Skip to content

bpo-40645: restrict HMAC key len to INT_MAX #20238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 19, 2020
Merged

bpo-40645: restrict HMAC key len to INT_MAX #20238

merged 1 commit into from
May 19, 2020

Conversation

tiran
Copy link
Member

@tiran tiran commented May 19, 2020
edited by miss-islington
Loading

Signed-off-by: Christian Heimes [email protected]

https://bugs.python.org/issue40645

Automerge-Triggered-By: @tiran

@tiran tiran added skip news needs backport to 3.9 only security fixes labels May 19, 2020
vstinner
vstinner reviewed May 19, 2020
View reviewed changes
Modules/_hashopenssl.c
@@ -1403,6 +1403,12 @@ _hashlib_hmac_new_impl(PyObject *module, Py_buffer *key, PyObject *msg_obj,
HMACobject *self = NULL;
int r;

if (key->len > INT_MAX) {
PyErr_SetString(PyExc_OverflowError,
"key is too long.");
Copy link
Member

@vstinner vstinner May 19, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"2 GB key should be enough for everyone" :-D

vstinner
vstinner approved these changes May 19, 2020
View reviewed changes
Copy link
Member

@vstinner vstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the fix.

@miss-islington miss-islington merged commit aca4670 into python:master May 19, 2020
@miss-islington
Copy link
Contributor

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 3.9.
🐍🍒⛏🤖

@bedevere-bot
Copy link

GH-20245 is a backport of this pull request to the 3.9 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.9 only security fixes label May 19, 2020
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 19, 2020
@tiran @miss-islington
bpo-40645: restrict HMAC key len to INT_MAX (pythonGH-20238)
c54c2c0 
Signed-off-by: Christian Heimes <[email protected]>

Automerge-Triggered-By: @tiran
(cherry picked from commit aca4670)

Co-authored-by: Christian Heimes <[email protected]>
miss-islington added a commit that referenced this pull request May 19, 2020
@miss-islington @tiran
bpo-40645: restrict HMAC key len to INT_MAX (GH-20238)
6ed3743 
Signed-off-by: Christian Heimes <[email protected]>

Automerge-Triggered-By: @tiran
(cherry picked from commit aca4670)

Co-authored-by: Christian Heimes <[email protected]>
arturoescaip pushed a commit to arturoescaip/cpython that referenced this pull request May 24, 2020
@tiran @arturoescaip
bpo-40645: restrict HMAC key len to INT_MAX (pythonGH-20238)
437b893 
Signed-off-by: Christian Heimes <[email protected]>

Automerge-Triggered-By: @tiran
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vstinner vstinner vstinner approved these changes

Assignees
No one assigned
Labels
skip news
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tiran @miss-islington @bedevere-bot @vstinner @the-knights-who-say-ni