diff --git a/0029-sha1-sha256.patch b/0029-sha1-sha256.patch new file mode 100644 index 0000000..f393cec --- /dev/null +++ b/0029-sha1-sha256.patch @@ -0,0 +1,1331 @@ +From 182f2661945cfe2c50692fd9752de425781a6631 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 22 Jun 2021 19:23:04 +0200 +Subject: [PATCH] sha1 -> sha256 + +--- + libselinux/include/selinux/label.h | 6 +- + libselinux/include/selinux/restorecon.h | 4 +- + libselinux/man/man3/selabel_digest.3 | 4 +- + libselinux/man/man3/selabel_open.3 | 2 +- + libselinux/man/man3/selinux_restorecon.3 | 16 +- + .../man/man3/selinux_restorecon_xattr.3 | 2 +- + libselinux/src/Makefile | 2 +- + libselinux/src/label_file.c | 40 +-- + libselinux/src/label_internal.h | 10 +- + libselinux/src/label_support.c | 8 +- + libselinux/src/selinux_restorecon.c | 24 +- + libselinux/src/sha1.c | 219 ------------- + libselinux/src/sha1.h | 85 ----- + libselinux/src/sha256.c | 294 ++++++++++++++++++ + libselinux/src/sha256.h | 89 ++++++ + libselinux/utils/selabel_digest.c | 26 +- + .../selabel_get_digests_all_partial_matches.c | 28 +- + 17 files changed, 469 insertions(+), 390 deletions(-) + delete mode 100644 libselinux/src/sha1.c + delete mode 100644 libselinux/src/sha1.h + create mode 100644 libselinux/src/sha256.c + create mode 100644 libselinux/src/sha256.h + +diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h +index e8983606d93b..a35d84d63b0a 100644 +--- a/libselinux/include/selinux/label.h ++++ b/libselinux/include/selinux/label.h +@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con, + const char *key, const char **aliases, int type); + + /** +- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to ++ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to + * generate the digest. The SELABEL_OPT_DIGEST option must + * be set in selabel_open() to initiate the digest generation. + * @handle: specifies backend instance to query +- * @digest: returns a pointer to the SHA1 digest. ++ * @digest: returns a pointer to the SHA256 digest. + * @digest_len: returns length of digest in bytes. +- * @specfiles: a list of specfiles used in the SHA1 digest generation. ++ * @specfiles: a list of specfiles used in the SHA256 digest generation. + * The list is NULL terminated and will hold @num_specfiles entries. + * @num_specfiles: number of specfiles in the list. + * +diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h +index 466de39aac72..ca8ce768587a 100644 +--- a/libselinux/include/selinux/restorecon.h ++++ b/libselinux/include/selinux/restorecon.h +@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname, + * restorecon_flags options + */ + /* +- * Force the checking of labels even if the stored SHA1 digest +- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN). ++ * Force the checking of labels even if the stored SHA256 digest ++ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN). + */ + #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001 + /* +diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3 +index 56a008f00df0..5f7c42533d0e 100644 +--- a/libselinux/man/man3/selabel_digest.3 ++++ b/libselinux/man/man3/selabel_digest.3 +@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used + .BR selabel_digest () + performs an operation on the handle + .IR hnd , +-returning the results of the SHA1 digest pointed to by ++returning the results of the SHA256 digest pointed to by + .IR digest , + whose length will be + .IR digest_len . +-The list of specfiles used in the SHA1 digest calculation is returned in ++The list of specfiles used in the SHA256 digest calculation is returned in + .I specfiles + with the number of entries in + .IR num_specfiles . +diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3 +index 971ebc1acd41..2cf2eb8a1410 100644 +--- a/libselinux/man/man3/selabel_open.3 ++++ b/libselinux/man/man3/selabel_open.3 +@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via + Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation. + .TP + .B SELABEL_OPT_DIGEST +-A non-null value for this option enables the generation of an SHA1 digest of ++A non-null value for this option enables the generation of an SHA256 digest of + the spec files loaded as described in + .BR selabel_digest (3) + . +diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3 +index ad637406a30d..c4576fe79ff6 100644 +--- a/libselinux/man/man3/selinux_restorecon.3 ++++ b/libselinux/man/man3/selinux_restorecon.3 +@@ -28,7 +28,7 @@ If this is a directory and the + .B SELINUX_RESTORECON_RECURSE + has been set (for descending through directories), then + .BR selinux_restorecon () +-will write an SHA1 digest of specfile entries calculated by ++will write an SHA256 digest of specfile entries calculated by + .BR selabel_get_digests_all_partial_matches (3) + to an extended attribute of + .IR security.sehash +@@ -47,7 +47,7 @@ will take place. + .br + The + .IR restorecon_flags +-that can be used to manage the usage of the SHA1 digest are: ++that can be used to manage the usage of the SHA256 digest are: + .RS + .B SELINUX_RESTORECON_SKIP_DIGEST + .br +@@ -65,8 +65,8 @@ Do not check or update any extended attribute + entries. + .sp + .B SELINUX_RESTORECON_IGNORE_DIGEST +-force the checking of labels even if the stored SHA1 digest matches the +-specfile entries SHA1 digest. The specfile entries digest will be written to the ++force the checking of labels even if the stored SHA256 digest matches the ++specfile entries SHA256 digest. The specfile entries digest will be written to the + .IR security.sehash + extended attribute once relabeling has been completed successfully provided the + .B SELINUX_RESTORECON_NOCHANGE +@@ -84,7 +84,7 @@ default specfile context. + .sp + .B SELINUX_RESTORECON_RECURSE + change file and directory labels recursively (descend directories) +-and if successful write an SHA1 digest of the specfile entries to an ++and if successful write an SHA256 digest of the specfile entries to an + extended attribute as described in the + .B NOTES + section. +@@ -158,7 +158,7 @@ to treat conflicting specifications, such as where two hardlinks for the + same inode have different contexts, as errors. + .RE + .sp +-The behavior regarding the checking and updating of the SHA1 digest described ++The behavior regarding the checking and updating of the SHA256 digest described + above is the default behavior. It is possible to change this by first calling + .BR selabel_open (3) + and not enabling the +@@ -200,7 +200,7 @@ To improve performance when relabeling file systems recursively (e.g. the + .B SELINUX_RESTORECON_RECURSE + flag is set) + .BR selinux_restorecon () +-will write a calculated SHA1 digest of the specfile entries returned by ++will write a calculated SHA256 digest of the specfile entries returned by + .BR selabel_get_digests_all_partial_matches (3) + to an extended attribute named + .IR security.sehash +@@ -222,7 +222,7 @@ Should any of the specfile entries have changed, then when + .BR selinux_restorecon () + is run again with the + .B SELINUX_RESTORECON_RECURSE +-flag set, new SHA1 digests will be calculated and all files automatically ++flag set, new SHA256 digests will be calculated and all files automatically + relabeled depending on the settings of the + .B SELINUX_RESTORECON_SET_SPECFILE_CTX + flag (provided +diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3 +index c56326814b94..098c840fc59b 100644 +--- a/libselinux/man/man3/selinux_restorecon_xattr.3 ++++ b/libselinux/man/man3/selinux_restorecon_xattr.3 +@@ -119,7 +119,7 @@ By default + .BR selinux_restorecon_xattr (3) + will use the default set of specfiles described in + .BR files_contexts (5) +-to calculate the SHA1 digests to be used for comparison. ++to calculate the SHA256 digests to be used for comparison. + To change this default behavior + .BR selabel_open (3) + must be called specifying the required +diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile +index 52c40f018f51..674a5ed3a6f8 100644 +--- a/libselinux/src/Makefile ++++ b/libselinux/src/Makefile +@@ -120,7 +120,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ + -DBUILD_HOST + SRCS= callbacks.c freecon.c label.c label_file.c \ + label_backends_android.c regex.c label_support.c \ +- matchpathcon.c setrans_client.c sha1.c booleans.c ++ matchpathcon.c setrans_client.c sha256.c booleans.c + else + LABEL_BACKEND_ANDROID=y + endif +diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c +index 56f499faef97..db5d7553aab2 100644 +--- a/libselinux/src/label_file.c ++++ b/libselinux/src/label_file.c +@@ -1002,7 +1002,7 @@ static struct spec *lookup_common(struct selabel_handle *rec, + + /* + * Returns true if the digest of all partial matched contexts is the same as +- * the one saved by setxattr, otherwise returns false. The length of the SHA1 ++ * the one saved by setxattr, otherwise returns false. The length of the SHA256 + * digest will always be returned. The caller must free any returned digests. + */ + static bool get_digests_all_partial_matches(struct selabel_handle *rec, +@@ -1011,39 +1011,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec, + uint8_t **xattr_digest, + size_t *digest_len) + { +- uint8_t read_digest[SHA1_HASH_SIZE]; ++ uint8_t read_digest[SHA256_HASH_SIZE]; + ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST, +- read_digest, SHA1_HASH_SIZE ++ read_digest, SHA256_HASH_SIZE + #ifdef __APPLE__ + , 0, 0 + #endif /* __APPLE __ */ + ); +- uint8_t hash_digest[SHA1_HASH_SIZE]; ++ uint8_t hash_digest[SHA256_HASH_SIZE]; + bool status = selabel_hash_all_partial_matches(rec, pathname, + hash_digest); + + *xattr_digest = NULL; + *calculated_digest = NULL; +- *digest_len = SHA1_HASH_SIZE; ++ *digest_len = SHA256_HASH_SIZE; + +- if (read_size == SHA1_HASH_SIZE) { +- *xattr_digest = calloc(1, SHA1_HASH_SIZE + 1); ++ if (read_size == SHA256_HASH_SIZE) { ++ *xattr_digest = calloc(1, SHA256_HASH_SIZE + 1); + if (!*xattr_digest) + goto oom; + +- memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE); ++ memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE); + } + + if (status) { +- *calculated_digest = calloc(1, SHA1_HASH_SIZE + 1); ++ *calculated_digest = calloc(1, SHA256_HASH_SIZE + 1); + if (!*calculated_digest) + goto oom; + +- memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE); ++ memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE); + } + +- if (status && read_size == SHA1_HASH_SIZE && +- memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0) ++ if (status && read_size == SHA256_HASH_SIZE && ++ memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0) + return true; + + return false; +@@ -1063,22 +1063,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key + return false; + } + +- Sha1Context context; +- Sha1Initialise(&context); ++ Sha256Context context; ++ Sha256Initialise(&context); + size_t i; + for (i = 0; i < total_matches; i++) { + char* regex_str = matches[i]->regex_str; + mode_t mode = matches[i]->mode; + char* ctx_raw = matches[i]->lr.ctx_raw; + +- Sha1Update(&context, regex_str, strlen(regex_str) + 1); +- Sha1Update(&context, &mode, sizeof(mode_t)); +- Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1); ++ Sha256Update(&context, regex_str, strlen(regex_str) + 1); ++ Sha256Update(&context, &mode, sizeof(mode_t)); ++ Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1); + } + +- SHA1_HASH sha1_hash; +- Sha1Finalise(&context, &sha1_hash); +- memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE); ++ SHA256_HASH sha256_hash; ++ Sha256Finalise(&context, &sha256_hash); ++ memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE); + + free(matches); + return true; +diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h +index 361b443cb9c4..1cff4ba99686 100644 +--- a/libselinux/src/label_internal.h ++++ b/libselinux/src/label_internal.h +@@ -13,7 +13,7 @@ + #include + #include + #include +-#include "sha1.h" ++#include "sha256.h" + + #if defined(ANDROID) || defined(__APPLE__) + // Android and Mac do not have fgets_unlocked() +@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec, + */ + + /* +- * Calculate an SHA1 hash of all the files used to build the specs. ++ * Calculate an SHA256 hash of all the files used to build the specs. + * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To + * calculate the hash the hashbuf will hold a concatenation of all the files + * used. This is released once the value has been calculated. + */ +-#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE ++#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE + #define DIGEST_FILES_MAX 8 + struct selabel_digest { +- unsigned char *digest; /* SHA1 digest of specfiles */ ++ unsigned char *digest; /* SHA256 digest of specfiles */ + unsigned char *hashbuf; /* buffer to hold specfiles */ + size_t hashbuf_size; /* buffer size */ + size_t specfile_cnt; /* how many specfiles processed */ +@@ -110,7 +110,7 @@ struct selabel_handle { + */ + char *spec_file; + +- /* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */ ++ /* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */ + struct selabel_digest *digest; + }; + +diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c +index 94ed6e4273cb..f53d73b609ab 100644 +--- a/libselinux/src/label_support.c ++++ b/libselinux/src/label_support.c +@@ -115,15 +115,15 @@ int read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...) + /* Once all the specfiles are in the hash_buf, generate the hash. */ + void digest_gen_hash(struct selabel_digest *digest) + { +- Sha1Context context; ++ Sha256Context context; + + /* If SELABEL_OPT_DIGEST not set then just return */ + if (!digest) + return; + +- Sha1Initialise(&context); +- Sha1Update(&context, digest->hashbuf, digest->hashbuf_size); +- Sha1Finalise(&context, (SHA1_HASH *)digest->digest); ++ Sha256Initialise(&context); ++ Sha256Update(&context, digest->hashbuf, digest->hashbuf_size); ++ Sha256Finalise(&context, (SHA256_HASH *)digest->digest); + free(digest->hashbuf); + digest->hashbuf = NULL; + return; +diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c +index 999aa924ba32..10211a888cf6 100644 +--- a/libselinux/src/selinux_restorecon.c ++++ b/libselinux/src/selinux_restorecon.c +@@ -37,7 +37,7 @@ + #include "callbacks.h" + #include "selinux_internal.h" + #include "label_file.h" +-#include "sha1.h" ++#include "sha256.h" + + #define STAR_COUNT 1024 + +@@ -293,7 +293,7 @@ static int exclude_non_seclabel_mounts(void) + static int add_xattr_entry(const char *directory, bool delete_nonmatch, + bool delete_all) + { +- char *sha1_buf = NULL; ++ char *sha256_buf = NULL; + size_t i, digest_len = 0; + int rc, digest_result; + bool match; +@@ -316,15 +316,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + } + + /* Convert entry to a hex encoded string. */ +- sha1_buf = malloc(digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = malloc(digest_len * 2 + 1); ++ if (!sha256_buf) { + free(xattr_digest); + free(calculated_digest); + goto oom; + } + + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]); ++ sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]); + + digest_result = match ? MATCH : NOMATCH; + +@@ -345,7 +345,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + /* Now add entries to link list. */ + new_entry = malloc(sizeof(struct dir_xattr)); + if (!new_entry) { +- free(sha1_buf); ++ free(sha256_buf); + goto oom; + } + new_entry->next = NULL; +@@ -353,15 +353,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + new_entry->directory = strdup(directory); + if (!new_entry->directory) { + free(new_entry); +- free(sha1_buf); ++ free(sha256_buf); + goto oom; + } + +- new_entry->digest = strdup(sha1_buf); ++ new_entry->digest = strdup(sha256_buf); + if (!new_entry->digest) { + free(new_entry->directory); + free(new_entry); +- free(sha1_buf); ++ free(sha256_buf); + goto oom; + } + +@@ -375,7 +375,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + dir_xattr_last = new_entry; + } + +- free(sha1_buf); ++ free(sha256_buf); + return 0; + + oom: +@@ -742,7 +742,7 @@ err: + + struct dir_hash_node { + char *path; +- uint8_t digest[SHA1_HASH_SIZE]; ++ uint8_t digest[SHA256_HASH_SIZE]; + struct dir_hash_node *next; + }; + /* +@@ -1085,7 +1085,7 @@ int selinux_restorecon(const char *pathname_orig, + if (setxattr(current->path, + RESTORECON_PARTIAL_MATCH_DIGEST, + current->digest, +- SHA1_HASH_SIZE, 0) < 0) { ++ SHA256_HASH_SIZE, 0) < 0) { + selinux_log(SELINUX_ERROR, + "setxattr failed: %s: %s\n", + current->path, +diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c +deleted file mode 100644 +index 664bbcf26eef..000000000000 +--- a/libselinux/src/sha1.c ++++ /dev/null +@@ -1,219 +0,0 @@ +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// LibSha1 +-// +-// Implementation of SHA1 hash function. +-// Original author: Steve Reid +-// Contributions by: James H. Brown , Saul Kravitz , +-// and Ralph Giles +-// Modified by WaterJuice retaining Public Domain license. +-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-// Modified to: +-// - stop symbols being exported for libselinux shared library - October 2015 +-// Richard Haines +-// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses. +-// Fixes: +-// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] +-// CHAR64LONG16* block = (CHAR64LONG16*) workspace; +-// William Roberts +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include "sha1.h" +-#include +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TYPES +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-typedef union +-{ +- uint8_t c [64]; +- uint32_t l [16]; +-} CHAR64LONG16; +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// INTERNAL FUNCTIONS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) +- +-// blk0() and blk() perform the initial expand. +-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ +- |(rol(block->l[i],8)&0x00FF00FF)) +- +-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ +- ^block->l[(i+2)&15]^block->l[i&15],1)) +- +-// (R0+R1), R2, R3, R4 are the different operations used in SHA1 +-#define R0(v,w,x,y,z,i) z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); +-#define R1(v,w,x,y,z,i) z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); +-#define R2(v,w,x,y,z,i) z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); +-#define R3(v,w,x,y,z,i) z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); +-#define R4(v,w,x,y,z,i) z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); +- +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TransformFunction +-// +-// Hash a single 512-bit block. This is the core of the algorithm +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-static +-void +- TransformFunction +- ( +- uint32_t state[5], +- const uint8_t buffer[64] +- ) +-{ +- uint32_t a; +- uint32_t b; +- uint32_t c; +- uint32_t d; +- uint32_t e; +- CHAR64LONG16 workspace; +- CHAR64LONG16* block = &workspace; +- +- memcpy(block, buffer, 64); +- +- // Copy context->state[] to working vars +- a = state[0]; +- b = state[1]; +- c = state[2]; +- d = state[3]; +- e = state[4]; +- +- // 4 rounds of 20 operations each. Loop unrolled. +- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); +- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); +- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); +- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); +- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); +- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); +- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); +- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); +- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); +- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); +- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); +- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); +- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); +- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); +- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); +- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); +- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); +- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); +- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); +- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); +- +- // Add the working vars back into context.state[] +- state[0] += a; +- state[1] += b; +- state[2] += c; +- state[3] += d; +- state[4] += e; +-} +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Initialise +-// +-// Initialises an SHA1 Context. Use this to initialise/reset a context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Initialise +- ( +- Sha1Context* Context +- ) +-{ +- // SHA1 initialization constants +- Context->State[0] = 0x67452301; +- Context->State[1] = 0xEFCDAB89; +- Context->State[2] = 0x98BADCFE; +- Context->State[3] = 0x10325476; +- Context->State[4] = 0xC3D2E1F0; +- Context->Count[0] = 0; +- Context->Count[1] = 0; +-} +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Update +-// +-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Update +- ( +- Sha1Context* Context, +- const void* Buffer, +- uint32_t BufferSize +- ) +-{ +- uint32_t i; +- uint32_t j; +- +- j = (Context->Count[0] >> 3) & 63; +- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3)) +- { +- Context->Count[1]++; +- } +- +- Context->Count[1] += (BufferSize >> 29); +- if ((j + BufferSize) > 63) +- { +- i = 64 - j; +- memcpy(&Context->Buffer[j], Buffer, i); +- TransformFunction(Context->State, Context->Buffer); +- for (; i + 63 < BufferSize; i += 64) +- { +- TransformFunction(Context->State, (const uint8_t*)Buffer + i); +- } +- j = 0; +- } +- else +- { +- i = 0; +- } +- +- memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i); +-} +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Finalise +-// +-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After +-// calling this, Sha1Initialised must be used to reuse the context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Finalise +- ( +- Sha1Context* Context, +- SHA1_HASH* Digest +- ) +-{ +- uint32_t i; +- uint8_t finalcount[8]; +- +- for (i = 0; i < 8; i++) +- { +- finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)] +- >> ((3-(i & 3)) * 8) ) & 255); // Endian independent +- } +- Sha1Update(Context, (const uint8_t*)"\x80", 1); +- while ((Context->Count[0] & 504) != 448) +- { +- Sha1Update(Context, (const uint8_t*)"\0", 1); +- } +- +- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction() +- for (i = 0; i < SHA1_HASH_SIZE; i++) +- { +- Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255); +- } +-} +diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h +deleted file mode 100644 +index f83a6e7ed7ba..000000000000 +--- a/libselinux/src/sha1.h ++++ /dev/null +@@ -1,85 +0,0 @@ +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// LibSha1 +-// +-// Implementation of SHA1 hash function. +-// Original author: Steve Reid +-// Contributions by: James H. Brown , Saul Kravitz , +-// and Ralph Giles +-// Modified by WaterJuice retaining Public Domain license. +-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#ifndef _sha1_h_ +-#define _sha1_h_ +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include +-#include +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TYPES +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly. +-typedef struct +-{ +- uint32_t State[5]; +- uint32_t Count[2]; +- uint8_t Buffer[64]; +-} Sha1Context; +- +-#define SHA1_HASH_SIZE ( 160 / 8 ) +- +-typedef struct +-{ +- uint8_t bytes [SHA1_HASH_SIZE]; +-} SHA1_HASH; +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Initialise +-// +-// Initialises an SHA1 Context. Use this to initialise/reset a context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Initialise +- ( +- Sha1Context* Context +- ); +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Update +-// +-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Update +- ( +- Sha1Context* Context, +- const void* Buffer, +- uint32_t BufferSize +- ); +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Finalise +-// +-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After +-// calling this, Sha1Initialised must be used to reuse the context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Finalise +- ( +- Sha1Context* Context, +- SHA1_HASH* Digest +- ); +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-#endif //_sha1_h_ +diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c +new file mode 100644 +index 000000000000..fe2aeef07f53 +--- /dev/null ++++ b/libselinux/src/sha256.c +@@ -0,0 +1,294 @@ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// WjCryptLib_Sha256 ++// ++// Implementation of SHA256 hash function. ++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org ++// Modified by WaterJuice retaining Public Domain license. ++// ++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// IMPORTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#include "sha256.h" ++#include ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// MACROS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) ++ ++#define MIN(x, y) ( ((x)<(y))?(x):(y) ) ++ ++#define STORE32H(x, y) \ ++ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ ++ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } ++ ++#define LOAD32H(x, y) \ ++ { x = ((uint32_t)((y)[0] & 255)<<24) | \ ++ ((uint32_t)((y)[1] & 255)<<16) | \ ++ ((uint32_t)((y)[2] & 255)<<8) | \ ++ ((uint32_t)((y)[3] & 255)); } ++ ++#define STORE64H(x, y) \ ++ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ ++ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ ++ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ ++ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// CONSTANTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++// The K array ++static const uint32_t K[64] = { ++ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, ++ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, ++ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, ++ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, ++ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, ++ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, ++ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, ++ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, ++ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, ++ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, ++ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, ++ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, ++ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL ++}; ++ ++#define BLOCK_SIZE 64 ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// INTERNAL FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++// Various logical functions ++#define Ch( x, y, z ) (z ^ (x & (y ^ z))) ++#define Maj( x, y, z ) (((x | y) & z) | (x & y)) ++#define S( x, n ) ror((x),(n)) ++#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) ++#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) ++#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) ++#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) ++#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) ++ ++#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ ++ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ ++ t1 = Sigma0(a) + Maj(a, b, c); \ ++ d += t0; \ ++ h = t0 + t1; ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// TransformFunction ++// ++// Compress 512-bits ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++static ++void ++ TransformFunction ++ ( ++ Sha256Context* Context, ++ uint8_t const* Buffer ++ ) ++{ ++ uint32_t S[8]; ++ uint32_t W[64]; ++ uint32_t t0; ++ uint32_t t1; ++ uint32_t t; ++ int i; ++ ++ // Copy state into S ++ for( i=0; i<8; i++ ) ++ { ++ S[i] = Context->state[i]; ++ } ++ ++ // Copy the state into 512-bits into W[0..15] ++ for( i=0; i<16; i++ ) ++ { ++ LOAD32H( W[i], Buffer + (4*i) ); ++ } ++ ++ // Fill W[16..63] ++ for( i=16; i<64; i++ ) ++ { ++ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; ++ } ++ ++ // Compress ++ for( i=0; i<64; i++ ) ++ { ++ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); ++ t = S[7]; ++ S[7] = S[6]; ++ S[6] = S[5]; ++ S[5] = S[4]; ++ S[4] = S[3]; ++ S[3] = S[2]; ++ S[2] = S[1]; ++ S[1] = S[0]; ++ S[0] = t; ++ } ++ ++ // Feedback ++ for( i=0; i<8; i++ ) ++ { ++ Context->state[i] = Context->state[i] + S[i]; ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// PUBLIC FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Initialise ++// ++// Initialises a SHA256 Context. Use this to initialise/reset a context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Initialise ++ ( ++ Sha256Context* Context // [out] ++ ) ++{ ++ Context->curlen = 0; ++ Context->length = 0; ++ Context->state[0] = 0x6A09E667UL; ++ Context->state[1] = 0xBB67AE85UL; ++ Context->state[2] = 0x3C6EF372UL; ++ Context->state[3] = 0xA54FF53AUL; ++ Context->state[4] = 0x510E527FUL; ++ Context->state[5] = 0x9B05688CUL; ++ Context->state[6] = 0x1F83D9ABUL; ++ Context->state[7] = 0x5BE0CD19UL; ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Update ++// ++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on ++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Update ++ ( ++ Sha256Context* Context, // [in out] ++ void const* Buffer, // [in] ++ uint32_t BufferSize // [in] ++ ) ++{ ++ uint32_t n; ++ ++ if( Context->curlen > sizeof(Context->buf) ) ++ { ++ return; ++ } ++ ++ while( BufferSize > 0 ) ++ { ++ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) ++ { ++ TransformFunction( Context, (uint8_t*)Buffer ); ++ Context->length += BLOCK_SIZE * 8; ++ Buffer = (uint8_t*)Buffer + BLOCK_SIZE; ++ BufferSize -= BLOCK_SIZE; ++ } ++ else ++ { ++ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); ++ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); ++ Context->curlen += n; ++ Buffer = (uint8_t*)Buffer + n; ++ BufferSize -= n; ++ if( Context->curlen == BLOCK_SIZE ) ++ { ++ TransformFunction( Context, Context->buf ); ++ Context->length += 8*BLOCK_SIZE; ++ Context->curlen = 0; ++ } ++ } ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Finalise ++// ++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After ++// calling this, Sha256Initialised must be used to reuse the context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Finalise ++ ( ++ Sha256Context* Context, // [in out] ++ SHA256_HASH* Digest // [out] ++ ) ++{ ++ int i; ++ ++ if( Context->curlen >= sizeof(Context->buf) ) ++ { ++ return; ++ } ++ ++ // Increase the length of the message ++ Context->length += Context->curlen * 8; ++ ++ // Append the '1' bit ++ Context->buf[Context->curlen++] = (uint8_t)0x80; ++ ++ // if the length is currently above 56 bytes we append zeros ++ // then compress. Then we can fall back to padding zeros and length ++ // encoding like normal. ++ if( Context->curlen > 56 ) ++ { ++ while( Context->curlen < 64 ) ++ { ++ Context->buf[Context->curlen++] = (uint8_t)0; ++ } ++ TransformFunction(Context, Context->buf); ++ Context->curlen = 0; ++ } ++ ++ // Pad up to 56 bytes of zeroes ++ while( Context->curlen < 56 ) ++ { ++ Context->buf[Context->curlen++] = (uint8_t)0; ++ } ++ ++ // Store length ++ STORE64H( Context->length, Context->buf+56 ); ++ TransformFunction( Context, Context->buf ); ++ ++ // Copy output ++ for( i=0; i<8; i++ ) ++ { ++ STORE32H( Context->state[i], Digest->bytes+(4*i) ); ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Calculate ++// ++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the ++// buffer. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Calculate ++ ( ++ void const* Buffer, // [in] ++ uint32_t BufferSize, // [in] ++ SHA256_HASH* Digest // [in] ++ ) ++{ ++ Sha256Context context; ++ ++ Sha256Initialise( &context ); ++ Sha256Update( &context, Buffer, BufferSize ); ++ Sha256Finalise( &context, Digest ); ++} +diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h +new file mode 100644 +index 000000000000..406ed869cd82 +--- /dev/null ++++ b/libselinux/src/sha256.h +@@ -0,0 +1,89 @@ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// WjCryptLib_Sha256 ++// ++// Implementation of SHA256 hash function. ++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org ++// Modified by WaterJuice retaining Public Domain license. ++// ++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#pragma once ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// IMPORTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#include ++#include ++ ++typedef struct ++{ ++ uint64_t length; ++ uint32_t state[8]; ++ uint32_t curlen; ++ uint8_t buf[64]; ++} Sha256Context; ++ ++#define SHA256_HASH_SIZE ( 256 / 8 ) ++ ++typedef struct ++{ ++ uint8_t bytes [SHA256_HASH_SIZE]; ++} SHA256_HASH; ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// PUBLIC FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Initialise ++// ++// Initialises a SHA256 Context. Use this to initialise/reset a context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Initialise ++ ( ++ Sha256Context* Context // [out] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Update ++// ++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on ++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Update ++ ( ++ Sha256Context* Context, // [in out] ++ void const* Buffer, // [in] ++ uint32_t BufferSize // [in] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Finalise ++// ++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After ++// calling this, Sha256Initialised must be used to reuse the context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Finalise ++ ( ++ Sha256Context* Context, // [in out] ++ SHA256_HASH* Digest // [out] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Calculate ++// ++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the ++// buffer. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Calculate ++ ( ++ void const* Buffer, // [in] ++ uint32_t BufferSize, // [in] ++ SHA256_HASH* Digest // [in] ++ ); +diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c +index 49408a0ba8d8..67befadd23c5 100644 +--- a/libselinux/utils/selabel_digest.c ++++ b/libselinux/utils/selabel_digest.c +@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) + "Where:\n\t" + "-b The backend - \"file\", \"media\", \"x\", \"db\" or " + "\"prop\"\n\t" +- "-v Run \"cat | openssl dgst -sha1 -hex\"\n\t" +- " on the list of specfiles to compare the SHA1 digests.\n\t" ++ "-v Run \"cat | openssl dgst -sha256 -hex\"\n\t" ++ " on the list of specfiles to compare the SHA256 digests.\n\t" + "-B Use base specfiles only (valid for \"-b file\" only).\n\t" + "-i Do not request a digest.\n\t" + "-f Optional file containing the specs (defaults to\n\t" +@@ -62,12 +62,12 @@ int main(int argc, char **argv) + int backend = 0, rc, opt, validate = 0; + char *baseonly = NULL, *file = NULL, *digest = (char *)1; + char **specfiles = NULL; +- unsigned char *sha1_digest = NULL; ++ unsigned char *sha256_digest = NULL; + size_t i, num_specfiles; + + char cmd_buf[4096]; + char *cmd_ptr; +- char *sha1_buf; ++ char *sha256_buf; + + struct selabel_handle *hnd; + struct selinux_opt selabel_option[] = { +@@ -137,7 +137,7 @@ int main(int argc, char **argv) + return -1; + } + +- rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles, ++ rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles, + &num_specfiles); + + if (rc) { +@@ -152,19 +152,19 @@ int main(int argc, char **argv) + goto err; + } + +- sha1_buf = malloc(digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = malloc(digest_len * 2 + 1); ++ if (!sha256_buf) { + fprintf(stderr, "Could not malloc buffer ERROR: %s\n", + strerror(errno)); + rc = -1; + goto err; + } + +- printf("SHA1 digest: "); ++ printf("SHA256 digest: "); + for (i = 0; i < digest_len; i++) +- sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]); ++ sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]); + +- printf("%s\n", sha1_buf); ++ printf("%s\n", sha256_buf); + printf("calculated using the following specfile(s):\n"); + + if (specfiles) { +@@ -177,13 +177,13 @@ int main(int argc, char **argv) + cmd_ptr += strlen(specfiles[i]) + 1; + printf("%s\n", specfiles[i]); + } +- sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex"); ++ sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex"); + + if (validate) +- rc = run_check_digest(cmd_buf, sha1_buf); ++ rc = run_check_digest(cmd_buf, sha256_buf); + } + +- free(sha1_buf); ++ free(sha256_buf); + err: + selabel_close(hnd); + return rc; +diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c +index e28833d2ce97..900f018c0091 100644 +--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c ++++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c +@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) + "-v Validate file_contxts entries against loaded policy.\n\t" + "-r Recursively descend directories.\n\t" + "-f Optional file_contexts file (defaults to current policy).\n\t" +- "path Path to check current SHA1 digest against file_contexts entries.\n\n" +- "This will check the directory selinux.sehash SHA1 digest for " ++ "path Path to check current SHA256 digest against file_contexts entries.\n\n" ++ "This will check the directory selinux.sehash SHA256 digest for " + " against\na newly generated digest based on the " + "file_context entries for that node\n(using the regx, mode " + "and path entries).\n", progname); +@@ -37,7 +37,7 @@ int main(int argc, char **argv) + char *paths[2] = { NULL, NULL }; + uint8_t *xattr_digest = NULL; + uint8_t *calculated_digest = NULL; +- char *sha1_buf = NULL; ++ char *sha256_buf = NULL; + + struct selabel_handle *hnd; + struct selinux_opt selabel_option[] = { +@@ -105,27 +105,27 @@ int main(int argc, char **argv) + &xattr_digest, + &digest_len); + +- sha1_buf = calloc(1, digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = calloc(1, digest_len * 2 + 1); ++ if (!sha256_buf) { + fprintf(stderr, "Could not calloc buffer ERROR: %s\n", + strerror(errno)); + return -1; + } + + if (status) { /* They match */ +- printf("xattr and file_contexts SHA1 digests match for: %s\n", ++ printf("xattr and file_contexts SHA256 digests match for: %s\n", + ftsent->fts_path); + + if (calculated_digest) { + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), ++ sprintf((&sha256_buf[i * 2]), + "%02x", + calculated_digest[i]); +- printf("SHA1 digest: %s\n", sha1_buf); ++ printf("SHA256 digest: %s\n", sha256_buf); + } + } else { + if (!calculated_digest) { +- printf("No SHA1 digest available for: %s\n", ++ printf("No SHA256 digest available for: %s\n", + ftsent->fts_path); + printf("as file_context entry is \"<>\"\n"); + goto cleanup; +@@ -135,25 +135,25 @@ int main(int argc, char **argv) + ftsent->fts_path); + + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), "%02x", ++ sprintf((&sha256_buf[i * 2]), "%02x", + calculated_digest[i]); +- printf("generated SHA1 digest: %s\n", sha1_buf); ++ printf("generated SHA256 digest: %s\n", sha256_buf); + + if (!xattr_digest) { + printf("however there is no selinux.sehash xattr entry.\n"); + } else { + printf("however it does NOT match the current entry of:\n"); + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), ++ sprintf((&sha256_buf[i * 2]), + "%02x", + xattr_digest[i]); +- printf("%s\n", sha1_buf); ++ printf("%s\n", sha256_buf); + } + } + cleanup: + free(xattr_digest); + free(calculated_digest); +- free(sha1_buf); ++ free(sha256_buf); + break; + } + default: +-- +2.32.0.rc2 + diff --git a/libselinux.spec b/libselinux.spec index e13d146..51e27af 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -44,6 +44,7 @@ Patch0025: 0025-libselinux-sidtab_sid_stats-unify-parameter-name.patch Patch0026: 0026-libselinux-regex-unify-parameter-names.patch Patch0027: 0027-libselinux-label_file.c-fix-indent.patch Patch0028: 0028-libselinux-setexecfilecon-remove-unnecessary-if.patch +Patch0029: 0029-sha1-sha256.patch # Patch list end BuildRequires: gcc make BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel