Merge 3cef1bf053 into 94e6e88ed9

CI: Use free macOS runners for aarch64-apple-darwin jobs.
Sync mk/{cargo.sh,install-build-tools.sh} with *ring*.
2024-02-21 01:53:40 -07:00 · 2024-02-18 14:48:35 -08:00 · 2024-02-18 14:46:52 -08:00 · 2024-02-18 13:14:42 -08:00 · 2021-05-02 00:40:37 +02:00
9 changed files with 83 additions and 8 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -141,7 +141,7 @@ jobs:

        include:
          - target: aarch64-apple-darwin
-            host_os: macos-13-xlarge
+            host_os: macos-14

          - target: aarch64-pc-windows-msvc
            host_os: windows-latest
--- a/mk/cargo.sh
+++ b/mk/cargo.sh
@ -21,6 +21,9 @@ rustflags_self_contained="-Clink-self-contained=yes -Clinker=rust-lld"
 qemu_aarch64="qemu-aarch64 -L /usr/aarch64-linux-gnu"
 qemu_arm_gnueabi="qemu-arm -L /usr/arm-linux-gnueabi"
 qemu_arm_gnueabihf="qemu-arm -L /usr/arm-linux-gnueabihf"
+qemu_mips="qemu-mips -L /usr/mips-linux-gnu"
+qemu_mips64="qemu-mips64 -L /usr/mips64-linux-gnuabi64"
+qemu_mips64el="qemu-mips64el -L /usr/mips64el-linux-gnuabi64"
 qemu_mipsel="qemu-mipsel -L /usr/mipsel-linux-gnu"
 qemu_powerpc="qemu-ppc -L /usr/powerpc-linux-gnu"
 qemu_powerpc64="qemu-ppc64 -L /usr/powerpc64-linux-gnu"
@ -51,7 +54,7 @@ for arg in $*; do
 done

 # See comments in install-build-tools.sh.
-llvm_version=16
+llvm_version=18

 case $target in
   aarch64-linux-android)
@ -112,6 +115,24 @@ case $target in
    export AR_i686_unknown_linux_musl=llvm-ar-$llvm_version
    export CARGO_TARGET_I686_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
    ;;
+  mips-unknown-linux-gnu)
+    export CC_mips_unknown_linux_gnu=mips-linux-gnu-gcc
+    export AR_mips_unknown_linux_gnu=mips-linux-gnu-gcc-ar
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_LINKER=mips-linux-gnu-gcc
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mips"
+    ;;
+  mips64-unknown-linux-gnuabi64)
+    export CC_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc
+    export AR_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_LINKER=mips64-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64"
+    ;;
+  mips64el-unknown-linux-gnuabi64)
+    export CC_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc
+    export AR_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_LINKER=mips64el-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64el"
+    ;;
  mipsel-unknown-linux-gnu)
    export CC_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc
    export AR_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc-ar
--- a/mk/install-build-tools.sh
+++ b/mk/install-build-tools.sh
@ -94,6 +94,24 @@ case $target in
 --target=loongarch64-unknown-linux-gnu)
  use_clang=1
  ;;
+--target=mips-unknown-linux-gnu)
+  install_packages \
+    gcc-mips-linux-gnu \
+    libc6-dev-mips-cross \
+    qemu-user
+  ;;
+--target=mips64-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64-linux-gnuabi64 \
+    libc6-dev-mips64-cross \
+    qemu-user
+  ;;
+--target=mips64el-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64el-linux-gnuabi64 \
+    libc6-dev-mips64el-cross \
+    qemu-user
+  ;;
 --target=mipsel-unknown-linux-gnu)
  install_packages \
    gcc-mipsel-linux-gnu \
@ -155,7 +173,7 @@ esac
 case "$OSTYPE" in
 linux*)
  ubuntu_codename=$(lsb_release --codename --short)
-  llvm_version=16
+  llvm_version=18
  sudo apt-key add mk/llvm-snapshot.gpg.key
  sudo add-apt-repository "deb http://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main"
  sudo apt-get update
--- a/src/der.rs
+++ b/src/der.rs
@ -14,7 +14,7 @@

 use crate::{calendar, time, Error};
 pub use ring::io::{
-    der::{nested, Tag, CONSTRUCTED},
+    der::{nested, Tag},
    Positive,
 };

--- a/src/name/verify.rs
+++ b/src/name/verify.rs
@ -70,10 +70,7 @@ pub fn check_name_constraints(
        if !inner.peek(subtrees_tag.into()) {
            return Ok(None);
        }
-        let subtrees = der::nested(inner, subtrees_tag, Error::BadDer, |tagged| {
-            der::expect_tag_and_get_value(tagged, der::Tag::Sequence)
-        })?;
-        Ok(Some(subtrees))
+        der::expect_tag_and_get_value(inner, subtrees_tag).map(Some)
    }

    let permitted_subtrees = parse_subtrees(input, der::Tag::ContextSpecificConstructed0)?;
@ -167,6 +164,10 @@ fn check_presented_id_conforms_to_constraints_in_subtree(
                dns_name::presented_id_matches_constraint(name, base).ok_or(Error::BadDer)
            }

+            (GeneralName::DirectoryName(name), GeneralName::DnsName(base)) => {
+                common_name(name).map(|cn| cn == base)
+            }
+
            (GeneralName::DirectoryName(name), GeneralName::DirectoryName(base)) => Ok(
                presented_directory_name_matches_constraint(name, base, subtrees),
            ),
@ -326,3 +327,18 @@ fn general_name<'a>(input: &mut untrusted::Reader<'a>) -> Result<GeneralName<'a>
    };
    Ok(name)
 }
+
+static COMMON_NAME: untrusted::Input = untrusted::Input::from(&[85, 4, 3]);
+
+fn common_name(input: untrusted::Input) -> Result<untrusted::Input, Error> {
+    let inner = &mut untrusted::Reader::new(input);
+    der::nested(inner, der::Tag::Set, Error::BadDer, |tagged| {
+        der::nested(tagged, der::Tag::Sequence, Error::BadDer, |tagged| {
+            let value = der::expect_tag_and_get_value(tagged, der::Tag::OID)?;
+            if value != COMMON_NAME {
+                return Err(Error::BadDer);
+            }
+            der::expect_tag_and_get_value(tagged, der::Tag::UTF8String)
+        })
+    })
+}
--- a/src/verify_cert.rs
+++ b/src/verify_cert.rs
@ -80,6 +80,7 @@ fn build_chain_inner(

    // TODO: revocation.

+    #[allow(clippy::blocks_in_conditions)]
    match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
        let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
        if !equal(cert.issuer, trust_anchor_subject) {
--- a/tests/integration.rs
+++ b/tests/integration.rs
@ -53,6 +53,25 @@ pub fn netflix() {
    );
 }

+#[cfg(feature = "alloc")]
+#[test]
+pub fn wpt() {
+    let ee: &[u8] = include_bytes!("wpt/ee.der");
+    let ca = include_bytes!("wpt/ca.der");
+
+    let anchors = vec![webpki::TrustAnchor::try_from_cert_der(ca).unwrap()];
+    let anchors = webpki::TlsServerTrustAnchors(&anchors);
+
+    #[allow(clippy::unreadable_literal)] // TODO: Make this clear.
+    let time = webpki::Time::from_seconds_since_unix_epoch(1619256684);
+
+    let cert = webpki::EndEntityCert::try_from(ee).unwrap();
+    assert_eq!(
+        Ok(()),
+        cert.verify_is_valid_tls_server_cert(ALL_SIGALGS, &anchors, &[], time)
+    );
+}
+
 #[test]
 pub fn ed25519() {
    let ee: &[u8] = include_bytes!("ed25519/ee.der");
--- a/tests/wpt/ca.der
+++ b/tests/wpt/ca.der
--- a/tests/wpt/ee.der
+++ b/tests/wpt/ee.der
Author	SHA1	Message	Date
Ben Noordhuis	a463719ae3	Merge `3cef1bf053` into `94e6e88ed9`	2024-02-21 01:53:40 -07:00
Brian Smith	94e6e88ed9	CI: Use free macOS runners for aarch64-apple-darwin jobs.	2024-02-18 14:48:35 -08:00
Brian Smith	9613e5d115	Sync mk/{cargo.sh,install-build-tools.sh} with ring. In particular, LLVM/Clang 18 so that the coverage jobs succeed after Rust Nightly upgraded to LLVM 18.	2024-02-18 14:46:52 -08:00
Brian Smith	8f81719df5	Appease Clippy.	2024-02-18 13:14:42 -08:00
Ben Noordhuis	3cef1bf053	Fix name constraints check There were two bugs. webpki didn't: 1. read the X.509 Name Constraints field in its entirety, nor 2. check the certificate subject against the constraints correctly (1) is a simple fix, (2) requires reading the Common Name from the certificate. Closes #20, #134.	2021-05-02 00:40:37 +02:00