crypto/subtle: make ConstantTimeCompare return zero for args of different length.

This is more useful than panicking, since otherwise every caller needs
to do the length check before calling; some will forget, and have a
potential submarine crasher as a result. Other implementations of this
functionality do a length check.

This is backward compatible, except if someone has written code that
relies on this panicking with different length args. However, that was
not the case before Go 1.3 either.

Updates #7304.

LGTM=agl
R=agl, minux, hanwen
CC=golang-codereviews
https://golang.org/cl/118750043

src/pkg/crypto/subtle/constant_time.go

@@ -6,12 +6,12 @@
 // code but require careful thought to use correctly.
 package subtle
 
-// ConstantTimeCompare returns 1 iff the two equal length slices, x
+// ConstantTimeCompare returns 1 iff the two slices, x
 // and y, have equal contents. The time taken is a function of the length of
 // the slices and is independent of the contents.
 func ConstantTimeCompare(x, y []byte) int {
 	if len(x) != len(y) {
-		panic("subtle: slices have different lengths")
+		return 0
 	}
 
 	var v byte
@@ -62,7 +62,6 @@ func ConstantTimeCopy(v int, x, y []byte) {
 	for i := 0; i < len(x); i++ {
 		x[i] = x[i]&xmask | y[i]&ymask
 	}
-	return
 }
 
 // ConstantTimeLessOrEq returns 1 if x <= y and 0 otherwise.

src/pkg/crypto/subtle/constant_time_test.go

@@ -18,6 +18,8 @@ var testConstantTimeCompareData = []TestConstantTimeCompareStruct{
 	{[]byte{}, []byte{}, 1},
 	{[]byte{0x11}, []byte{0x11}, 1},
 	{[]byte{0x12}, []byte{0x11}, 0},
+	{[]byte{0x11}, []byte{0x11, 0x12}, 0},
+	{[]byte{0x11, 0x12}, []byte{0x11}, 0},
 }
 
 func TestConstantTimeCompare(t *testing.T) {