@@ -89,6 +89,7 @@ int XzCheck_Final(CXzCheck *p, Byte *digest)

     }

     case XZ_CHECK_SHA256:

       EVP_DigestFinal(&p->sha, digest, NULL);

+      EVP_MD_CTX_cleanup(&(p->sha));

       break;

     default:

       return 0;

@@ -706,6 +706,7 @@ SRes XzUnpacker_Code(CXzUnpacker *p, Byte *dest, SizeT *destLen,

             p->indexPos = p->indexPreSize;

             p->indexSize += p->indexPreSize;

             EVP_DigestFinal(&p->sha, p->shaDigest, NULL);

+            EVP_MD_CTX_cleanup(&p->sha);

             EVP_DigestInit(&p->sha, EVP_sha256());

             p->crc = CrcUpdate(CRC_INIT_VAL, p->buf, p->indexPreSize);

             p->state = XZ_STATE_STREAM_INDEX;

@@ -806,6 +807,7 @@ SRes XzUnpacker_Code(CXzUnpacker *p, Byte *dest, SizeT *destLen,

             p->indexSize += 4;

             p->pos = 0;

             EVP_DigestFinal(&p->sha, digest, NULL);

+            EVP_MD_CTX_cleanup(&p->sha);

             if (memcmp(digest, p->shaDigest, SHA256_DIGEST_SIZE) != 0)

               return SZ_ERROR_CRC;

           }

@@ -1025,6 +1025,7 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

 	EVP_DigestUpdate(&ctx, "\x31", 1);

 	EVP_DigestUpdate(&ctx, attrs + 1, attrs_size - 1);

 	EVP_DigestFinal(&ctx, sha1, NULL);

+    EVP_MD_CTX_cleanup(&ctx);

 	if(!fmap_need_ptr_once(map, asn1.content, asn1.size)) {

 	    cli_dbgmsg("asn1_parse_mscat: failed to read encryptedDigest\n");

@@ -1266,11 +1267,13 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

         EVP_DigestUpdate(&ctx, "\x31", 1);

         EVP_DigestUpdate(&ctx, attrs + 1, attrs_size - 1);

         EVP_DigestFinal(&ctx, sha1, NULL);

+        EVP_MD_CTX_cleanup(&ctx);

 	} else {

         EVP_DigestInit(&ctx, EVP_md5());

         EVP_DigestUpdate(&ctx, "\x31", 1);

         EVP_DigestUpdate(&ctx, attrs + 1, attrs_size - 1);

         EVP_DigestFinal(&ctx, sha1, NULL);

+        EVP_MD_CTX_cleanup(&ctx);

 	}

 	if(!fmap_need_ptr_once(map, asn1.content, asn1.size)) {

@@ -938,6 +938,7 @@ int cache_check(unsigned char *hash, cli_ctx *ctx) {

     }

     EVP_DigestFinal(&hashctx, hash, NULL);

+    EVP_MD_CTX_cleanup(&hashctx);

     ret = cache_lookup_hash(hash, map->len, ctx->engine->cache, ctx->recursion);

     cli_dbgmsg("cache_check: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x is %s\n", hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7], hash[8], hash[9], hash[10], hash[11], hash[12], hash[13], hash[14], hash[15], (ret == CL_VIRUS) ? "negative" : "positive");

@@ -131,6 +131,8 @@ unsigned char *cl_hash_data(char *alg, const void *buf, size_t len, unsigned cha

         return NULL;

     }

+    EVP_MD_CTX_cleanup(&ctx);

+

     if ((olen))

         *olen = i;

@@ -215,6 +217,8 @@ unsigned char *cl_hash_file_fd_ctx(EVP_MD_CTX *ctx, int fd, unsigned int *olen)

         return NULL;

     }

+    EVP_MD_CTX_cleanup(&ctx);

+

     if ((olen))

         *olen = hashlen;

@@ -197,6 +197,11 @@ static void cli_tgzload_cleanup(int comp, struct cli_dbio *dbio, int fdd)

         free(dbio->buf);

         dbio->buf = NULL;

     }

+

+    if (dbio->hashctx) {

+        EVP_MD_CTX_destroy(dbio->hashctx);

+        dbio->hashctx = NULL;

+    }

 }

 static int cli_tgzload(int fd, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio, struct cli_dbinfo *dbinfo)

@@ -315,7 +320,14 @@ static int cli_tgzload(int fd, struct cl_engine *engine, unsigned int *signo, un

 	dbio->readsize = dbio->size < dbio->bufsize ? dbio->size : dbio->bufsize - 1;

 	dbio->bufpt = NULL;

 	dbio->readpt = dbio->buf;

-    EVP_DigestInit(&(dbio->hashctx), EVP_sha256());

+    if (!(dbio->hashctx)) {

+        dbio->hashctx = EVP_MD_CTX_create();

+        if (!(dbio->hashctx)) {

+            cli_tgzload_cleanup(compr, dbio, fdd);

+            return CL_EMALFDB;

+        }

+        EVP_DigestInit(dbio->hashctx, EVP_sha256());

+    }

 	dbio->bread = 0;

 	/* cli_dbgmsg("cli_tgzload: Loading %s, size: %u\n", name, size); */

@@ -349,7 +361,8 @@ static int cli_tgzload(int fd, struct cl_engine *engine, unsigned int *signo, un

 			cli_tgzload_cleanup(compr, dbio, fdd);

 			return CL_EMALFDB;

 		    }

-            EVP_DigestFinal(&(dbio->hashctx), hash, NULL);

+            EVP_DigestFinal(dbio->hashctx, hash, NULL);

+            EVP_DigestInit(dbio->hashctx, EVP_sha256());

 		    if(memcmp(db->hash, hash, 32)) {

 			cli_errmsg("cli_tgzload: Invalid checksum for file %s\n", name);

 			cli_tgzload_cleanup(compr, dbio, fdd);

@@ -590,6 +603,8 @@ int cli_cvdload(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigne

 	struct cli_dbinfo *dbinfo = NULL;

 	char *dupname;

+    dbio.hashctx = NULL;

+

     cli_dbgmsg("in cli_cvdload()\n");

     /* verify */

@@ -32,7 +32,7 @@ struct cli_dbio {

     char *buf, *bufpt, *readpt;

     unsigned int usebuf, bufsize, readsize;

     unsigned int chkonly;

-    EVP_MD_CTX hashctx;

+    EVP_MD_CTX *hashctx;

 };

 int cli_cvdload(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int options, unsigned int dbtype, const char *filename, unsigned int chkonly);

@@ -191,6 +191,7 @@ int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n

 	EVP_DigestUpdate(&ctx, digest2, HASH_LEN);

 	EVP_DigestUpdate(&ctx, c, 4);

 	EVP_DigestFinal(&ctx, digest3, NULL);

+    EVP_MD_CTX_cleanup(&ctx);

 	if(i + 1 == rounds)

             memcpy(&data[i * 32], digest3, BLK_LEN - i * HASH_LEN);

 	else

@@ -215,6 +216,7 @@ int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n

     EVP_DigestInit(&ctx, EVP_sha256());

 	EVP_DigestUpdate(&ctx, final, sizeof(final));

 	EVP_DigestFinal(&ctx, digest1, NULL);

+    EVP_MD_CTX_cleanup(&ctx);

     return memcmp(digest1, digest2, HASH_LEN) ? CL_EVERIFY : CL_SUCCESS;

 }

@@ -264,6 +264,7 @@ char *internal_get_host_id(void)

         EVP_DigestUpdate(&ctx, devices[i].mac, sizeof(devices[i].mac));

     EVP_DigestFinal(&ctx, raw_md5, NULL);

+    EVP_MD_CTX_cleanup(&ctx);

     for (i=0; devices[i].name != NULL; i++)

         free(devices[i].name);

@@ -750,8 +750,12 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

     }

     if(ftonly) {

-        if(!troot)

+        if(!troot) {

+            EVP_MD_CTX_cleanup(&md5ctx);

+            EVP_MD_CTX_cleanup(&sha1ctx);

+            EVP_MD_CTX_cleanup(&sha256ctx);

             return CL_CLEAN;

+        }

         maxpatlen = troot->maxpatlen;

     } else {

@@ -769,6 +773,9 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

                 free(info.exeinfo.section);

             cli_hashset_destroy(&info.exeinfo.vinfo);

+            EVP_MD_CTX_cleanup(&md5ctx);

+            EVP_MD_CTX_cleanup(&sha1ctx);

+            EVP_MD_CTX_cleanup(&sha256ctx);

             return ret;

         }

     }

@@ -781,6 +788,9 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

                 free(info.exeinfo.section);

             cli_hashset_destroy(&info.exeinfo.vinfo);

+            EVP_MD_CTX_cleanup(&md5ctx);

+            EVP_MD_CTX_cleanup(&sha1ctx);

+            EVP_MD_CTX_cleanup(&sha256ctx);

             return ret;

         }

         if(troot->bm_offmode) {

@@ -794,6 +804,9 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

                         free(info.exeinfo.section);

                     cli_hashset_destroy(&info.exeinfo.vinfo);

+                    EVP_MD_CTX_cleanup(&md5ctx);

+                    EVP_MD_CTX_cleanup(&sha1ctx);

+                    EVP_MD_CTX_cleanup(&sha256ctx);

                     return ret;

                 }

@@ -860,6 +873,9 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

                     free(info.exeinfo.section);

                 cli_hashset_destroy(&info.exeinfo.vinfo);

+                EVP_MD_CTX_cleanup(&md5ctx);

+                EVP_MD_CTX_cleanup(&sha1ctx);

+                EVP_MD_CTX_cleanup(&sha256ctx);

                 return ret;

             }

         }

@@ -918,14 +934,17 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

     if(!ftonly && hdb) {

         enum CLI_HASH_TYPE hashtype, hashtype2;

-        if(compute_hash[CLI_HASH_MD5])

+        if(compute_hash[CLI_HASH_MD5]) {

             EVP_DigestFinal(&md5ctx, digest[CLI_HASH_MD5], NULL);

+        }

         if(refhash)

             compute_hash[CLI_HASH_MD5] = 1;

-        if(compute_hash[CLI_HASH_SHA1])

+        if(compute_hash[CLI_HASH_SHA1]) {

             EVP_DigestFinal(&sha1ctx, digest[CLI_HASH_SHA1], NULL);

-        if(compute_hash[CLI_HASH_SHA256])

+        }

+        if(compute_hash[CLI_HASH_SHA256]) {

             EVP_DigestFinal(&sha256ctx, digest[CLI_HASH_SHA256], NULL);

+        }

         virname = NULL;

         for(hashtype = CLI_HASH_MD5; hashtype < CLI_HASH_AVAIL_TYPES; hashtype++) {

@@ -982,6 +1001,10 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

         }

     }

+    EVP_MD_CTX_cleanup(&md5ctx);

+    EVP_MD_CTX_cleanup(&sha1ctx);

+    EVP_MD_CTX_cleanup(&sha256ctx);

+

     if(troot) {

         if(ret != CL_VIRUS || SCAN_ALL)

             ret = cli_lsig_eval(ctx, troot, &tdata, &info, refhash);

@@ -877,6 +877,7 @@ char *cli_hashstream(FILE *fs, unsigned char *digcpy, int type)

         EVP_DigestUpdate(&ctx, buff, bytes);

     EVP_DigestFinal(&ctx, digest, &size);

+    EVP_MD_CTX_cleanup(&ctx);

     if(!(hashstr = (char *) cli_calloc(size*2 + 1, sizeof(char))))

         return NULL;

@@ -2927,6 +2927,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

     }

     cli_qsort(exe_sections, nsections, sizeof(*exe_sections), sort_sects);

+    EVP_DigestInit(&hashctx, EVP_sha1());

     if (flags & CL_CHECKFP_PE_FLAG_AUTHENTICODE) {

         /* Check to see if we have a security section. */

@@ -2935,11 +2936,10 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

                 /* If stats is enabled, continue parsing the sample */

                 flags ^= CL_CHECKFP_PE_FLAG_AUTHENTICODE;

             } else {

+                EVP_MD_CTX_cleanup(&hashctx);

                 return CL_BREAK;

             }

         }

-

-        EVP_DigestInit(&hashctx, EVP_sha1());

     }

 #define hash_chunk(where, size, isStatAble, section) \

@@ -2957,6 +2957,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

             EVP_DigestInit(&md5ctx, EVP_md5()); \

             EVP_DigestUpdate(&md5ctx, hptr, size); \

             EVP_DigestFinal(&md5ctx, hashes->sections[section].md5, NULL); \

+            EVP_MD_CTX_cleanup(&md5ctx); \

         } \

     } while(0)

@@ -2981,6 +2982,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

                 break;

             } else {

                 free(exe_sections);

+                EVP_MD_CTX_cleanup(&hashctx);

                 return CL_EFORMAT;

             }

         }

@@ -3012,6 +3014,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

                     break;

                 } else {

                     free(exe_sections);

+                    EVP_MD_CTX_cleanup(&hashctx);

                     return CL_EFORMAT;

                 }

             }

@@ -3042,8 +3045,10 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

         hlen -= 8;

+        EVP_MD_CTX_cleanup(&hashctx);

         return asn1_check_mscat((struct cl_engine *)(ctx->engine), map, at + 8, hlen, authsha1);

     } else {

+        EVP_MD_CTX_cleanup(&hashctx);

         return CL_VIRUS;

     }

 }

@@ -1208,6 +1208,7 @@ static int hash_match(const struct regex_matcher *rlist, const char *host, size_

         EVP_DigestUpdate(&sha256, host, hlen);

         EVP_DigestUpdate(&sha256, path, plen);

         EVP_DigestFinal(&sha256, sha256_dig, NULL);

+        EVP_MD_CTX_cleanup(&sha256);

 	    for(i=0;i<32;i++) {

 		h[2*i] = hexchars[sha256_dig[i]>>4];

@@ -420,7 +420,8 @@ char *cli_dbgets(char *buff, unsigned int size, FILE *fs, struct cli_dbio *dbio)

 		dbio->bufpt = dbio->buf;

 		dbio->size -= bread;

 		dbio->bread += bread;

-        EVP_DigestUpdate(&(dbio->hashctx), dbio->readpt, bread);

+        if (dbio->hashctx)

+            EVP_DigestUpdate(dbio->hashctx, dbio->readpt, bread);

 	    }

 	    if(dbio->chkonly && dbio->bufpt) {

 		dbio->bufpt = NULL;

@@ -477,7 +478,8 @@ char *cli_dbgets(char *buff, unsigned int size, FILE *fs, struct cli_dbio *dbio)

 	bs = strlen(buff);

 	dbio->size -= bs;

 	dbio->bread += bs;

-    EVP_DigestUpdate(&(dbio->hashctx), buff, bs);

+    if (dbio->hashctx)

+        EVP_DigestUpdate(dbio->hashctx, buff, bs);

 	return pt;

     }

 }

@@ -370,6 +370,7 @@ static void xar_hash_final(EVP_MD_CTX * hash_ctx, void * result, int hash)

     }

     EVP_DigestFinal(hash_ctx, result, NULL);

+    EVP_MD_CTX_cleanup(hash_ctx);

 }

 static int xar_hash_check(int hash, const void * result, const void * expected)

@@ -64,13 +64,3 @@

     fun:sendmmsg

     ...

 }

-{

-    openssl-leak-01

-    Memcheck:Leak

-    fun:malloc

-    ...

-    fun:CRYPTO_malloc

-    ...

-    fun:EVP_DigestInit_ex

-    ...

-}