++ Sha256Finalise(&context, &sha256_hash); ++ memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE); + + free(matches); + return true; +diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h +index 782c6aa8cc0c..304e8d96490a 100644 +--- a/libselinux/src/label_internal.h ++++ b/libselinux/src/label_internal.h +@@ -13,7 +13,7 @@ + #include + #include + #include +-#include "sha1.h" ++#include "sha256.h" + + #if defined(ANDROID) || defined(__APPLE__) + // Android and Mac do not have fgets_unlocked() +@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec, + */ + + /* +- * Calculate an SHA1 hash of all the files used to build the specs. ++ * Calculate an SHA256 hash of all the files used to build the specs. + * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To + * calculate the hash the hashbuf will hold a concatenation of all the files + * used. This is released once the value has been calculated. + */ +-#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE ++#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE + #define DIGEST_FILES_MAX 8 + struct selabel_digest { +- unsigned char *digest; /* SHA1 digest of specfiles */ ++ unsigned char *digest; /* SHA256 digest of specfiles */ + unsigned char *hashbuf; /* buffer to hold specfiles */ + size_t hashbuf_size; /* buffer size */ + size_t specfile_cnt; /* how many specfiles processed */ +@@ -110,7 +110,7 @@ struct selabel_handle { + */ + char *spec_file; + +- /* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */ ++ /* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */ + struct selabel_digest *digest; + }; + +diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c +index 94ed6e4273cb..f53d73b609ab 100644 +--- a/libselinux/src/label_support.c ++++ b/libselinux/src/label_support.c +@@ -115,15 +115,15 @@ int read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...) + /* Once all the specfiles are in the hash_buf, generate the hash. */ + void digest_gen_hash(struct selabel_digest *digest) + { +- Sha1Context context; ++ Sha256Context context; + + /* If SELABEL_OPT_DIGEST not set then just return */ + if (!digest) + return; + +- Sha1Initialise(&context); +- Sha1Update(&context, digest->hashbuf, digest->hashbuf_size); +- Sha1Finalise(&context, (SHA1_HASH *)digest->digest); ++ Sha256Initialise(&context); ++ Sha256Update(&context, digest->hashbuf, digest->hashbuf_size); ++ Sha256Finalise(&context, (SHA256_HASH *)digest->digest); + free(digest->hashbuf); + digest->hashbuf = NULL; + return; +diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c +index 04d956504952..100c77108a27 100644 +--- a/libselinux/src/selinux_restorecon.c ++++ b/libselinux/src/selinux_restorecon.c +@@ -37,7 +37,7 @@ + #include "callbacks.h" + #include "selinux_internal.h" + #include "label_file.h" +-#include "sha1.h" ++#include "sha256.h" + + #define STAR_COUNT 1024 + +@@ -293,7 +293,7 @@ static int exclude_non_seclabel_mounts(void) + static int add_xattr_entry(const char *directory, bool delete_nonmatch, + bool delete_all) + { +- char *sha1_buf = NULL; ++ char *sha256_buf = NULL; + size_t i, digest_len = 0; + int rc, digest_result; + bool match; +@@ -316,15 +316,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + } + + /* Convert entry to a hex encoded string. */ +- sha1_buf = malloc(digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = malloc(digest_len * 2 + 1); ++ if (!sha256_buf) { + free(xattr_digest); + free(calculated_digest); + goto oom; + } + + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]); ++ sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]); + + digest_result = match ? MATCH : NOMATCH; + +@@ -344,7 +344,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + /* Now add entries to link list. */ + new_entry = malloc(sizeof(struct dir_xattr)); + if (!new_entry) { +- free(sha1_buf); ++ free(sha256_buf); + goto oom; + } + new_entry->next = NULL; +@@ -352,15 +352,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + new_entry->directory = strdup(directory); + if (!new_entry->directory) { + free(new_entry); +- free(sha1_buf); ++ free(sha256_buf); + goto oom; + } + +- new_entry->digest = strdup(sha1_buf); ++ new_entry->digest = strdup(sha256_buf); + if (!new_entry->digest) { + free(new_entry->directory); + free(new_entry); +- free(sha1_buf); ++ free(sha256_buf); + goto oom; + } + +@@ -374,7 +374,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + dir_xattr_last = new_entry; + } + +- free(sha1_buf); ++ free(sha256_buf); + return 0; + + oom: +@@ -741,7 +741,7 @@ err: + + struct dir_hash_node { + char *path; +- uint8_t digest[SHA1_HASH_SIZE]; ++ uint8_t digest[SHA256_HASH_SIZE]; + struct dir_hash_node *next; + }; + /* +@@ -1091,7 +1091,7 @@ int selinux_restorecon(const char *pathname_orig, + if (setxattr(current->path, + RESTORECON_PARTIAL_MATCH_DIGEST, + current->digest, +- SHA1_HASH_SIZE, 0) < 0) { ++ SHA256_HASH_SIZE, 0) < 0) { + selinux_log(SELINUX_ERROR, + "setxattr failed: %s: %m\n", + current->path); +diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c +deleted file mode 100644 +index a848467785f3..000000000000 +--- a/libselinux/src/sha1.c ++++ /dev/null +@@ -1,220 +0,0 @@ +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// LibSha1 +-// +-// Implementation of SHA1 hash function. +-// Original author: Steve Reid +-// Contributions by: James H. Brown , Saul Kravitz , +-// and Ralph Giles +-// Modified by WaterJuice retaining Public Domain license. +-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-// Modified to: +-// - stop symbols being exported for libselinux shared library - October 2015 +-// Richard Haines +-// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses. +-// Fixes: +-// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] +-// CHAR64LONG16* block = (CHAR64LONG16*) workspace; +-// William Roberts +-// - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include "sha1.h" +-#include +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TYPES +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-typedef union +-{ +- uint8_t c [64]; +- uint32_t l [16]; +-} CHAR64LONG16; +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// INTERNAL FUNCTIONS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) +- +-// blk0() and blk() perform the initial expand. +-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ +- |(rol(block->l[i],8)&0x00FF00FF)) +- +-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ +- ^block->l[(i+2)&15]^block->l[i&15],1)) +- +-// (R0+R1), R2, R3, R4 are the different operations used in SHA1 +-#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0) +-#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0) +-#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0) +-#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0) +-#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0) +- +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TransformFunction +-// +-// Hash a single 512-bit block. This is the core of the algorithm +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-static +-void +- TransformFunction +- ( +- uint32_t state[5], +- const uint8_t buffer[64] +- ) +-{ +- uint32_t a; +- uint32_t b; +- uint32_t c; +- uint32_t d; +- uint32_t e; +- CHAR64LONG16 workspace; +- CHAR64LONG16* block = &workspace; +- +- memcpy(block, buffer, 64); +- +- // Copy context->state[] to working vars +- a = state[0]; +- b = state[1]; +- c = state[2]; +- d = state[3]; +- e = state[4]; +- +- // 4 rounds of 20 operations each. Loop unrolled. +- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); +- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); +- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); +- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); +- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); +- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); +- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); +- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); +- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); +- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); +- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); +- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); +- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); +- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); +- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); +- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); +- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); +- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); +- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); +- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); +- +- // Add the working vars back into context.state[] +- state[0] += a; +- state[1] += b; +- state[2] += c; +- state[3] += d; +- state[4] += e; +-} +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Initialise +-// +-// Initialises an SHA1 Context. Use this to initialise/reset a context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Initialise +- ( +- Sha1Context* Context +- ) +-{ +- // SHA1 initialization constants +- Context->State[0] = 0x67452301; +- Context->State[1] = 0xEFCDAB89; +- Context->State[2] = 0x98BADCFE; +- Context->State[3] = 0x10325476; +- Context->State[4] = 0xC3D2E1F0; +- Context->Count[0] = 0; +- Context->Count[1] = 0; +-} +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Update +-// +-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Update +- ( +- Sha1Context* Context, +- const void* Buffer, +- uint32_t BufferSize +- ) +-{ +- uint32_t i; +- uint32_t j; +- +- j = (Context->Count[0] >> 3) & 63; +- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3)) +- { +- Context->Count[1]++; +- } +- +- Context->Count[1] += (BufferSize >> 29); +- if ((j + BufferSize) > 63) +- { +- i = 64 - j; +- memcpy(&Context->Buffer[j], Buffer, i); +- TransformFunction(Context->State, Context->Buffer); +- for (; i + 63 < BufferSize; i += 64) +- { +- TransformFunction(Context->State, (const uint8_t*)Buffer + i); +- } +- j = 0; +- } +- else +- { +- i = 0; +- } +- +- memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i); +-} +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Finalise +-// +-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After +-// calling this, Sha1Initialised must be used to reuse the context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Finalise +- ( +- Sha1Context* Context, +- SHA1_HASH* Digest +- ) +-{ +- uint32_t i; +- uint8_t finalcount[8]; +- +- for (i = 0; i < 8; i++) +- { +- finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)] +- >> ((3-(i & 3)) * 8) ) & 255); // Endian independent +- } +- Sha1Update(Context, (const uint8_t*)"\x80", 1); +- while ((Context->Count[0] & 504) != 448) +- { +- Sha1Update(Context, (const uint8_t*)"\0", 1); +- } +- +- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction() +- for (i = 0; i < SHA1_HASH_SIZE; i++) +- { +- Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255); +- } +-} +diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h +deleted file mode 100644 +index f83a6e7ed7ba..000000000000 +--- a/libselinux/src/sha1.h ++++ /dev/null +@@ -1,85 +0,0 @@ +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// LibSha1 +-// +-// Implementation of SHA1 hash function. +-// Original author: Steve Reid +-// Contributions by: James H. Brown , Saul Kravitz , +-// and Ralph Giles +-// Modified by WaterJuice retaining Public Domain license. +-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#ifndef _sha1_h_ +-#define _sha1_h_ +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include +-#include +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TYPES +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly. +-typedef struct +-{ +- uint32_t State[5]; +- uint32_t Count[2]; +- uint8_t Buffer[64]; +-} Sha1Context; +- +-#define SHA1_HASH_SIZE ( 160 / 8 ) +- +-typedef struct +-{ +- uint8_t bytes [SHA1_HASH_SIZE]; +-} SHA1_HASH; +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Initialise +-// +-// Initialises an SHA1 Context. Use this to initialise/reset a context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Initialise +- ( +- Sha1Context* Context +- ); +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Update +-// +-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Update +- ( +- Sha1Context* Context, +- const void* Buffer, +- uint32_t BufferSize +- ); +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Finalise +-// +-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After +-// calling this, Sha1Initialised must be used to reuse the context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Finalise +- ( +- Sha1Context* Context, +- SHA1_HASH* Digest +- ); +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-#endif //_sha1_h_ +diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c +new file mode 100644 +index 000000000000..fe2aeef07f53 +--- /dev/null ++++ b/libselinux/src/sha256.c +@@ -0,0 +1,294 @@ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// WjCryptLib_Sha256 ++// ++// Implementation of SHA256 hash function. ++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org ++// Modified by WaterJuice retaining Public Domain license. ++// ++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// IMPORTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#include "sha256.h" ++#include ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// MACROS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) ++ ++#define MIN(x, y) ( ((x)<(y))?(x):(y) ) ++ ++#define STORE32H(x, y) \ ++ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ ++ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } ++ ++#define LOAD32H(x, y) \ ++ { x = ((uint32_t)((y)[0] & 255)<<24) | \ ++ ((uint32_t)((y)[1] & 255)<<16) | \ ++ ((uint32_t)((y)[2] & 255)<<8) | \ ++ ((uint32_t)((y)[3] & 255)); } ++ ++#define STORE64H(x, y) \ ++ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ ++ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ ++ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ ++ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// CONSTANTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++// The K array ++static const uint32_t K[64] = { ++ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, ++ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, ++ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, ++ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, ++ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, ++ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, ++ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, ++ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, ++ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, ++ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, ++ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, ++ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, ++ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL ++}; ++ ++#define BLOCK_SIZE 64 ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// INTERNAL FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++// Various logical functions ++#define Ch( x, y, z ) (z ^ (x & (y ^ z))) ++#define Maj( x, y, z ) (((x | y) & z) | (x & y)) ++#define S( x, n ) ror((x),(n)) ++#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) ++#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) ++#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) ++#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) ++#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) ++ ++#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ ++ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ ++ t1 = Sigma0(a) + Maj(a, b, c); \ ++ d += t0; \ ++ h = t0 + t1; ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// TransformFunction ++// ++// Compress 512-bits ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++static ++void ++ TransformFunction ++ ( ++ Sha256Context* Context, ++ uint8_t const* Buffer ++ ) ++{ ++ uint32_t S[8]; ++ uint32_t W[64]; ++ uint32_t t0; ++ uint32_t t1; ++ uint32_t t; ++ int i; ++ ++ // Copy state into S ++ for( i=0; i<8; i++ ) ++ { ++ S[i] = Context->state[i]; ++ } ++ ++ // Copy the state into 512-bits into W[0..15] ++ for( i=0; i<16; i++ ) ++ { ++ LOAD32H( W[i], Buffer + (4*i) ); ++ } ++ ++ // Fill W[16..63] ++ for( i=16; i<64; i++ ) ++ { ++ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; ++ } ++ ++ // Compress ++ for( i=0; i<64; i++ ) ++ { ++ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); ++ t = S[7]; ++ S[7] = S[6]; ++ S[6] = S[5]; ++ S[5] = S[4]; ++ S[4] = S[3]; ++ S[3] = S[2]; ++ S[2] = S[1]; ++ S[1] = S[0]; ++ S[0] = t; ++ } ++ ++ // Feedback ++ for( i=0; i<8; i++ ) ++ { ++ Context->state[i] = Context->state[i] + S[i]; ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// PUBLIC FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Initialise ++// ++// Initialises a SHA256 Context. Use this to initialise/reset a context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Initialise ++ ( ++ Sha256Context* Context // [out] ++ ) ++{ ++ Context->curlen = 0; ++ Context->length = 0; ++ Context->state[0] = 0x6A09E667UL; ++ Context->state[1] = 0xBB67AE85UL; ++ Context->state[2] = 0x3C6EF372UL; ++ Context->state[3] = 0xA54FF53AUL; ++ Context->state[4] = 0x510E527FUL; ++ Context->state[5] = 0x9B05688CUL; ++ Context->state[6] = 0x1F83D9ABUL; ++ Context->state[7] = 0x5BE0CD19UL; ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Update ++// ++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on ++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Update ++ ( ++ Sha256Context* Context, // [in out] ++ void const* Buffer, // [in] ++ uint32_t BufferSize // [in] ++ ) ++{ ++ uint32_t n; ++ ++ if( Context->curlen > sizeof(Context->buf) ) ++ { ++ return; ++ } ++ ++ while( BufferSize > 0 ) ++ { ++ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) ++ { ++ TransformFunction( Context, (uint8_t*)Buffer ); ++ Context->length += BLOCK_SIZE * 8; ++ Buffer = (uint8_t*)Buffer + BLOCK_SIZE; ++ BufferSize -= BLOCK_SIZE; ++ } ++ else ++ { ++ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); ++ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); ++ Context->curlen += n; ++ Buffer = (uint8_t*)Buffer + n; ++ BufferSize -= n; ++ if( Context->curlen == BLOCK_SIZE ) ++ { ++ TransformFunction( Context, Context->buf ); ++ Context->length += 8*BLOCK_SIZE; ++ Context->curlen = 0; ++ } ++ } ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Finalise ++// ++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After ++// calling this, Sha256Initialised must be used to reuse the context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Finalise ++ ( ++ Sha256Context* Context, // [in out] ++ SHA256_HASH* Digest // [out] ++ ) ++{ ++ int i; ++ ++ if( Context->curlen >= sizeof(Context->buf) ) ++ { ++ return; ++ } ++ ++ // Increase the length of the message ++ Context->length += Context->curlen * 8; ++ ++ // Append the '1' bit ++ Context->buf[Context->curlen++] = (uint8_t)0x80; ++ ++ // if the length is currently above 56 bytes we append zeros ++ // then compress. Then we can fall back to padding zeros and length ++ // encoding like normal. ++ if( Context->curlen > 56 ) ++ { ++ while( Context->curlen < 64 ) ++ { ++ Context->buf[Context->curlen++] = (uint8_t)0; ++ } ++ TransformFunction(Context, Context->buf); ++ Context->curlen = 0; ++ } ++ ++ // Pad up to 56 bytes of zeroes ++ while( Context->curlen < 56 ) ++ { ++ Context->buf[Context->curlen++] = (uint8_t)0; ++ } ++ ++ // Store length ++ STORE64H( Context->length, Context->buf+56 ); ++ TransformFunction( Context, Context->buf ); ++ ++ // Copy output ++ for( i=0; i<8; i++ ) ++ { ++ STORE32H( Context->state[i], Digest->bytes+(4*i) ); ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Calculate ++// ++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the ++// buffer. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Calculate ++ ( ++ void const* Buffer, // [in] ++ uint32_t BufferSize, // [in] ++ SHA256_HASH* Digest // [in] ++ ) ++{ ++ Sha256Context context; ++ ++ Sha256Initialise( &context ); ++ Sha256Update( &context, Buffer, BufferSize ); ++ Sha256Finalise( &context, Digest ); ++} +diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h +new file mode 100644 +index 000000000000..406ed869cd82 +--- /dev/null ++++ b/libselinux/src/sha256.h +@@ -0,0 +1,89 @@ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// WjCryptLib_Sha256 ++// ++// Implementation of SHA256 hash function. ++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org ++// Modified by WaterJuice retaining Public Domain license. ++// ++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#pragma once ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// IMPORTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#include ++#include ++ ++typedef struct ++{ ++ uint64_t length; ++ uint32_t state[8]; ++ uint32_t curlen; ++ uint8_t buf[64]; ++} Sha256Context; ++ ++#define SHA256_HASH_SIZE ( 256 / 8 ) ++ ++typedef struct ++{ ++ uint8_t bytes [SHA256_HASH_SIZE]; ++} SHA256_HASH; ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// PUBLIC FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Initialise ++// ++// Initialises a SHA256 Context. Use this to initialise/reset a context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Initialise ++ ( ++ Sha256Context* Context // [out] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Update ++// ++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on ++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Update ++ ( ++ Sha256Context* Context, // [in out] ++ void const* Buffer, // [in] ++ uint32_t BufferSize // [in] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Finalise ++// ++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After ++// calling this, Sha256Initialised must be used to reuse the context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Finalise ++ ( ++ Sha256Context* Context, // [in out] ++ SHA256_HASH* Digest // [out] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Calculate ++// ++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the ++// buffer. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Calculate ++ ( ++ void const* Buffer, // [in] ++ uint32_t BufferSize, // [in] ++ SHA256_HASH* Digest // [in] ++ ); +diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c +index 49408a0ba8d8..67befadd23c5 100644 +--- a/libselinux/utils/selabel_digest.c ++++ b/libselinux/utils/selabel_digest.c +@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) + "Where:\n\t" + "-b The backend - \"file\", \"media\", \"x\", \"db\" or " + "\"prop\"\n\t" +- "-v Run \"cat | openssl dgst -sha1 -hex\"\n\t" +- " on the list of specfiles to compare the SHA1 digests.\n\t" ++ "-v Run \"cat | openssl dgst -sha256 -hex\"\n\t" ++ " on the list of specfiles to compare the SHA256 digests.\n\t" + "-B Use base specfiles only (valid for \"-b file\" only).\n\t" + "-i Do not request a digest.\n\t" + "-f Optional file containing the specs (defaults to\n\t" +@@ -62,12 +62,12 @@ int main(int argc, char **argv) + int backend = 0, rc, opt, validate = 0; + char *baseonly = NULL, *file = NULL, *digest = (char *)1; + char **specfiles = NULL; +- unsigned char *sha1_digest = NULL; ++ unsigned char *sha256_digest = NULL; + size_t i, num_specfiles; + + char cmd_buf[4096]; + char *cmd_ptr; +- char *sha1_buf; ++ char *sha256_buf; + + struct selabel_handle *hnd; + struct selinux_opt selabel_option[] = { +@@ -137,7 +137,7 @@ int main(int argc, char **argv) + return -1; + } + +- rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles, ++ rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles, + &num_specfiles); + + if (rc) { +@@ -152,19 +152,19 @@ int main(int argc, char **argv) + goto err; + } + +- sha1_buf = malloc(digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = malloc(digest_len * 2 + 1); ++ if (!sha256_buf) { + fprintf(stderr, "Could not malloc buffer ERROR: %s\n", + strerror(errno)); + rc = -1; + goto err; + } + +- printf("SHA1 digest: "); ++ printf("SHA256 digest: "); + for (i = 0; i < digest_len; i++) +- sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]); ++ sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]); + +- printf("%s\n", sha1_buf); ++ printf("%s\n", sha256_buf); + printf("calculated using the following specfile(s):\n"); + + if (specfiles) { +@@ -177,13 +177,13 @@ int main(int argc, char **argv) + cmd_ptr += strlen(specfiles[i]) + 1; + printf("%s\n", specfiles[i]); + } +- sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex"); ++ sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex"); + + if (validate) +- rc = run_check_digest(cmd_buf, sha1_buf); ++ rc = run_check_digest(cmd_buf, sha256_buf); + } + +- free(sha1_buf); ++ free(sha256_buf); + err: + selabel_close(hnd); + return rc; +diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c +index e28833d2ce97..900f018c0091 100644 +--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c ++++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c +@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) + "-v Validate file_contxts entries against loaded policy.\n\t" + "-r Recursively descend directories.\n\t" + "-f Optional file_contexts file (defaults to current policy).\n\t" +- "path Path to check current SHA1 digest against file_contexts entries.\n\n" +- "This will check the directory selinux.sehash SHA1 digest for " ++ "path Path to check current SHA256 digest against file_contexts entries.\n\n" ++ "This will check the directory selinux.sehash SHA256 digest for " + " against\na newly generated digest based on the " + "file_context entries for that node\n(using the regx, mode " + "and path entries).\n", progname); +@@ -37,7 +37,7 @@ int main(int argc, char **argv) + char *paths[2] = { NULL, NULL }; + uint8_t *xattr_digest = NULL; + uint8_t *calculated_digest = NULL; +- char *sha1_buf = NULL; ++ char *sha256_buf = NULL; + + struct selabel_handle *hnd; + struct selinux_opt selabel_option[] = { +@@ -105,27 +105,27 @@ int main(int argc, char **argv) + &xattr_digest, + &digest_len); + +- sha1_buf = calloc(1, digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = calloc(1, digest_len * 2 + 1); ++ if (!sha256_buf) { + fprintf(stderr, "Could not calloc buffer ERROR: %s\n", + strerror(errno)); + return -1; + } + + if (status) { /* They match */ +- printf("xattr and file_contexts SHA1 digests match for: %s\n", ++ printf("xattr and file_contexts SHA256 digests match for: %s\n", + ftsent->fts_path); + + if (calculated_digest) { + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), ++ sprintf((&sha256_buf[i * 2]), + "%02x", + calculated_digest[i]); +- printf("SHA1 digest: %s\n", sha1_buf); ++ printf("SHA256 digest: %s\n", sha256_buf); + } + } else { + if (!calculated_digest) { +- printf("No SHA1 digest available for: %s\n", ++ printf("No SHA256 digest available for: %s\n", + ftsent->fts_path); + printf("as file_context entry is \"<>\"\n"); + goto cleanup; +@@ -135,25 +135,25 @@ int main(int argc, char **argv) + ftsent->fts_path); + + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), "%02x", ++ sprintf((&sha256_buf[i * 2]), "%02x", + calculated_digest[i]); +- printf("generated SHA1 digest: %s\n", sha1_buf); ++ printf("generated SHA256 digest: %s\n", sha256_buf); + + if (!xattr_digest) { + printf("however there is no selinux.sehash xattr entry.\n"); + } else { + printf("however it does NOT match the current entry of:\n"); + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), ++ sprintf((&sha256_buf[i * 2]), + "%02x", + xattr_digest[i]); +- printf("%s\n", sha1_buf); ++ printf("%s\n", sha256_buf); + } + } + cleanup: + free(xattr_digest); + free(calculated_digest); +- free(sha1_buf); ++ free(sha256_buf); + break; + } + default: +-- +2.32.0 + diff --git a/SOURCES/0001-libselinux-do-not-duplicate-make-target-when-going-i.patch b/SOURCES/0001-libselinux-do-not-duplicate-make-target-when-going-i.patch deleted file mode 100644 index 3d123e5..0000000 --- a/SOURCES/0001-libselinux-do-not-duplicate-make-target-when-going-i.patch +++ /dev/null @@ -1,59 +0,0 @@ -From f63263c2d002fc8a4e681ea1a1b1db1e455acc49 Mon Sep 17 00:00:00 2001 -From: Nicolas Iooss -Date: Thu, 22 Apr 2021 08:43:56 +0200 -Subject: [PATCH] libselinux: do not duplicate make target when going into - subdirectory - -When running "make install-pywrap", make displays: - - make[1]: Entering directory '/root/selinux/libselinux' - make -C src install-pywrap install-pywrap - make[2]: Entering directory '/root/selinux/libselinux/src' - -The duplicated "install-pywrap" is not expected. Remove it from the -Makefile. - -Signed-off-by: Nicolas Iooss ---- - libselinux/Makefile | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/libselinux/Makefile b/libselinux/Makefile -index ac16c15e8d0a..439bc6a9b7fd 100644 ---- a/libselinux/Makefile -+++ b/libselinux/Makefile -@@ -50,24 +50,24 @@ all install relabel clean distclean indent: - done - - swigify: all -- $(MAKE) -C src swigify $@ -+ $(MAKE) -C src $@ - - pywrap: -- $(MAKE) -C src pywrap $@ -+ $(MAKE) -C src $@ - - rubywrap: -- $(MAKE) -C src rubywrap $@ -+ $(MAKE) -C src $@ - - install-pywrap: -- $(MAKE) -C src install-pywrap $@ -+ $(MAKE) -C src $@ - - install-rubywrap: -- $(MAKE) -C src install-rubywrap $@ -+ $(MAKE) -C src $@ - - clean-pywrap: -- $(MAKE) -C src clean-pywrap $@ -+ $(MAKE) -C src $@ - - clean-rubywrap: -- $(MAKE) -C src clean-rubywrap $@ -+ $(MAKE) -C src $@ - - test: --- -2.32.0 - diff --git a/SOURCES/0002-libselinux-selinux_check_passwd_access_internal-resp.patch b/SOURCES/0002-libselinux-selinux_check_passwd_access_internal-resp.patch deleted file mode 100644 index 9eb5b1b..0000000 --- a/SOURCES/0002-libselinux-selinux_check_passwd_access_internal-resp.patch +++ /dev/null @@ -1,45 +0,0 @@ -From a88d24522fe74100478122c298aa4ace1af876fd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 10 May 2021 12:12:38 +0200 -Subject: [PATCH] libselinux: selinux_check_passwd_access_internal(): respect - deny_unknown -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -`selinux_check_passwd_access_internal()`, and thereby -`checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not -respect the policy defined setting of `deny_unknown`, like -`selinux_check_access(3)` does. -This means in case the security class `passwd` is not defined, success -is returned instead of failure, i.e. permission denied. - -Most policies should define the `passwd` class and the two affected -public functions are marked deprecated. - -Align the behavior with `selinux_check_access(3)` and respect -the deny_unknown setting in case the security class is not defined. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/checkAccess.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c -index b337ea64f977..022cd6b5ecab 100644 ---- a/libselinux/src/checkAccess.c -+++ b/libselinux/src/checkAccess.c -@@ -78,7 +78,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested) - passwd_class = string_to_security_class("passwd"); - if (passwd_class == 0) { - freecon(user_context); -- return 0; -+ if (security_deny_unknown() == 0) -+ return 0; -+ return -1; - } - - retval = security_compute_av_raw(user_context, --- -2.32.0 - diff --git a/SOURCES/0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch b/SOURCES/0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch deleted file mode 100644 index 4fc315c..0000000 --- a/SOURCES/0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch +++ /dev/null @@ -1,51 +0,0 @@ -From f1bc162cc272e01631e8f6d890fae71e1cb96e03 Mon Sep 17 00:00:00 2001 -From: Nicolas Iooss -Date: Fri, 30 Apr 2021 21:37:02 +0200 -Subject: [PATCH] libselinux: silence -Wstringop-overflow warning from gcc - 10.3.1 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When building libselinux on Fedora 33 with gcc 10.3.1, the compiler -reports: - - label_file.c: In function ‘lookup_all.isra’: - label_file.c:940:4: error: ‘strncpy’ specified bound depends on the - length of the source argument [-Werror=stringop-overflow=] - 940 | strncpy(clean_key, key, len - 1); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - label_file.c:927:8: note: length computed here - 927 | len = strlen(key); - | ^~~~~~~~~~~ - cc1: all warnings being treated as errors - -As clean_key is the result of malloc(len), there is no issue here. But -using strncpy can be considered as strange, because the size of the -string is already known and the NUL terminator is always added later, in -function ‘lookup_all.isra. - -Replace strncpy with memcpy to silence this gcc false-positive warning. - -Signed-off-by: Nicolas Iooss -Acked-by: Petr Lautrbach ---- - libselinux/src/label_file.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index 726394ca4332..cfce23e0119e 100644 ---- a/libselinux/src/label_file.c -+++ b/libselinux/src/label_file.c -@@ -909,7 +909,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec, - if (!clean_key) - goto finish; - -- strncpy(clean_key, key, len - 1); -+ memcpy(clean_key, key, len - 1); - } - - clean_key[len - 1] = '\0'; --- -2.32.0 - diff --git a/SOURCES/0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch b/SOURCES/0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch deleted file mode 100644 index 4041dc4..0000000 --- a/SOURCES/0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch +++ /dev/null @@ -1,46 +0,0 @@ -From ae34b3ca3c605f8648b10722330ef3fbc872f3d6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:35 +0200 -Subject: [PATCH] libselinux: sidtab_hash(): do not discard const qualifier -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Do not discard the const qualifier of the function argument, and drop -the redundant local variable `keyp`. - -avc_sidtab.c: In function ‘sidtab_hash’: -avc_sidtab.c:23:9: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual] - 23 | keyp = (char *)key; - | ^ - -Signed-off-by: Christian Göttsche ---- - libselinux/src/avc_sidtab.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c -index 9669264d651a..8dc875608762 100644 ---- a/libselinux/src/avc_sidtab.c -+++ b/libselinux/src/avc_sidtab.c -@@ -15,14 +15,13 @@ - - static inline unsigned sidtab_hash(const char * key) - { -- char *p, *keyp; -+ const char *p; - unsigned int size; - unsigned int val; - - val = 0; -- keyp = (char *)key; -- size = strlen(keyp); -- for (p = keyp; (unsigned int)(p - keyp) < size; p++) -+ size = strlen(key); -+ for (p = key; (unsigned int)(p - key) < size; p++) - val = - (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); - return val & (SIDTAB_SIZE - 1); --- -2.32.0 - diff --git a/SOURCES/0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch b/SOURCES/0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch deleted file mode 100644 index c370725..0000000 --- a/SOURCES/0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d23421c65a4e53bef900d9e015833015fa123765 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:40 +0200 -Subject: [PATCH] libselinux: selinux_file_context_cmp(): do not discard const - qualifier -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -matchpathcon.c: In function ‘selinux_file_context_cmp’: -matchpathcon.c:487:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual] - 487 | rest_a = strchr((char *)a, ':'); - | ^ -matchpathcon.c:488:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual] - 488 | rest_b = strchr((char *)b, ':'); - | ^ - -Signed-off-by: Christian Göttsche ---- - libselinux/src/matchpathcon.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c -index 2ec66650cae0..9e1fab593266 100644 ---- a/libselinux/src/matchpathcon.c -+++ b/libselinux/src/matchpathcon.c -@@ -477,15 +477,15 @@ void matchpathcon_checkmatches(char *str __attribute__((unused))) - int selinux_file_context_cmp(const char * a, - const char * b) - { -- char *rest_a, *rest_b; /* Rest of the context after the user */ -+ const char *rest_a, *rest_b; /* Rest of the context after the user */ - if (!a && !b) - return 0; - if (!a) - return -1; - if (!b) - return 1; -- rest_a = strchr((char *)a, ':'); -- rest_b = strchr((char *)b, ':'); -+ rest_a = strchr(a, ':'); -+ rest_b = strchr(b, ':'); - if (!rest_a && !rest_b) - return 0; - if (!rest_a) --- -2.32.0 - diff --git a/SOURCES/0006-libselinux-label_common-do-not-discard-const-qualifi.patch b/SOURCES/0006-libselinux-label_common-do-not-discard-const-qualifi.patch deleted file mode 100644 index 0dca8cd..0000000 --- a/SOURCES/0006-libselinux-label_common-do-not-discard-const-qualifi.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 3950b1afedd1a5247dcb0eb4acffc3fe045a9fb3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:42 +0200 -Subject: [PATCH] libselinux: label_common(): do not discard const qualifier -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As the const qualifier is discarded in label_common(), do not return a -const qualified pointer pointer from the local function `lookup_all()`. - -label_file.c: In function ‘lookup_common’: -label_file.c:994:24: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual] - 994 | struct spec *result = (struct spec*)matches[0]; - | ^ - -Signed-off-by: Christian Göttsche ---- - libselinux/src/label_file.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index cfce23e0119e..b080fcf1305b 100644 ---- a/libselinux/src/label_file.c -+++ b/libselinux/src/label_file.c -@@ -845,7 +845,7 @@ static void closef(struct selabel_handle *rec) - // Finds all the matches of |key| in the given context. Returns the result in - // the allocated array and updates the match count. If match_count is NULL, - // stops early once the 1st match is found. --static const struct spec **lookup_all(struct selabel_handle *rec, -+static struct spec **lookup_all(struct selabel_handle *rec, - const char *key, - int type, - bool partial, -@@ -861,7 +861,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec, - unsigned int sofar = 0; - char *sub = NULL; - -- const struct spec **result = NULL; -+ struct spec **result = NULL; - if (match_count) { - *match_count = 0; - result = calloc(data->nspec, sizeof(struct spec*)); -@@ -987,11 +987,11 @@ static struct spec *lookup_common(struct selabel_handle *rec, - const char *key, - int type, - bool partial) { -- const struct spec **matches = lookup_all(rec, key, type, partial, NULL); -+ struct spec **matches = lookup_all(rec, key, type, partial, NULL); - if (!matches) { - return NULL; - } -- struct spec *result = (struct spec*)matches[0]; -+ struct spec *result = matches[0]; - free(matches); - return result; - } -@@ -1054,7 +1054,7 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key - assert(digest); - - size_t total_matches; -- const struct spec **matches = lookup_all(rec, key, 0, true, &total_matches); -+ struct spec **matches = lookup_all(rec, key, 0, true, &total_matches); - if (!matches) { - return false; - } --- -2.32.0 - diff --git a/SOURCES/0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch b/SOURCES/0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch deleted file mode 100644 index a60225c..0000000 --- a/SOURCES/0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 7ca82e0db464052c1ed51e77b2d61ede82dfe3ee Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:44 +0200 -Subject: [PATCH] libselinux: Sha1Finalise(): do not discard const qualifier -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Mark the argument `Buffer` of `Sha1Update()` const, since it is not -modified. - -sha1.c: In function ‘Sha1Finalise’: -sha1.c:208:25: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual] - 208 | Sha1Update(Context, (uint8_t*)"\x80", 1); - | ^ -sha1.c:211:29: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual] - 211 | Sha1Update(Context, (uint8_t*)"\0", 1); - | ^ - -Signed-off-by: Christian Göttsche ---- - libselinux/src/sha1.c | 10 +++++----- - libselinux/src/sha1.h | 2 +- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c -index 9a8ce01dceda..664bbcf26eef 100644 ---- a/libselinux/src/sha1.c -+++ b/libselinux/src/sha1.c -@@ -151,7 +151,7 @@ void - Sha1Update - ( - Sha1Context* Context, -- void* Buffer, -+ const void* Buffer, - uint32_t BufferSize - ) - { -@@ -172,7 +172,7 @@ void - TransformFunction(Context->State, Context->Buffer); - for (; i + 63 < BufferSize; i += 64) - { -- TransformFunction(Context->State, (uint8_t*)Buffer + i); -+ TransformFunction(Context->State, (const uint8_t*)Buffer + i); - } - j = 0; - } -@@ -181,7 +181,7 @@ void - i = 0; - } - -- memcpy(&Context->Buffer[j], &((uint8_t*)Buffer)[i], BufferSize - i); -+ memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i); - } - - /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -@@ -205,10 +205,10 @@ void - finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)] - >> ((3-(i & 3)) * 8) ) & 255); // Endian independent - } -- Sha1Update(Context, (uint8_t*)"\x80", 1); -+ Sha1Update(Context, (const uint8_t*)"\x80", 1); - while ((Context->Count[0] & 504) != 448) - { -- Sha1Update(Context, (uint8_t*)"\0", 1); -+ Sha1Update(Context, (const uint8_t*)"\0", 1); - } - - Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction() -diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h -index eac3c195351a..f83a6e7ed7ba 100644 ---- a/libselinux/src/sha1.h -+++ b/libselinux/src/sha1.h -@@ -64,7 +64,7 @@ void - Sha1Update - ( - Sha1Context* Context, -- void* Buffer, -+ const void* Buffer, - uint32_t BufferSize - ); - --- -2.32.0 - diff --git a/SOURCES/0008-libselinux-sefcontext_compile-mark-local-variable-st.patch b/SOURCES/0008-libselinux-sefcontext_compile-mark-local-variable-st.patch deleted file mode 100644 index 39366bd..0000000 --- a/SOURCES/0008-libselinux-sefcontext_compile-mark-local-variable-st.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 11194b982bb32c05548c38e4c81b1f166083f7e9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:46 +0200 -Subject: [PATCH] libselinux: sefcontext_compile: mark local variable static -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `policy_file` is only used in sefcontext_compile.c. - -Signed-off-by: Christian Göttsche ---- - libselinux/utils/sefcontext_compile.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c -index dcb0085ad67e..6c32172d9944 100644 ---- a/libselinux/utils/sefcontext_compile.c -+++ b/libselinux/utils/sefcontext_compile.c -@@ -14,7 +14,7 @@ - #include "../src/label_file.h" - #include "../src/regex.h" - --const char *policy_file; -+static const char *policy_file; - static int ctx_err; - - static int validate_context(char **ctxp) --- -2.32.0 - diff --git a/SOURCES/0009-libselinux-avcstat-use-standard-length-modifier-for-.patch b/SOURCES/0009-libselinux-avcstat-use-standard-length-modifier-for-.patch deleted file mode 100644 index 39a1ea4..0000000 --- a/SOURCES/0009-libselinux-avcstat-use-standard-length-modifier-for-.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 533e9d6ce07c8909c9c020cd6920a2384f7eee22 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:48 +0200 -Subject: [PATCH] libselinux: avcstat: use standard length modifier for - unsigned long long -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The format width specifier `L` is only standardized for floating point -types. Use `ll` for fixed-width data types. - -Signed-off-by: Christian Göttsche ---- - libselinux/utils/avcstat.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libselinux/utils/avcstat.c b/libselinux/utils/avcstat.c -index da2392870c51..cc9a48dd4c3a 100644 ---- a/libselinux/utils/avcstat.c -+++ b/libselinux/utils/avcstat.c -@@ -205,7 +205,7 @@ int main(int argc, char **argv) - die("unable to parse \'%s\': no data", avcstatfile); - - if (cumulative || !i) -- printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n", -+ printf("%10llu %10llu %10llu %10llu %10llu %10llu\n", - tot.lookups, tot.hits, tot.misses, - tot.allocations, tot.reclaims, tot.frees); - else { -@@ -215,7 +215,7 @@ int main(int argc, char **argv) - rel.allocations = tot.allocations - last.allocations; - rel.reclaims = tot.reclaims - last.reclaims; - rel.frees = tot.frees - last.frees; -- printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n", -+ printf("%10llu %10llu %10llu %10llu %10llu %10llu\n", - rel.lookups, rel.hits, rel.misses, - rel.allocations, rel.reclaims, rel.frees); - } --- -2.32.0 - diff --git a/SOURCES/0010-libselinux-selinux_restorecon-mark-local-variable-st.patch b/SOURCES/0010-libselinux-selinux_restorecon-mark-local-variable-st.patch deleted file mode 100644 index 28b1188..0000000 --- a/SOURCES/0010-libselinux-selinux_restorecon-mark-local-variable-st.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 7464272caa1a69e3fc7971d1d80b6afd4785abef Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:51 +0200 -Subject: [PATCH] libselinux: selinux_restorecon: mark local variable static -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `dir_xattr_list` is only used inside `selinux_restorecon.c`. - -selinux_restorecon.c:65:19: warning: no previous extern declaration for non-static variable 'dir_xattr_list' [-Wmissing-variable-declarations] -struct dir_xattr *dir_xattr_list; - ^ -selinux_restorecon.c:65:1: note: declare 'static' if the variable is not intended to be used outside of this translation unit -struct dir_xattr *dir_xattr_list; -^ - -Signed-off-by: Christian Göttsche ---- - libselinux/src/selinux_restorecon.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index 63fb8dc53c28..249c361fa988 100644 ---- a/libselinux/src/selinux_restorecon.c -+++ b/libselinux/src/selinux_restorecon.c -@@ -62,7 +62,7 @@ static uint64_t fc_count = 0; /* Number of files processed so far */ - static uint64_t efile_count; /* Estimated total number of files */ - - /* Store information on directories with xattr's. */ --struct dir_xattr *dir_xattr_list; -+static struct dir_xattr *dir_xattr_list; - static struct dir_xattr *dir_xattr_last; - - /* restorecon_flags for passing to restorecon_sb() */ --- -2.32.0 - diff --git a/SOURCES/0011-libselinux-selabel_get_digests_all_partial_matches-f.patch b/SOURCES/0011-libselinux-selabel_get_digests_all_partial_matches-f.patch deleted file mode 100644 index 5187561..0000000 --- a/SOURCES/0011-libselinux-selabel_get_digests_all_partial_matches-f.patch +++ /dev/null @@ -1,51 +0,0 @@ -From d0c02882b7fdcf5e6478f9a82ac2946174f4bca4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:53 +0200 -Subject: [PATCH] libselinux: selabel_get_digests_all_partial_matches: free - memory after FTS_D block -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Free all memory from `selabel_get_digests_all_partial_matches()` in case -of success and failure. - -Found by clang-analyzer. - -Signed-off-by: Christian Göttsche ---- - .../utils/selabel_get_digests_all_partial_matches.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c -index 0c2edc67771d..e28833d2ce97 100644 ---- a/libselinux/utils/selabel_get_digests_all_partial_matches.c -+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c -@@ -128,7 +128,7 @@ int main(int argc, char **argv) - printf("No SHA1 digest available for: %s\n", - ftsent->fts_path); - printf("as file_context entry is \"<>\"\n"); -- break; -+ goto cleanup; - } - - printf("The file_context entries for: %s\n", -@@ -149,11 +149,11 @@ int main(int argc, char **argv) - xattr_digest[i]); - printf("%s\n", sha1_buf); - } -- -- free(xattr_digest); -- free(calculated_digest); -- free(sha1_buf); - } -+ cleanup: -+ free(xattr_digest); -+ free(calculated_digest); -+ free(sha1_buf); - break; - } - default: --- -2.32.0 - diff --git a/SOURCES/0012-libselinux-getconlist-free-memory-on-multiple-level-.patch b/SOURCES/0012-libselinux-getconlist-free-memory-on-multiple-level-.patch deleted file mode 100644 index 4a6f921..0000000 --- a/SOURCES/0012-libselinux-getconlist-free-memory-on-multiple-level-.patch +++ /dev/null @@ -1,34 +0,0 @@ -From d0e16077d4ded64bbc878d29e0dc22b1f5e0912f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:55 +0200 -Subject: [PATCH] libselinux: getconlist: free memory on multiple level - arguments -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Do not leak memory if the program argument `l` got passed more than -once. - -Found by clang-analyzer. - -Signed-off-by: Christian Göttsche ---- - libselinux/utils/getconlist.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c -index 76654b75151a..0bb2846937ca 100644 ---- a/libselinux/utils/getconlist.c -+++ b/libselinux/utils/getconlist.c -@@ -26,6 +26,7 @@ int main(int argc, char **argv) - while ((opt = getopt(argc, argv, "l:")) > 0) { - switch (opt) { - case 'l': -+ free(level); - level = strdup(optarg); - if (!level) { - fprintf(stderr, "memory allocation failure: %d(%s)\n", --- -2.32.0 - diff --git a/SOURCES/0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch b/SOURCES/0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch deleted file mode 100644 index a78e2ec..0000000 --- a/SOURCES/0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 319429ba3358c32a566f2c59898d01f2f36fdc95 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:57 +0200 -Subject: [PATCH] libselinux: exclude_non_seclabel_mounts(): drop unused - variable -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `num` is never read from. - -Found by clang-analyer. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/selinux_restorecon.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index 249c361fa988..6fb9e1ff486d 100644 ---- a/libselinux/src/selinux_restorecon.c -+++ b/libselinux/src/selinux_restorecon.c -@@ -230,7 +230,6 @@ static int exclude_non_seclabel_mounts(void) - struct utsname uts; - FILE *fp; - size_t len; -- ssize_t num; - int index = 0, found = 0, nfile = 0; - char *mount_info[4]; - char *buf = NULL, *item; -@@ -245,7 +244,7 @@ static int exclude_non_seclabel_mounts(void) - if (!fp) - return 0; - -- while ((num = getline(&buf, &len, fp)) != -1) { -+ while (getline(&buf, &len, fp) != -1) { - found = 0; - index = 0; - item = strtok(buf, " "); --- -2.32.0 - diff --git a/SOURCES/0014-libselinux-context_new-drop-dead-assignment.patch b/SOURCES/0014-libselinux-context_new-drop-dead-assignment.patch deleted file mode 100644 index e1df68b..0000000 --- a/SOURCES/0014-libselinux-context_new-drop-dead-assignment.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 782fa6ea38f323c60fc437577af515ce44627452 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:59 +0200 -Subject: [PATCH] libselinux: context_new(): drop dead assignment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `i` is not used inside this loop, and it later -unconditionally set to 0. - -Found by clang-analyzer. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/context.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libselinux/src/context.c b/libselinux/src/context.c -index ce4258806c53..b2144c7cf76c 100644 ---- a/libselinux/src/context.c -+++ b/libselinux/src/context.c -@@ -37,7 +37,7 @@ context_t context_new(const char *str) - } - n->current_str = n->component[0] = n->component[1] = n->component[2] = - n->component[3] = 0; -- for (i = count = 0, p = str; *p; p++) { -+ for (count = 0, p = str; *p; p++) { - switch (*p) { - case ':': - count++; --- -2.32.0 - diff --git a/SOURCES/0015-libselinux-label_x-init-drop-dead-assignment.patch b/SOURCES/0015-libselinux-label_x-init-drop-dead-assignment.patch deleted file mode 100644 index 0f9fadd..0000000 --- a/SOURCES/0015-libselinux-label_x-init-drop-dead-assignment.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 9c26043af6e4947e0e3e7fb789452da0c66e11c9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:01 +0200 -Subject: [PATCH] libselinux: label_x::init(): drop dead assignment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `lineno` is only used in the preceding loop and is always -set prior that to 0. - -Found by clang-analyzer. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/label_x.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/libselinux/src/label_x.c b/libselinux/src/label_x.c -index 9674529931a7..e9fa063fafff 100644 ---- a/libselinux/src/label_x.c -+++ b/libselinux/src/label_x.c -@@ -146,7 +146,6 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts, - if (process_line(path, line_buf, pass, ++lineno, rec)) - goto finish; - } -- lineno = 0; - - if (pass == 0) { - if (data->nspec == 0) { --- -2.32.0 - diff --git a/SOURCES/0016-libselinux-label_media-init-drop-dead-assignment.patch b/SOURCES/0016-libselinux-label_media-init-drop-dead-assignment.patch deleted file mode 100644 index 3fd23ed..0000000 --- a/SOURCES/0016-libselinux-label_media-init-drop-dead-assignment.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 04335ab146d18f5865bed3516d5cbc9057a3df89 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:03 +0200 -Subject: [PATCH] libselinux: label_media::init(): drop dead assignment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `lineno` is only used in the preceding loop and it always -set prior that to 0. - -Found by clang-analyzer. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/label_media.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/libselinux/src/label_media.c b/libselinux/src/label_media.c -index d202e5d5ab83..eb27deaf510e 100644 ---- a/libselinux/src/label_media.c -+++ b/libselinux/src/label_media.c -@@ -119,7 +119,6 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts, - if (process_line(path, line_buf, pass, ++lineno, rec)) - goto finish; - } -- lineno = 0; - - if (pass == 0) { - if (data->nspec == 0) { --- -2.32.0 - diff --git a/SOURCES/0017-libselinux-setexecfilecon-drop-dead-assignment.patch b/SOURCES/0017-libselinux-setexecfilecon-drop-dead-assignment.patch deleted file mode 100644 index ff787d6..0000000 --- a/SOURCES/0017-libselinux-setexecfilecon-drop-dead-assignment.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 411c5a54587b1459528fb8e6b66d0bebf1a5fb39 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:05 +0200 -Subject: [PATCH] libselinux: setexecfilecon(): drop dead assignment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `rc` is always unconditionally assigned by the next call of -`setexeccon()` and never read in between. - -Found by clang-analyzer. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/setexecfilecon.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/libselinux/src/setexecfilecon.c b/libselinux/src/setexecfilecon.c -index e72ba0d98880..2c6505a96a48 100644 ---- a/libselinux/src/setexecfilecon.c -+++ b/libselinux/src/setexecfilecon.c -@@ -37,7 +37,6 @@ int setexecfilecon(const char *filename, const char *fallback_type) - newcon = strdup(context_str(con)); - if (!newcon) - goto out; -- rc = 0; - } - - rc = setexeccon(newcon); --- -2.32.0 - diff --git a/SOURCES/0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch b/SOURCES/0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch deleted file mode 100644 index eeecd9c..0000000 --- a/SOURCES/0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch +++ /dev/null @@ -1,51 +0,0 @@ -From db69a3d3622005d3ffd62498eac8da1ded264874 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:07 +0200 -Subject: [PATCH] libselinux: getdefaultcon: free memory on multiple same - arguments -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Do not leak memory if program arguments get specified more than once. - -Found by clang-anlyzer. - -getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'level' [unix.Malloc] - fprintf(stderr, - ^~~~~~~~~~~~~~~ -getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'role' [unix.Malloc] - fprintf(stderr, - ^~~~~~~~~~~~~~~ -getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'service' [unix.Malloc] - fprintf(stderr, - ^~~~~~~~~~~~~~~ - -Signed-off-by: Christian Göttsche ---- - libselinux/utils/getdefaultcon.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/libselinux/utils/getdefaultcon.c b/libselinux/utils/getdefaultcon.c -index 96a5a8c23656..957c1cb2e307 100644 ---- a/libselinux/utils/getdefaultcon.c -+++ b/libselinux/utils/getdefaultcon.c -@@ -28,12 +28,15 @@ int main(int argc, char **argv) - while ((opt = getopt(argc, argv, "l:r:s:v")) > 0) { - switch (opt) { - case 'l': -+ free(level); - level = strdup(optarg); - break; - case 'r': -+ free(role); - role = strdup(optarg); - break; - case 's': -+ free(service); - service = strdup(optarg); - break; - case 'v': --- -2.32.0 - diff --git a/SOURCES/0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch b/SOURCES/0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch deleted file mode 100644 index e9e5446..0000000 --- a/SOURCES/0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 6e5d16a012e1845774da106846b87090d39ea8f3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:09 +0200 -Subject: [PATCH] libselinux: store_stem(): do not free possible non-heap - object -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -GCC 11 complains: - -In file included from label_file.c:24: -In function ‘store_stem’, - inlined from ‘load_mmap’ at label_file.c:277:12, - inlined from ‘process_file’ at label_file.c:551:5: -label_file.h:289:25: error: ‘free’ called on pointer ‘*mmap_area.next_addr’ with nonzero offset 4 [-Werror=free-nonheap-object] - 289 | free(buf); - | ^~~~~~~~~ - -Free the pointer on failure at the caller instead of inside `store_stem()`. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/label_file.h | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h -index baed3341b6b3..9f6337012216 100644 ---- a/libselinux/src/label_file.h -+++ b/libselinux/src/label_file.h -@@ -286,7 +286,6 @@ static inline int store_stem(struct saved_data *data, char *buf, int stem_len) - tmp_arr = realloc(data->stem_arr, - sizeof(*tmp_arr) * alloc_stems); - if (!tmp_arr) { -- free(buf); - return -1; - } - data->alloc_stems = alloc_stems; -@@ -308,6 +307,7 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf) - int stem_len = get_stem_from_spec(buf); - int stemid; - char *stem; -+ int r; - - if (!stem_len) - return -1; -@@ -321,7 +321,11 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf) - if (!stem) - return -1; - -- return store_stem(data, stem, stem_len); -+ r = store_stem(data, stem, stem_len); -+ if (r < 0) -+ free(stem); -+ -+ return r; - } - - /* This will always check for buffer over-runs and either read the next entry --- -2.32.0 - diff --git a/SOURCES/0020-libselinux-matchmediacon-close-file-on-error.patch b/SOURCES/0020-libselinux-matchmediacon-close-file-on-error.patch deleted file mode 100644 index 22c4c0c..0000000 --- a/SOURCES/0020-libselinux-matchmediacon-close-file-on-error.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 0280a2a70c35c5c319f82f37a685424706b03ad4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:11 +0200 -Subject: [PATCH] libselinux: matchmediacon(): close file on error -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by Infer. - -matchmediacon.c:25: error: Resource Leak - resource of type `_IO_FILE` acquired to `return` by call to `fopen()` at line 21, column 16 is not released after line 25, column 4. - 23. while (!feof_unlocked(infile)) { - 24. if (!fgets_unlocked(current_line, sizeof(current_line), infile)) { - 25. return -1; - ^ - 26. } - 27. if (current_line[strlen(current_line) - 1]) - -Signed-off-by: Christian Göttsche ---- - libselinux/src/matchmediacon.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libselinux/src/matchmediacon.c b/libselinux/src/matchmediacon.c -index 23d01af476d2..d3d9504348e1 100644 ---- a/libselinux/src/matchmediacon.c -+++ b/libselinux/src/matchmediacon.c -@@ -22,6 +22,7 @@ int matchmediacon(const char *media, char ** con) - return -1; - while (!feof_unlocked(infile)) { - if (!fgets_unlocked(current_line, sizeof(current_line), infile)) { -+ fclose(infile); - return -1; - } - if (current_line[strlen(current_line) - 1]) --- -2.32.0 - diff --git a/SOURCES/0021-libselinux-init_selinux_config-free-resources-on-err.patch b/SOURCES/0021-libselinux-init_selinux_config-free-resources-on-err.patch deleted file mode 100644 index 905d7fb..0000000 --- a/SOURCES/0021-libselinux-init_selinux_config-free-resources-on-err.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 9ab27e21800e8b5589eef0fa9242042567e9bc78 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:13 +0200 -Subject: [PATCH] libselinux: init_selinux_config(): free resources on error -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by Infer. - -selinux_config.c:181: error: Resource Leak - resource of type `_IO_FILE` acquired by call to `fopen()` at line 165, column 7 is not released after line 181, column 6. - 179. type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); - 180. if (!type) - 181. return; - ^ - 182. end = type + strlen(type) - 1; - 183. while ((end > type) && - -Signed-off-by: Christian Göttsche ---- - libselinux/src/selinux_config.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c -index 6c5238953cb1..97f81a8b61ce 100644 ---- a/libselinux/src/selinux_config.c -+++ b/libselinux/src/selinux_config.c -@@ -177,8 +177,11 @@ static void init_selinux_config(void) - if (!strncasecmp(buf_p, SELINUXTYPETAG, - sizeof(SELINUXTYPETAG) - 1)) { - type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); -- if (!type) -+ if (!type) { -+ free(line_buf); -+ fclose(fp); - return; -+ } - end = type + strlen(type) - 1; - while ((end > type) && - (isspace(*end) || iscntrl(*end))) { -@@ -187,6 +190,8 @@ static void init_selinux_config(void) - } - if (setpolicytype(type) != 0) { - free(type); -+ free(line_buf); -+ fclose(fp); - return; - } - free(type); --- -2.32.0 - diff --git a/SOURCES/0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch b/SOURCES/0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch deleted file mode 100644 index 7b4243c..0000000 --- a/SOURCES/0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch +++ /dev/null @@ -1,48 +0,0 @@ -From bc0a0327ca6e47400e161f6d1e70e08cb350a36f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:15 +0200 -Subject: [PATCH] libselinux: label_file::init(): do not pass NULL to strdup -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If any of the build flags `BUILD_HOST` or `ANDROID` is set and the -caller did not pass an option of type `SELABEL_OPT_PATH`, the variable -`path` might be not set. -Add a check to avoid calling `strdup()` with a NULL pointer. - -Found by cppcheck. - -src/label_file.c:759:26: warning: Possible null pointer dereference: path [nullPointer] - rec->spec_file = strdup(path); - ^ -src/label_file.c:713:21: note: Assignment 'path=NULL', assigned value is 0 - const char *path = NULL; - ^ -src/label_file.c:759:26: note: Null pointer dereference - rec->spec_file = strdup(path); - ^ - -Signed-off-by: Christian Göttsche ---- - libselinux/src/label_file.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index b080fcf1305b..4268b52c84cc 100644 ---- a/libselinux/src/label_file.c -+++ b/libselinux/src/label_file.c -@@ -756,6 +756,10 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts, - } - - #endif -+ -+ if (!path) -+ goto finish; -+ - rec->spec_file = strdup(path); - - /* --- -2.32.0 - diff --git a/SOURCES/0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch b/SOURCES/0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch deleted file mode 100644 index 463fc49..0000000 --- a/SOURCES/0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 65f1ccbecc30d31e66126e470d404b757eb9898e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:17 +0200 -Subject: [PATCH] libselinux: matchpathcon: free memory on realloc failure -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In case `realloc()` fails and returns NULL, free the passed array, -instead of just setting the size helper variables to 0. - -Also free the string contents in `free_array_elts()` of the array -`con_array`, instead of just the array of pointers. - -Found by cppcheck. - -src/matchpathcon.c:86:4: error: Common realloc mistake: 'con_array' nulled but not freed upon failure [memleakOnRealloc] - con_array = (char **)realloc(con_array, sizeof(char*) * - ^ - -Signed-off-by: Christian Göttsche ---- - libselinux/src/matchpathcon.c | 26 ++++++++++++++++---------- - 1 file changed, 16 insertions(+), 10 deletions(-) - -diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c -index 9e1fab593266..075a3fb3ffcb 100644 ---- a/libselinux/src/matchpathcon.c -+++ b/libselinux/src/matchpathcon.c -@@ -78,17 +78,30 @@ static pthread_once_t once = PTHREAD_ONCE_INIT; - static pthread_key_t destructor_key; - static int destructor_key_initialized = 0; - -+static void free_array_elts(void) -+{ -+ int i; -+ for (i = 0; i < con_array_used; i++) -+ free(con_array[i]); -+ free(con_array); -+ -+ con_array_size = con_array_used = 0; -+ con_array = NULL; -+} -+ - static int add_array_elt(char *con) - { -+ char **tmp; - if (con_array_size) { - while (con_array_used >= con_array_size) { - con_array_size *= 2; -- con_array = (char **)realloc(con_array, sizeof(char*) * -+ tmp = (char **)realloc(con_array, sizeof(char*) * - con_array_size); -- if (!con_array) { -- con_array_size = con_array_used = 0; -+ if (!tmp) { -+ free_array_elts(); - return -1; - } -+ con_array = tmp; - } - } else { - con_array_size = 1000; -@@ -105,13 +118,6 @@ static int add_array_elt(char *con) - return con_array_used++; - } - --static void free_array_elts(void) --{ -- con_array_size = con_array_used = 0; -- free(con_array); -- con_array = NULL; --} -- - void set_matchpathcon_invalidcon(int (*f) (const char *p, unsigned l, char *c)) - { - myinvalidcon = f; --- -2.32.0 - diff --git a/SOURCES/0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch b/SOURCES/0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch deleted file mode 100644 index 205b477..0000000 --- a/SOURCES/0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch +++ /dev/null @@ -1,36 +0,0 @@ -From e1999379dfc6d12abb9fa454ac01d4239baf361f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:19 +0200 -Subject: [PATCH] libselinux: label_db::db_init(): open file with CLOEXEC mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Open the file stream with the `e` flag, so that the underlying file -descriptor gets closed on an exec in a potential sibling thread. - -Also drop the flag `b`, since it is ignored on POSIX systems. - -Found by clang-tidy. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/label_db.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c -index fba96c92299f..94c05c6d4397 100644 ---- a/libselinux/src/label_db.c -+++ b/libselinux/src/label_db.c -@@ -277,7 +277,7 @@ db_init(const struct selinux_opt *opts, unsigned nopts, - if (!path) - path = selinux_sepgsql_context_path(); - -- if ((filp = fopen(path, "rb")) == NULL) { -+ if ((filp = fopen(path, "re")) == NULL) { - free(catalog); - return NULL; - } --- -2.32.0 - diff --git a/SOURCES/0025-libselinux-drop-redundant-casts-to-the-same-type.patch b/SOURCES/0025-libselinux-drop-redundant-casts-to-the-same-type.patch deleted file mode 100644 index b680c7b..0000000 --- a/SOURCES/0025-libselinux-drop-redundant-casts-to-the-same-type.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 8827610e5045b9bce7d2fe24058548f938921ccf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:22 +0200 -Subject: [PATCH] libselinux: drop redundant casts to the same type -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by clang-tidy. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/audit2why.c | 2 +- - libselinux/src/avc_sidtab.c | 2 +- - libselinux/src/is_customizable_type.c | 2 +- - libselinux/src/selinux_restorecon.c | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c -index d56b56eb2a1a..029f874f4702 100644 ---- a/libselinux/src/audit2why.c -+++ b/libselinux/src/audit2why.c -@@ -275,7 +275,7 @@ static int __policy_init(const char *init_path) - } - - sepol_bool_iterate(avc->handle, avc->policydb, -- load_booleans, (void *)NULL); -+ load_booleans, NULL); - - /* Initialize the sidtab for subsequent use by sepol_context_to_sid - and sepol_compute_av_reason. */ -diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c -index 8dc875608762..8c81cf65d2ef 100644 ---- a/libselinux/src/avc_sidtab.c -+++ b/libselinux/src/avc_sidtab.c -@@ -56,7 +56,7 @@ int sidtab_insert(struct sidtab *s, const char * ctx) - rc = -1; - goto out; - } -- newctx = (char *) strdup(ctx); -+ newctx = strdup(ctx); - if (!newctx) { - rc = -1; - avc_free(newnode); -diff --git a/libselinux/src/is_customizable_type.c b/libselinux/src/is_customizable_type.c -index 92876f4d9371..1b17860c3622 100644 ---- a/libselinux/src/is_customizable_type.c -+++ b/libselinux/src/is_customizable_type.c -@@ -38,7 +38,7 @@ static int get_customizable_type_list(char *** retlist) - while (fgets_unlocked(buf, selinux_page_size, fp) - && i < ctr) { - buf[strlen(buf) - 1] = 0; -- list[i] = (char *) strdup(buf); -+ list[i] = strdup(buf); - if (!list[i]) { - unsigned int j; - for (j = 0; j < i; j++) -diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index 6fb9e1ff486d..999aa924ba32 100644 ---- a/libselinux/src/selinux_restorecon.c -+++ b/libselinux/src/selinux_restorecon.c -@@ -1152,7 +1152,7 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl) - unsigned char *fc_digest; - size_t num_specfiles, fc_digest_len; - -- fc_sehandle = (struct selabel_handle *) hndl; -+ fc_sehandle = hndl; - if (!fc_sehandle) - return; - --- -2.32.0 - diff --git a/SOURCES/0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch b/SOURCES/0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch deleted file mode 100644 index 9ba272e..0000000 --- a/SOURCES/0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch +++ /dev/null @@ -1,60 +0,0 @@ -From b1a4603c9208982e33291fe6dc5aa78148762530 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:24 +0200 -Subject: [PATCH] libselinux: sidtab_sid_stats(): unify parameter name -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by clang-tidy. - -libselinux/src/avc_sidtab.h:32:6: warning: function 'sidtab_sid_stats' has a definition with different parameter names [readability-inconsistent-declaration-parameter-name] -void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ; - ^ -libselinux/src/avc_sidtab.c:103:6: note: the definition seen here -void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen) - ^ -libselinux/src/avc_sidtab.h:32:6: note: differing parameters are named here: ('s'), in definition: ('h') -void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ; - ^ ~ - h - -Signed-off-by: Christian Göttsche ---- - libselinux/src/avc_sidtab.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c -index 8c81cf65d2ef..f179d8558a45 100644 ---- a/libselinux/src/avc_sidtab.c -+++ b/libselinux/src/avc_sidtab.c -@@ -100,7 +100,7 @@ sidtab_context_to_sid(struct sidtab *s, - return rc; - } - --void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen) -+void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) - { - int i, chain_len, slots_used, max_chain_len; - struct sidtab_node *cur; -@@ -108,7 +108,7 @@ void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen) - slots_used = 0; - max_chain_len = 0; - for (i = 0; i < SIDTAB_SIZE; i++) { -- cur = h->htable[i]; -+ cur = s->htable[i]; - if (cur) { - slots_used++; - chain_len = 0; -@@ -124,7 +124,7 @@ void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen) - - snprintf(buf, buflen, - "%s: %u SID entries and %d/%d buckets used, longest " -- "chain length %d\n", avc_prefix, h->nel, slots_used, -+ "chain length %d\n", avc_prefix, s->nel, slots_used, - SIDTAB_SIZE, max_chain_len); - } - --- -2.32.0 - diff --git a/SOURCES/0027-libselinux-regex-unify-parameter-names.patch b/SOURCES/0027-libselinux-regex-unify-parameter-names.patch deleted file mode 100644 index 5781ab6..0000000 --- a/SOURCES/0027-libselinux-regex-unify-parameter-names.patch +++ /dev/null @@ -1,42 +0,0 @@ -From e057080fcc148b3b1fc613c100340c325bde6c7e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:26 +0200 -Subject: [PATCH] libselinux: regex: unify parameter names -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Use the same parameter names as in the header `regex.h`. - -Found by clang-tidy. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/regex.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c -index 770bc3ea1310..73987d9f1063 100644 ---- a/libselinux/src/regex.c -+++ b/libselinux/src/regex.c -@@ -319,7 +319,7 @@ char const *regex_version(void) - } - - int regex_load_mmap(struct mmap_area *mmap_area, struct regex_data **regex, -- int unused __attribute__((unused)), bool *regex_compiled) -+ int do_load_precompregex __attribute__((unused)), bool *regex_compiled) - { - int rc; - uint32_t entry_len; -@@ -387,7 +387,7 @@ static inline pcre_extra *get_pcre_extra(struct regex_data *regex) - } - - int regex_writef(struct regex_data *regex, FILE *fp, -- int unused __attribute__((unused))) -+ int do_write_precompregex __attribute__((unused))) - { - int rc; - size_t len; --- -2.32.0 - diff --git a/SOURCES/0028-libselinux-label_file.c-fix-indent.patch b/SOURCES/0028-libselinux-label_file.c-fix-indent.patch deleted file mode 100644 index f072b85..0000000 --- a/SOURCES/0028-libselinux-label_file.c-fix-indent.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 2657e3ccbd01f09ea4c637c2d8cf23646507475a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:31 +0200 -Subject: [PATCH] libselinux: label_file.c: fix indent -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by clang-tidy. - -libselinux/src/label_file.c:374:4: warning: different indentation for 'if' and corresponding 'else' [readability-misleading-indentation] - else - ^ - -Signed-off-by: Christian Göttsche ---- - libselinux/src/label_file.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index 4268b52c84cc..56f499faef97 100644 ---- a/libselinux/src/label_file.c -+++ b/libselinux/src/label_file.c -@@ -371,7 +371,7 @@ end_arch_check: - - if (stem_id < 0 || stem_id >= (int32_t)stem_map_len) - spec->stem_id = -1; -- else -+ else - spec->stem_id = stem_map[stem_id]; - - /* retrieve the hasMetaChars bit */ --- -2.32.0 - diff --git a/SOURCES/0029-libselinux-avc_destroy-3-closes-status-page.patch b/SOURCES/0029-libselinux-avc_destroy-3-closes-status-page.patch deleted file mode 100644 index 1142019..0000000 --- a/SOURCES/0029-libselinux-avc_destroy-3-closes-status-page.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a2304cef5780d72ef0eb927b799337982c599ca9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 10 May 2021 12:56:46 +0200 -Subject: [PATCH] libselinux: avc_destroy(3) closes status page -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Mention in the manpage of avc_destroy(3) that it does close the SELinux -status page, which might have been opened manually by the client -application. - -Signed-off-by: Christian Göttsche ---- - libselinux/man/man3/avc_open.3 | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3 -index 3090dd5077c7..55683bb6594b 100644 ---- a/libselinux/man/man3/avc_open.3 -+++ b/libselinux/man/man3/avc_open.3 -@@ -26,6 +26,9 @@ initializes the userspace AVC and must be called before any other AVC operation - destroys the userspace AVC, freeing all internal memory structures. After this call has been made, - .BR avc_open () - must be called again before any AVC operations can be performed. -+.BR avc_destroy () -+also closes the SELinux status page, which might have been opened manually by -+.BR selinux_status_open (3). - - .BR avc_reset () - flushes the userspace AVC, causing it to forget any cached access decisions. The userspace AVC normally calls this function automatically when needed, see --- -2.32.0 - diff --git a/SOURCES/0030-libselinux-make-selinux_status_open-3-reentrant.patch b/SOURCES/0030-libselinux-make-selinux_status_open-3-reentrant.patch deleted file mode 100644 index 953b991..0000000 --- a/SOURCES/0030-libselinux-make-selinux_status_open-3-reentrant.patch +++ /dev/null @@ -1,39 +0,0 @@ -From c5a699046f4a08a554d2da9121924fc80bf27cba Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 10 May 2021 12:56:47 +0200 -Subject: [PATCH] libselinux: make selinux_status_open(3) reentrant -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Do not mmap the status page again if `selinux_status_open(3)` has already -been called with success. - -`selinux_status_open(3)` might be called unintentionally multiple times, -e.g. once to manually be able to call `selinux_status_getenforce(3)` and -once indirectly through `selinux_check_access(3)` -(since libselinux 3.2). - -Signed-off-by: Christian Göttsche ---- - libselinux/src/sestatus.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c -index 12b015e088ea..531a522c0f48 100644 ---- a/libselinux/src/sestatus.c -+++ b/libselinux/src/sestatus.c -@@ -282,6 +282,10 @@ int selinux_status_open(int fallback) - long pagesize; - uint32_t seqno; - -+ if (selinux_status != NULL) { -+ return 0; -+ } -+ - if (!selinux_mnt) { - errno = ENOENT; - return -1; --- -2.32.0 - diff --git a/SOURCES/0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch b/SOURCES/0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch deleted file mode 100644 index a952d93..0000000 --- a/SOURCES/0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 3cef4110bee88ac81dfb5e62c2a8b7902248abba Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 10 May 2021 12:56:48 +0200 -Subject: [PATCH] libselinux: do not use status page fallback mode internally -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently `avc_init_internal()`, called by `avc_open(3)` and -`avc_init(3)`, does open the SELinux status page with fallback mode -enabled. - -Quote from man:selinux_status_open(3): - In this case, this function tries to open a netlink socket using - .BR avc_netlink_open (3) and overwrite corresponding callbacks - (setenforce and policyload). Thus, we need to pay attention to the - interaction with these interfaces, when fallback mode is enabled. - -Calling `selinux_status_open` internally in fallback mode is bad, cause -it overrides callbacks from client applications or the internal -fallback-callbacks get overridden by client applications. -Note that `avc_open(3)` gets called under the hood by -`selinux_check_access(3)` without checking for failure. -Also the status page is available since Linux 2.6.37, so failures of -`selinux_status_open(3)` in non-fallback mode should only be caused by -policies not allowing the client process to open/read/map -the /sys/fs/selinux/status file. - -Signed-off-by: Christian Göttsche ---- - libselinux/src/avc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c -index 8314d7ba3de6..daaedbc6a6fd 100644 ---- a/libselinux/src/avc.c -+++ b/libselinux/src/avc.c -@@ -214,7 +214,7 @@ static int avc_init_internal(const char *prefix, - avc_enforcing = rc; - } - -- rc = selinux_status_open(1); -+ rc = selinux_status_open(0); - if (rc < 0) { - avc_log(SELINUX_ERROR, - "%s: could not open selinux status page: %d (%s)\n", --- -2.32.0 - diff --git a/SOURCES/0032-libselinux-selinux_status_open-return-1-in-fallback-.patch b/SOURCES/0032-libselinux-selinux_status_open-return-1-in-fallback-.patch deleted file mode 100644 index 00ade44..0000000 --- a/SOURCES/0032-libselinux-selinux_status_open-return-1-in-fallback-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From ed2e4db2f9941e01e65248ce5f0a9e49f3efd130 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 1 Jun 2021 17:05:23 +0200 -Subject: [PATCH] libselinux: selinux_status_open: return 1 in fallback mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In case of a recurring call to `selinux_status_open(3)`, which -previously has been opened in fallback mode, return `1` according to its -documentation. - -Fixes: c5a699046f4 ("libselinux: make selinux_status_open(3) reentrant") - -Signed-off-by: Christian Göttsche -Acked-by: Petr Lautrbach ---- - libselinux/src/sestatus.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c -index 531a522c0f48..89c1f6216702 100644 ---- a/libselinux/src/sestatus.c -+++ b/libselinux/src/sestatus.c -@@ -283,7 +283,7 @@ int selinux_status_open(int fallback) - uint32_t seqno; - - if (selinux_status != NULL) { -- return 0; -+ return (selinux_status == MAP_FAILED) ? 1 : 0; - } - - if (!selinux_mnt) { --- -2.32.0 - diff --git a/SOURCES/0033-libselinux-improve-getcon-3-man-page.patch b/SOURCES/0033-libselinux-improve-getcon-3-man-page.patch deleted file mode 100644 index c1b4851..0000000 --- a/SOURCES/0033-libselinux-improve-getcon-3-man-page.patch +++ /dev/null @@ -1,118 +0,0 @@ -From ea02e0acfaab93219359448a66edff365aef4ca5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 1 Jun 2021 17:35:09 +0200 -Subject: [PATCH] libselinux: improve getcon(3) man page -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Improve formatting of section DESCRIPTION by adding list points. -Mention errno is set on failure. -Mention the returned context might be NULL if SELinux is not enabled. -Align setcon/_raw parameter by adding const. - -Signed-off-by: Christian Göttsche -Acked-by: Petr Lautrbach ---- - libselinux/man/man3/getcon.3 | 41 +++++++++++++++++++++++++----------- - 1 file changed, 29 insertions(+), 12 deletions(-) - -diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3 -index 67872a4dede6..e7e394f305b7 100644 ---- a/libselinux/man/man3/getcon.3 -+++ b/libselinux/man/man3/getcon.3 -@@ -7,7 +7,7 @@ freecon, freeconary \- free memory associated with SELinux security contexts - getpeercon \- get security context of a peer socket - - setcon \- set current security context of a process --. -+ - .SH "SYNOPSIS" - .B #include - .sp -@@ -31,30 +31,39 @@ setcon \- set current security context of a process - .sp - .BI "void freeconary(char **" con ); - .sp --.BI "int setcon(char *" context ); -+.BI "int setcon(const char *" context ); - .sp --.BI "int setcon_raw(char *" context ); --. -+.BI "int setcon_raw(const char *" context ); -+ - .SH "DESCRIPTION" -+.TP - .BR getcon () - retrieves the context of the current process, which must be free'd with --freecon. -+.BR freecon (). - -+.TP - .BR getprevcon () - same as getcon but gets the context before the last exec. - -+.TP - .BR getpidcon () --returns the process context for the specified PID. -+returns the process context for the specified PID, which must be free'd with -+.BR freecon (). - -+.TP - .BR getpeercon () --retrieves context of peer socket, and set --.BI * context --to refer to it, which must be free'd with -+retrieves the context of the peer socket, which must be free'd with - .BR freecon (). - -+.TP - .BR freecon () - frees the memory allocated for a security context. - -+If -+.I con -+is NULL, no operation is performed. -+ -+.TP - .BR freeconary () - frees the memory allocated for a context array. - -@@ -62,6 +71,7 @@ If - .I con - is NULL, no operation is performed. - -+.TP - .BR setcon () - sets the current security context of the process to a new value. Note - that use of this function requires that the entire application be -@@ -110,6 +120,8 @@ context and the - .BR setcon () - will fail if it is not allowed by policy. - -+.TP -+.BR *_raw() - .BR getcon_raw (), - .BR getprevcon_raw (), - .BR getpidcon_raw (), -@@ -118,9 +130,14 @@ and - .BR setcon_raw () - behave identically to their non-raw counterparts but do not perform context - translation. --. -+ - .SH "RETURN VALUE" --On error \-1 is returned. On success 0 is returned. --. -+On error \-1 is returned with errno set. On success 0 is returned. -+ -+.SH "NOTES" -+The retrieval functions might return success and set -+.I *context -+to NULL if and only if SELinux is not enabled. -+ - .SH "SEE ALSO" - .BR selinux "(8), " setexeccon "(3)" --- -2.32.0 - diff --git a/SOURCES/0034-libselinux-fix-typo.patch b/SOURCES/0034-libselinux-fix-typo.patch deleted file mode 100644 index 3d9d604..0000000 --- a/SOURCES/0034-libselinux-fix-typo.patch +++ /dev/null @@ -1,30 +0,0 @@ -From fa4de3c9d85a310248bae516ed4535773885845b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 8 Jun 2021 17:36:44 +0200 -Subject: [PATCH] libselinux: fix typo -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Christian Göttsche -Acked-by: Petr Lautrbach ---- - libselinux/src/regex.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libselinux/src/regex.h b/libselinux/src/regex.h -index 10c3df7856e1..2dfa25342034 100644 ---- a/libselinux/src/regex.h -+++ b/libselinux/src/regex.h -@@ -44,7 +44,7 @@ struct mmap_area; - char const *regex_arch_string(void) ; - - /** -- * regex_verison returns the version string of the underlying regular -+ * regex_version returns the version string of the underlying regular - * regular expressions library. In the case of PCRE it just returns the - * result of pcre_version(). In the case of PCRE2, the very first time this - * function is called it allocates a buffer large enough to hold the version --- -2.32.0 - diff --git a/SOURCES/0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch b/SOURCES/0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch deleted file mode 100644 index fdaabab..0000000 --- a/SOURCES/0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 70b31e75fe157f4cfa5afc6589c0605868017028 Mon Sep 17 00:00:00 2001 -From: Topi Miettinen -Date: Sat, 12 Jun 2021 12:07:38 +0300 -Subject: [PATCH] selinux.8: document how mount flag nosuid affects SELinux - -Using mount flag `nosuid` also affects SELinux domain transitions but -this has not been documented well. - -Signed-off-by: Topi Miettinen ---- - libselinux/man/man8/selinux.8 | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 -index 0ef014609a36..5842150bfc72 100644 ---- a/libselinux/man/man8/selinux.8 -+++ b/libselinux/man/man8/selinux.8 -@@ -94,6 +94,13 @@ and reboot. - also has this capability. The - .BR restorecon / fixfiles - commands are also available for relabeling files. -+ -+Please note that using mount flag -+.I nosuid -+also disables SELinux domain transitions, unless permission -+.I nosuid_transition -+is used in the policy to allow this, which in turn needs also policy capability -+.IR nnp_nosuid_transition . - . - .SH AUTHOR - This manual page was written by Dan Walsh . --- -2.32.0 - diff --git a/SOURCES/0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch b/SOURCES/0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch deleted file mode 100644 index 2953a46..0000000 --- a/SOURCES/0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 4859b738136ef8889fbb71a166cfec8d313ba4e0 Mon Sep 17 00:00:00 2001 -From: Fabrice Fontaine -Date: Thu, 1 Jul 2021 19:06:19 +0200 -Subject: [PATCH] libselinux/utils/getseuser.c: fix build with gcc 4.8 - -Fix the following build failure with gcc 4.8 which is raised since -version 3.2 and -https://github.com/SELinuxProject/selinux/commit/156dd0de5cad31e7d437c64e11a8aef027f0a691 - -getseuser.c:53:2: error: 'for' loop initial declarations are only allowed in C99 mode - for (int i = 0; i < n; i++) - ^ - -Fixes: - - http://autobuild.buildroot.org/results/37eb0952a763256fbf6ef3c668f6c95fbdf2dd35 - -Signed-off-by: Fabrice Fontaine ---- - libselinux/utils/getseuser.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libselinux/utils/getseuser.c b/libselinux/utils/getseuser.c -index ce1b7b27dbd9..34f2e887ffa0 100644 ---- a/libselinux/utils/getseuser.c -+++ b/libselinux/utils/getseuser.c -@@ -9,7 +9,7 @@ int main(int argc, char **argv) - { - char *seuser = NULL, *level = NULL; - char **contextlist; -- int rc, n; -+ int rc, n, i; - - if (argc != 3) { - fprintf(stderr, "usage: %s linuxuser fromcon\n", argv[0]); -@@ -50,7 +50,7 @@ int main(int argc, char **argv) - if (n == 0) - printf("no valid context found\n"); - -- for (int i = 0; i < n; i++) -+ for (i = 0; i < n; i++) - printf("Context %d\t%s\n", i, contextlist[i]); - - freeconary(contextlist); --- -2.32.0 - diff --git a/SOURCES/0037-libselinux-silence-Wextra-semi-stmt-warning.patch b/SOURCES/0037-libselinux-silence-Wextra-semi-stmt-warning.patch deleted file mode 100644 index bf958ac..0000000 --- a/SOURCES/0037-libselinux-silence-Wextra-semi-stmt-warning.patch +++ /dev/null @@ -1,191 +0,0 @@ -From 40543dceedc1510d0d27177f564db0f232689803 Mon Sep 17 00:00:00 2001 -From: Nicolas Iooss -Date: Sat, 3 Jul 2021 16:31:18 +0200 -Subject: [PATCH] libselinux: silence -Wextra-semi-stmt warning - -On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt -(which is not the default build configuration), the compiler reports: - - sha1.c:90:21: error: empty expression statement has no effect; - remove unnecessary ';' to silence this warning - [-Werror,-Wextra-semi-stmt] - R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); - ^ - In file included from selinux_restorecon.c:39: - ./label_file.h:458:15: error: empty expression statement has no - effect; remove unnecessary ';' to silence this warning - [-Werror,-Wextra-semi-stmt] - lineno); - ^ - -Introduce "do { } while (0)" blocks to silence such warnings. - -Signed-off-by: Nicolas Iooss ---- - libselinux/src/avc_internal.h | 22 +++++++++++++------- - libselinux/src/label_internal.h | 10 +++++---- - libselinux/src/load_policy.c | 2 +- - libselinux/src/procattr.c | 4 ++-- - libselinux/src/sha1.c | 11 +++++----- - libselinux/utils/matchpathcon.c | 2 +- - libselinux/utils/selabel_lookup_best_match.c | 2 +- - 7 files changed, 31 insertions(+), 22 deletions(-) - -diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h -index da67affc9307..a9a4aa0b3c42 100644 ---- a/libselinux/src/avc_internal.h -+++ b/libselinux/src/avc_internal.h -@@ -85,10 +85,12 @@ static inline void avc_free(void *ptr) - - /* this is a macro in order to use the variadic capability. */ - #define avc_log(type, format...) \ -- if (avc_func_log) \ -- avc_func_log(format); \ -- else \ -- selinux_log(type, format); -+ do { \ -+ if (avc_func_log) \ -+ avc_func_log(format); \ -+ else \ -+ selinux_log(type, format); \ -+ } while (0) - - static inline void avc_suppl_audit(void *ptr, security_class_t class, - char *buf, size_t len) -@@ -137,14 +139,18 @@ static inline void avc_free_lock(void *lock) - #ifdef AVC_CACHE_STATS - - #define avc_cache_stats_incr(field) \ -- cache_stats.field ++; -+ do { \ -+ cache_stats.field ++; \ -+ } while (0) - #define avc_cache_stats_add(field, num) \ -- cache_stats.field += num; -+ do { \ -+ cache_stats.field += num; \ -+ } while (0) - - #else - --#define avc_cache_stats_incr(field) --#define avc_cache_stats_add(field, num) -+#define avc_cache_stats_incr(field) do {} while (0) -+#define avc_cache_stats_add(field, num) do {} while (0) - - #endif - -diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h -index 361b443cb9c4..782c6aa8cc0c 100644 ---- a/libselinux/src/label_internal.h -+++ b/libselinux/src/label_internal.h -@@ -128,10 +128,12 @@ extern int myprintf_compat; - extern void __attribute__ ((format(printf, 1, 2))) - (*myprintf) (const char *fmt, ...) ; - --#define COMPAT_LOG(type, fmt...) if (myprintf_compat) \ -- myprintf(fmt); \ -- else \ -- selinux_log(type, fmt); -+#define COMPAT_LOG(type, fmt...) do { \ -+ if (myprintf_compat) \ -+ myprintf(fmt); \ -+ else \ -+ selinux_log(type, fmt); \ -+ } while (0) - - extern int - compat_validate(struct selabel_handle *rec, -diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c -index 0034fa53d6e6..5857b821e80e 100644 ---- a/libselinux/src/load_policy.c -+++ b/libselinux/src/load_policy.c -@@ -80,7 +80,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused))) - if (libsepolh) { - usesepol = 1; - dlerror(); --#define DLERR() if ((errormsg = dlerror())) goto dlclose; -+#define DLERR() do { if ((errormsg = dlerror())) goto dlclose; } while (0) - vers_max = dlsym(libsepolh, "sepol_policy_kern_vers_max"); - DLERR(); - vers_min = dlsym(libsepolh, "sepol_policy_kern_vers_min"); -diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c -index 840570525f5f..6552ee01bca8 100644 ---- a/libselinux/src/procattr.c -+++ b/libselinux/src/procattr.c -@@ -146,7 +146,7 @@ static int getprocattrcon_raw(char ** context, - default: - errno = ENOENT; - return -1; -- }; -+ } - - if (prev_context && prev_context != UNSET) { - *context = strdup(prev_context); -@@ -240,7 +240,7 @@ static int setprocattrcon_raw(const char * context, - default: - errno = ENOENT; - return -1; -- }; -+ } - - if (!context && !*prev_context) - return 0; -diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c -index 664bbcf26eef..a848467785f3 100644 ---- a/libselinux/src/sha1.c -+++ b/libselinux/src/sha1.c -@@ -16,6 +16,7 @@ - // sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] - // CHAR64LONG16* block = (CHAR64LONG16*) workspace; - // William Roberts -+// - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss - /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// - - /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -@@ -49,11 +50,11 @@ typedef union - ^block->l[(i+2)&15]^block->l[i&15],1)) - - // (R0+R1), R2, R3, R4 are the different operations used in SHA1 --#define R0(v,w,x,y,z,i) z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); --#define R1(v,w,x,y,z,i) z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); --#define R2(v,w,x,y,z,i) z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); --#define R3(v,w,x,y,z,i) z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); --#define R4(v,w,x,y,z,i) z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); -+#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0) -+#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0) -+#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0) -+#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0) -+#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0) - - - /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c -index a07e160dee71..1d713c01f81c 100644 ---- a/libselinux/utils/matchpathcon.c -+++ b/libselinux/utils/matchpathcon.c -@@ -65,7 +65,7 @@ static mode_t string_to_mode(char *s) - return S_IFREG; - default: - return -1; -- }; -+ } - return -1; - } - -diff --git a/libselinux/utils/selabel_lookup_best_match.c b/libselinux/utils/selabel_lookup_best_match.c -index 6a7174233667..2cddc6cde051 100644 ---- a/libselinux/utils/selabel_lookup_best_match.c -+++ b/libselinux/utils/selabel_lookup_best_match.c -@@ -47,7 +47,7 @@ static mode_t string_to_mode(char *s) - return S_IFSOCK; - case 'f': - return S_IFREG; -- }; -+ } - return 0; - } - --- -2.32.0 - diff --git a/SOURCES/0038-sha1-sha256.patch b/SOURCES/0038-sha1-sha256.patch deleted file mode 100644 index b49047f..0000000 --- a/SOURCES/0038-sha1-sha256.patch +++ /dev/null @@ -1,1333 +0,0 @@ -From 697f19f787686e423f7e92ccbbdf29fb486791f0 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Fri, 30 Jul 2021 11:58:33 +0200 -Subject: [PATCH] Use SHA-2 instead of SHA-1 - -The use of SHA-1 in RHEL9 is deprecated ---- - libselinux/include/selinux/label.h | 6 +- - libselinux/include/selinux/restorecon.h | 4 +- - libselinux/man/man3/selabel_digest.3 | 4 +- - libselinux/man/man3/selabel_open.3 | 2 +- - libselinux/man/man3/selinux_restorecon.3 | 16 +- - .../man/man3/selinux_restorecon_xattr.3 | 2 +- - libselinux/src/Makefile | 2 +- - libselinux/src/label_file.c | 40 +-- - libselinux/src/label_internal.h | 10 +- - libselinux/src/label_support.c | 8 +- - libselinux/src/selinux_restorecon.c | 24 +- - libselinux/src/sha1.c | 220 ------------- - libselinux/src/sha1.h | 85 ----- - libselinux/src/sha256.c | 294 ++++++++++++++++++ - libselinux/src/sha256.h | 89 ++++++ - libselinux/utils/selabel_digest.c | 26 +- - .../selabel_get_digests_all_partial_matches.c | 28 +- - 17 files changed, 469 insertions(+), 391 deletions(-) - delete mode 100644 libselinux/src/sha1.c - delete mode 100644 libselinux/src/sha1.h - create mode 100644 libselinux/src/sha256.c - create mode 100644 libselinux/src/sha256.h - -diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h -index e8983606d93b..a35d84d63b0a 100644 ---- a/libselinux/include/selinux/label.h -+++ b/libselinux/include/selinux/label.h -@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con, - const char *key, const char **aliases, int type); - - /** -- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to -+ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to - * generate the digest. The SELABEL_OPT_DIGEST option must - * be set in selabel_open() to initiate the digest generation. - * @handle: specifies backend instance to query -- * @digest: returns a pointer to the SHA1 digest. -+ * @digest: returns a pointer to the SHA256 digest. - * @digest_len: returns length of digest in bytes. -- * @specfiles: a list of specfiles used in the SHA1 digest generation. -+ * @specfiles: a list of specfiles used in the SHA256 digest generation. - * The list is NULL terminated and will hold @num_specfiles entries. - * @num_specfiles: number of specfiles in the list. - * -diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h -index 466de39aac72..ca8ce768587a 100644 ---- a/libselinux/include/selinux/restorecon.h -+++ b/libselinux/include/selinux/restorecon.h -@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname, - * restorecon_flags options - */ - /* -- * Force the checking of labels even if the stored SHA1 digest -- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN). -+ * Force the checking of labels even if the stored SHA256 digest -+ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN). - */ - #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001 - /* -diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3 -index 56a008f00df0..5f7c42533d0e 100644 ---- a/libselinux/man/man3/selabel_digest.3 -+++ b/libselinux/man/man3/selabel_digest.3 -@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used - .BR selabel_digest () - performs an operation on the handle - .IR hnd , --returning the results of the SHA1 digest pointed to by -+returning the results of the SHA256 digest pointed to by - .IR digest , - whose length will be - .IR digest_len . --The list of specfiles used in the SHA1 digest calculation is returned in -+The list of specfiles used in the SHA256 digest calculation is returned in - .I specfiles - with the number of entries in - .IR num_specfiles . -diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3 -index 971ebc1acd41..2cf2eb8a1410 100644 ---- a/libselinux/man/man3/selabel_open.3 -+++ b/libselinux/man/man3/selabel_open.3 -@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via - Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation. - .TP - .B SELABEL_OPT_DIGEST --A non-null value for this option enables the generation of an SHA1 digest of -+A non-null value for this option enables the generation of an SHA256 digest of - the spec files loaded as described in - .BR selabel_digest (3) - . -diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3 -index ad637406a30d..c4576fe79ff6 100644 ---- a/libselinux/man/man3/selinux_restorecon.3 -+++ b/libselinux/man/man3/selinux_restorecon.3 -@@ -28,7 +28,7 @@ If this is a directory and the - .B SELINUX_RESTORECON_RECURSE - has been set (for descending through directories), then - .BR selinux_restorecon () --will write an SHA1 digest of specfile entries calculated by -+will write an SHA256 digest of specfile entries calculated by - .BR selabel_get_digests_all_partial_matches (3) - to an extended attribute of - .IR security.sehash -@@ -47,7 +47,7 @@ will take place. - .br - The - .IR restorecon_flags --that can be used to manage the usage of the SHA1 digest are: -+that can be used to manage the usage of the SHA256 digest are: - .RS - .B SELINUX_RESTORECON_SKIP_DIGEST - .br -@@ -65,8 +65,8 @@ Do not check or update any extended attribute - entries. - .sp - .B SELINUX_RESTORECON_IGNORE_DIGEST --force the checking of labels even if the stored SHA1 digest matches the --specfile entries SHA1 digest. The specfile entries digest will be written to the -+force the checking of labels even if the stored SHA256 digest matches the -+specfile entries SHA256 digest. The specfile entries digest will be written to the - .IR security.sehash - extended attribute once relabeling has been completed successfully provided the - .B SELINUX_RESTORECON_NOCHANGE -@@ -84,7 +84,7 @@ default specfile context. - .sp - .B SELINUX_RESTORECON_RECURSE - change file and directory labels recursively (descend directories) --and if successful write an SHA1 digest of the specfile entries to an -+and if successful write an SHA256 digest of the specfile entries to an - extended attribute as described in the - .B NOTES - section. -@@ -158,7 +158,7 @@ to treat conflicting specifications, such as where two hardlinks for the - same inode have different contexts, as errors. - .RE - .sp --The behavior regarding the checking and updating of the SHA1 digest described -+The behavior regarding the checking and updating of the SHA256 digest described - above is the default behavior. It is possible to change this by first calling - .BR selabel_open (3) - and not enabling the -@@ -200,7 +200,7 @@ To improve performance when relabeling file systems recursively (e.g. the - .B SELINUX_RESTORECON_RECURSE - flag is set) - .BR selinux_restorecon () --will write a calculated SHA1 digest of the specfile entries returned by -+will write a calculated SHA256 digest of the specfile entries returned by - .BR selabel_get_digests_all_partial_matches (3) - to an extended attribute named - .IR security.sehash -@@ -222,7 +222,7 @@ Should any of the specfile entries have changed, then when - .BR selinux_restorecon () - is run again with the - .B SELINUX_RESTORECON_RECURSE --flag set, new SHA1 digests will be calculated and all files automatically -+flag set, new SHA256 digests will be calculated and all files automatically - relabeled depending on the settings of the - .B SELINUX_RESTORECON_SET_SPECFILE_CTX - flag (provided -diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3 -index c56326814b94..098c840fc59b 100644 ---- a/libselinux/man/man3/selinux_restorecon_xattr.3 -+++ b/libselinux/man/man3/selinux_restorecon_xattr.3 -@@ -119,7 +119,7 @@ By default - .BR selinux_restorecon_xattr (3) - will use the default set of specfiles described in - .BR files_contexts (5) --to calculate the SHA1 digests to be used for comparison. -+to calculate the SHA256 digests to be used for comparison. - To change this default behavior - .BR selabel_open (3) - must be called specifying the required -diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile -index 52c40f018f51..674a5ed3a6f8 100644 ---- a/libselinux/src/Makefile -+++ b/libselinux/src/Makefile -@@ -120,7 +120,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ - -DBUILD_HOST - SRCS= callbacks.c freecon.c label.c label_file.c \ - label_backends_android.c regex.c label_support.c \ -- matchpathcon.c setrans_client.c sha1.c booleans.c -+ matchpathcon.c setrans_client.c sha256.c booleans.c - else - LABEL_BACKEND_ANDROID=y - endif -diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index 56f499faef97..db5d7553aab2 100644 ---- a/libselinux/src/label_file.c -+++ b/libselinux/src/label_file.c -@@ -1002,7 +1002,7 @@ static struct spec *lookup_common(struct selabel_handle *rec, - - /* - * Returns true if the digest of all partial matched contexts is the same as -- * the one saved by setxattr, otherwise returns false. The length of the SHA1 -+ * the one saved by setxattr, otherwise returns false. The length of the SHA256 - * digest will always be returned. The caller must free any returned digests. - */ - static bool get_digests_all_partial_matches(struct selabel_handle *rec, -@@ -1011,39 +1011,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec, - uint8_t **xattr_digest, - size_t *digest_len) - { -- uint8_t read_digest[SHA1_HASH_SIZE]; -+ uint8_t read_digest[SHA256_HASH_SIZE]; - ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST, -- read_digest, SHA1_HASH_SIZE -+ read_digest, SHA256_HASH_SIZE - #ifdef __APPLE__ - , 0, 0 - #endif /* __APPLE __ */ - ); -- uint8_t hash_digest[SHA1_HASH_SIZE]; -+ uint8_t hash_digest[SHA256_HASH_SIZE]; - bool status = selabel_hash_all_partial_matches(rec, pathname, - hash_digest); - - *xattr_digest = NULL; - *calculated_digest = NULL; -- *digest_len = SHA1_HASH_SIZE; -+ *digest_len = SHA256_HASH_SIZE; - -- if (read_size == SHA1_HASH_SIZE) { -- *xattr_digest = calloc(1, SHA1_HASH_SIZE + 1); -+ if (read_size == SHA256_HASH_SIZE) { -+ *xattr_digest = calloc(1, SHA256_HASH_SIZE + 1); - if (!*xattr_digest) - goto oom; - -- memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE); -+ memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE); - } - - if (status) { -- *calculated_digest = calloc(1, SHA1_HASH_SIZE + 1); -+ *calculated_digest = calloc(1, SHA256_HASH_SIZE + 1); - if (!*calculated_digest) - goto oom; - -- memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE); -+ memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE); - } - -- if (status && read_size == SHA1_HASH_SIZE && -- memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0) -+ if (status && read_size == SHA256_HASH_SIZE && -+ memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0) - return true; - - return false; -@@ -1063,22 +1063,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key - return false; - } - -- Sha1Context context; -- Sha1Initialise(&context); -+ Sha256Context context; -+ Sha256Initialise(&context); - size_t i; - for (i = 0; i < total_matches; i++) { - char* regex_str = matches[i]->regex_str; - mode_t mode = matches[i]->mode; - char* ctx_raw = matches[i]->lr.ctx_raw; - -- Sha1Update(&context, regex_str, strlen(regex_str) + 1); -- Sha1Update(&context, &mode, sizeof(mode_t)); -- Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1); -+ Sha256Update(&context, regex_str, strlen(regex_str) + 1); -+ Sha256Update(&context, &mode, sizeof(mode_t)); -+ Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1); - } - -- SHA1_HASH sha1_hash; -- Sha1Finalise(&context, &sha1_hash); -- memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE); -+ SHA256_HASH sha256_hash; -+ Sha256Finalise(&context, &sha256_hash); -+ memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE); - - free(matches); - return true; -diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h -index 782c6aa8cc0c..304e8d96490a 100644 ---- a/libselinux/src/label_internal.h -+++ b/libselinux/src/label_internal.h -@@ -13,7 +13,7 @@ - #include - #include - #include --#include "sha1.h" -+#include "sha256.h" - - #if defined(ANDROID) || defined(__APPLE__) - // Android and Mac do not have fgets_unlocked() -@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec, - */ - - /* -- * Calculate an SHA1 hash of all the files used to build the specs. -+ * Calculate an SHA256 hash of all the files used to build the specs. - * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To - * calculate the hash the hashbuf will hold a concatenation of all the files - * used. This is released once the value has been calculated. - */ --#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE -+#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE - #define DIGEST_FILES_MAX 8 - struct selabel_digest { -- unsigned char *digest; /* SHA1 digest of specfiles */ -+ unsigned char *digest; /* SHA256 digest of specfiles */ - unsigned char *hashbuf; /* buffer to hold specfiles */ - size_t hashbuf_size; /* buffer size */ - size_t specfile_cnt; /* how many specfiles processed */ -@@ -110,7 +110,7 @@ struct selabel_handle { - */ - char *spec_file; - -- /* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */ -+ /* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */ - struct selabel_digest *digest; - }; - -diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c -index 94ed6e4273cb..f53d73b609ab 100644 ---- a/libselinux/src/label_support.c -+++ b/libselinux/src/label_support.c -@@ -115,15 +115,15 @@ int read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...) - /* Once all the specfiles are in the hash_buf, generate the hash. */ - void digest_gen_hash(struct selabel_digest *digest) - { -- Sha1Context context; -+ Sha256Context context; - - /* If SELABEL_OPT_DIGEST not set then just return */ - if (!digest) - return; - -- Sha1Initialise(&context); -- Sha1Update(&context, digest->hashbuf, digest->hashbuf_size); -- Sha1Finalise(&context, (SHA1_HASH *)digest->digest); -+ Sha256Initialise(&context); -+ Sha256Update(&context, digest->hashbuf, digest->hashbuf_size); -+ Sha256Finalise(&context, (SHA256_HASH *)digest->digest); - free(digest->hashbuf); - digest->hashbuf = NULL; - return; -diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index 999aa924ba32..10211a888cf6 100644 ---- a/libselinux/src/selinux_restorecon.c -+++ b/libselinux/src/selinux_restorecon.c -@@ -37,7 +37,7 @@ - #include "callbacks.h" - #include "selinux_internal.h" - #include "label_file.h" --#include "sha1.h" -+#include "sha256.h" - - #define STAR_COUNT 1024 - -@@ -293,7 +293,7 @@ static int exclude_non_seclabel_mounts(void) - static int add_xattr_entry(const char *directory, bool delete_nonmatch, - bool delete_all) - { -- char *sha1_buf = NULL; -+ char *sha256_buf = NULL; - size_t i, digest_len = 0; - int rc, digest_result; - bool match; -@@ -316,15 +316,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, - } - - /* Convert entry to a hex encoded string. */ -- sha1_buf = malloc(digest_len * 2 + 1); -- if (!sha1_buf) { -+ sha256_buf = malloc(digest_len * 2 + 1); -+ if (!sha256_buf) { - free(xattr_digest); - free(calculated_digest); - goto oom; - } - - for (i = 0; i < digest_len; i++) -- sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]); -+ sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]); - - digest_result = match ? MATCH : NOMATCH; - -@@ -345,7 +345,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, - /* Now add entries to link list. */ - new_entry = malloc(sizeof(struct dir_xattr)); - if (!new_entry) { -- free(sha1_buf); -+ free(sha256_buf); - goto oom; - } - new_entry->next = NULL; -@@ -353,15 +353,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, - new_entry->directory = strdup(directory); - if (!new_entry->directory) { - free(new_entry); -- free(sha1_buf); -+ free(sha256_buf); - goto oom; - } - -- new_entry->digest = strdup(sha1_buf); -+ new_entry->digest = strdup(sha256_buf); - if (!new_entry->digest) { - free(new_entry->directory); - free(new_entry); -- free(sha1_buf); -+ free(sha256_buf); - goto oom; - } - -@@ -375,7 +375,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, - dir_xattr_last = new_entry; - } - -- free(sha1_buf); -+ free(sha256_buf); - return 0; - - oom: -@@ -742,7 +742,7 @@ err: - - struct dir_hash_node { - char *path; -- uint8_t digest[SHA1_HASH_SIZE]; -+ uint8_t digest[SHA256_HASH_SIZE]; - struct dir_hash_node *next; - }; - /* -@@ -1085,7 +1085,7 @@ int selinux_restorecon(const char *pathname_orig, - if (setxattr(current->path, - RESTORECON_PARTIAL_MATCH_DIGEST, - current->digest, -- SHA1_HASH_SIZE, 0) < 0) { -+ SHA256_HASH_SIZE, 0) < 0) { - selinux_log(SELINUX_ERROR, - "setxattr failed: %s: %s\n", - current->path, -diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c -deleted file mode 100644 -index a848467785f3..000000000000 ---- a/libselinux/src/sha1.c -+++ /dev/null -@@ -1,220 +0,0 @@ --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// LibSha1 --// --// Implementation of SHA1 hash function. --// Original author: Steve Reid --// Contributions by: James H. Brown , Saul Kravitz , --// and Ralph Giles --// Modified by WaterJuice retaining Public Domain license. --// --// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org --// Modified to: --// - stop symbols being exported for libselinux shared library - October 2015 --// Richard Haines --// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses. --// Fixes: --// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] --// CHAR64LONG16* block = (CHAR64LONG16*) workspace; --// William Roberts --// - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// IMPORTS --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -- --#include "sha1.h" --#include -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// TYPES --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -- --typedef union --{ -- uint8_t c [64]; -- uint32_t l [16]; --} CHAR64LONG16; -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// INTERNAL FUNCTIONS --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -- --#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) -- --// blk0() and blk() perform the initial expand. --#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ -- |(rol(block->l[i],8)&0x00FF00FF)) -- --#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ -- ^block->l[(i+2)&15]^block->l[i&15],1)) -- --// (R0+R1), R2, R3, R4 are the different operations used in SHA1 --#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0) --#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0) --#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0) --#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0) --#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0) -- -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// TransformFunction --// --// Hash a single 512-bit block. This is the core of the algorithm --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --static --void -- TransformFunction -- ( -- uint32_t state[5], -- const uint8_t buffer[64] -- ) --{ -- uint32_t a; -- uint32_t b; -- uint32_t c; -- uint32_t d; -- uint32_t e; -- CHAR64LONG16 workspace; -- CHAR64LONG16* block = &workspace; -- -- memcpy(block, buffer, 64); -- -- // Copy context->state[] to working vars -- a = state[0]; -- b = state[1]; -- c = state[2]; -- d = state[3]; -- e = state[4]; -- -- // 4 rounds of 20 operations each. Loop unrolled. -- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); -- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); -- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); -- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); -- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); -- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); -- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); -- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); -- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); -- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); -- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); -- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); -- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); -- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); -- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); -- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); -- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); -- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); -- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); -- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); -- -- // Add the working vars back into context.state[] -- state[0] += a; -- state[1] += b; -- state[2] += c; -- state[3] += d; -- state[4] += e; --} -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// PUBLIC FUNCTIONS --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// Sha1Initialise --// --// Initialises an SHA1 Context. Use this to initialise/reset a context. --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --void -- Sha1Initialise -- ( -- Sha1Context* Context -- ) --{ -- // SHA1 initialization constants -- Context->State[0] = 0x67452301; -- Context->State[1] = 0xEFCDAB89; -- Context->State[2] = 0x98BADCFE; -- Context->State[3] = 0x10325476; -- Context->State[4] = 0xC3D2E1F0; -- Context->Count[0] = 0; -- Context->Count[1] = 0; --} -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// Sha1Update --// --// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on --// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash. --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --void -- Sha1Update -- ( -- Sha1Context* Context, -- const void* Buffer, -- uint32_t BufferSize -- ) --{ -- uint32_t i; -- uint32_t j; -- -- j = (Context->Count[0] >> 3) & 63; -- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3)) -- { -- Context->Count[1]++; -- } -- -- Context->Count[1] += (BufferSize >> 29); -- if ((j + BufferSize) > 63) -- { -- i = 64 - j; -- memcpy(&Context->Buffer[j], Buffer, i); -- TransformFunction(Context->State, Context->Buffer); -- for (; i + 63 < BufferSize; i += 64) -- { -- TransformFunction(Context->State, (const uint8_t*)Buffer + i); -- } -- j = 0; -- } -- else -- { -- i = 0; -- } -- -- memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i); --} -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// Sha1Finalise --// --// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After --// calling this, Sha1Initialised must be used to reuse the context. --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --void -- Sha1Finalise -- ( -- Sha1Context* Context, -- SHA1_HASH* Digest -- ) --{ -- uint32_t i; -- uint8_t finalcount[8]; -- -- for (i = 0; i < 8; i++) -- { -- finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)] -- >> ((3-(i & 3)) * 8) ) & 255); // Endian independent -- } -- Sha1Update(Context, (const uint8_t*)"\x80", 1); -- while ((Context->Count[0] & 504) != 448) -- { -- Sha1Update(Context, (const uint8_t*)"\0", 1); -- } -- -- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction() -- for (i = 0; i < SHA1_HASH_SIZE; i++) -- { -- Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255); -- } --} -diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h -deleted file mode 100644 -index f83a6e7ed7ba..000000000000 ---- a/libselinux/src/sha1.h -+++ /dev/null -@@ -1,85 +0,0 @@ --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// LibSha1 --// --// Implementation of SHA1 hash function. --// Original author: Steve Reid --// Contributions by: James H. Brown , Saul Kravitz , --// and Ralph Giles --// Modified by WaterJuice retaining Public Domain license. --// --// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -- --#ifndef _sha1_h_ --#define _sha1_h_ -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// IMPORTS --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -- --#include --#include -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// TYPES --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -- --// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly. --typedef struct --{ -- uint32_t State[5]; -- uint32_t Count[2]; -- uint8_t Buffer[64]; --} Sha1Context; -- --#define SHA1_HASH_SIZE ( 160 / 8 ) -- --typedef struct --{ -- uint8_t bytes [SHA1_HASH_SIZE]; --} SHA1_HASH; -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// PUBLIC FUNCTIONS --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// Sha1Initialise --// --// Initialises an SHA1 Context. Use this to initialise/reset a context. --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --void -- Sha1Initialise -- ( -- Sha1Context* Context -- ); -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// Sha1Update --// --// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on --// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash. --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --void -- Sha1Update -- ( -- Sha1Context* Context, -- const void* Buffer, -- uint32_t BufferSize -- ); -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --// Sha1Finalise --// --// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After --// calling this, Sha1Initialised must be used to reuse the context. --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --void -- Sha1Finalise -- ( -- Sha1Context* Context, -- SHA1_HASH* Digest -- ); -- --/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// --#endif //_sha1_h_ -diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c -new file mode 100644 -index 000000000000..fe2aeef07f53 ---- /dev/null -+++ b/libselinux/src/sha256.c -@@ -0,0 +1,294 @@ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// WjCryptLib_Sha256 -+// -+// Implementation of SHA256 hash function. -+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org -+// Modified by WaterJuice retaining Public Domain license. -+// -+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// IMPORTS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+#include "sha256.h" -+#include -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// MACROS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) -+ -+#define MIN(x, y) ( ((x)<(y))?(x):(y) ) -+ -+#define STORE32H(x, y) \ -+ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ -+ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } -+ -+#define LOAD32H(x, y) \ -+ { x = ((uint32_t)((y)[0] & 255)<<24) | \ -+ ((uint32_t)((y)[1] & 255)<<16) | \ -+ ((uint32_t)((y)[2] & 255)<<8) | \ -+ ((uint32_t)((y)[3] & 255)); } -+ -+#define STORE64H(x, y) \ -+ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ -+ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ -+ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ -+ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// CONSTANTS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+// The K array -+static const uint32_t K[64] = { -+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, -+ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, -+ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, -+ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, -+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, -+ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, -+ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, -+ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, -+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, -+ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, -+ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, -+ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, -+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL -+}; -+ -+#define BLOCK_SIZE 64 -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// INTERNAL FUNCTIONS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+// Various logical functions -+#define Ch( x, y, z ) (z ^ (x & (y ^ z))) -+#define Maj( x, y, z ) (((x | y) & z) | (x & y)) -+#define S( x, n ) ror((x),(n)) -+#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) -+#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) -+#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) -+#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) -+#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) -+ -+#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ -+ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ -+ t1 = Sigma0(a) + Maj(a, b, c); \ -+ d += t0; \ -+ h = t0 + t1; -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// TransformFunction -+// -+// Compress 512-bits -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+static -+void -+ TransformFunction -+ ( -+ Sha256Context* Context, -+ uint8_t const* Buffer -+ ) -+{ -+ uint32_t S[8]; -+ uint32_t W[64]; -+ uint32_t t0; -+ uint32_t t1; -+ uint32_t t; -+ int i; -+ -+ // Copy state into S -+ for( i=0; i<8; i++ ) -+ { -+ S[i] = Context->state[i]; -+ } -+ -+ // Copy the state into 512-bits into W[0..15] -+ for( i=0; i<16; i++ ) -+ { -+ LOAD32H( W[i], Buffer + (4*i) ); -+ } -+ -+ // Fill W[16..63] -+ for( i=16; i<64; i++ ) -+ { -+ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; -+ } -+ -+ // Compress -+ for( i=0; i<64; i++ ) -+ { -+ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); -+ t = S[7]; -+ S[7] = S[6]; -+ S[6] = S[5]; -+ S[5] = S[4]; -+ S[4] = S[3]; -+ S[3] = S[2]; -+ S[2] = S[1]; -+ S[1] = S[0]; -+ S[0] = t; -+ } -+ -+ // Feedback -+ for( i=0; i<8; i++ ) -+ { -+ Context->state[i] = Context->state[i] + S[i]; -+ } -+} -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// PUBLIC FUNCTIONS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Initialise -+// -+// Initialises a SHA256 Context. Use this to initialise/reset a context. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Initialise -+ ( -+ Sha256Context* Context // [out] -+ ) -+{ -+ Context->curlen = 0; -+ Context->length = 0; -+ Context->state[0] = 0x6A09E667UL; -+ Context->state[1] = 0xBB67AE85UL; -+ Context->state[2] = 0x3C6EF372UL; -+ Context->state[3] = 0xA54FF53AUL; -+ Context->state[4] = 0x510E527FUL; -+ Context->state[5] = 0x9B05688CUL; -+ Context->state[6] = 0x1F83D9ABUL; -+ Context->state[7] = 0x5BE0CD19UL; -+} -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Update -+// -+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on -+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Update -+ ( -+ Sha256Context* Context, // [in out] -+ void const* Buffer, // [in] -+ uint32_t BufferSize // [in] -+ ) -+{ -+ uint32_t n; -+ -+ if( Context->curlen > sizeof(Context->buf) ) -+ { -+ return; -+ } -+ -+ while( BufferSize > 0 ) -+ { -+ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) -+ { -+ TransformFunction( Context, (uint8_t*)Buffer ); -+ Context->length += BLOCK_SIZE * 8; -+ Buffer = (uint8_t*)Buffer + BLOCK_SIZE; -+ BufferSize -= BLOCK_SIZE; -+ } -+ else -+ { -+ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); -+ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); -+ Context->curlen += n; -+ Buffer = (uint8_t*)Buffer + n; -+ BufferSize -= n; -+ if( Context->curlen == BLOCK_SIZE ) -+ { -+ TransformFunction( Context, Context->buf ); -+ Context->length += 8*BLOCK_SIZE; -+ Context->curlen = 0; -+ } -+ } -+ } -+} -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Finalise -+// -+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After -+// calling this, Sha256Initialised must be used to reuse the context. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Finalise -+ ( -+ Sha256Context* Context, // [in out] -+ SHA256_HASH* Digest // [out] -+ ) -+{ -+ int i; -+ -+ if( Context->curlen >= sizeof(Context->buf) ) -+ { -+ return; -+ } -+ -+ // Increase the length of the message -+ Context->length += Context->curlen * 8; -+ -+ // Append the '1' bit -+ Context->buf[Context->curlen++] = (uint8_t)0x80; -+ -+ // if the length is currently above 56 bytes we append zeros -+ // then compress. Then we can fall back to padding zeros and length -+ // encoding like normal. -+ if( Context->curlen > 56 ) -+ { -+ while( Context->curlen < 64 ) -+ { -+ Context->buf[Context->curlen++] = (uint8_t)0; -+ } -+ TransformFunction(Context, Context->buf); -+ Context->curlen = 0; -+ } -+ -+ // Pad up to 56 bytes of zeroes -+ while( Context->curlen < 56 ) -+ { -+ Context->buf[Context->curlen++] = (uint8_t)0; -+ } -+ -+ // Store length -+ STORE64H( Context->length, Context->buf+56 ); -+ TransformFunction( Context, Context->buf ); -+ -+ // Copy output -+ for( i=0; i<8; i++ ) -+ { -+ STORE32H( Context->state[i], Digest->bytes+(4*i) ); -+ } -+} -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Calculate -+// -+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the -+// buffer. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Calculate -+ ( -+ void const* Buffer, // [in] -+ uint32_t BufferSize, // [in] -+ SHA256_HASH* Digest // [in] -+ ) -+{ -+ Sha256Context context; -+ -+ Sha256Initialise( &context ); -+ Sha256Update( &context, Buffer, BufferSize ); -+ Sha256Finalise( &context, Digest ); -+} -diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h -new file mode 100644 -index 000000000000..406ed869cd82 ---- /dev/null -+++ b/libselinux/src/sha256.h -@@ -0,0 +1,89 @@ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// WjCryptLib_Sha256 -+// -+// Implementation of SHA256 hash function. -+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org -+// Modified by WaterJuice retaining Public Domain license. -+// -+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+#pragma once -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// IMPORTS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+#include -+#include -+ -+typedef struct -+{ -+ uint64_t length; -+ uint32_t state[8]; -+ uint32_t curlen; -+ uint8_t buf[64]; -+} Sha256Context; -+ -+#define SHA256_HASH_SIZE ( 256 / 8 ) -+ -+typedef struct -+{ -+ uint8_t bytes [SHA256_HASH_SIZE]; -+} SHA256_HASH; -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// PUBLIC FUNCTIONS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Initialise -+// -+// Initialises a SHA256 Context. Use this to initialise/reset a context. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Initialise -+ ( -+ Sha256Context* Context // [out] -+ ); -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Update -+// -+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on -+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Update -+ ( -+ Sha256Context* Context, // [in out] -+ void const* Buffer, // [in] -+ uint32_t BufferSize // [in] -+ ); -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Finalise -+// -+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After -+// calling this, Sha256Initialised must be used to reuse the context. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Finalise -+ ( -+ Sha256Context* Context, // [in out] -+ SHA256_HASH* Digest // [out] -+ ); -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Calculate -+// -+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the -+// buffer. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Calculate -+ ( -+ void const* Buffer, // [in] -+ uint32_t BufferSize, // [in] -+ SHA256_HASH* Digest // [in] -+ ); -diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c -index 49408a0ba8d8..67befadd23c5 100644 ---- a/libselinux/utils/selabel_digest.c -+++ b/libselinux/utils/selabel_digest.c -@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) - "Where:\n\t" - "-b The backend - \"file\", \"media\", \"x\", \"db\" or " - "\"prop\"\n\t" -- "-v Run \"cat | openssl dgst -sha1 -hex\"\n\t" -- " on the list of specfiles to compare the SHA1 digests.\n\t" -+ "-v Run \"cat | openssl dgst -sha256 -hex\"\n\t" -+ " on the list of specfiles to compare the SHA256 digests.\n\t" - "-B Use base specfiles only (valid for \"-b file\" only).\n\t" - "-i Do not request a digest.\n\t" - "-f Optional file containing the specs (defaults to\n\t" -@@ -62,12 +62,12 @@ int main(int argc, char **argv) - int backend = 0, rc, opt, validate = 0; - char *baseonly = NULL, *file = NULL, *digest = (char *)1; - char **specfiles = NULL; -- unsigned char *sha1_digest = NULL; -+ unsigned char *sha256_digest = NULL; - size_t i, num_specfiles; - - char cmd_buf[4096]; - char *cmd_ptr; -- char *sha1_buf; -+ char *sha256_buf; - - struct selabel_handle *hnd; - struct selinux_opt selabel_option[] = { -@@ -137,7 +137,7 @@ int main(int argc, char **argv) - return -1; - } - -- rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles, -+ rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles, - &num_specfiles); - - if (rc) { -@@ -152,19 +152,19 @@ int main(int argc, char **argv) - goto err; - } - -- sha1_buf = malloc(digest_len * 2 + 1); -- if (!sha1_buf) { -+ sha256_buf = malloc(digest_len * 2 + 1); -+ if (!sha256_buf) { - fprintf(stderr, "Could not malloc buffer ERROR: %s\n", - strerror(errno)); - rc = -1; - goto err; - } - -- printf("SHA1 digest: "); -+ printf("SHA256 digest: "); - for (i = 0; i < digest_len; i++) -- sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]); -+ sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]); - -- printf("%s\n", sha1_buf); -+ printf("%s\n", sha256_buf); - printf("calculated using the following specfile(s):\n"); - - if (specfiles) { -@@ -177,13 +177,13 @@ int main(int argc, char **argv) - cmd_ptr += strlen(specfiles[i]) + 1; - printf("%s\n", specfiles[i]); - } -- sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex"); -+ sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex"); - - if (validate) -- rc = run_check_digest(cmd_buf, sha1_buf); -+ rc = run_check_digest(cmd_buf, sha256_buf); - } - -- free(sha1_buf); -+ free(sha256_buf); - err: - selabel_close(hnd); - return rc; -diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c -index e28833d2ce97..900f018c0091 100644 ---- a/libselinux/utils/selabel_get_digests_all_partial_matches.c -+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c -@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) - "-v Validate file_contxts entries against loaded policy.\n\t" - "-r Recursively descend directories.\n\t" - "-f Optional file_contexts file (defaults to current policy).\n\t" -- "path Path to check current SHA1 digest against file_contexts entries.\n\n" -- "This will check the directory selinux.sehash SHA1 digest for " -+ "path Path to check current SHA256 digest against file_contexts entries.\n\n" -+ "This will check the directory selinux.sehash SHA256 digest for " - " against\na newly generated digest based on the " - "file_context entries for that node\n(using the regx, mode " - "and path entries).\n", progname); -@@ -37,7 +37,7 @@ int main(int argc, char **argv) - char *paths[2] = { NULL, NULL }; - uint8_t *xattr_digest = NULL; - uint8_t *calculated_digest = NULL; -- char *sha1_buf = NULL; -+ char *sha256_buf = NULL; - - struct selabel_handle *hnd; - struct selinux_opt selabel_option[] = { -@@ -105,27 +105,27 @@ int main(int argc, char **argv) - &xattr_digest, - &digest_len); - -- sha1_buf = calloc(1, digest_len * 2 + 1); -- if (!sha1_buf) { -+ sha256_buf = calloc(1, digest_len * 2 + 1); -+ if (!sha256_buf) { - fprintf(stderr, "Could not calloc buffer ERROR: %s\n", - strerror(errno)); - return -1; - } - - if (status) { /* They match */ -- printf("xattr and file_contexts SHA1 digests match for: %s\n", -+ printf("xattr and file_contexts SHA256 digests match for: %s\n", - ftsent->fts_path); - - if (calculated_digest) { - for (i = 0; i < digest_len; i++) -- sprintf((&sha1_buf[i * 2]), -+ sprintf((&sha256_buf[i * 2]), - "%02x", - calculated_digest[i]); -- printf("SHA1 digest: %s\n", sha1_buf); -+ printf("SHA256 digest: %s\n", sha256_buf); - } - } else { - if (!calculated_digest) { -- printf("No SHA1 digest available for: %s\n", -+ printf("No SHA256 digest available for: %s\n", - ftsent->fts_path); - printf("as file_context entry is \"<>\"\n"); - goto cleanup; -@@ -135,25 +135,25 @@ int main(int argc, char **argv) - ftsent->fts_path); - - for (i = 0; i < digest_len; i++) -- sprintf((&sha1_buf[i * 2]), "%02x", -+ sprintf((&sha256_buf[i * 2]), "%02x", - calculated_digest[i]); -- printf("generated SHA1 digest: %s\n", sha1_buf); -+ printf("generated SHA256 digest: %s\n", sha256_buf); - - if (!xattr_digest) { - printf("however there is no selinux.sehash xattr entry.\n"); - } else { - printf("however it does NOT match the current entry of:\n"); - for (i = 0; i < digest_len; i++) -- sprintf((&sha1_buf[i * 2]), -+ sprintf((&sha256_buf[i * 2]), - "%02x", - xattr_digest[i]); -- printf("%s\n", sha1_buf); -+ printf("%s\n", sha256_buf); - } - } - cleanup: - free(xattr_digest); - free(calculated_digest); -- free(sha1_buf); -+ free(sha256_buf); - break; - } - default: --- -2.32.0 - diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec index cdb5158..0d93511 100644 --- a/SPECS/libselinux.spec +++ b/SPECS/libselinux.spec @@ -1,59 +1,22 @@ %define ruby_inc %(pkg-config --cflags ruby) -%define libsepolver 3.2-3 +%define libsepolver 3.3-1 Summary: SELinux library and simple utilities Name: libselinux -Version: 3.2 -Release: 6%{?dist} +Version: 3.3 +Release: 1%{?dist} License: Public Domain # https://github.com/SELinuxProject/selinux/wiki/Releases -Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/libselinux-3.2.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz Source1: selinuxconlist.8 Source2: selinuxdefcon.8 Url: https://github.com/SELinuxProject/selinux/wiki # $ git clone https://github.com/fedora-selinux/selinux.git # $ cd selinux -# $ git format-patch -N 3.2 -- libselinux +# $ git format-patch -N 3.3 -- libselinux # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # Patch list start -Patch0001: 0001-libselinux-do-not-duplicate-make-target-when-going-i.patch -Patch0002: 0002-libselinux-selinux_check_passwd_access_internal-resp.patch -Patch0003: 0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch -Patch0004: 0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch -Patch0005: 0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch -Patch0006: 0006-libselinux-label_common-do-not-discard-const-qualifi.patch -Patch0007: 0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch -Patch0008: 0008-libselinux-sefcontext_compile-mark-local-variable-st.patch -Patch0009: 0009-libselinux-avcstat-use-standard-length-modifier-for-.patch -Patch0010: 0010-libselinux-selinux_restorecon-mark-local-variable-st.patch -Patch0011: 0011-libselinux-selabel_get_digests_all_partial_matches-f.patch -Patch0012: 0012-libselinux-getconlist-free-memory-on-multiple-level-.patch -Patch0013: 0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch -Patch0014: 0014-libselinux-context_new-drop-dead-assignment.patch -Patch0015: 0015-libselinux-label_x-init-drop-dead-assignment.patch -Patch0016: 0016-libselinux-label_media-init-drop-dead-assignment.patch -Patch0017: 0017-libselinux-setexecfilecon-drop-dead-assignment.patch -Patch0018: 0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch -Patch0019: 0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch -Patch0020: 0020-libselinux-matchmediacon-close-file-on-error.patch -Patch0021: 0021-libselinux-init_selinux_config-free-resources-on-err.patch -Patch0022: 0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch -Patch0023: 0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch -Patch0024: 0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch -Patch0025: 0025-libselinux-drop-redundant-casts-to-the-same-type.patch -Patch0026: 0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch -Patch0027: 0027-libselinux-regex-unify-parameter-names.patch -Patch0028: 0028-libselinux-label_file.c-fix-indent.patch -Patch0029: 0029-libselinux-avc_destroy-3-closes-status-page.patch -Patch0030: 0030-libselinux-make-selinux_status_open-3-reentrant.patch -Patch0031: 0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch -Patch0032: 0032-libselinux-selinux_status_open-return-1-in-fallback-.patch -Patch0033: 0033-libselinux-improve-getcon-3-man-page.patch -Patch0034: 0034-libselinux-fix-typo.patch -Patch0035: 0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch -Patch0036: 0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch -Patch0037: 0037-libselinux-silence-Wextra-semi-stmt-warning.patch -Patch0038: 0038-sha1-sha256.patch +Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch # Patch list end BuildRequires: gcc make BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel @@ -250,6 +213,15 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %{ruby_vendorarchdir}/selinux.so %changelog +* Fri Oct 22 2021 Petr Lautrbach - 3.3-1 +- SELinux userspace 3.3 release + +* Fri Oct 8 2021 Petr Lautrbach - 3.3-0.rc3.1 +- SELinux userspace 3.3-rc3 release + +* Wed Sep 29 2021 Petr Lautrbach - 3.3-0.rc2.1 +- SELinux userspace 3.3-rc2 release + * Mon Aug 09 2021 Mohan Boddu - 3.2-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688