Closed
Description
Bug report
Bug description:
The following leaks:
```python
def test_leak1(self):
    import _hashlib
    self.assertRaises(TypeError, _hashlib.hmac_new, b"key", 1, "sha256")
```
The issue is in `_hashlib_hmac_new_impl`:
```c
self = PyObject_New(HMACobject, type);
...
if ((msg_obj != NULL) && (msg_obj != Py_None)) {
    if (!_hmac_update(self, msg_obj))
        goto error;
}
return (PyObject *)self;

error:
    if (ctx) HMAC_CTX_free(ctx);
    if (self) PyObject_Free(self);
    return NULL;
```
More precisely, the issue is that we are only calling `PyObject_Free(self)` and we are not decrefing the type. So we need to call `Py_XDECREF(self);` instead and free `ctx` separately if `self` has not already been allocated. Note that the HMAC context is still cleared so we should not leak anything sensitive.
There is also a missing `HMAC_CTX_free` call in `_hmac_digest`, if the copy of the HMAC context fails. Again, there shouldn't be a security issue as the temporary context should still not be initialized on failure (and the secret key is not stored within, hopefully).
CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
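
A constructed C model of the two error paths discussed in the report, added here as an illustration and not CPython's own code: `Type`, `Obj`, `ctx_new`, `ctx_free`, `obj_new` and `obj_xdecref` are hypothetical stand-ins for the heap type, `HMACobject`, the OpenSSL context calls, `PyObject_New` and `Py_XDECREF`. It assumes the elided `...` stores `ctx` in `self`, and shows the raw free leaving one type reference behind while the decref path releases it without freeing the context twice.

```c
/* Constructed model of the ownership rules in the report; not CPython source. */
#include <stdio.h>
#include <stdlib.h>
typedef struct { long refcnt; } Type;                        /* stands in for the heap type */
typedef struct { long refcnt; Type *type; void *ctx; } Obj;  /* stands in for HMACobject */
long live_ctx = 0;  /* contexts allocated and not yet freed */

void *ctx_new(void) { void *c = malloc(16); if (c) live_ctx++; return c; }
void ctx_free(void *c) { if (c) { live_ctx--; free(c); } }

/* Like PyObject_New on a heap type: the instance takes a reference to its type. */
Obj *obj_new(Type *t) {
    Obj *o = malloc(sizeof *o);
    if (o) { o->refcnt = 1; o->type = t; o->ctx = NULL; t->refcnt++; }
    return o;
}

/* Like Py_XDECREF reaching tp_dealloc: frees ctx, then releases the type. */
void obj_xdecref(Obj *o) {
    if (o && --o->refcnt == 0) { ctx_free(o->ctx); o->type->refcnt--; free(o); }
}

/* Error path as reported: self is freed raw, so its type reference is never dropped. */
Obj *new_buggy(Type *t, int update_ok) {
    void *ctx = ctx_new();
    Obj *self = ctx ? obj_new(t) : NULL;
    if (self) { self->ctx = ctx; if (update_ok) return self; }
    ctx_free(ctx);
    free(self);  /* models PyObject_Free(self) */
    return NULL;
}

/* Error path as proposed: decref self; free ctx directly only if self never owned it. */
Obj *new_fixed(Type *t, int update_ok) {
    void *ctx = ctx_new();
    Obj *self = ctx ? obj_new(t) : NULL;
    if (self) { self->ctx = ctx; if (update_ok) return self; }
    if (self) obj_xdecref(self); else ctx_free(ctx);
    return NULL;
}

/* Type references left behind by one failed construction (update_ok = 0). */
long leaked_type_refs(Obj *(*ctor)(Type *, int)) {
    Type t = { 1 };
    ctor(&t, 0);
    return t.refcnt - 1;
}

int main(void) {
    printf("buggy leaks %ld, fixed leaks %ld\n", leaked_type_refs(new_buggy), leaked_type_refs(new_fixed));
    return 0;
}
```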