Fix resource leaks

JeremiahM37 · JeremiahM37 · commit 38b30efb75a9 · 2026-04-13T14:53:57.000Z
diff --git a/scripts/build_ffi.py b/scripts/build_ffi.py
@@ -650,6 +650,7 @@ def build_ffi(local_wolfssl, features):
             word32 sz, const byte* authIn, word32 authInSz);
         int wc_AesGcmDecryptFinal(Aes* aes, const byte* authTag,
             word32 authTagSz);
+        void wc_AesFree(Aes* aes);
         """
 
     if features["AES"] and features["AES_SIV"]:
@@ -962,6 +963,7 @@ def build_ffi(local_wolfssl, features):
         int wc_PemToDer(const unsigned char* buff, long longSz, int type,
                         DerBuffer** pDer, void* heap, EncryptedInfo* info,
                         int* keyFormat);
+        void wc_FreeDer(DerBuffer** pDer);
         int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz,
                         byte *cipher_info, int type);
         """
diff --git a/wolfcrypt/asn.py b/wolfcrypt/asn.py
@@ -42,7 +42,9 @@ def pem_to_der(pem, pem_type):
             err = "Error converting from PEM to DER. ({})".format(ret)
             raise WolfCryptError(err)
 
-        return _ffi.buffer(der[0][0].buffer, der[0][0].length)[:]
+        result = _ffi.buffer(der[0][0].buffer, der[0][0].length)[:]
+        _lib.wc_FreeDer(der)
+        return result
 
     def der_to_pem(der, pem_type):
         pem_length = _lib.wc_DerToPemEx(der, len(der), _ffi.NULL, 0, _ffi.NULL,
diff --git a/wolfcrypt/ciphers.py b/wolfcrypt/ciphers.py
@@ -191,6 +191,7 @@ def encrypt(self, string):
             self._enc = _ffi.new(self._native_type)
             ret = self._set_key(_ENCRYPTION)
             if ret < 0:  # pragma: no cover
+                self._enc = None
                 raise WolfCryptError("Invalid key error (%d)" % ret)
 
         result = _ffi.new("byte[%d]" % len(string))
@@ -223,6 +224,7 @@ def decrypt(self, string):
             self._dec = _ffi.new(self._native_type)
             ret = self._set_key(_DECRYPTION)
             if ret < 0:  # pragma: no cover
+                self._dec = None
                 raise WolfCryptError("Invalid key error (%d)" % ret)
 
         result = _ffi.new("byte[%d]" % len(string))
@@ -405,11 +407,16 @@ def __init__(self, key, IV, tag_bytes=16):
                 raise ValueError("key must be %s in length, not %d" %
                                  (self._key_sizes, len(key)))
             self._native_object = _ffi.new(self._native_type)
-            _lib.wc_AesInit(self._native_object, _ffi.NULL, -2)
+            ret = _lib.wc_AesInit(self._native_object, _ffi.NULL, -2)
+            if ret < 0:
+                raise WolfCryptError("AES init error (%d)" % ret)
             ret = _lib.wc_AesGcmInit(self._native_object, key, len(key), IV, len(IV))
             if ret < 0:
                 raise WolfCryptError("Init error (%d)" % ret)
 
+        def __del__(self):
+            _lib.wc_AesFree(self._native_object)
+
         def set_aad(self, data):
             """
             Set the additional authentication data for the stream
@@ -497,10 +504,11 @@ def __init__(self, key="", size=32):
             self._dec = None
             self._key = None
             if len(key) > 0:
-                if size not in self._key_sizes:
-                    raise ValueError("Invalid key size %d" % size)
                 self._key = t2b(key)
-                self.key_size = size
+                if len(self._key) not in self._key_sizes:
+                    raise ValueError("key must be %s in length, not %d" %
+                                     (self._key_sizes, len(self._key)))
+                self.key_size = len(self._key)
             self._IV_nonce = []
             self._IV_counter = 0
 
@@ -510,13 +518,13 @@ def _set_key(self, direction):
             if self._enc:
                 ret = _lib.wc_Chacha_SetKey(self._enc, self._key, len(self._key))
                 if ret == 0:
-                    _lib.wc_Chacha_SetIV(self._enc, self._IV_nonce, self._IV_counter)
+                    ret = _lib.wc_Chacha_SetIV(self._enc, self._IV_nonce, self._IV_counter)
                 if ret != 0:
                     return ret
             if self._dec:
                 ret = _lib.wc_Chacha_SetKey(self._dec, self._key, len(self._key))
                 if ret == 0:
-                    _lib.wc_Chacha_SetIV(self._dec, self._IV_nonce, self._IV_counter)
+                    ret = _lib.wc_Chacha_SetIV(self._dec, self._IV_nonce, self._IV_counter)
                 if ret != 0:
                     return ret
             return 0
@@ -627,6 +635,11 @@ class Des3(_Cipher):
         key_size = 24
         _native_type = "Des3 *"
 
+        def __init__(self, key, mode, IV=None):
+            if mode != MODE_CBC:
+                raise ValueError("Des3 only supports MODE_CBC")
+            super().__init__(key, mode, IV)
+
         def _set_key(self, direction):
             if direction == _ENCRYPTION:
                 return _lib.wc_Des3_SetKey(self._enc, self._key,
@@ -2021,7 +2034,6 @@ def decapsulate(self, ct):
             )
 
             if ret < 0:  # pragma: no cover
-                self.native_object = None
                 raise WolfCryptError("wc_KyberKey_Decapsulate() error (%d)" % ret)
 
             return _ffi.buffer(ss, ss_size)[:]
