From 997dbdcacad14c3ea49ef8d1fadf1f2b7e83e03a Mon Sep 17 00:00:00 2001
From: raminfp
Date: Wed, 25 Feb 2026 12:04:13 +0330
Subject: [PATCH 1/4] gh-145200: Fix EVP_MAC_CTX leak in hashlib HMAC on init failure
---
 Lib/test/test_hmac.py | 8 ++++++++
 .../2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst | 3 +++
 Modules/_hashopenssl.c | 1 +
 3 files changed, 12 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
index de4d200374bcea..3d91f1cf74afc8 100644
--- a/Lib/test/test_hmac.py
+++ b/Lib/test/test_hmac.py
@@ -1024,6 +1024,14 @@ def test_hmac_digest_digestmod_parameter(self):
 ):
 self.hmac_digest(b'key', b'msg', value)
+ def test_hmac_new_xof_digestmod(self):
+ # gh-145200: XOF digests (SHAKE) are not supported by HMAC.
+ # Verify that the error path does not leak the EVP_MAC_CTX.
+ for xof_name in ('shake_128', 'shake_256'):
+ with self.subTest(digestmod=xof_name):
+ with self.assertRaises(_hashlib.UnsupportedDigestmodError):
+ self.hmac_new(b'key', digestmod=xof_name)
+
 class BuiltinConstructorTestCase(ThroughBuiltinAPIMixin,
 ExtensionConstructorTestCaseMixin,
diff --git a/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst b/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
new file mode 100644
index 00000000000000..60160cbbddbd20
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
@@ -0,0 +1,3 @@
+Fix memory leak in :mod:`hashlib` HMAC when ``EVP_MAC_init()`` or
+``HMAC_Init_ex()`` fails (e.g., with an XOF digest such as SHAKE). The
+``EVP_MAC_CTX`` is now freed on the error path.
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 77832a768e0cbc..ae1d1c29d6c201 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
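Review bot: In Lib/test/test_hmac.py, the comment in test_hmac_new_xof_digestmod says the test verifies that the error path does not leak the EVP_MAC_CTX, but the body only asserts that `_hashlib.UnsupportedDigestmodError` is raised, so it would pass with or without the C change. A leak of an OpenSSL-allocated context would presumably only show up under a native leak checker, so the second comment line should state that, for example `# Drives the failing-init path; the leak itself is only visible under a native leak checker.` The same comment is carried unchanged into the PATCH 3/4 rewrite of this test. Only the XOF case is exercised, while the non-XOF init failure takes the other branch of the C code; the enclosing test class starts outside the hunk.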
@@ -2103,6 +2103,7 @@ hashlib_HMAC_CTX_new_from_digestmod(_hashlibstate *state,
 PY_EVP_MD_free(md);
 #endif
 if (r == 0) {
+ hashlib_openssl_HMAC_CTX_free(ctx);
 if (is_xof) {
 /* use a better default error message if an XOF is used */
 raise_unsupported_algorithm_error(state, digestmod);
From 38e392bd3e3f0e5e097d0a7aeec0e08f3efc0e16 Mon Sep 17 00:00:00 2001
From: Ramin Farajpour Cami
Date: Wed, 25 Feb 2026 12:16:16 +0330
Subject: [PATCH 2/4] Update Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 .../Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst b/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
index 60160cbbddbd20..b958b190334b36 100644
--- a/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
+++ b/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
@@ -1,3 +1,2 @@
-Fix memory leak in :mod:`hashlib` HMAC when ``EVP_MAC_init()`` or
-``HMAC_Init_ex()`` fails (e.g., with an XOF digest such as SHAKE). The
-``EVP_MAC_CTX`` is now freed on the error path.
+Fix memory leak in :mod:`hashlib` HMAC when allocating
+or initializing the HMAC context fails.
From bfd20ca85319df2f211eb700e3095e071965ce90 Mon Sep 17 00:00:00 2001
From: Ramin Farajpour Cami
Date: Wed, 25 Feb 2026 12:16:26 +0330
Subject: [PATCH 3/4] Update Lib/test/test_hmac.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 Lib/test/test_hmac.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
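Review bot: In Modules/_hashopenssl.c, `hashlib_openssl_HMAC_CTX_free(ctx);` runs before either error is reported, so the failure reporting that follows happens after cleanup. The XOF branch visible here does not use ctx, but the non-XOF branch lies outside the hunk and presumably builds its message from OpenSSL's error queue; placing the free directly before the function's failure return would keep the reporting independent of whatever the free routine does. Whichever placement is kept, a short comment such as `/* ctx is still owned here; release it before the failure return */` would record why the call is needed. The body of hashlib_HMAC_CTX_new_from_digestmod starts and ends outside the hunk, so its other early-exit paths could not be checked for the same leak.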
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
index 3d91f1cf74afc8..8c992b433e843e 100644
--- a/Lib/test/test_hmac.py
+++ b/Lib/test/test_hmac.py
@@ -1024,13 +1024,12 @@ def test_hmac_digest_digestmod_parameter(self):
 ):
 self.hmac_digest(b'key', b'msg', value)
- def test_hmac_new_xof_digestmod(self):
+ @support.subTests("xof_name", ("shake_128", "shake_256"))
+ def test_hmac_new_xof_digestmod(self, xof_name):
 # gh-145200: XOF digests (SHAKE) are not supported by HMAC.
 # Verify that the error path does not leak the EVP_MAC_CTX.
- for xof_name in ('shake_128', 'shake_256'):
- with self.subTest(digestmod=xof_name):
- with self.assertRaises(_hashlib.UnsupportedDigestmodError):
- self.hmac_new(b'key', digestmod=xof_name)
+ with self.assertRaises(_hashlib.UnsupportedDigestmodError):
+ self.hmac_new(b'key', digestmod=xof_name)
 class BuiltinConstructorTestCase(ThroughBuiltinAPIMixin,
From b1755587ad72216c3245ba6feb5f685ac795f1f7 Mon Sep 17 00:00:00 2001
From: Ramin Farajpour Cami
Date: Wed, 25 Feb 2026 12:19:23 +0330
Subject: [PATCH 4/4] Update Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 .../Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst b/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
index b958b190334b36..2fae260377cf73 100644
--- a/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
+++ b/Misc/NEWS.d/next/Library/2026-02-25-10-00-00.gh-issue-145200.m_4PAtcI.rst
@@ -1,2 +1,2 @@
-Fix memory leak in :mod:`hashlib` HMAC when allocating
-or initializing the HMAC context fails.
+:mod:`hashlib`: fix a memory leak when allocating
+or initializing an OpenSSL HMAC context fails.