Merge 0571f5cb4e into 94e6e88ed9

In particular, LLVM/Clang 18 so that the coverage jobs succeed after
Rust Nightly upgraded to LLVM 18.

.github/workflows/ci.yml

@@ -9,27 +9,21 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
-          components: rustfmt
-      - uses: briansmith/actions-checkout@v2
+      - run: rustup --version
+
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
+
       - run: cargo fmt --all -- --check
 
   clippy:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
-          components: clippy
+      - run: rustup --version
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -39,22 +33,19 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
+      - run: rustup --version
 
-      - uses: briansmith/actions-cache@v2
+      - uses: briansmith/actions-cache@v3
         with:
           path: |
             ~/.cargo/bin/cargo-audit
             ~/.cargo/.crates.toml
             ~/.cargo/.crates2.json
-          key: ${{ runner.os }}-v2-cargo-audit-0.13.1
+          key: ${{ runner.os }}-v2-cargo-audit-locked-0.18.3
 
-      - run: cargo install cargo-audit --vers "0.13.1"
+      - run: cargo install cargo-audit  --locked --vers "0.18.3"
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -66,22 +57,19 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
+      - run: rustup --version
 
-      - uses: briansmith/actions-cache@v2
+      - uses: briansmith/actions-cache@v3
         with:
           path: |
             ~/.cargo/bin/cargo-deny
             ~/.cargo/.crates.toml
             ~/.cargo/.crates2.json
-          key: ${{ runner.os }}-v2-cargo-deny-locked-0.8.5
+          key: ${{ runner.os }}-v2-cargo-deny-locked-0.14.3
 
-      - run: cargo install cargo-deny --locked --vers "0.8.5"
+      - run: cargo install cargo-deny --locked --vers "0.14.3"
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -91,24 +79,10 @@ jobs:
   rustdoc:
     runs-on: ubuntu-22.04
 
-    strategy:
-      matrix:
-        rust_channel:
-          - stable
-          - beta
-          - nightly
-
-        include:
-          - target: x86_64-unknown-linux-gnu
-
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          override: true
-          target: ${{ matrix.target }}
-          toolchain: ${{ matrix.rust_channel }}
+      - run: rustup --version
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -119,12 +93,9 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
+      - run: rustup --version
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -147,9 +118,12 @@ jobs:
           # portable.
           # Specifically choose `aarch64-pc-windows-msvc` since it was new in
           # *ring* 0.17.
+          - aarch64-apple-darwin
           - aarch64-pc-windows-msvc
           - arm-unknown-linux-gnueabihf
           - i686-pc-windows-msvc
+          - riscv64gc-unknown-linux-gnu
+          - wasm32-wasi
           - x86_64-unknown-linux-musl
           - x86_64-unknown-linux-gnu
 
@@ -165,12 +139,10 @@ jobs:
 
           - beta
 
-        exclude:
-          # 1.46.0 doesn't support `-Clink-self-contained`.
-          - target: x86_64-unknown-linux-musl
-            rust_channel: 1.46.0
-
         include:
+          - target: aarch64-apple-darwin
+            host_os: macos-14
+
           - target: aarch64-pc-windows-msvc
             host_os: windows-latest
             # GitHub Actions doesn't have a way to run this target yet.
@@ -182,32 +154,44 @@ jobs:
           - target: i686-pc-windows-msvc
             host_os: windows-latest
 
+          - target: riscv64gc-unknown-linux-gnu
+            host_os: ubuntu-22.04
+
+          - target: wasm32-wasi
+            host_os: ubuntu-22.04
+
           - target: x86_64-unknown-linux-musl
             host_os: ubuntu-22.04
 
           - target: x86_64-unknown-linux-gnu
             host_os: ubuntu-22.04
 
+            # rcgen requires *ring* 0.16 which doesn't support this target.
+          - target: aarch64-pc-windows-msvc
+            skip_rcgen: true
+          - target: riscv64gc-unknown-linux-gnu
+            skip_rcgen: true
+          - target: wasm32-wasi
+            skip_rcgen: true
+
+          - rust_channel: 1.61.0
+            # rcgen requires Rust 1.67.
+            skip_rcgen: true
+
     steps:
       - if: ${{ contains(matrix.host_os, 'ubuntu') }}
         run: sudo apt-get update -y
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
+      - run: rustup toolchain add --profile=minimal ${{ matrix.rust_channel }}
+      - run: rustup target add --toolchain=${{ matrix.rust_channel }} ${{ matrix.target }}
+
       - if: ${{ !contains(matrix.host_os, 'windows') }}
         run: mk/install-build-tools.sh --target=${{ matrix.target }} ${{ matrix.features }}
 
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          override: true
-          target: ${{ matrix.target }}
-          toolchain: ${{ matrix.rust_channel }}
-
-      - if: ${{ matrix.target == 'aarch64-apple-darwin' }}
-        run: echo "DEVELOPER_DIR=/Applications/Xcode_12.2.app/Contents/Developer" >> $GITHUB_ENV
-
       - if: ${{ matrix.target == 'aarch64-pc-windows-msvc' }}
         run: |
           echo "C:\Program Files (x86)\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\x64\bin" >> $GITHUB_PATH
@@ -215,21 +199,20 @@ jobs:
 
       - if: ${{ !contains(matrix.host_os, 'windows') }}
         run: |
-          mk/cargo.sh test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
+          mk/cargo.sh +${{ matrix.rust_channel }} test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
       - if: ${{ contains(matrix.host_os, 'windows') }}
         run: |
-          cargo test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
+          cargo +${{ matrix.rust_channel }} test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
-      # rcgen-based tests require Rust 1.67.
-      - if: ${{ !contains(matrix.host_os, 'windows') && !contains(matrix.rust_channel, '1.61.0') }}
+      - if: ${{ !contains(matrix.host_os, 'windows') && !contains(matrix.skip_rcgen, 'true') }}
         run: |
-          mk/cargo.sh test -p rcgen-tests -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
+          mk/cargo.sh +${{ matrix.rust_channel }} test -p rcgen-tests -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
       # rcgen-based tests require Rust 1.67, and uses *ring* 0.16 which doesn't build for aarch64-pc-windows-msvc.
-      - if: ${{ contains(matrix.host_os, 'windows') && !contains(matrix.rust_channel, '1.61.0') && !contains(matrix.target, 'aarch64-pc-windows-msvc') }}
+      - if: ${{ contains(matrix.host_os, 'windows') && !contains(matrix.skip_rcgen, 'true') }}
         run: |
-          cargo test -vv -p rcgen-tests --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
+          cargo +${{ matrix.rust_channel }} test -vv -p rcgen-tests --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
   coverage:
     runs-on: ${{ matrix.host_os }}
@@ -259,27 +242,21 @@ jobs:
       - if: ${{ contains(matrix.host_os, 'ubuntu') }}
         run: sudo apt-get update -y
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
+      - run: rustup toolchain add --profile=minimal ${{ matrix.rust_channel }}
+      - run: rustup target add --toolchain=${{ matrix.rust_channel }} ${{ matrix.target }}
+
       - if: ${{ !contains(matrix.host_os, 'windows') }}
         run: RING_COVERAGE=1 mk/install-build-tools.sh --target=${{ matrix.target }} ${{ matrix.features }}
 
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          override: true
-          target: ${{ matrix.target }}
-          toolchain: ${{ matrix.rust_channel }}
-
-      - if: ${{ matrix.target == 'aarch64-apple-darwin' }}
-        run: echo "DEVELOPER_DIR=/Applications/Xcode_12.2.app/Contents/Developer" >> $GITHUB_ENV
-
       - if: ${{ !contains(matrix.host_os, 'windows') }}
         run: |
           RING_COVERAGE=1 mk/cargo.sh +${{ matrix.rust_channel }} test --workspace -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
-      - uses: briansmith/codecov-codecov-action@v1
+      - uses: briansmith/codecov-codecov-action@v3
         with:
           directory: ./target/${{ matrix.target }}/debug/coverage/reports
           fail_ci_if_error: true

Cargo.toml

@@ -22,7 +22,7 @@ name = "webpki"
 readme = "README.md"
 repository = "https://github.com/briansmith/webpki"
 rust-version = "1.61.0"
-version = "0.22.2"
+version = "0.22.4"
 
 include = [
     "Cargo.toml",

mk/cargo.sh

@@ -19,8 +19,17 @@ IFS=$'\n\t'
 
 rustflags_self_contained="-Clink-self-contained=yes -Clinker=rust-lld"
 qemu_aarch64="qemu-aarch64 -L /usr/aarch64-linux-gnu"
-qemu_arm="qemu-arm -L /usr/arm-linux-gnueabihf"
+qemu_arm_gnueabi="qemu-arm -L /usr/arm-linux-gnueabi"
+qemu_arm_gnueabihf="qemu-arm -L /usr/arm-linux-gnueabihf"
+qemu_mips="qemu-mips -L /usr/mips-linux-gnu"
+qemu_mips64="qemu-mips64 -L /usr/mips64-linux-gnuabi64"
+qemu_mips64el="qemu-mips64el -L /usr/mips64el-linux-gnuabi64"
 qemu_mipsel="qemu-mipsel -L /usr/mipsel-linux-gnu"
+qemu_powerpc="qemu-ppc -L /usr/powerpc-linux-gnu"
+qemu_powerpc64="qemu-ppc64 -L /usr/powerpc64-linux-gnu"
+qemu_powerpc64le="qemu-ppc64le -L /usr/powerpc64le-linux-gnu"
+qemu_riscv64="qemu-riscv64 -L /usr/riscv64-linux-gnu"
+qemu_s390x="qemu-s390x -L /usr/s390x-linux-gnu"
 
 # Avoid putting the Android tools in `$PATH` because there are tools in this
 # directory like `clang` that would conflict with the same-named tools that may
@@ -45,7 +54,7 @@ for arg in $*; do
 done
 
 # See comments in install-build-tools.sh.
-llvm_version=15
+llvm_version=18
 
 case $target in
    aarch64-linux-android)
@@ -66,22 +75,35 @@ case $target in
     export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
     export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUNNER="$qemu_aarch64"
     ;;
+  arm-unknown-linux-gnueabi)
+    export CC_arm_unknown_linux_gnueabi=arm-linux-gnueabi-gcc
+    export AR_arm_unknown_linux_gnueabi=arm-linux-gnueabi-gcc-ar
+    export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABI_LINKER=arm-linux-gnueabi-gcc
+    export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABI_RUNNER="$qemu_arm_gnueabi"
+    ;;
   arm-unknown-linux-gnueabihf)
+    # XXX: clang cannot build the sha256 and x25519 assembly.
     export CC_arm_unknown_linux_gnueabihf=arm-linux-gnueabihf-gcc
     export AR_arm_unknown_linux_gnueabihf=arm-linux-gnueabihf-gcc-ar
     export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_LINKER=arm-linux-gnueabihf-gcc
-    export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_RUNNER="$qemu_arm"
+    export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_RUNNER="$qemu_arm_gnueabihf"
     ;;
   armv7-linux-androideabi)
     export CC_armv7_linux_androideabi=$android_tools/armv7a-linux-androideabi19-clang
     export AR_armv7_linux_androideabi=$android_tools/llvm-ar
     export CARGO_TARGET_ARMV7_LINUX_ANDROIDEABI_LINKER=$android_tools/armv7a-linux-androideabi19-clang
     ;;
+  armv7-unknown-linux-gnueabihf)
+    export CC_armv7_unknown_linux_gnueabihf=arm-linux-gnueabihf-gcc
+    export AR_armv7_unknown_linux_gnueabihf=arm-linux-gnueabihf-gcc-ar
+    export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_GNUEABIHF_LINKER=arm-linux-gnueabihf-gcc
+    export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_GNUEABIHF_RUNNER="$qemu_arm_gnueabihf"
+    ;;
   armv7-unknown-linux-musleabihf)
     export CC_armv7_unknown_linux_musleabihf=clang-$llvm_version
     export AR_armv7_unknown_linux_musleabihf=llvm-ar-$llvm_version
     export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_RUSTFLAGS="$rustflags_self_contained"
-    export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_RUNNER="$qemu_arm"
+    export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_RUNNER="$qemu_arm_gnueabihf"
     ;;
   i686-unknown-linux-gnu)
     export CC_i686_unknown_linux_gnu=clang-$llvm_version
@@ -93,12 +115,67 @@ case $target in
     export AR_i686_unknown_linux_musl=llvm-ar-$llvm_version
     export CARGO_TARGET_I686_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
     ;;
+  mips-unknown-linux-gnu)
+    export CC_mips_unknown_linux_gnu=mips-linux-gnu-gcc
+    export AR_mips_unknown_linux_gnu=mips-linux-gnu-gcc-ar
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_LINKER=mips-linux-gnu-gcc
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mips"
+    ;;
+  mips64-unknown-linux-gnuabi64)
+    export CC_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc
+    export AR_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_LINKER=mips64-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64"
+    ;;
+  mips64el-unknown-linux-gnuabi64)
+    export CC_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc
+    export AR_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_LINKER=mips64el-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64el"
+    ;;
   mipsel-unknown-linux-gnu)
     export CC_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc
     export AR_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc-ar
     export CARGO_TARGET_MIPSEL_UNKNOWN_LINUX_GNU_LINKER=mipsel-linux-gnu-gcc
     export CARGO_TARGET_MIPSEL_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mipsel"
     ;;
+  powerpc-unknown-linux-gnu)
+    export CC_powerpc_unknown_linux_gnu=clang-$llvm_version
+    export AR_powerpc_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CFLAGS_powerpc_unknown_linux_gnu="--sysroot=/usr/powerpc-linux-gnu"
+    export CARGO_TARGET_POWERPC_UNKNOWN_LINUX_GNU_LINKER=powerpc-linux-gnu-gcc
+    export CARGO_TARGET_POWERPC_UNKNOWN_LINUX_GNU_RUNNER="$qemu_powerpc"
+    ;;
+  powerpc64-unknown-linux-gnu)
+    export CC_powerpc64_unknown_linux_gnu=clang-$llvm_version
+    export AR_powerpc64_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CFLAGS_powerpc64_unknown_linux_gnu="--sysroot=/usr/powerpc64-linux-gnu"
+    export CARGO_TARGET_POWERPC64_UNKNOWN_LINUX_GNU_LINKER=powerpc64-linux-gnu-gcc
+    export CARGO_TARGET_POWERPC64_UNKNOWN_LINUX_GNU_RUNNER="$qemu_powerpc64"
+    ;;
+  powerpc64le-unknown-linux-gnu)
+    export CC_powerpc64le_unknown_linux_gnu=clang-$llvm_version
+    export AR_powerpc64le_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CFLAGS_powerpc64le_unknown_linux_gnu="--sysroot=/usr/powerpc64le-linux-gnu"
+    export CARGO_TARGET_POWERPC64LE_UNKNOWN_LINUX_GNU_LINKER=powerpc64le-linux-gnu-gcc
+    export CARGO_TARGET_POWERPC64LE_UNKNOWN_LINUX_GNU_RUNNER="$qemu_powerpc64le"
+    ;;
+  riscv64gc-unknown-linux-gnu)
+    export CC_riscv64gc_unknown_linux_gnu=clang-$llvm_version
+    export AR_riscv64gc_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CARGO_TARGET_RISCV64GC_UNKNOWN_LINUX_GNU_LINKER=riscv64-linux-gnu-gcc
+    export CARGO_TARGET_RISCV64GC_UNKNOWN_LINUX_GNU_RUNNER="$qemu_riscv64"
+    ;;
+  s390x-unknown-linux-gnu)
+    export CC_s390x_unknown_linux_gnu=clang-$llvm_version
+    export AR_s390x_unknown_linux_gnu=llvm-ar-$llvm_version
+    # XXX: Using -march=zEC12 to work around a z13 instruction bug in
+    # QEMU 8.0.2 and earlier that causes `test_constant_time` to fail
+    # (https://lists.gnu.org/archive/html/qemu-devel/2023-05/msg06965.html).
+    export CFLAGS_s390x_unknown_linux_gnu="--sysroot=/usr/s390x-linux-gnu -march=zEC12"
+    export CARGO_TARGET_S390X_UNKNOWN_LINUX_GNU_LINKER=s390x-linux-gnu-gcc
+    export CARGO_TARGET_S390X_UNKNOWN_LINUX_GNU_RUNNER="$qemu_s390x"
+    ;;
   x86_64-unknown-linux-musl)
     export CC_x86_64_unknown_linux_musl=clang-$llvm_version
     export AR_x86_64_unknown_linux_musl=llvm-ar-$llvm_version
@@ -109,6 +186,11 @@ case $target in
       export CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
     fi
     ;;
+  loongarch64-unknown-linux-gnu)
+    export CC_loongarch64_unknown_linux_gnu=clang-$llvm_version
+    export AR_loongarch64_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CARGO_TARGET_LOONGARCH64_UNKNOWN_LINUX_GNU_LINKER=clang-$llvm_version
+    ;;
   wasm32-unknown-unknown)
     # The first two are only needed for when the "wasm_c" feature is enabled.
     export CC_wasm32_unknown_unknown=clang-$llvm_version
@@ -116,6 +198,12 @@ case $target in
     export CARGO_TARGET_WASM32_UNKNOWN_UNKNOWN_RUNNER=wasm-bindgen-test-runner
     export WASM_BINDGEN_TEST_TIMEOUT=60
     ;;
+  wasm32-wasi)
+    # The first two are only needed for when the "wasm_c" feature is enabled.
+    export CC_wasm32_wasi=clang-$llvm_version
+    export AR_wasm32_wasi=llvm-ar-$llvm_version
+    export CARGO_TARGET_WASM32_WASI_RUNNER=target/tools/linux-x86_64/wasmtime/wasmtime
+    ;;
   *)
     ;;
 esac

mk/install-build-tools.ps1

@@ -0,0 +1,6 @@
+# TODO: Lock this down to a specific commit instead of always using the latest.
+git clone `
+    --branch windows `
+    --depth 1 `
+    https://github.com/briansmith/ring-toolchain `
+    target/tools/windows

mk/install-build-tools.sh

@@ -70,7 +70,13 @@ case $target in
   install_packages \
     qemu-user
   ;;
---target=arm-unknown-linux-gnueabihf)
+--target=arm-unknown-linux-gnueabi)
+  install_packages \
+    qemu-user \
+    gcc-arm-linux-gnueabi \
+    libc6-dev-armel-cross
+  ;;
+--target=arm-unknown-linux-gnueabihf|--target=armv7-unknown-linux-gnueabihf)
   install_packages \
     qemu-user \
     gcc-arm-linux-gnueabihf \
@@ -85,16 +91,81 @@ case $target in
 --target=i686-unknown-linux-musl|--target=x86_64-unknown-linux-musl)
   use_clang=1
   ;;
+--target=loongarch64-unknown-linux-gnu)
+  use_clang=1
+  ;;
+--target=mips-unknown-linux-gnu)
+  install_packages \
+    gcc-mips-linux-gnu \
+    libc6-dev-mips-cross \
+    qemu-user
+  ;;
+--target=mips64-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64-linux-gnuabi64 \
+    libc6-dev-mips64-cross \
+    qemu-user
+  ;;
+--target=mips64el-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64el-linux-gnuabi64 \
+    libc6-dev-mips64el-cross \
+    qemu-user
+  ;;
 --target=mipsel-unknown-linux-gnu)
   install_packages \
     gcc-mipsel-linux-gnu \
     libc6-dev-mipsel-cross \
     qemu-user
   ;;
+--target=powerpc-unknown-linux-gnu)
+  use_clang=1
+  install_packages \
+    gcc-powerpc-linux-gnu \
+    libc6-dev-powerpc-cross \
+    qemu-user
+  ;;
+--target=powerpc64-unknown-linux-gnu)
+  use_clang=1
+  install_packages \
+    gcc-powerpc64-linux-gnu \
+    libc6-dev-ppc64-cross \
+    qemu-user
+  ;;
+--target=powerpc64le-unknown-linux-gnu)
+  use_clang=1
+  install_packages \
+    gcc-powerpc64le-linux-gnu \
+    libc6-dev-ppc64el-cross \
+    qemu-user
+  ;;
+--target=riscv64gc-unknown-linux-gnu)
+  use_clang=1
+  install_packages \
+    gcc-riscv64-linux-gnu \
+    libc6-dev-riscv64-cross \
+    qemu-user
+  ;;
+--target=s390x-unknown-linux-gnu)
+  # Clang is needed for code coverage.
+  use_clang=1
+  install_packages \
+    qemu-user \
+    gcc-s390x-linux-gnu \
+    libc6-dev-s390x-cross
+  ;;
 --target=wasm32-unknown-unknown)
   cargo install wasm-bindgen-cli --bin wasm-bindgen-test-runner
   use_clang=1
   ;;
+--target=wasm32-wasi)
+  use_clang=1
+  git clone \
+      --branch linux-x86_64 \
+      --depth 1 \
+      https://github.com/briansmith/ring-toolchain \
+      target/tools/linux-x86_64
+  ;;
 --target=*)
   ;;
 esac
@@ -102,7 +173,7 @@ esac
 case "$OSTYPE" in
 linux*)
   ubuntu_codename=$(lsb_release --codename --short)
-  llvm_version=15
+  llvm_version=18
   sudo apt-key add mk/llvm-snapshot.gpg.key
   sudo add-apt-repository "deb http://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main"
   sudo apt-get update

src/calendar.rs

@@ -62,11 +62,13 @@ pub fn time_from_ymdhms_utc(
     ))
 }
 
+const UNIX_EPOCH_YEAR: u64 = 1970;
+
 fn days_before_year_since_unix_epoch(year: u64) -> Result<u64, Error> {
     // We don't support dates before January 1, 1970 because that is the
     // Unix epoch. It is likely that other software won't deal well with
     // certificates that have dates before the epoch.
-    if year < 1970 {
+    if year < UNIX_EPOCH_YEAR {
         return Err(Error::BadDerTime);
     }
     let days_before_year_ad = days_before_year_ad(year);
@@ -105,8 +107,25 @@ const DAYS_BEFORE_UNIX_EPOCH_AD: u64 = 719162;
 mod tests {
     #[test]
     fn test_days_before_unix_epoch() {
-        use super::{days_before_year_ad, DAYS_BEFORE_UNIX_EPOCH_AD};
-        assert_eq!(DAYS_BEFORE_UNIX_EPOCH_AD, days_before_year_ad(1970));
+        use super::{days_before_year_ad, DAYS_BEFORE_UNIX_EPOCH_AD, UNIX_EPOCH_YEAR};
+        assert_eq!(
+            DAYS_BEFORE_UNIX_EPOCH_AD,
+            days_before_year_ad(UNIX_EPOCH_YEAR)
+        );
+    }
+
+    #[test]
+    fn test_days_before_year_since_unix_epoch() {
+        use super::{days_before_year_since_unix_epoch, Error, UNIX_EPOCH_YEAR};
+        assert_eq!(Ok(0), days_before_year_since_unix_epoch(UNIX_EPOCH_YEAR));
+        assert_eq!(
+            Ok(365),
+            days_before_year_since_unix_epoch(UNIX_EPOCH_YEAR + 1)
+        );
+        assert_eq!(
+            Err(Error::BadDerTime),
+            days_before_year_since_unix_epoch(UNIX_EPOCH_YEAR - 1)
+        );
     }
 
     #[test]
@@ -135,7 +154,37 @@ mod tests {
     #[allow(clippy::unreadable_literal)] // TODO: Make this clear.
     #[test]
     fn test_time_from_ymdhms_utc() {
-        use super::{time_from_ymdhms_utc, Time};
+        use super::{time_from_ymdhms_utc, Error, Time, UNIX_EPOCH_YEAR};
+
+        // 1969-12-31 00:00:00
+        assert_eq!(
+            Err(Error::BadDerTime),
+            time_from_ymdhms_utc(UNIX_EPOCH_YEAR - 1, 1, 1, 0, 0, 0)
+        );
+
+        // 1969-12-31 23:59:59
+        assert_eq!(
+            Err(Error::BadDerTime),
+            time_from_ymdhms_utc(UNIX_EPOCH_YEAR - 1, 12, 31, 23, 59, 59)
+        );
+
+        // 1970-01-01 00:00:00
+        assert_eq!(
+            Time::from_seconds_since_unix_epoch(0),
+            time_from_ymdhms_utc(UNIX_EPOCH_YEAR, 1, 1, 0, 0, 0).unwrap()
+        );
+
+        // 1970-01-01 00:00:01
+        assert_eq!(
+            Time::from_seconds_since_unix_epoch(1),
+            time_from_ymdhms_utc(UNIX_EPOCH_YEAR, 1, 1, 0, 0, 1).unwrap()
+        );
+
+        // 1971-01-01 00:00:00
+        assert_eq!(
+            Time::from_seconds_since_unix_epoch(365 * 86400),
+            time_from_ymdhms_utc(UNIX_EPOCH_YEAR + 1, 1, 1, 0, 0, 0).unwrap()
+        );
 
         // year boundary
         assert_eq!(

src/der.rs

@@ -14,7 +14,7 @@
 
 use crate::{calendar, time, Error};
 pub use ring::io::{
-    der::{nested, Tag, CONSTRUCTED},
+    der::{nested, Tag},
     Positive,
 };
 

src/end_entity.rs

@@ -125,6 +125,25 @@ impl<'a> EndEntityCert<'a> {
         )
     }
 
+    /// Backward-SemVer-compatible wrapper around `verify_is_valid_tls_client_cert_ext`.
+    ///
+    /// Errors that aren't representable as an `Error` are mapped to `Error::UnknownIssuer`.
+    pub fn verify_is_valid_tls_client_cert(
+        &self,
+        supported_sig_algs: &[&SignatureAlgorithm],
+        trust_anchors: &TlsClientTrustAnchors,
+        intermediate_certs: &[&[u8]],
+        time: Time,
+    ) -> Result<(), Error> {
+        self.verify_is_valid_tls_client_cert_ext(
+            supported_sig_algs,
+            trust_anchors,
+            intermediate_certs,
+            time,
+        )
+        .map_err(ErrorExt::into_error_lossy)
+    }
+
     /// Verifies that the end-entity certificate is valid for use by a TLS
     /// client.
     ///
@@ -145,7 +164,7 @@ impl<'a> EndEntityCert<'a> {
         &TlsClientTrustAnchors(trust_anchors): &TlsClientTrustAnchors,
         intermediate_certs: &[&[u8]],
         time: Time,
-    ) -> Result<(), Error> {
+    ) -> Result<(), ErrorExt> {
         verify_cert::build_chain(
             verify_cert::EKU_CLIENT_AUTH,
             supported_sig_algs,
@@ -154,7 +173,6 @@ impl<'a> EndEntityCert<'a> {
             &self.inner,
             time,
         )
-        .map_err(ErrorExt::into_error_lossy)
     }
 
     /// Verifies that the certificate is valid for the given DNS host name.

src/verify_cert.rs

@@ -80,6 +80,7 @@ fn build_chain_inner(
 
     // TODO: revocation.
 
+    #[allow(clippy::blocks_in_conditions)]
     match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
         let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
         if !equal(cert.issuer, trust_anchor_subject) {