Skip to content

[3.14] gh-136912: fix handling of OverflowError in hmac.digest (GH-136917) #137116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
picnixz merged 2 commits into from
Oct 8, 2025
Merged

[3.14] gh-136912: fix handling of OverflowError in hmac.digest (GH-136917) #137116

picnixz merged 2 commits into from
Oct 8, 2025

Conversation

@picnixz
Copy link
Member

@picnixz picnixz commented Jul 26, 2025
edited by bedevere-app bot
Loading

The OpenSSL and HACL* implementations of HMAC single-shot digest computation reject keys whose length exceeds INT_MAX and UINT32_MAX respectively. The OpenSSL implementation also rejects messages whose length exceed INT_MAX.

Using such keys in hmac.digest previously raised an OverflowError which was propagated to the caller. This commit mitigates this case by making hmac.digest fall back to HMAC's pure Python implementation which accepts arbitrary large keys or messages.

This change only affects the top-level entrypoint hmac.digest, leaving _hashopenssl.hmac_digest and _hmac.compute_digest untouched.

(cherry picked from commit d658b90)

@picnixz
[3.14] pythongh-136912: fix handling of OverflowError in `hmac.dige…
ab852a2 
…st` (pythonGH-136917)

The OpenSSL and HACL* implementations of HMAC single-shot
digest computation reject keys whose length exceeds `INT_MAX`
and `UINT32_MAX` respectively. The OpenSSL implementation
also rejects messages whose length exceed `INT_MAX`.

Using such keys in `hmac.digest` previously raised an `OverflowError`
which was propagated to the caller. This commit mitigates this case by
making `hmac.digest` fall back to HMAC's pure Python implementation
which accepts arbitrary large keys or messages.

This change only affects the top-level entrypoint `hmac.digest`, leaving
`_hashopenssl.hmac_digest` and `_hmac.compute_digest` untouched.
(cherry picked from commit d658b90)

Co-authored-by: Bénédikt Tran <[email protected]>
This was referenced Jul 26, 2025
Closed
Merged
@gpshead gpshead self-assigned this Jul 27, 2025
@gpshead
Copy link
Member

gpshead commented Jul 27, 2025

waiting for 3.14.1

@picnixz picnixz self-assigned this Jul 27, 2025
@vstinner
Copy link
Member

vstinner commented Oct 7, 2025
edited
Loading

@picnixz: Is it still a draft? The 3.14 branch was reopened for 3.14.1 changes.

@picnixz picnixz marked this pull request as ready for review October 8, 2025 09:57
@picnixz picnixz merged commit 8ad6eda into python:3.14 Oct 8, 2025
52 checks passed
@picnixz picnixz deleted the backport-d658b90-3.14 branch October 8, 2025 10:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpshead gpshead gpshead approved these changes

Assignees

@gpshead gpshead

@picnixz picnixz

Labels

None yet

Projects

Release and Deferred blockers 🚫
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@picnixz @gpshead @vstinner