gh-136912: fix handling of `OverflowError` in `hmac.digest` #136917
99d62fe to d0079c6

!buildbot bigmem

bedevere-bot commented Jul 21, 2025
🤖 New build scheduled with the buildbot fleet by @picnixz for commit d0079c6 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:

!buildbot bigmem

bedevere-bot commented Jul 21, 2025
🤖 New build scheduled with the buildbot fleet by @picnixz for commit f93e1ba 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:

!buildbot bigmem

bedevere-bot commented Jul 21, 2025
🤖 New build scheduled with the buildbot fleet by @picnixz for commit df36d7d 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:

!buildbot bigmem

bedevere-bot commented Jul 21, 2025
🤖 New build scheduled with the buildbot fleet by @picnixz for commit 74239be 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:

I'll rewrite this PR tomorrow to use suggestion 4.

Lib/hmac.py Outdated
| return_hashopenssl.hmac_digest(key,msg,digest) | ||
| exceptOverflowError: | ||
| try: | ||
| return_hashopenssl.hmac_new(key,msg,digest).digest() |
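
Review bot: in the `except OverflowError:` branch, the fallback passes the same `key` and `msg` to `_hashopenssl.hmac_new(...)`, so if that constructor enforces the same length limit as `_hashopenssl.hmac_digest`, the `OverflowError` is raised again from inside the handler and still reaches the caller. A bigmem test that drives this branch with an oversized key and with an oversized message separately would show whether the fallback holds in both cases; a short comment above the `try:` naming the limit being worked around would also help.
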
@gpshead This will create a real HMAC object using OpenSSL and handles chunks in C. Alternatively, I can just catch the OverflowError directly and ignore it. The pure Python implementation already handles chunks as we just call .update() which is implemented in C as well.

EDIT: actually OpenSSL still requires a key of size at most INT_MAX and HACL* requires the size to be at most UINT32_MAX. I'll just directly switch to the "slow" python implementation.

1188f4a to 84ea348

7e01d44 to 1082bd5

!buildbot bigmem

bedevere-bot commented Jul 22, 2025
🤖 New build scheduled with the buildbot fleet by @picnixz for commit 1082bd5 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:

5686d8f to 2bb7fb6

2bb7fb6 to 4d412bd

!buildbot bigmem

bedevere-bot commented Jul 22, 2025
🤖 New build scheduled with the buildbot fleet by @picnixz for commit 4d412bd 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:

!buildbot bigmem

bedevere-bot commented Jul 25, 2025
🤖 New build scheduled with the buildbot fleet by @picnixz for commit ac6b983 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136917%2Fmerge The command will test the builders whose names match following regular expression: The builders matched are:

d658b90 into python:main

Thanks @picnixz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.14.

Sorry, @picnixz, I could not cleanly backport this to

I'll do the 3.14 backports in 3.14.1

GH-137116 is a backport of this pull request to the 3.14 branch.

…st` (pythonGH-136917)

The OpenSSL and HACL* implementations of HMAC single-shot digest computation reject keys whose length exceeds `INT_MAX` and `UINT32_MAX` respectively. The OpenSSL implementation also rejects messages whose length exceeds `INT_MAX`.

Using such keys in `hmac.digest` previously raised an `OverflowError` which was propagated to the caller. This commit mitigates this case by making `hmac.digest` fall back to HMAC's pure Python implementation which accepts arbitrary large keys or messages.

This change only affects the top-level entrypoint `hmac.digest`, leaving `_hashopenssl.hmac_digest` and `_hmac.compute_digest` untouched.

(cherry picked from commit d658b90)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>

…thon#136917)

The OpenSSL and HACL* implementations of HMAC single-shot digest computation reject keys whose length exceeds `INT_MAX` and `UINT32_MAX` respectively. The OpenSSL implementation also rejects messages whose length exceeds `INT_MAX`.

Using such keys in `hmac.digest` previously raised an `OverflowError` which was propagated to the caller. This commit mitigates this case by making `hmac.digest` fall back to HMAC's pure Python implementation which accepts arbitrary large keys or messages.

This change only affects the top-level entrypoint `hmac.digest`, leaving `_hashopenssl.hmac_digest` and `_hmac.compute_digest` untouched.

…H-136917) (#137116)

The OpenSSL and HACL* implementations of HMAC single-shot digest computation reject keys whose length exceeds `INT_MAX` and `UINT32_MAX` respectively. The OpenSSL implementation also rejects messages whose length exceeds `INT_MAX`.

Using such keys in `hmac.digest` previously raised an `OverflowError` which was propagated to the caller. This commit mitigates this case by making `hmac.digest` fall back to HMAC's pure Python implementation which accepts arbitrary large keys or messages.

This change only affects the top-level entrypoint `hmac.digest`, leaving `_hashopenssl.hmac_digest` and `_hmac.compute_digest` untouched.

(cherry picked from commit d658b90)
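
The fallback pattern the commit message describes, as an added example that is not CPython's code: a one-shot backend that raises `OverflowError` past a length limit, and a slow path that builds HMAC (RFC 2104) from `hashlib` objects fed in bounded chunks. The names `slow_hmac_digest`, `make_limited_fast_path` and `digest`, and the 64-byte limit that stands in for `INT_MAX` so the example runs without multi-gigabyte inputs, are assumptions.

```python
import hashlib
import hmac

CHUNK = 1 << 20  # feed the hash at most 1 MiB per update() call


def update_chunked(h, data):
    """Call h.update() on bounded slices so no single call sees a huge length."""
    view = memoryview(data)
    for i in range(0, len(view), CHUNK):
        h.update(view[i:i + CHUNK])


def slow_hmac_digest(key, msg, digestmod):
    """RFC 2104 HMAC using only hashlib objects and chunked update() calls."""
    block_size = hashlib.new(digestmod).block_size
    if len(key) > block_size:
        # Keys longer than the block size are hashed first, also in chunks.
        kh = hashlib.new(digestmod)
        update_chunked(kh, key)
        key = kh.digest()
    key = bytes(key).ljust(block_size, b"\0")
    inner = hashlib.new(digestmod, bytes(b ^ 0x36 for b in key))
    update_chunked(inner, msg)
    outer = hashlib.new(digestmod, bytes(b ^ 0x5C for b in key))
    outer.update(inner.digest())
    return outer.digest()


def make_limited_fast_path(limit):
    """Hypothetical stand-in for a one-shot backend with a length limit."""
    def fast(key, msg, digestmod):
        if len(key) > limit or len(msg) > limit:
            raise OverflowError("input too long for one-shot backend")
        return hmac.new(key, msg, digestmod).digest()
    return fast


def digest(key, msg, digestmod, fast=make_limited_fast_path(64)):
    """Try the one-shot backend; on OverflowError use the chunked slow path."""
    try:
        return fast(key, msg, digestmod), "fast"
    except OverflowError:
        # Same MAC value, computed without passing the full length to one call.
        return slow_hmac_digest(key, msg, digestmod), "slow"
```

The second element of the returned tuple only reports which path ran; the MAC itself is identical on both paths, which is what lets the caller treat the fallback as transparent.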