bpo-40645: restrict HMAC key len to INT_MAX (GH-20238)
authorChristian Heimes <christian@python.org>
Tue, 19 May 2020 22:35:51 +0000 (00:35 +0200)
committerGitHub <noreply@github.com>
Tue, 19 May 2020 22:35:51 +0000 (15:35 -0700)
Signed-off-by: Christian Heimes <christian@python.org>
Automerge-Triggered-By: @tiran
Modules/_hashopenssl.c

index 36ad6a65d72cf589bab14d5cd8c0bcfb49bc2d35..674bddc090a6f98118267729f49e090b3a0576c6 100644 (file)
@@ -1403,6 +1403,12 @@ _hashlib_hmac_new_impl(PyObject *module, Py_buffer *key, PyObject *msg_obj,
     HMACobject *self = NULL;
     int r;
 
+    if (key->len > INT_MAX) {
+        PyErr_SetString(PyExc_OverflowError,
+                        "key is too long.");
+        return NULL;
+    }
+
     if ((digestmod == NULL) || !strlen(digestmod)) {
         PyErr_SetString(
             PyExc_TypeError, "Missing required parameter 'digestmod'.");
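Review bot: The new `key->len > INT_MAX` guard carries no comment explaining the bound, and the reason only shows in the second hunk, where `key->len` is narrowed with `(int)key->len` for `HMAC_Init_ex`. Without the guard, a longer key would be narrowed by that cast and the MAC keyed with something other than what the caller passed, so the link between the two sites deserves a comment. Above the `if` I would add `/* HMAC_Init_ex() takes the key length as int; reject longer keys rather than let the cast truncate them. */`, and at the cast `/* key->len <= INT_MAX checked above */`, so a later refactor does not separate them unnoticed. The guard also runs before the `digestmod` check, so a call with both an oversized key and a missing `digestmod` now raises OverflowError rather than TypeError; that ordering looks harmless but is worth a conscious decision. `_hashlib_hmac_new_impl` starts and ends outside both hunks.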
@@ -1424,7 +1430,7 @@ _hashlib_hmac_new_impl(PyObject *module, Py_buffer *key, PyObject *msg_obj,
     r = HMAC_Init_ex(
         ctx,
         (const char*)key->buf,
-        key->len,
+        (int)key->len,
         digest,
         NULL /*impl*/);
     if (r == 0) {