Merge e4d2683da8 into 94e6e88ed9

In particular, LLVM/Clang 18 so that the coverage jobs succeed after
Rust Nightly upgraded to LLVM 18.

.github/workflows/ci.yml

@@ -9,27 +9,21 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
-          components: rustfmt
-      - uses: briansmith/actions-checkout@v2
+      - run: rustup --version
+
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
+
       - run: cargo fmt --all -- --check
 
   clippy:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
-          components: clippy
+      - run: rustup --version
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -39,22 +33,19 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
+      - run: rustup --version
 
-      - uses: briansmith/actions-cache@v2
+      - uses: briansmith/actions-cache@v3
         with:
           path: |
             ~/.cargo/bin/cargo-audit
             ~/.cargo/.crates.toml
             ~/.cargo/.crates2.json
-          key: ${{ runner.os }}-v2-cargo-audit-0.13.1
+          key: ${{ runner.os }}-v2-cargo-audit-locked-0.18.3
 
-      - run: cargo install cargo-audit --vers "0.13.1"
+      - run: cargo install cargo-audit  --locked --vers "0.18.3"
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -66,22 +57,19 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
+      - run: rustup --version
 
-      - uses: briansmith/actions-cache@v2
+      - uses: briansmith/actions-cache@v3
         with:
           path: |
             ~/.cargo/bin/cargo-deny
             ~/.cargo/.crates.toml
             ~/.cargo/.crates2.json
-          key: ${{ runner.os }}-v2-cargo-deny-locked-0.8.5
+          key: ${{ runner.os }}-v2-cargo-deny-locked-0.14.3
 
-      - run: cargo install cargo-deny --locked --vers "0.8.5"
+      - run: cargo install cargo-deny --locked --vers "0.14.3"
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -91,24 +79,10 @@ jobs:
   rustdoc:
     runs-on: ubuntu-22.04
 
-    strategy:
-      matrix:
-        rust_channel:
-          - stable
-          - beta
-          - nightly
-
-        include:
-          - target: x86_64-unknown-linux-gnu
-
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          override: true
-          target: ${{ matrix.target }}
-          toolchain: ${{ matrix.rust_channel }}
+      - run: rustup --version
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -119,12 +93,9 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
+      - run: rustup --version
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
@@ -147,9 +118,12 @@ jobs:
           # portable.
           # Specifically choose `aarch64-pc-windows-msvc` since it was new in
           # *ring* 0.17.
+          - aarch64-apple-darwin
           - aarch64-pc-windows-msvc
           - arm-unknown-linux-gnueabihf
           - i686-pc-windows-msvc
+          - riscv64gc-unknown-linux-gnu
+          - wasm32-wasi
           - x86_64-unknown-linux-musl
           - x86_64-unknown-linux-gnu
 
@@ -165,12 +139,10 @@ jobs:
 
           - beta
 
-        exclude:
-          # 1.46.0 doesn't support `-Clink-self-contained`.
-          - target: x86_64-unknown-linux-musl
-            rust_channel: 1.46.0
-
         include:
+          - target: aarch64-apple-darwin
+            host_os: macos-14
+
           - target: aarch64-pc-windows-msvc
             host_os: windows-latest
             # GitHub Actions doesn't have a way to run this target yet.
@@ -182,32 +154,44 @@ jobs:
           - target: i686-pc-windows-msvc
             host_os: windows-latest
 
+          - target: riscv64gc-unknown-linux-gnu
+            host_os: ubuntu-22.04
+
+          - target: wasm32-wasi
+            host_os: ubuntu-22.04
+
           - target: x86_64-unknown-linux-musl
             host_os: ubuntu-22.04
 
           - target: x86_64-unknown-linux-gnu
             host_os: ubuntu-22.04
 
+            # rcgen requires *ring* 0.16 which doesn't support this target.
+          - target: aarch64-pc-windows-msvc
+            skip_rcgen: true
+          - target: riscv64gc-unknown-linux-gnu
+            skip_rcgen: true
+          - target: wasm32-wasi
+            skip_rcgen: true
+
+          - rust_channel: 1.61.0
+            # rcgen requires Rust 1.67.
+            skip_rcgen: true
+
     steps:
       - if: ${{ contains(matrix.host_os, 'ubuntu') }}
         run: sudo apt-get update -y
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
+      - run: rustup toolchain add --profile=minimal ${{ matrix.rust_channel }}
+      - run: rustup target add --toolchain=${{ matrix.rust_channel }} ${{ matrix.target }}
+
       - if: ${{ !contains(matrix.host_os, 'windows') }}
         run: mk/install-build-tools.sh --target=${{ matrix.target }} ${{ matrix.features }}
 
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          override: true
-          target: ${{ matrix.target }}
-          toolchain: ${{ matrix.rust_channel }}
-
-      - if: ${{ matrix.target == 'aarch64-apple-darwin' }}
-        run: echo "DEVELOPER_DIR=/Applications/Xcode_12.2.app/Contents/Developer" >> $GITHUB_ENV
-
       - if: ${{ matrix.target == 'aarch64-pc-windows-msvc' }}
         run: |
           echo "C:\Program Files (x86)\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\x64\bin" >> $GITHUB_PATH
@@ -215,21 +199,20 @@ jobs:
 
       - if: ${{ !contains(matrix.host_os, 'windows') }}
         run: |
-          mk/cargo.sh test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
+          mk/cargo.sh +${{ matrix.rust_channel }} test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
       - if: ${{ contains(matrix.host_os, 'windows') }}
         run: |
-          cargo test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
+          cargo +${{ matrix.rust_channel }} test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
-      # rcgen-based tests require Rust 1.67.
-      - if: ${{ !contains(matrix.host_os, 'windows') && !contains(matrix.rust_channel, '1.61.0') }}
+      - if: ${{ !contains(matrix.host_os, 'windows') && !contains(matrix.skip_rcgen, 'true') }}
         run: |
-          mk/cargo.sh test -p rcgen-tests -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
+          mk/cargo.sh +${{ matrix.rust_channel }} test -p rcgen-tests -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
       # rcgen-based tests require Rust 1.67, and uses *ring* 0.16 which doesn't build for aarch64-pc-windows-msvc.
-      - if: ${{ contains(matrix.host_os, 'windows') && !contains(matrix.rust_channel, '1.61.0') && !contains(matrix.target, 'aarch64-pc-windows-msvc') }}
+      - if: ${{ contains(matrix.host_os, 'windows') && !contains(matrix.skip_rcgen, 'true') }}
         run: |
-          cargo test -vv -p rcgen-tests --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
+          cargo +${{ matrix.rust_channel }} test -vv -p rcgen-tests --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
   coverage:
     runs-on: ${{ matrix.host_os }}
@@ -259,27 +242,21 @@ jobs:
       - if: ${{ contains(matrix.host_os, 'ubuntu') }}
         run: sudo apt-get update -y
 
-      - uses: briansmith/actions-checkout@v2
+      - uses: briansmith/actions-checkout@v4
         with:
           persist-credentials: false
 
+      - run: rustup toolchain add --profile=minimal ${{ matrix.rust_channel }}
+      - run: rustup target add --toolchain=${{ matrix.rust_channel }} ${{ matrix.target }}
+
       - if: ${{ !contains(matrix.host_os, 'windows') }}
         run: RING_COVERAGE=1 mk/install-build-tools.sh --target=${{ matrix.target }} ${{ matrix.features }}
 
-      - uses: briansmith/actions-rs-toolchain@v1
-        with:
-          override: true
-          target: ${{ matrix.target }}
-          toolchain: ${{ matrix.rust_channel }}
-
-      - if: ${{ matrix.target == 'aarch64-apple-darwin' }}
-        run: echo "DEVELOPER_DIR=/Applications/Xcode_12.2.app/Contents/Developer" >> $GITHUB_ENV
-
       - if: ${{ !contains(matrix.host_os, 'windows') }}
         run: |
           RING_COVERAGE=1 mk/cargo.sh +${{ matrix.rust_channel }} test --workspace -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }}
 
-      - uses: briansmith/codecov-codecov-action@v1
+      - uses: briansmith/codecov-codecov-action@v3
         with:
           directory: ./target/${{ matrix.target }}/debug/coverage/reports
           fail_ci_if_error: true

mk/cargo.sh

@@ -19,8 +19,17 @@ IFS=$'\n\t'
 
 rustflags_self_contained="-Clink-self-contained=yes -Clinker=rust-lld"
 qemu_aarch64="qemu-aarch64 -L /usr/aarch64-linux-gnu"
-qemu_arm="qemu-arm -L /usr/arm-linux-gnueabihf"
+qemu_arm_gnueabi="qemu-arm -L /usr/arm-linux-gnueabi"
+qemu_arm_gnueabihf="qemu-arm -L /usr/arm-linux-gnueabihf"
+qemu_mips="qemu-mips -L /usr/mips-linux-gnu"
+qemu_mips64="qemu-mips64 -L /usr/mips64-linux-gnuabi64"
+qemu_mips64el="qemu-mips64el -L /usr/mips64el-linux-gnuabi64"
 qemu_mipsel="qemu-mipsel -L /usr/mipsel-linux-gnu"
+qemu_powerpc="qemu-ppc -L /usr/powerpc-linux-gnu"
+qemu_powerpc64="qemu-ppc64 -L /usr/powerpc64-linux-gnu"
+qemu_powerpc64le="qemu-ppc64le -L /usr/powerpc64le-linux-gnu"
+qemu_riscv64="qemu-riscv64 -L /usr/riscv64-linux-gnu"
+qemu_s390x="qemu-s390x -L /usr/s390x-linux-gnu"
 
 # Avoid putting the Android tools in `$PATH` because there are tools in this
 # directory like `clang` that would conflict with the same-named tools that may
@@ -45,7 +54,7 @@ for arg in $*; do
 done
 
 # See comments in install-build-tools.sh.
-llvm_version=15
+llvm_version=18
 
 case $target in
    aarch64-linux-android)
@@ -66,22 +75,35 @@ case $target in
     export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
     export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUNNER="$qemu_aarch64"
     ;;
+  arm-unknown-linux-gnueabi)
+    export CC_arm_unknown_linux_gnueabi=arm-linux-gnueabi-gcc
+    export AR_arm_unknown_linux_gnueabi=arm-linux-gnueabi-gcc-ar
+    export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABI_LINKER=arm-linux-gnueabi-gcc
+    export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABI_RUNNER="$qemu_arm_gnueabi"
+    ;;
   arm-unknown-linux-gnueabihf)
+    # XXX: clang cannot build the sha256 and x25519 assembly.
     export CC_arm_unknown_linux_gnueabihf=arm-linux-gnueabihf-gcc
     export AR_arm_unknown_linux_gnueabihf=arm-linux-gnueabihf-gcc-ar
     export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_LINKER=arm-linux-gnueabihf-gcc
-    export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_RUNNER="$qemu_arm"
+    export CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_RUNNER="$qemu_arm_gnueabihf"
     ;;
   armv7-linux-androideabi)
     export CC_armv7_linux_androideabi=$android_tools/armv7a-linux-androideabi19-clang
     export AR_armv7_linux_androideabi=$android_tools/llvm-ar
     export CARGO_TARGET_ARMV7_LINUX_ANDROIDEABI_LINKER=$android_tools/armv7a-linux-androideabi19-clang
     ;;
+  armv7-unknown-linux-gnueabihf)
+    export CC_armv7_unknown_linux_gnueabihf=arm-linux-gnueabihf-gcc
+    export AR_armv7_unknown_linux_gnueabihf=arm-linux-gnueabihf-gcc-ar
+    export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_GNUEABIHF_LINKER=arm-linux-gnueabihf-gcc
+    export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_GNUEABIHF_RUNNER="$qemu_arm_gnueabihf"
+    ;;
   armv7-unknown-linux-musleabihf)
     export CC_armv7_unknown_linux_musleabihf=clang-$llvm_version
     export AR_armv7_unknown_linux_musleabihf=llvm-ar-$llvm_version
     export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_RUSTFLAGS="$rustflags_self_contained"
-    export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_RUNNER="$qemu_arm"
+    export CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_RUNNER="$qemu_arm_gnueabihf"
     ;;
   i686-unknown-linux-gnu)
     export CC_i686_unknown_linux_gnu=clang-$llvm_version
@@ -93,12 +115,67 @@ case $target in
     export AR_i686_unknown_linux_musl=llvm-ar-$llvm_version
     export CARGO_TARGET_I686_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
     ;;
+  mips-unknown-linux-gnu)
+    export CC_mips_unknown_linux_gnu=mips-linux-gnu-gcc
+    export AR_mips_unknown_linux_gnu=mips-linux-gnu-gcc-ar
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_LINKER=mips-linux-gnu-gcc
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mips"
+    ;;
+  mips64-unknown-linux-gnuabi64)
+    export CC_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc
+    export AR_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_LINKER=mips64-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64"
+    ;;
+  mips64el-unknown-linux-gnuabi64)
+    export CC_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc
+    export AR_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_LINKER=mips64el-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64el"
+    ;;
   mipsel-unknown-linux-gnu)
     export CC_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc
     export AR_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc-ar
     export CARGO_TARGET_MIPSEL_UNKNOWN_LINUX_GNU_LINKER=mipsel-linux-gnu-gcc
     export CARGO_TARGET_MIPSEL_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mipsel"
     ;;
+  powerpc-unknown-linux-gnu)
+    export CC_powerpc_unknown_linux_gnu=clang-$llvm_version
+    export AR_powerpc_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CFLAGS_powerpc_unknown_linux_gnu="--sysroot=/usr/powerpc-linux-gnu"
+    export CARGO_TARGET_POWERPC_UNKNOWN_LINUX_GNU_LINKER=powerpc-linux-gnu-gcc
+    export CARGO_TARGET_POWERPC_UNKNOWN_LINUX_GNU_RUNNER="$qemu_powerpc"
+    ;;
+  powerpc64-unknown-linux-gnu)
+    export CC_powerpc64_unknown_linux_gnu=clang-$llvm_version
+    export AR_powerpc64_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CFLAGS_powerpc64_unknown_linux_gnu="--sysroot=/usr/powerpc64-linux-gnu"
+    export CARGO_TARGET_POWERPC64_UNKNOWN_LINUX_GNU_LINKER=powerpc64-linux-gnu-gcc
+    export CARGO_TARGET_POWERPC64_UNKNOWN_LINUX_GNU_RUNNER="$qemu_powerpc64"
+    ;;
+  powerpc64le-unknown-linux-gnu)
+    export CC_powerpc64le_unknown_linux_gnu=clang-$llvm_version
+    export AR_powerpc64le_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CFLAGS_powerpc64le_unknown_linux_gnu="--sysroot=/usr/powerpc64le-linux-gnu"
+    export CARGO_TARGET_POWERPC64LE_UNKNOWN_LINUX_GNU_LINKER=powerpc64le-linux-gnu-gcc
+    export CARGO_TARGET_POWERPC64LE_UNKNOWN_LINUX_GNU_RUNNER="$qemu_powerpc64le"
+    ;;
+  riscv64gc-unknown-linux-gnu)
+    export CC_riscv64gc_unknown_linux_gnu=clang-$llvm_version
+    export AR_riscv64gc_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CARGO_TARGET_RISCV64GC_UNKNOWN_LINUX_GNU_LINKER=riscv64-linux-gnu-gcc
+    export CARGO_TARGET_RISCV64GC_UNKNOWN_LINUX_GNU_RUNNER="$qemu_riscv64"
+    ;;
+  s390x-unknown-linux-gnu)
+    export CC_s390x_unknown_linux_gnu=clang-$llvm_version
+    export AR_s390x_unknown_linux_gnu=llvm-ar-$llvm_version
+    # XXX: Using -march=zEC12 to work around a z13 instruction bug in
+    # QEMU 8.0.2 and earlier that causes `test_constant_time` to fail
+    # (https://lists.gnu.org/archive/html/qemu-devel/2023-05/msg06965.html).
+    export CFLAGS_s390x_unknown_linux_gnu="--sysroot=/usr/s390x-linux-gnu -march=zEC12"
+    export CARGO_TARGET_S390X_UNKNOWN_LINUX_GNU_LINKER=s390x-linux-gnu-gcc
+    export CARGO_TARGET_S390X_UNKNOWN_LINUX_GNU_RUNNER="$qemu_s390x"
+    ;;
   x86_64-unknown-linux-musl)
     export CC_x86_64_unknown_linux_musl=clang-$llvm_version
     export AR_x86_64_unknown_linux_musl=llvm-ar-$llvm_version
@@ -109,6 +186,11 @@ case $target in
       export CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
     fi
     ;;
+  loongarch64-unknown-linux-gnu)
+    export CC_loongarch64_unknown_linux_gnu=clang-$llvm_version
+    export AR_loongarch64_unknown_linux_gnu=llvm-ar-$llvm_version
+    export CARGO_TARGET_LOONGARCH64_UNKNOWN_LINUX_GNU_LINKER=clang-$llvm_version
+    ;;
   wasm32-unknown-unknown)
     # The first two are only needed for when the "wasm_c" feature is enabled.
     export CC_wasm32_unknown_unknown=clang-$llvm_version
@@ -116,6 +198,12 @@ case $target in
     export CARGO_TARGET_WASM32_UNKNOWN_UNKNOWN_RUNNER=wasm-bindgen-test-runner
     export WASM_BINDGEN_TEST_TIMEOUT=60
     ;;
+  wasm32-wasi)
+    # The first two are only needed for when the "wasm_c" feature is enabled.
+    export CC_wasm32_wasi=clang-$llvm_version
+    export AR_wasm32_wasi=llvm-ar-$llvm_version
+    export CARGO_TARGET_WASM32_WASI_RUNNER=target/tools/linux-x86_64/wasmtime/wasmtime
+    ;;
   *)
     ;;
 esac

mk/install-build-tools.ps1

@@ -0,0 +1,6 @@
+# TODO: Lock this down to a specific commit instead of always using the latest.
+git clone `
+    --branch windows `
+    --depth 1 `
+    https://github.com/briansmith/ring-toolchain `
+    target/tools/windows

mk/install-build-tools.sh

@@ -70,7 +70,13 @@ case $target in
   install_packages \
     qemu-user
   ;;
---target=arm-unknown-linux-gnueabihf)
+--target=arm-unknown-linux-gnueabi)
+  install_packages \
+    qemu-user \
+    gcc-arm-linux-gnueabi \
+    libc6-dev-armel-cross
+  ;;
+--target=arm-unknown-linux-gnueabihf|--target=armv7-unknown-linux-gnueabihf)
   install_packages \
     qemu-user \
     gcc-arm-linux-gnueabihf \
@@ -85,16 +91,81 @@ case $target in
 --target=i686-unknown-linux-musl|--target=x86_64-unknown-linux-musl)
   use_clang=1
   ;;
+--target=loongarch64-unknown-linux-gnu)
+  use_clang=1
+  ;;
+--target=mips-unknown-linux-gnu)
+  install_packages \
+    gcc-mips-linux-gnu \
+    libc6-dev-mips-cross \
+    qemu-user
+  ;;
+--target=mips64-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64-linux-gnuabi64 \
+    libc6-dev-mips64-cross \
+    qemu-user
+  ;;
+--target=mips64el-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64el-linux-gnuabi64 \
+    libc6-dev-mips64el-cross \
+    qemu-user
+  ;;
 --target=mipsel-unknown-linux-gnu)
   install_packages \
     gcc-mipsel-linux-gnu \
     libc6-dev-mipsel-cross \
     qemu-user
   ;;
+--target=powerpc-unknown-linux-gnu)
+  use_clang=1
+  install_packages \
+    gcc-powerpc-linux-gnu \
+    libc6-dev-powerpc-cross \
+    qemu-user
+  ;;
+--target=powerpc64-unknown-linux-gnu)
+  use_clang=1
+  install_packages \
+    gcc-powerpc64-linux-gnu \
+    libc6-dev-ppc64-cross \
+    qemu-user
+  ;;
+--target=powerpc64le-unknown-linux-gnu)
+  use_clang=1
+  install_packages \
+    gcc-powerpc64le-linux-gnu \
+    libc6-dev-ppc64el-cross \
+    qemu-user
+  ;;
+--target=riscv64gc-unknown-linux-gnu)
+  use_clang=1
+  install_packages \
+    gcc-riscv64-linux-gnu \
+    libc6-dev-riscv64-cross \
+    qemu-user
+  ;;
+--target=s390x-unknown-linux-gnu)
+  # Clang is needed for code coverage.
+  use_clang=1
+  install_packages \
+    qemu-user \
+    gcc-s390x-linux-gnu \
+    libc6-dev-s390x-cross
+  ;;
 --target=wasm32-unknown-unknown)
   cargo install wasm-bindgen-cli --bin wasm-bindgen-test-runner
   use_clang=1
   ;;
+--target=wasm32-wasi)
+  use_clang=1
+  git clone \
+      --branch linux-x86_64 \
+      --depth 1 \
+      https://github.com/briansmith/ring-toolchain \
+      target/tools/linux-x86_64
+  ;;
 --target=*)
   ;;
 esac
@@ -102,7 +173,7 @@ esac
 case "$OSTYPE" in
 linux*)
   ubuntu_codename=$(lsb_release --codename --short)
-  llvm_version=15
+  llvm_version=18
   sudo apt-key add mk/llvm-snapshot.gpg.key
   sudo add-apt-repository "deb http://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main"
   sudo apt-get update

src/der.rs

@@ -14,7 +14,7 @@
 
 use crate::{calendar, time, Error};
 pub use ring::io::{
-    der::{nested, Tag, CONSTRUCTED},
+    der::{nested, Tag},
     Positive,
 };
 
@@ -171,3 +171,78 @@ macro_rules! oid {
         [(40 * $first) + $second, $( $tail ),*]
     )
 }
+
+#[cfg(test)]
+mod tests {
+    fn bytes_reader(bytes: &[u8]) -> untrusted::Reader {
+        return untrusted::Reader::new(untrusted::Input::from(bytes));
+    }
+
+    #[test]
+    fn test_optional_boolean() {
+        use super::{optional_boolean, Error};
+
+        // Empty input results in false
+        assert_eq!(false, optional_boolean(&mut bytes_reader(&[])).unwrap());
+
+        // Optional, so another data type results in false
+        assert_eq!(
+            false,
+            optional_boolean(&mut bytes_reader(&[0x05, 0x00])).unwrap()
+        );
+
+        // Only 0x00 and 0xff are accepted values
+        assert_eq!(
+            Err(Error::BadDer),
+            optional_boolean(&mut bytes_reader(&[0x01, 0x01, 0x42]))
+        );
+
+        // True
+        assert_eq!(
+            true,
+            optional_boolean(&mut bytes_reader(&[0x01, 0x01, 0xff])).unwrap()
+        );
+
+        // False
+        assert_eq!(
+            false,
+            optional_boolean(&mut bytes_reader(&[0x01, 0x01, 0x00])).unwrap()
+        );
+    }
+
+    #[test]
+    fn test_bit_string_with_no_unused_bits() {
+        use super::{bit_string_with_no_unused_bits, Error};
+
+        // Unexpected type
+        assert_eq!(
+            Err(Error::BadDer),
+            bit_string_with_no_unused_bits(&mut bytes_reader(&[0x01, 0x01, 0xff]))
+        );
+
+        // Unexpected nonexistent type
+        assert_eq!(
+            Err(Error::BadDer),
+            bit_string_with_no_unused_bits(&mut bytes_reader(&[0x42, 0xff, 0xff]))
+        );
+
+        // Unexpected empty input
+        assert_eq!(
+            Err(Error::BadDer),
+            bit_string_with_no_unused_bits(&mut bytes_reader(&[]))
+        );
+
+        // Valid input with non-zero unused bits
+        assert_eq!(
+            Err(Error::BadDer),
+            bit_string_with_no_unused_bits(&mut bytes_reader(&[0x03, 0x03, 0x04, 0x12, 0x34]))
+        );
+
+        // Valid input
+        assert_eq!(
+            untrusted::Input::from(&[0x12, 0x34]),
+            bit_string_with_no_unused_bits(&mut bytes_reader(&[0x03, 0x03, 0x00, 0x12, 0x34]))
+                .unwrap()
+        );
+    }
+}

src/verify_cert.rs

@@ -80,6 +80,7 @@ fn build_chain_inner(
 
     // TODO: revocation.
 
+    #[allow(clippy::blocks_in_conditions)]
     match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
         let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
         if !equal(cert.issuer, trust_anchor_subject) {