crypto/subtle: ConstantTimeCompare does not barf if slice lengths are unequal

[hanwen]

http://play.golang.org/p/12ZtQewpMz

What is the expected output?

I expect symmetrical behavior, and since the use is incorrect, it would be good to
panic. If somebody puts attacker controlled data in the first arg misuse would be
disastrous.


What do you see instead?

if the 2nd argument is smaller than the 1st => crash
if the 1st argument is smaller than the 2nd => success

[bradfitz]

Comment 1:

Adam?

Labels changed: added repo-main.

Owner changed to @agl.

[agl]

Comment 2:

Hmm. I rather think that users of 'subtle' should be paying attention to the docs at
least.
But perhaps this is too subtle even for 'subtle'.
https://golang.org/cl/62190043 out for review.

[agl]

Comment 3:

This issue was closed by revision 384f438.

Status changed to Fixed.

[ianlancetaylor]

Comment 4:

Issue #8131 has been merged into this issue.

[gopherbot]

Comment 5:

CL https://golang.org/cl/118750043 mentions this issue.