fix: resource leaks in _new_key_from_parameters() init on 3.x#138
Merged
atoomic merged 1 commit intoMar 24, 2026
Merged
Conversation
On OpenSSL 3.x, the early CHECK_OPEN_SSL() calls for pctx, params_build, and push_BN operations would croak immediately on failure, bypassing the err: cleanup label. This leaked pctx, params_build, and the input BIGNUMs (n, e, d, p, q). Convert to THROW()/goto err which routes through the existing cleanup code. Also initialize `error` to 0 at declaration (was uninitialized before the if(p||q) block). Additionally adds t/pss_auto_promote.t to MANIFEST (missing since cpan-authors#133). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
timlegge
approved these changes
Mar 23, 2026
Member
timlegge
left a comment
timlegge
left a comment
There was a problem hiding this comment.
Reviewed- changes the immediate croak to instead cleanup and free memory as required before croaking.
Standard best practice in line with the design and tested with OpenSSL3 code path and earlier code path
atoomic
approved these changes
Mar 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Fix resource leaks on error paths in
_new_key_from_parameters()early initialization (OpenSSL 3.x), and add missing test file to MANIFEST.Why
On OpenSSL 3.x, if
EVP_PKEY_CTX_new_from_name(),EVP_PKEY_fromdata_init(),OSSL_PARAM_BLD_new(), orOSSL_PARAM_BLD_push_BN()failed during the early setup of_new_key_from_parameters(), the code usedCHECK_OPEN_SSL()which croaks immediately — bypassing theerr:cleanup label. This leakedpctx,params_build, and the input BIGNUMs.How
CHECK_OPEN_SSL()toTHROW()/goto erron the 3.x path, routing failures through the existing cleanup codeerror = 0at declaration (was uninitialized before theif(p||q)block)t/pss_auto_promote.tto MANIFEST (missing since fix: PSS mgf1/saltlen setup for auto-promoted OAEP padding #133)Testing
Full test suite passes (507 tests). The error paths are only reachable under extreme conditions (OOM, corrupted OpenSSL context) — the fix ensures they clean up properly instead of leaking.
🤖 Generated with Claude Code
Quality Report
Changes: 2 files changed, 7 insertions(+), 6 deletions(-)
Code scan: clean
Tests: passed (OK)
Branch hygiene: clean
Generated by Kōan post-mission quality pipeline