Add a cleanup function for MDs.
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index c81f6e6..69a0bdb 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -165,6 +165,8 @@
 	/* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
 	 * because sometimes only copies of the context are ever finalised.
 	 */
+	if(ctx->digest && ctx->digest->cleanup)
+		ctx->digest->cleanup(ctx);
 	if(ctx->digest && ctx->digest->ctx_size && ctx->md_data)
 		{
 		memset(ctx->md_data,0,ctx->digest->ctx_size);
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 7f79838..de642c6 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -222,6 +222,7 @@
 	int (*update)(EVP_MD_CTX *ctx,const void *data,unsigned long count);
 	int (*final)(EVP_MD_CTX *ctx,unsigned char *md);
 	int (*copy)(EVP_MD_CTX *to,const EVP_MD_CTX *from);
+	int (*cleanup)(EVP_MD_CTX *ctx);
 
 	/* FIXME: prototype these some day */
 	int (*sign)();
diff --git a/crypto/evp/m_dss.c b/crypto/evp/m_dss.c
index f50b35b..beb8d7f 100644
--- a/crypto/evp/m_dss.c
+++ b/crypto/evp/m_dss.c
@@ -82,6 +82,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_DSA_method,
 	SHA_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA_CTX),
diff --git a/crypto/evp/m_dss1.c b/crypto/evp/m_dss1.c
index be27d63..f5668eb 100644
--- a/crypto/evp/m_dss1.c
+++ b/crypto/evp/m_dss1.c
@@ -82,6 +82,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_DSA_method,
 	SHA_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA_CTX),
diff --git a/crypto/evp/m_md2.c b/crypto/evp/m_md2.c
index 8f95541..50914c8 100644
--- a/crypto/evp/m_md2.c
+++ b/crypto/evp/m_md2.c
@@ -83,6 +83,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_RSA_method,
 	MD2_BLOCK,
 	sizeof(EVP_MD *)+sizeof(MD2_CTX),
diff --git a/crypto/evp/m_md4.c b/crypto/evp/m_md4.c
index 11458ee..8565e5d 100644
--- a/crypto/evp/m_md4.c
+++ b/crypto/evp/m_md4.c
@@ -83,6 +83,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_RSA_method,
 	MD4_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(MD4_CTX),
diff --git a/crypto/evp/m_md5.c b/crypto/evp/m_md5.c
index 69ec8aa..b00a03e 100644
--- a/crypto/evp/m_md5.c
+++ b/crypto/evp/m_md5.c
@@ -83,6 +83,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_RSA_method,
 	MD5_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(MD5_CTX),
diff --git a/crypto/evp/m_mdc2.c b/crypto/evp/m_mdc2.c
index d36a6e3..9f6467c 100644
--- a/crypto/evp/m_mdc2.c
+++ b/crypto/evp/m_mdc2.c
@@ -83,6 +83,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_RSA_ASN1_OCTET_STRING_method,
 	MDC2_BLOCK,
 	sizeof(EVP_MD *)+sizeof(MDC2_CTX),
diff --git a/crypto/evp/m_null.c b/crypto/evp/m_null.c
index fa3a030..f6f0a1d 100644
--- a/crypto/evp/m_null.c
+++ b/crypto/evp/m_null.c
@@ -81,6 +81,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_NULL_method,
 	0,
 	sizeof(EVP_MD *),
diff --git a/crypto/evp/m_ripemd.c b/crypto/evp/m_ripemd.c
index 0bfc04c..6472552 100644
--- a/crypto/evp/m_ripemd.c
+++ b/crypto/evp/m_ripemd.c
@@ -83,6 +83,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_RSA_method,
 	RIPEMD160_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(RIPEMD160_CTX),
diff --git a/crypto/evp/m_sha.c b/crypto/evp/m_sha.c
index acb7a44..10697c7 100644
--- a/crypto/evp/m_sha.c
+++ b/crypto/evp/m_sha.c
@@ -82,6 +82,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_RSA_method,
 	SHA_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA_CTX),
diff --git a/crypto/evp/m_sha1.c b/crypto/evp/m_sha1.c
index ea54ada..d6be350 100644
--- a/crypto/evp/m_sha1.c
+++ b/crypto/evp/m_sha1.c
@@ -82,6 +82,7 @@
 	update,
 	final,
 	NULL,
+	NULL,
 	EVP_PKEY_RSA_method,
 	SHA_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA_CTX),
diff --git a/crypto/evp/openbsd_hw.c b/crypto/evp/openbsd_hw.c
index 550145e..2e4ad10 100644
--- a/crypto/evp/openbsd_hw.c
+++ b/crypto/evp/openbsd_hw.c
@@ -291,6 +291,17 @@
     return 1;
     }
 
+static int dev_crypto_cleanup_digest(MD_DATA *md_data)
+    {
+    if (ioctl(fd,CIOCFSESSION,&md_data->sess.ses) == -1)
+	{
+	err("CIOCFSESSION failed");
+	return 0;
+	}
+
+    return 1;
+    }
+
 /* FIXME: if device can do chained MACs, then don't accumulate */
 /* FIXME: move accumulation to the framework */
 static int dev_crypto_md5_init(EVP_MD_CTX *ctx)
@@ -346,7 +357,7 @@
 	    return 0;
 	    }
 	}
-    printf("done\n");
+    //    printf("done\n");
 
     return 1;
     }
@@ -374,13 +385,15 @@
     if(ctx->flags&EVP_MD_CTX_FLAG_ONESHOT)
 	{
 	memcpy(md,md_data->md,MD5_DIGEST_LENGTH);
-	return 1;
+	ret=1;
 	}
-
-    ret=do_digest(md_data->sess.ses,md,md_data->data,md_data->len);
-    OPENSSL_free(md_data->data);
-    md_data->data=NULL;
-    md_data->len=0;
+    else
+	{
+	ret=do_digest(md_data->sess.ses,md,md_data->data,md_data->len);
+	OPENSSL_free(md_data->data);
+	md_data->data=NULL;
+	md_data->len=0;
+	}
 
     return ret;
     }
@@ -399,6 +412,11 @@
     return 1;
     }
 
+static int dev_crypto_md5_cleanup(EVP_MD_CTX *ctx)
+    {
+    return dev_crypto_cleanup_digest(ctx->md_data);
+    }
+
 static const EVP_MD md5_md=
     {
     NID_md5,
@@ -409,6 +427,7 @@
     dev_crypto_md5_update,
     dev_crypto_md5_final,
     dev_crypto_md5_copy,
+    dev_crypto_md5_cleanup,
     EVP_PKEY_RSA_method,
     MD5_CBLOCK,
     sizeof(MD_DATA),