[3.14] gh-136912: fix handling of OverflowError in hmac.digest (GH-136917) #137116

Draft. Wants to merge 1 commit into base: 3.14

picnixz (Member) commented Jul 26, 2025

The OpenSSL and HACL* implementations of HMAC single-shot digest computation reject keys whose length exceeds INT_MAX and UINT32_MAX respectively. The OpenSSL implementation also rejects messages whose length exceeds INT_MAX.

Using such keys in hmac.digest previously raised an OverflowError which was propagated to the caller. This commit mitigates this case by making hmac.digest fall back to HMAC's pure Python implementation which accepts arbitrarily large keys or messages.

This change only affects the top-level entrypoint hmac.digest, leaving _hashopenssl.hmac_digest and _hmac.compute_digest untouched.

(cherry picked from commit d658b90)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
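
The fallback described in the pull request above, as an added example that is not part of the PR or of CPython's code. `fast_digest`, `pure_python_digest`, `digest_with_fallback` and `DEMO_LIMIT` are hypothetical names, and the limit is lowered to 1024 bytes (an assumption for the demo) so the overflow path runs without allocating a 2 GiB key.

```python
import hashlib
import hmac

# Constructed stand-in for INT_MAX so the overflow path can be exercised
# cheaply; the limits named in the PR are INT_MAX and UINT32_MAX.
DEMO_LIMIT = 1024


def fast_digest(key, msg, digest):
    """Hypothetical accelerated one-shot HMAC that rejects oversized input."""
    if len(key) > DEMO_LIMIT or len(msg) > DEMO_LIMIT:
        raise OverflowError("input too large for accelerated HMAC")
    return hmac.digest(key, msg, digest)


def pure_python_digest(key, msg, digest):
    """HMAC per RFC 2104 built only on hashlib; no length limit of its own."""
    block_size = hashlib.new(digest).block_size
    if len(key) > block_size:
        key = hashlib.new(digest, key).digest()  # long keys are hashed first
    key = key.ljust(block_size, b"\x00")
    inner = hashlib.new(digest, bytes(b ^ 0x36 for b in key))
    inner.update(msg)
    outer = hashlib.new(digest, bytes(b ^ 0x5C for b in key))
    outer.update(inner.digest())
    return outer.digest()


def digest_with_fallback(key, msg, digest):
    """Try the accelerated path; on OverflowError use the pure Python one.

    Returns (mac, path) so callers and tests can see which path ran.
    """
    try:
        return fast_digest(key, msg, digest), "fast"
    except OverflowError:
        return pure_python_digest(key, msg, digest), "fallback"


if __name__ == "__main__":
    # Constructed inputs: one under the demo limit, one just over it.
    for key in (b"k" * 16, b"k" * (DEMO_LIMIT + 1)):
        mac, path = digest_with_fallback(key, b"message", "sha256")
        print(path, mac.hex())
```

Both paths must yield the same MAC for the same input; a verifier comparing the result against a received tag should still use `hmac.compare_digest`.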
@gpshead gpshead self-assigned this Jul 27, 2025
gpshead (Member) commented Jul 27, 2025

waiting for 3.14.1
