Merge 691ea4cfa1 into 94e6e88ed9

In particular, LLVM/Clang 18 so that the coverage jobs succeed after
Rust Nightly upgraded to LLVM 18.

.github/workflows/ci.yml

@@ -141,7 +141,7 @@ jobs:
 
         include:
           - target: aarch64-apple-darwin
-            host_os: macos-13-xlarge
+            host_os: macos-14
 
           - target: aarch64-pc-windows-msvc
             host_os: windows-latest

mk/cargo.sh

@@ -21,6 +21,9 @@ rustflags_self_contained="-Clink-self-contained=yes -Clinker=rust-lld"
 qemu_aarch64="qemu-aarch64 -L /usr/aarch64-linux-gnu"
 qemu_arm_gnueabi="qemu-arm -L /usr/arm-linux-gnueabi"
 qemu_arm_gnueabihf="qemu-arm -L /usr/arm-linux-gnueabihf"
+qemu_mips="qemu-mips -L /usr/mips-linux-gnu"
+qemu_mips64="qemu-mips64 -L /usr/mips64-linux-gnuabi64"
+qemu_mips64el="qemu-mips64el -L /usr/mips64el-linux-gnuabi64"
 qemu_mipsel="qemu-mipsel -L /usr/mipsel-linux-gnu"
 qemu_powerpc="qemu-ppc -L /usr/powerpc-linux-gnu"
 qemu_powerpc64="qemu-ppc64 -L /usr/powerpc64-linux-gnu"
@@ -51,7 +54,7 @@ for arg in $*; do
 done
 
 # See comments in install-build-tools.sh.
-llvm_version=16
+llvm_version=18
 
 case $target in
    aarch64-linux-android)
@@ -112,6 +115,24 @@ case $target in
     export AR_i686_unknown_linux_musl=llvm-ar-$llvm_version
     export CARGO_TARGET_I686_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
     ;;
+  mips-unknown-linux-gnu)
+    export CC_mips_unknown_linux_gnu=mips-linux-gnu-gcc
+    export AR_mips_unknown_linux_gnu=mips-linux-gnu-gcc-ar
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_LINKER=mips-linux-gnu-gcc
+    export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mips"
+    ;;
+  mips64-unknown-linux-gnuabi64)
+    export CC_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc
+    export AR_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_LINKER=mips64-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64"
+    ;;
+  mips64el-unknown-linux-gnuabi64)
+    export CC_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc
+    export AR_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc-ar
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_LINKER=mips64el-linux-gnuabi64-gcc
+    export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64el"
+    ;;
   mipsel-unknown-linux-gnu)
     export CC_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc
     export AR_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc-ar

mk/install-build-tools.sh

@@ -94,6 +94,24 @@ case $target in
 --target=loongarch64-unknown-linux-gnu)
   use_clang=1
   ;;
+--target=mips-unknown-linux-gnu)
+  install_packages \
+    gcc-mips-linux-gnu \
+    libc6-dev-mips-cross \
+    qemu-user
+  ;;
+--target=mips64-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64-linux-gnuabi64 \
+    libc6-dev-mips64-cross \
+    qemu-user
+  ;;
+--target=mips64el-unknown-linux-gnuabi64)
+  install_packages \
+    gcc-mips64el-linux-gnuabi64 \
+    libc6-dev-mips64el-cross \
+    qemu-user
+  ;;
 --target=mipsel-unknown-linux-gnu)
   install_packages \
     gcc-mipsel-linux-gnu \
@@ -155,7 +173,7 @@ esac
 case "$OSTYPE" in
 linux*)
   ubuntu_codename=$(lsb_release --codename --short)
-  llvm_version=16
+  llvm_version=18
   sudo apt-key add mk/llvm-snapshot.gpg.key
   sudo add-apt-repository "deb http://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main"
   sudo apt-get update

src/der.rs

@@ -14,7 +14,7 @@
 
 use crate::{calendar, time, Error};
 pub use ring::io::{
-    der::{nested, Tag, CONSTRUCTED},
+    der::{nested, Tag},
     Positive,
 };
 

src/name/dns_name.rs

@@ -785,11 +785,67 @@ mod tests {
                 untrusted::Input::from(reference),
             );
             assert_eq!(
-                actual_result,
-                expected_result,
-                "presented_dns_id_matches_reference_dns_id(\"{:?}\", IDRole::ReferenceID, \"{:?}\")",
-                presented,
-                reference
+                actual_result, expected_result,
+                "presented_id_matches_reference_id(\"{:?}\", \"{:?}\")",
+                presented, reference
+            );
+        }
+    }
+
+    const PRESENTED_MATCHES_CONTRAINT: &[(&[u8], &[u8], Option<bool>)] = &[
+        // No absolute presented IDs allowed
+        (b".", b"", None),
+        (b"www.example.com.", b"", None),
+        (b"www.example.com.", b"www.example.com.", None),
+        // No absolute contraints allowed
+        (b"www.example.com", b".", None),
+        (b"www.example.com", b"www.example.com.", None),
+        // No wildcard in constraints allowed
+        (b"www.example.com", b"*.example.com", None),
+        // No empty presented IDs allowed
+        (b"", b"", None),
+        // Empty constraints match everything allowed
+        (b"example.com", b"", Some(true)),
+        (b"*.example.com", b"", Some(true)),
+        // Constraints that start with a dot
+        (b"www.example.com", b".example.com", Some(true)),
+        (b"www.example.com", b".EXAMPLE.COM", Some(true)),
+        (b"www.example.com", b".axample.com", Some(false)),
+        (b"www.example.com", b".xample.com", Some(false)),
+        (b"www.example.com", b".exampl.com", Some(false)),
+        (b"badexample.com", b".example.com", Some(false)),
+        // Constraints that do not start with a dot
+        (b"www.example.com", b"example.com", Some(true)),
+        (b"www.example.com", b"EXAMPLE.COM", Some(true)),
+        (b"www.example.com", b"axample.com", Some(false)),
+        (b"www.example.com", b"xample.com", Some(false)),
+        (b"www.example.com", b"exampl.com", Some(false)),
+        (b"badexample.com", b"example.com", Some(false)),
+        // Presented IDs with wildcard
+        (b"*.example.com", b".example.com", Some(true)),
+        (b"*.example.com", b"example.com", Some(true)),
+        (b"*.example.com", b"www.example.com", Some(true)),
+        (b"*.example.com", b"www.EXAMPLE.COM", Some(true)),
+        (b"*.example.com", b"www.axample.com", Some(false)),
+        (b"*.example.com", b".xample.com", Some(false)),
+        (b"*.example.com", b"xample.com", Some(false)),
+        (b"*.example.com", b".exampl.com", Some(false)),
+        (b"*.example.com", b"exampl.com", Some(false)),
+        // Matching IDs
+        (b"www.example.com", b"www.example.com", Some(true)),
+    ];
+
+    #[test]
+    fn presented_matches_constraint_test() {
+        for &(presented, constraint, expected_result) in PRESENTED_MATCHES_CONTRAINT {
+            let actual_result = presented_id_matches_constraint(
+                untrusted::Input::from(presented),
+                untrusted::Input::from(constraint),
+            );
+            assert_eq!(
+                actual_result, expected_result,
+                "presented_id_matches_constraint(\"{:?}\", \"{:?}\")",
+                presented, constraint
             );
         }
     }

src/name/ip_address.rs

@@ -62,3 +62,77 @@ pub(super) fn presented_id_matches_constraint(
 
     Ok(true)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    const PRESENTED_MATCHES_CONTRAINT: &[(&str, &str, &str, Result<bool, Error>)] = &[
+        // Cannot mix IpV4 with IpV6 and viceversa
+        ("2001:db8::", "8.8.8.8", "255.255.255.255", Ok(false)),
+        ("8.8.8.8", "2001:db8::", "ffff::", Ok(false)),
+        // IpV4
+        ("8.8.8.8", "8.8.8.8", "255.255.255.255", Ok(true)),
+        ("8.8.8.9", "8.8.8.8", "255.255.255.255", Ok(false)),
+        ("8.8.8.9", "8.8.8.8", "255.255.255.254", Ok(true)),
+        ("8.8.8.10", "8.8.8.8", "255.255.255.254", Ok(false)),
+        ("8.8.8.10", "8.8.8.8", "255.255.255.0", Ok(true)),
+        ("8.8.15.10", "8.8.8.8", "255.255.248.0", Ok(true)),
+        ("8.8.16.10", "8.8.8.8", "255.255.248.0", Ok(false)),
+        ("8.8.16.10", "8.8.8.8", "255.255.0.0", Ok(true)),
+        ("8.31.16.10", "8.8.8.8", "255.224.0.0", Ok(true)),
+        ("8.32.16.10", "8.8.8.8", "255.224.0.0", Ok(false)),
+        ("8.32.16.10", "8.8.8.8", "255.0.0.0", Ok(true)),
+        ("63.32.16.10", "8.8.8.8", "192.0.0.0", Ok(true)),
+        ("64.32.16.10", "8.8.8.8", "192.0.0.0", Ok(false)),
+        ("64.32.16.10", "8.8.8.8", "0.0.0.0", Ok(true)),
+        // IpV6
+        ("2001:db8::", "2001:db8::", "ffff:ffff::", Ok(true)),
+        ("2001:db9::", "2001:db8::", "ffff:ffff::", Ok(false)),
+        ("2001:db9::", "2001:db8::", "ffff:fffe::", Ok(true)),
+        ("2001:dba::", "2001:db8::", "ffff:fffe::", Ok(false)),
+        ("2001:dba::", "2001:db8::", "ffff:ff00::", Ok(true)),
+        ("2001:dca::", "2001:db8::", "ffff:fe00::", Ok(true)),
+        ("2001:fca::", "2001:db8::", "ffff:fe00::", Ok(false)),
+        ("2001:fca::", "2001:db8::", "ffff:0000::", Ok(true)),
+        ("2000:fca::", "2001:db8::", "fffe:0000::", Ok(true)),
+        ("2003:fca::", "2001:db8::", "fffe:0000::", Ok(false)),
+        ("2003:fca::", "2001:db8::", "ff00:0000::", Ok(true)),
+        ("1003:fca::", "2001:db8::", "e000:0000::", Ok(false)),
+        ("1003:fca::", "2001:db8::", "0000:0000::", Ok(true)),
+    ];
+
+    #[cfg(feature = "std")]
+    #[test]
+    fn presented_matches_constraint_test() {
+        use std::boxed::Box;
+        use std::net::IpAddr;
+
+        for &(presented, constraint_address, constraint_mask, expected_result) in
+            PRESENTED_MATCHES_CONTRAINT
+        {
+            let presented_bytes: Box<[u8]> = match presented.parse::<IpAddr>().unwrap() {
+                IpAddr::V4(p) => Box::new(p.octets()),
+                IpAddr::V6(p) => Box::new(p.octets()),
+            };
+            let ca_bytes: Box<[u8]> = match constraint_address.parse::<IpAddr>().unwrap() {
+                IpAddr::V4(ca) => Box::new(ca.octets()),
+                IpAddr::V6(ca) => Box::new(ca.octets()),
+            };
+            let cm_bytes: Box<[u8]> = match constraint_mask.parse::<IpAddr>().unwrap() {
+                IpAddr::V4(cm) => Box::new(cm.octets()),
+                IpAddr::V6(cm) => Box::new(cm.octets()),
+            };
+            let constraint_bytes = [ca_bytes, cm_bytes].concat();
+            let actual_result = presented_id_matches_constraint(
+                untrusted::Input::from(&presented_bytes),
+                untrusted::Input::from(&constraint_bytes),
+            );
+            assert_eq!(
+                actual_result, expected_result,
+                "presented_id_matches_constraint(\"{:?}\", \"{:?}\")",
+                presented_bytes, constraint_bytes
+            );
+        }
+    }
+}

src/verify_cert.rs

@@ -80,6 +80,7 @@ fn build_chain_inner(
 
     // TODO: revocation.
 
+    #[allow(clippy::blocks_in_conditions)]
     match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
         let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
         if !equal(cert.issuer, trust_anchor_subject) {