crypto/subtle: No Constant Time Comparison For int64

[InnovativeInventor]

Several well-used programs in Golang use int64 as an identifier, but do not use constant time comparison when authenticating. This could be used to leak information to an adversary (potentially). Unfortunately, crypto/subtle does not have a constant-time comparison algorithm for int64, which would clearly be useful to have.

I do not have a clear understanding of how things work "under the hood" in Golang, so I do not trust myself to write a proper constant time int64 comparison algorithm for crypto/subtle. However, I think one could be easily implemented/adapted.

@FiloSottile @rsc @agl It looks like you guys know what you're doing on crypto/subtle. Could you help out here?

[randall77]

Do you just want eq/neq, or do you need ordering?

For eq/neq ConstantTimeEq(int32(x), int32(y)) & ConstantTimeEq(int32(x>>32), int32(y>>32)) will work.

for ordering, I think (ConstantTimeLessOrEq(int32(x>>32), int32(y>>32)) & ^ConstantTimeEq(int32(x>>32),int32(y>>32))) | (ConstantTimeEq(int32(x>>32),int32(y>>32)) & ConstantTimeLessOrEq(int32(x), int32(y))) might work.

[InnovativeInventor]

Eq/neq is all I need (sorry for being ambiguous).