gh-136912: fix handling of OverflowError in hmac.digest#136917
gh-136912: fix handling of OverflowError in hmac.digest#136917picnixz merged 5 commits intopython:mainfrom
OverflowError in hmac.digest#136917Conversation
99d62fe to
d0079c6
Compare
|
!buildbot bigmem |
|
🤖 New build scheduled with the buildbot fleet by @picnixz for commit d0079c6 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:
|
|
!buildbot bigmem |
|
🤖 New build scheduled with the buildbot fleet by @picnixz for commit f93e1ba 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:
|
|
!buildbot bigmem |
|
🤖 New build scheduled with the buildbot fleet by @picnixz for commit df36d7d 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:
|
|
!buildbot bigmem |
|
🤖 New build scheduled with the buildbot fleet by @picnixz for commit 74239be 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:
|
|
I'll rewrite this PR tomorrow to use suggestion 4. |
Lib/hmac.py
Outdated
| return _hashopenssl.hmac_digest(key, msg, digest) | ||
| except OverflowError: | ||
| try: | ||
| return _hashopenssl.hmac_new(key, msg, digest).digest() |
There was a problem hiding this comment.
@gpshead This will create a real HMAC object using OpenSSL and handles chunks in C. Alternatively, I can just catch the OverflowError directly and ignore it. The pure Python implementation already handles chunks as we just call .update() which is implemented in C as well.
There was a problem hiding this comment.
EDIT: actually OpenSSL still requires a key of size at most INT_MAX and HACL* requires the size to be at most UINT32_MAX. I'll just directly switch to the "slow" python implementation.
1188f4a to
84ea348
Compare
7e01d44 to
1082bd5
Compare
|
!buildbot bigmem |
|
🤖 New build scheduled with the buildbot fleet by @picnixz for commit 1082bd5 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:
|
5686d8f to
2bb7fb6
Compare
2bb7fb6 to
4d412bd
Compare
|
!buildbot bigmem |
|
🤖 New build scheduled with the buildbot fleet by @picnixz for commit 4d412bd 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:
|
|
!buildbot bigmem |
|
🤖 New build scheduled with the buildbot fleet by @picnixz for commit ac6b983 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:
|
|
Thanks @picnixz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.14. |
|
Sorry, @picnixz, I could not cleanly backport this to |
|
I'll do the 3.14 backporst in 3.14.1 |
|
GH-137116 is a backport of this pull request to the 3.14 branch. |
…st` (pythonGH-136917) The OpenSSL and HACL* implementations of HMAC single-shot digest computation reject keys whose length exceeds `INT_MAX` and `UINT32_MAX` respectively. The OpenSSL implementation also rejects messages whose length exceed `INT_MAX`. Using such keys in `hmac.digest` previously raised an `OverflowError` which was propagated to the caller. This commit mitigates this case by making `hmac.digest` fall back to HMAC's pure Python implementation which accepts arbitrary large keys or messages. This change only affects the top-level entrypoint `hmac.digest`, leaving `_hashopenssl.hmac_digest` and `_hmac.compute_digest` untouched. (cherry picked from commit d658b90) Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
…thon#136917) The OpenSSL and HACL* implementations of HMAC single-shot digest computation reject keys whose length exceeds `INT_MAX` and `UINT32_MAX` respectively. The OpenSSL implementation also rejects messages whose length exceed `INT_MAX`. Using such keys in `hmac.digest` previously raised an `OverflowError` which was propagated to the caller. This commit mitigates this case by making `hmac.digest` fall back to HMAC's pure Python implementation which accepts arbitrary large keys or messages. This change only affects the top-level entrypoint `hmac.digest`, leaving `_hashopenssl.hmac_digest` and `_hmac.compute_digest` untouched.
…H-136917) (#137116) The OpenSSL and HACL* implementations of HMAC single-shot digest computation reject keys whose length exceeds `INT_MAX` and `UINT32_MAX` respectively. The OpenSSL implementation also rejects messages whose length exceed `INT_MAX`. Using such keys in `hmac.digest` previously raised an `OverflowError` which was propagated to the caller. This commit mitigates this case by making `hmac.digest` fall back to HMAC's pure Python implementation which accepts arbitrary large keys or messages. This change only affects the top-level entrypoint `hmac.digest`, leaving `_hashopenssl.hmac_digest` and `_hmac.compute_digest` untouched. (cherry picked from commit d658b90)
Uh oh!
There was an error while loading. Please reload this page.