Merge eb358ea1cf into 94e6e88ed9

In particular, LLVM/Clang 18 so that the coverage jobs succeed after
Rust Nightly upgraded to LLVM 18.

.github/workflows/ci.yml

@@ -141,7 +141,7 @@ jobs:
 
         include:
           - target: aarch64-apple-darwin
-            host_os: macos-13-xlarge
+            host_os: macos-14
 
           - target: aarch64-pc-windows-msvc
             host_os: windows-latest

mk/cargo.sh

@@ -21,6 +21,9 @@ rustflags_self_contained="-Clink-self-contained=yes -Clinker=rust-lld"
 qemu_aarch64="qemu-aarch64 -L /usr/aarch64-linux-gnu"
 qemu_arm_gnueabi="qemu-arm -L /usr/arm-linux-gnueabi"
 qemu_arm_gnueabihf="qemu-arm -L /usr/arm-linux-gnueabihf"
+qemu_mips="qemu-mips -L /usr/mips-linux-gnu"
+qemu_mips64="qemu-mips64 -L /usr/mips64-linux-gnuabi64"
+qemu_mips64el="qemu-mips64el -L /usr/mips64el-linux-gnuabi64"
 qemu_mipsel="qemu-mipsel -L /usr/mipsel-linux-gnu"
 qemu_powerpc="qemu-ppc -L /usr/powerpc-linux-gnu"
 qemu_powerpc64="qemu-ppc64 -L /usr/powerpc64-linux-gnu"
@@ -51,7 +54,7 @@ for arg in $*; do
 done
 
 # See comments in install-build-tools.sh.
-llvm_version=16
+llvm_version=18
 
 case $target in
    aarch64-linux-android)
@@ -112,6 +115,24 @@ case $target in
     export AR_i686_unknown_linux_musl=llvm-ar-$llvm_version
     export CARGO_TARGET_I686_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
     ;;
+  mips-unknown-linux-gnu)
+    export CC_mips_unknown_linux_gnu=mips-linux-gnu-gcc
+    export AR_mips_unknown_linux_gnu=mips-linux-gnu-gcc-ar
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_LINKER=mips-linux-gnu-gcc
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mips"
+    ;;
+  mips64-unknown-linux-gnuabi64)
+    export CC_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc
+    export AR_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_LINKER=mips64-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64"
+    ;;
+  mips64el-unknown-linux-gnuabi64)
+    export CC_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc
+    export AR_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_LINKER=mips64el-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64el"
+    ;;
   mipsel-unknown-linux-gnu)
     export CC_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc
     export AR_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc-ar

mk/install-build-tools.sh

@@ -94,6 +94,24 @@ case $target in
 --target=loongarch64-unknown-linux-gnu)
   use_clang=1
   ;;
+--target=mips-unknown-linux-gnu)
+  install_packages \
+    gcc-mips-linux-gnu \
+    libc6-dev-mips-cross \
+    qemu-user
+  ;;
+--target=mips64-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64-linux-gnuabi64 \
+    libc6-dev-mips64-cross \
+    qemu-user
+  ;;
+--target=mips64el-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64el-linux-gnuabi64 \
+    libc6-dev-mips64el-cross \
+    qemu-user
+  ;;
 --target=mipsel-unknown-linux-gnu)
   install_packages \
     gcc-mipsel-linux-gnu \
@@ -155,7 +173,7 @@ esac
 case "$OSTYPE" in
 linux*)
   ubuntu_codename=$(lsb_release --codename --short)
-  llvm_version=16
+  llvm_version=18
   sudo apt-key add mk/llvm-snapshot.gpg.key
   sudo add-apt-repository "deb http://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main"
   sudo apt-get update

src/der.rs

@@ -14,7 +14,7 @@
 
 use crate::{calendar, time, Error};
 pub use ring::io::{
-    der::{nested, Tag, CONSTRUCTED},
+    der::{nested, Tag},
     Positive,
 };
 

src/end_entity.rs

@@ -239,4 +239,39 @@ impl<'a> EndEntityCert<'a> {
             untrusted::Input::from(signature),
         )
     }
+
+    /// Verifies that the end-entity certificate is valid for use by cert chain
+    ///
+    /// `required_eku` is the Certificate Extended Key Usage Oid in bytes.
+    /// If the certificate is not valid for `required_eku` then this
+    /// fails with `Error::CertNotValidForName`.
+    /// `supported_sig_algs` is the list of signature algorithms that are
+    /// trusted for use in certificate signatures; the end-entity certificate's
+    /// public key is not validated against this list. `trust_anchors` is the
+    /// list of root CAs to trust. `intermediate_certs` is the sequence of
+    /// intermediate certificates that the client sent in the TLS handshake.
+    /// `cert` is the purported end-entity certificate of the client. `time` is
+    /// the time for which the validation is effective (usually the current
+    /// time).
+    ///
+    pub fn verify_is_valid_cert_with_eku(
+        &self,
+        required_eku: &'static [u8],
+        supported_sig_algs: &[&SignatureAlgorithm],
+        trust_anchors: &[crate::TrustAnchor],
+        intermediate_certs: &[&[u8]],
+        time: Time,
+    ) -> Result<(), Error> {
+        let eku = verify_cert::KeyPurposeId::new(required_eku);
+
+        crate::verify_cert::build_chain(
+            eku,
+            supported_sig_algs,
+            trust_anchors,
+            intermediate_certs,
+            &self.inner,
+            time,
+            0,
+        )
+    }
 }

src/verify_cert.rs

@@ -80,6 +80,7 @@ fn build_chain_inner(
 
     // TODO: revocation.
 
+    #[allow(clippy::blocks_in_conditions)]
     match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
         let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
         if !equal(cert.issuer, trust_anchor_subject) {
@@ -309,6 +310,22 @@ pub struct KeyPurposeId {
     oid_value: untrusted::Input<'static>,
 }
 
+impl KeyPurposeId {
+    /// Construct a new `KeyPurposeId`
+    ///
+    /// `oid` is the OBJECT IDENTIFIER in bytes.
+    ///
+    /// For example:
+    /// static EKU_SERVER_AUTH_BYTES: &'static [u8] = &[(40 * 1) + 3, 6, 1, 5, 5, 7, 3, 1];
+    /// let oid = KeyPurposeId::new(EKU_SERVER_AUTH_BYTES);
+    ///
+    pub fn new(oid: &'static [u8]) -> Self {
+        KeyPurposeId {
+            oid_value: untrusted::Input::from(oid),
+        }
+    }
+}
+
 // id-pkix            OBJECT IDENTIFIER ::= { 1 3 6 1 5 5 7 }
 // id-kp              OBJECT IDENTIFIER ::= { id-pkix 3 }