From: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Date: Tue, 4 Jun 2024 18:44:09 +0000 (+0000)
Subject: crypto/x509: don't panic when asn1.ObjectIdentifier is shorter than x509.OID
X-Git-Tag: go1.23rc1~86
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=e8f7a959ecc0071644ed033365a0d76630706696;p=gostls13.git

crypto/x509: don't panic when asn1.ObjectIdentifier is shorter than x509.OID

Change-Id: Ia08673450edc93fe1a9c7c05b7e69a05cd5ac8b9
GitHub-Last-Rev: c396197cb1f94b7fe8405d89c805c0566aa07fda
GitHub-Pull-Request: golang/go#64655
Reviewed-on: https://go-review.googlesource.com/c/go/+/548915
Reviewed-by: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
---

diff --git a/src/crypto/x509/oid.go b/src/crypto/x509/oid.go
index b00c35e696..fd438eacf9 100644
--- a/src/crypto/x509/oid.go
+++ b/src/crypto/x509/oid.go
@@ -268,7 +268,7 @@ func (oid OID) EqualASN1OID(other asn1.ObjectIdentifier) bool {
 			// the OID, but better safe than sorry.
 			return false
 		}
-		if v != other[i] {
+		if i >= len(other) || v != other[i] {
 			return false
 		}
 	}
diff --git a/src/crypto/x509/oid_test.go b/src/crypto/x509/oid_test.go
index cbb3406424..270dca0bb5 100644
--- a/src/crypto/x509/oid_test.go
+++ b/src/crypto/x509/oid_test.go
@@ -127,6 +127,27 @@ func TestInvalidOID(t *testing.T) {
 	}
 }
 
+func TestOIDEqual(t *testing.T) {
+	var cases = []struct {
+		oid  OID
+		oid2 OID
+		eq   bool
+	}{
+		{oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: mustNewOIDFromInts(t, []uint64{1, 2, 3}), eq: true},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: mustNewOIDFromInts(t, []uint64{1, 2, 4}), eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: mustNewOIDFromInts(t, []uint64{1, 2, 3, 4}), eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{2, 33, 22}), oid2: mustNewOIDFromInts(t, []uint64{2, 33, 23}), eq: false},
+		{oid: OID{}, oid2: OID{}, eq: true},
+		{oid: OID{}, oid2: mustNewOIDFromInts(t, []uint64{2, 33, 23}), eq: false},
+	}
+
+	for _, tt := range cases {
+		if eq := tt.oid.Equal(tt.oid2); eq != tt.eq {
+			t.Errorf("(%v).Equal(%v) = %v, want %v", tt.oid, tt.oid2, eq, tt.eq)
+		}
+	}
+}
+
 var (
 	_ encoding.BinaryMarshaler   = OID{}
 	_ encoding.BinaryUnmarshaler = new(OID)
@@ -224,6 +245,50 @@ func TestOIDMarshal(t *testing.T) {
 	}
 }
 
+func TestOIDEqualASN1OID(t *testing.T) {
+	maxInt32PlusOne := int64(math.MaxInt32) + 1
+	var cases = []struct {
+		oid  OID
+		oid2 asn1.ObjectIdentifier
+		eq   bool
+	}{
+		{oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: asn1.ObjectIdentifier{1, 2, 3}, eq: true},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: asn1.ObjectIdentifier{1, 2, 4}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: asn1.ObjectIdentifier{1, 2, 3, 4}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 22}), oid2: asn1.ObjectIdentifier{1, 33, 23}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 23}), oid2: asn1.ObjectIdentifier{1, 33, 22}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 127}), oid2: asn1.ObjectIdentifier{1, 33, 127}, eq: true},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 128}), oid2: asn1.ObjectIdentifier{1, 33, 127}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 128}), oid2: asn1.ObjectIdentifier{1, 33, 128}, eq: true},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 129}), oid2: asn1.ObjectIdentifier{1, 33, 129}, eq: true},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 128}), oid2: asn1.ObjectIdentifier{1, 33, 129}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 129}), oid2: asn1.ObjectIdentifier{1, 33, 128}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 255}), oid2: asn1.ObjectIdentifier{1, 33, 255}, eq: true},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 256}), oid2: asn1.ObjectIdentifier{1, 33, 256}, eq: true},
+		{oid: mustNewOIDFromInts(t, []uint64{2, 33, 257}), oid2: asn1.ObjectIdentifier{2, 33, 256}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{2, 33, 256}), oid2: asn1.ObjectIdentifier{2, 33, 257}, eq: false},
+
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33}), oid2: asn1.ObjectIdentifier{1, 33, math.MaxInt32}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, math.MaxInt32}), oid2: asn1.ObjectIdentifier{1, 33}, eq: false},
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, math.MaxInt32}), oid2: asn1.ObjectIdentifier{1, 33, math.MaxInt32}, eq: true},
+		{
+			oid:  mustNewOIDFromInts(t, []uint64{1, 33, math.MaxInt32 + 1}),
+			oid2: asn1.ObjectIdentifier{1, 33 /*convert to int, so that it compiles on 32bit*/, int(maxInt32PlusOne)},
+			eq:   false,
+		},
+
+		{oid: mustNewOIDFromInts(t, []uint64{1, 33, 256}), oid2: asn1.ObjectIdentifier{}, eq: false},
+		{oid: OID{}, oid2: asn1.ObjectIdentifier{1, 33, 256}, eq: false},
+		{oid: OID{}, oid2: asn1.ObjectIdentifier{}, eq: false},
+	}
+
+	for _, tt := range cases {
+		if eq := tt.oid.EqualASN1OID(tt.oid2); eq != tt.eq {
+			t.Errorf("(%v).EqualASN1OID(%v) = %v, want %v", tt.oid, tt.oid2, eq, tt.eq)
+		}
+	}
+}
+
 func TestOIDUnmarshalBinary(t *testing.T) {
 	for _, tt := range oidTests {
 		var o OID