crypto/subtle: panic if slices of different lengths are passed to ConstantTimeCompare.

ConstantTimeCompare has always been documented to take equal length
slices but perhaps this is too subtle, even for 'subtle'.

Fixes #7304.

LGTM=hanwen, bradfitz
R=golang-codereviews, hanwen, bradfitz
CC=golang-codereviews
https://golang.org/cl/62190043

diff --git a/src/pkg/crypto/subtle/constant_time.go b/src/pkg/crypto/subtle/constant_time.go
index dfb658465e9bdffaec2e5f7f0b1165c8ee6b8661..de1a4e8c54da1a4c59d6f88b9b3e78a9fe68f44e 100644 (file)
--- a/src/pkg/crypto/subtle/constant_time.go
+++ b/src/pkg/crypto/subtle/constant_time.go
@@ -10,6 +10,10 @@ package subtle
 // and y, have equal contents. The time taken is a function of the length of
 // the slices and is independent of the contents.
 func ConstantTimeCompare(x, y []byte) int {
+       if len(x) != len(y) {
+               panic("subtle: slices have different lengths")
+       }
+
        var v byte
 
        for i := 0; i < len(x); i++ {