From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Tue, 19 May 2020 22:52:54 +0000 (-0700)
Subject: bpo-40645: restrict HMAC key len to INT_MAX (GH-20238)
X-Git-Tag: v3.9.0b2~127
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ed37430d31e915103ab5decd14d757eb2d159d5;p=thirdparty%2FPython%2Fcpython.git

bpo-40645: restrict HMAC key len to INT_MAX (GH-20238)


Signed-off-by: Christian Heimes <christian@python.org>

Automerge-Triggered-By: @tiran
(cherry picked from commit aca4670ad695d4b01c7880fe3d0af817421945bd)

Co-authored-by: Christian Heimes <christian@python.org>
---

diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 36ad6a65d72c..674bddc090a6 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -1403,6 +1403,12 @@ _hashlib_hmac_new_impl(PyObject *module, Py_buffer *key, PyObject *msg_obj,
     HMACobject *self = NULL;
     int r;
 
+    if (key->len > INT_MAX) {
+        PyErr_SetString(PyExc_OverflowError,
+                        "key is too long.");
+        return NULL;
+    }
+
     if ((digestmod == NULL) || !strlen(digestmod)) {
         PyErr_SetString(
             PyExc_TypeError, "Missing required parameter 'digestmod'.");
@@ -1424,7 +1430,7 @@ _hashlib_hmac_new_impl(PyObject *module, Py_buffer *key, PyObject *msg_obj,
     r = HMAC_Init_ex(
         ctx,
         (const char*)key->buf,
-        key->len,
+        (int)key->len,
         digest,
         NULL /*impl*/);
     if (r == 0) {