mirror of https://github.com/briansmith/webpki
Compare commits
7 Commits
bedb10e7e8
...
737373a9bb
Author | SHA1 | Date |
---|---|---|
Alessandro Bono | 737373a9bb | |
Brian Smith | 94e6e88ed9 | |
Brian Smith | 9613e5d115 | |
Brian Smith | 8f81719df5 | |
Alessandro Bono | 691ea4cfa1 | |
Alessandro Bono | d2b950fc71 | |
Alessandro Bono | a603e72967 |
|
@ -141,7 +141,7 @@ jobs:
|
|||
|
||||
include:
|
||||
- target: aarch64-apple-darwin
|
||||
host_os: macos-13-xlarge
|
||||
host_os: macos-14
|
||||
|
||||
- target: aarch64-pc-windows-msvc
|
||||
host_os: windows-latest
|
||||
|
|
23
mk/cargo.sh
23
mk/cargo.sh
|
@ -21,6 +21,9 @@ rustflags_self_contained="-Clink-self-contained=yes -Clinker=rust-lld"
|
|||
qemu_aarch64="qemu-aarch64 -L /usr/aarch64-linux-gnu"
|
||||
qemu_arm_gnueabi="qemu-arm -L /usr/arm-linux-gnueabi"
|
||||
qemu_arm_gnueabihf="qemu-arm -L /usr/arm-linux-gnueabihf"
|
||||
qemu_mips="qemu-mips -L /usr/mips-linux-gnu"
|
||||
qemu_mips64="qemu-mips64 -L /usr/mips64-linux-gnuabi64"
|
||||
qemu_mips64el="qemu-mips64el -L /usr/mips64el-linux-gnuabi64"
|
||||
qemu_mipsel="qemu-mipsel -L /usr/mipsel-linux-gnu"
|
||||
qemu_powerpc="qemu-ppc -L /usr/powerpc-linux-gnu"
|
||||
qemu_powerpc64="qemu-ppc64 -L /usr/powerpc64-linux-gnu"
|
||||
|
@ -51,7 +54,7 @@ for arg in $*; do
|
|||
done
|
||||
|
||||
# See comments in install-build-tools.sh.
|
||||
llvm_version=16
|
||||
llvm_version=18
|
||||
|
||||
case $target in
|
||||
aarch64-linux-android)
|
||||
|
@ -112,6 +115,24 @@ case $target in
|
|||
export AR_i686_unknown_linux_musl=llvm-ar-$llvm_version
|
||||
export CARGO_TARGET_I686_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
|
||||
;;
|
||||
mips-unknown-linux-gnu)
|
||||
export CC_mips_unknown_linux_gnu=mips-linux-gnu-gcc
|
||||
export AR_mips_unknown_linux_gnu=mips-linux-gnu-gcc-ar
|
||||
export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_LINKER=mips-linux-gnu-gcc
|
||||
export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mips"
|
||||
;;
|
||||
mips64-unknown-linux-gnuabi64)
|
||||
export CC_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc
|
||||
export AR_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc-ar
|
||||
export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_LINKER=mips64-linux-gnuabi64-gcc
|
||||
export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64"
|
||||
;;
|
||||
mips64el-unknown-linux-gnuabi64)
|
||||
export CC_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc
|
||||
export AR_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc-ar
|
||||
export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_LINKER=mips64el-linux-gnuabi64-gcc
|
||||
export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64el"
|
||||
;;
|
||||
mipsel-unknown-linux-gnu)
|
||||
export CC_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc
|
||||
export AR_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc-ar
|
||||
|
|
|
@ -94,6 +94,24 @@ case $target in
|
|||
--target=loongarch64-unknown-linux-gnu)
|
||||
use_clang=1
|
||||
;;
|
||||
--target=mips-unknown-linux-gnu)
|
||||
install_packages \
|
||||
gcc-mips-linux-gnu \
|
||||
libc6-dev-mips-cross \
|
||||
qemu-user
|
||||
;;
|
||||
--target=mips64-unknown-linux-gnuabi64)
|
||||
install_packages \
|
||||
gcc-mips64-linux-gnuabi64 \
|
||||
libc6-dev-mips64-cross \
|
||||
qemu-user
|
||||
;;
|
||||
--target=mips64el-unknown-linux-gnuabi64)
|
||||
install_packages \
|
||||
gcc-mips64el-linux-gnuabi64 \
|
||||
libc6-dev-mips64el-cross \
|
||||
qemu-user
|
||||
;;
|
||||
--target=mipsel-unknown-linux-gnu)
|
||||
install_packages \
|
||||
gcc-mipsel-linux-gnu \
|
||||
|
@ -155,7 +173,7 @@ esac
|
|||
case "$OSTYPE" in
|
||||
linux*)
|
||||
ubuntu_codename=$(lsb_release --codename --short)
|
||||
llvm_version=16
|
||||
llvm_version=18
|
||||
sudo apt-key add mk/llvm-snapshot.gpg.key
|
||||
sudo add-apt-repository "deb http://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main"
|
||||
sudo apt-get update
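Review bot: The bumped `llvm_version=18` is interpolated into an apt source that is fetched over plain `http://` and whose key is trusted with `sudo apt-key add`, both visible as context lines in this section's last hunk. `apt-key` puts the key in the global keyring, so it is accepted for every configured repository rather than only apt.llvm.org, and the tool is deprecated and may be absent on newer runner images. Since this line is being touched anyway, consider installing `mk/llvm-snapshot.gpg.key` as a dedicated keyring file and scoping the source to it over TLS, e.g. `deb [signed-by=<keyring path>] https://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main`. The `case "$OSTYPE"` block continues outside the hunk.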
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
|
||||
use crate::{calendar, time, Error};
|
||||
pub use ring::io::{
|
||||
der::{nested, Tag, CONSTRUCTED},
|
||||
der::{nested, Tag},
|
||||
Positive,
|
||||
};
|
||||
|
||||
|
|
|
@ -785,11 +785,67 @@ mod tests {
|
|||
untrusted::Input::from(reference),
|
||||
);
|
||||
assert_eq!(
|
||||
actual_result,
|
||||
expected_result,
|
||||
"presented_dns_id_matches_reference_dns_id(\"{:?}\", IDRole::ReferenceID, \"{:?}\")",
|
||||
presented,
|
||||
reference
|
||||
actual_result, expected_result,
|
||||
"presented_id_matches_reference_id(\"{:?}\", \"{:?}\")",
|
||||
presented, reference
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
const PRESENTED_MATCHES_CONTRAINT: &[(&[u8], &[u8], Option<bool>)] = &[
|
||||
// No absolute presented IDs allowed
|
||||
(b".", b"", None),
|
||||
(b"www.example.com.", b"", None),
|
||||
(b"www.example.com.", b"www.example.com.", None),
|
||||
// No absolute contraints allowed
|
||||
(b"www.example.com", b".", None),
|
||||
(b"www.example.com", b"www.example.com.", None),
|
||||
// No wildcard in constraints allowed
|
||||
(b"www.example.com", b"*.example.com", None),
|
||||
// No empty presented IDs allowed
|
||||
(b"", b"", None),
|
||||
// Empty constraints match everything allowed
|
||||
(b"example.com", b"", Some(true)),
|
||||
(b"*.example.com", b"", Some(true)),
|
||||
// Constraints that start with a dot
|
||||
(b"www.example.com", b".example.com", Some(true)),
|
||||
(b"www.example.com", b".EXAMPLE.COM", Some(true)),
|
||||
(b"www.example.com", b".axample.com", Some(false)),
|
||||
(b"www.example.com", b".xample.com", Some(false)),
|
||||
(b"www.example.com", b".exampl.com", Some(false)),
|
||||
(b"badexample.com", b".example.com", Some(false)),
|
||||
// Constraints that do not start with a dot
|
||||
(b"www.example.com", b"example.com", Some(true)),
|
||||
(b"www.example.com", b"EXAMPLE.COM", Some(true)),
|
||||
(b"www.example.com", b"axample.com", Some(false)),
|
||||
(b"www.example.com", b"xample.com", Some(false)),
|
||||
(b"www.example.com", b"exampl.com", Some(false)),
|
||||
(b"badexample.com", b"example.com", Some(false)),
|
||||
// Presented IDs with wildcard
|
||||
(b"*.example.com", b".example.com", Some(true)),
|
||||
(b"*.example.com", b"example.com", Some(true)),
|
||||
(b"*.example.com", b"www.example.com", Some(true)),
|
||||
(b"*.example.com", b"www.EXAMPLE.COM", Some(true)),
|
||||
(b"*.example.com", b"www.axample.com", Some(false)),
|
||||
(b"*.example.com", b".xample.com", Some(false)),
|
||||
(b"*.example.com", b"xample.com", Some(false)),
|
||||
(b"*.example.com", b".exampl.com", Some(false)),
|
||||
(b"*.example.com", b"exampl.com", Some(false)),
|
||||
// Matching IDs
|
||||
(b"www.example.com", b"www.example.com", Some(true)),
|
||||
];
|
||||
|
||||
#[test]
|
||||
fn presented_matches_constraint_test() {
|
||||
for &(presented, constraint, expected_result) in PRESENTED_MATCHES_CONTRAINT {
|
||||
let actual_result = presented_id_matches_constraint(
|
||||
untrusted::Input::from(presented),
|
||||
untrusted::Input::from(constraint),
|
||||
);
|
||||
assert_eq!(
|
||||
actual_result, expected_result,
|
||||
"presented_id_matches_constraint(\"{:?}\", \"{:?}\")",
|
||||
presented, constraint
|
||||
);
|
||||
}
|
||||
}
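Review bot: The new table is named `PRESENTED_MATCHES_CONTRAINT` and one of its comments reads "No absolute contraints allowed"; both should be spelled `CONSTRAINT` / `constraints`, and the IP-address test table added further down this page repeats the misspelled name. Separately, the row `(b"*.example.com", b"www.example.com", Some(true))` pins that a wildcard presented ID satisfies a narrower constraint, which is the permissive reading. A short comment on that row stating why this is intended would help the next reader; whether the same matcher is also used for excluded subtrees is not visible here, so that comment should say which use the expectation was chosen for. `mod tests` opens outside this hunk.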
|
||||
|
|
|
@ -62,3 +62,77 @@ pub(super) fn presented_id_matches_constraint(
|
|||
|
||||
Ok(true)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
|
||||
const PRESENTED_MATCHES_CONTRAINT: &[(&str, &str, &str, Result<bool, Error>)] = &[
|
||||
// Cannot mix IpV4 with IpV6 and viceversa
|
||||
("2001:db8::", "8.8.8.8", "255.255.255.255", Ok(false)),
|
||||
("8.8.8.8", "2001:db8::", "ffff::", Ok(false)),
|
||||
// IpV4
|
||||
("8.8.8.8", "8.8.8.8", "255.255.255.255", Ok(true)),
|
||||
("8.8.8.9", "8.8.8.8", "255.255.255.255", Ok(false)),
|
||||
("8.8.8.9", "8.8.8.8", "255.255.255.254", Ok(true)),
|
||||
("8.8.8.10", "8.8.8.8", "255.255.255.254", Ok(false)),
|
||||
("8.8.8.10", "8.8.8.8", "255.255.255.0", Ok(true)),
|
||||
("8.8.15.10", "8.8.8.8", "255.255.248.0", Ok(true)),
|
||||
("8.8.16.10", "8.8.8.8", "255.255.248.0", Ok(false)),
|
||||
("8.8.16.10", "8.8.8.8", "255.255.0.0", Ok(true)),
|
||||
("8.31.16.10", "8.8.8.8", "255.224.0.0", Ok(true)),
|
||||
("8.32.16.10", "8.8.8.8", "255.224.0.0", Ok(false)),
|
||||
("8.32.16.10", "8.8.8.8", "255.0.0.0", Ok(true)),
|
||||
("63.32.16.10", "8.8.8.8", "192.0.0.0", Ok(true)),
|
||||
("64.32.16.10", "8.8.8.8", "192.0.0.0", Ok(false)),
|
||||
("64.32.16.10", "8.8.8.8", "0.0.0.0", Ok(true)),
|
||||
// IpV6
|
||||
("2001:db8::", "2001:db8::", "ffff:ffff::", Ok(true)),
|
||||
("2001:db9::", "2001:db8::", "ffff:ffff::", Ok(false)),
|
||||
("2001:db9::", "2001:db8::", "ffff:fffe::", Ok(true)),
|
||||
("2001:dba::", "2001:db8::", "ffff:fffe::", Ok(false)),
|
||||
("2001:dba::", "2001:db8::", "ffff:ff00::", Ok(true)),
|
||||
("2001:dca::", "2001:db8::", "ffff:fe00::", Ok(true)),
|
||||
("2001:fca::", "2001:db8::", "ffff:fe00::", Ok(false)),
|
||||
("2001:fca::", "2001:db8::", "ffff:0000::", Ok(true)),
|
||||
("2000:fca::", "2001:db8::", "fffe:0000::", Ok(true)),
|
||||
("2003:fca::", "2001:db8::", "fffe:0000::", Ok(false)),
|
||||
("2003:fca::", "2001:db8::", "ff00:0000::", Ok(true)),
|
||||
("1003:fca::", "2001:db8::", "e000:0000::", Ok(false)),
|
||||
("1003:fca::", "2001:db8::", "0000:0000::", Ok(true)),
|
||||
];
|
||||
|
||||
#[cfg(feature = "std")]
|
||||
#[test]
|
||||
fn presented_matches_constraint_test() {
|
||||
use std::boxed::Box;
|
||||
use std::net::IpAddr;
|
||||
|
||||
for &(presented, constraint_address, constraint_mask, expected_result) in
|
||||
PRESENTED_MATCHES_CONTRAINT
|
||||
{
|
||||
let presented_bytes: Box<[u8]> = match presented.parse::<IpAddr>().unwrap() {
|
||||
IpAddr::V4(p) => Box::new(p.octets()),
|
||||
IpAddr::V6(p) => Box::new(p.octets()),
|
||||
};
|
||||
let ca_bytes: Box<[u8]> = match constraint_address.parse::<IpAddr>().unwrap() {
|
||||
IpAddr::V4(ca) => Box::new(ca.octets()),
|
||||
IpAddr::V6(ca) => Box::new(ca.octets()),
|
||||
};
|
||||
let cm_bytes: Box<[u8]> = match constraint_mask.parse::<IpAddr>().unwrap() {
|
||||
IpAddr::V4(cm) => Box::new(cm.octets()),
|
||||
IpAddr::V6(cm) => Box::new(cm.octets()),
|
||||
};
|
||||
let constraint_bytes = [ca_bytes, cm_bytes].concat();
|
||||
let actual_result = presented_id_matches_constraint(
|
||||
untrusted::Input::from(&presented_bytes),
|
||||
untrusted::Input::from(&constraint_bytes),
|
||||
);
|
||||
assert_eq!(
|
||||
actual_result, expected_result,
|
||||
"presented_id_matches_constraint(\"{:?}\", \"{:?}\")",
|
||||
presented_bytes, constraint_bytes
|
||||
);
|
||||
}
|
||||
}
|
||||
}
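Review bot: Every row of the new table expects `Ok(..)`, so the `Err` side of `Result<bool, Error>` is never exercised, and because the inputs are parsed from address strings the table cannot express a malformed presented ID or constraint (wrong byte length) at all. This function decides name-constraint enforcement on untrusted certificate bytes, so a second table of raw `&[u8]` inputs asserting the rejection path is worth adding; a row with a non-contiguous mask such as `255.0.255.0` would also pin how those are treated. In addition, the test is gated on `#[cfg(feature = "std")]` but the constant is not, so a test build without `std` will likely report it as unused; put the same `#[cfg(feature = "std")]` on the `const`. Only the tail of `presented_id_matches_constraint` is visible in this hunk.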
|
||||
|
|
|
@ -80,6 +80,7 @@ fn build_chain_inner(
|
|||
|
||||
// TODO: revocation.
|
||||
|
||||
#[allow(clippy::blocks_in_conditions)]
|
||||
match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
|
||||
let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
|
||||
if !equal(cert.issuer, trust_anchor_subject) {
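Review bot: The `#[allow(clippy::blocks_in_conditions)]` on the `match loop_while_non_fatal_error(...)` (apparently the one line this hunk adds) carries no comment saying why the lint is suppressed rather than fixed. In chain-building code, either add a one-line reason such as `// closure is the match scrutinee; restructuring deferred`, or remove the need for the attribute by binding the call first: `let result = loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| { … });` followed by `match result {`. `build_chain_inner` starts and ends outside this hunk.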
|
||||
|
|