crypto: constant time AES and GCM

[DemiMarie]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.7.4

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH=""
GORACE=""
GOROOT="/home/dobenour/archives/go"
GOTOOLDIR="/home/dobenour/archives/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build902131924=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

Looked at the Go docs for crypto/aes

What did you expect to see?

That the AES implementation uses bitslicing to make it constant time.

What did you see instead?

That the AES-GCM implementation is not constatn time and is vulnerable to timing attacks.

[ALTree]

This is pretty much a dup of #16821 (initially titled: "crypto: non-constant time arithmetic").

gri wrote on that issue:

We certainly can't change the implementation in the near-term - there's too much to change and it's subtle. I let [@]agl weigh in regarding the need to do so in the first place (or not).

At the end it was decided to just update the documentation to make clear what is (or isn't) constant-time.

Making everything constant-time on every system is probably a (very) long-term goal.

[bradfitz]

Yeah, the docs in 850e55b are sufficient for now.

We can leave this open as a tracking bug, though.