7 files changed, 664 insertions, 220 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 563b347..2398eaf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - C# .NET 8.0 library wrapper for noscrypt
 - Full NIP44 vector testing for encryption
+- Valgrind memory checking during unit testing
+- Added CI testing for Windows and Linux deployments
+
+### Fixed
+- Convert all OpenSSL apis to use the EVP api and unify it's usage. Also fixes some detected memory leaks that were undocumented.
 
 ## [0.1.5]
 
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..68d96ac
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,34 @@
+
+# Security Policy
+
+Please follow the [official issues page](https://www.vaughnnugent.com/resources/software/modules/noscrypt-issues) 
+for progress on all security related issues.
+
+## Supported Versions
+
+Noscrypt is in pre-release and is not yet considered completely stable,
+security fixes will be issued as soon as possible and rolled into the next release.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| > 0.1.1 | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+Vulnerabilities should be reported by email to vnpublic[at]proton.me or by submitting a 
+private vulnerability report on [GitHub](https://github.com/VnUgE/noscrypt/security). 
+Email is preferred for the fastest response.
+
+Security reports are greatly appreciated and will be handled with the highest priority,
+as noscrypt is cryptography infrastructure software. You should hear back within 48 hours
+but this can vary because I'm just a single person who also has responsibilities.
+
+Please contact me as soon as possible if you believe you have found a security vulnerability 
+in noscrypt, preferably before disclosing the issue publicly. I will keep you informed about
+the progress of the fix and disclosure.
+ 
+
+## Notices
+I will attempt to update the [changelog](CHANGELOG.md) with security fixes as they are completed
+and close issues as they are resolved. If you have any questions or concerns about the security
+of noscrypt, please contact me at the email address above.
diff --git a/Taskfile.yaml b/Taskfile.yaml
index b19a135..ea12599 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -37,7 +37,19 @@ tasks:
     cmds:
      - task: build-debug
      - cmd: cd {{ .CMAKE_BUILD_DIR }} && ctest -C Debug --verbose
-  
+
+  dev:
+    watch: true
+    sources:
+      - include/*
+      - src/*
+      - src/*/* 
+      - tests/*
+      - CMakelists.txt
+      - vendor/* 
+    cmds:
+     - task: test-dev
+
   test-mbedtls:
     desc: "Builds and runs tests for noscrypt using the mbedtls crypto library for the current platform"
     cmds:
@@ -55,6 +67,7 @@ tasks:
      - task: compile
        vars: { BUILD_CONFIG: 'Debug' }
      - cmd: cd {{ .CMAKE_BUILD_DIR }} && ctest -C Debug --verbose --output-on-failure
+     - task: memcheck
 
   build-internal:
     internal: true
@@ -84,7 +97,24 @@ tasks:
      - cmd: echo "Installing noscrypt globally"
        silent: true
      - cmd: cmake --install {{ .CMAKE_BUILD_DIR }} {{ .CLI_ARGS }}
-
+   
+  #Test executable and library must be built for tests to run
+  memcheck:
+    desc: 'Runs Valgrind memcheck in debug mode against the nctest executable (Linux only)'
+    platforms:
+      - linux 
+    preconditions:
+      - which valgrind
+    cmds:
+     - cmd: echo "Running valgrind memory check on test executable"
+       silent: true
+     - cmd: 
+         valgrind 
+         --tool=memcheck
+         --leak-check=full 
+         --show-leak-kinds=all 
+         --track-origins=yes 
+         {{ .CMAKE_BUILD_DIR }}/{{ .TEST_EXE_NAME }}
 
 #CI ONLY!!
 
diff --git a/src/nc-util.h b/src/nc-util.h
index 36d26de..02228fb 100644
--- a/src/nc-util.h
+++ b/src/nc-util.h
@@ -207,14 +207,22 @@ static _nc_fn_inline span_t ncSpanSlice(span_t span, uint32_t offset, uint32_t s
 	span_t slice;
 
 	DEBUG_ASSERT2(ncSpanIsValid(span),	"Expected span to be non-null");
-	DEBUG_ASSERT2(offset + size <= span.size, "Expected offset + size to be less than span size")
+	DEBUG_ASSERT2(offset + size <= span.size, "Expected offset + size to be less than span size");
 
-	/* Initialize slice, offset input data by the specified offset */
-	ncSpanInit(
-		&slice, 
-		ncSpanGetOffset(span, offset), 
-		size
-	);
+	/* If the size of the sliced span is 0 return an empty span */
+	if (size == 0)
+	{
+		ncSpanInit(&slice, NULL, 0);
+	}
+	else
+	{
+		/* Initialize slice, offset input data by the specified offset */
+		ncSpanInit(
+			&slice,
+			ncSpanGetOffset(span, offset),
+			size
+		);
+	}
 
 	return slice;
 }
@@ -226,12 +234,20 @@ static _nc_fn_inline cspan_t ncSpanSliceC(cspan_t span, uint32_t offset, uint32_
 	DEBUG_ASSERT2(ncSpanIsValidC(span), "Expected span to be non-null");
 	DEBUG_ASSERT2(offset + size <= span.size, "Expected offset + size to be less than span size")
 
-	/* Initialize slice, offset input data by the specified offset */
-	ncSpanInitC(
-		&slice, 
-		ncSpanGetOffsetC(span, offset), 
-		size
-	);
+	/* If the size of the sliced span is 0 return an empty span */
+	if (size == 0)
+	{
+		ncSpanInitC(&slice, NULL, 0);
+	}
+	else
+	{
+		/* Initialize slice, offset input data by the specified offset */
+		ncSpanInitC(
+			&slice,
+			ncSpanGetOffsetC(span, offset),
+			size
+		);
+	}
 
 	return slice;
 }
diff --git a/src/providers/openssl-helpers.c b/src/providers/openssl-helpers.c
new file mode 100644
index 0000000..5369457
--- /dev/null
+++ b/src/providers/openssl-helpers.c
@@ -0,0 +1,388 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Package: noscrypt
+* File: providers/openssl-helpers.c
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public License
+* as published by the Free Software Foundation; either version 2.1
+* of the License, or  (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public License
+* along with noscrypt. If not, see http://www.gnu.org/licenses/.
+*/
+
+
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+
+#define OSSL_SHA256 "SHA2-256"
+#define OSSL_HMAC "hmac"
+#define OSSL_CHACHA20 "ChaCha20"
+
+
+typedef enum {
+	
+	EvpStateTypeInvalid,
+
+	EvpStateTypeDigest,
+	
+	EvpStateTypeMac,
+
+	EvpStateTypeCipher
+
+} _evp_state_type;
+
+struct ossl_evp_state {
+	void* _context;
+	void* _providerHandle;	
+
+	_evp_state_type type;
+
+	cspan_t _prk;
+};
+
+
+_IMPLSTB EVP_MAC_CTX* _osslEvpGetMacContext(const struct ossl_evp_state* state)
+{
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(state->type == EvpStateTypeMac);
+
+	return (EVP_MAC_CTX*)state->_context;
+}
+
+_IMPLSTB EVP_MD_CTX* _osslEvpGetMdContext(const struct ossl_evp_state* state)
+{
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(state->type == EvpStateTypeDigest);
+
+	return (EVP_MD_CTX*)state->_context;
+}
+
+_IMPLSTB EVP_CIPHER_CTX* _osslEvpGetCipherContext(const struct ossl_evp_state* state)
+{
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(state->type == EvpStateTypeCipher);
+
+	return (EVP_CIPHER_CTX*)state->_context;
+}
+
+_IMPLSTB cspan_t _osslEvpGetPrk(const struct ossl_evp_state* state)
+{
+	DEBUG_ASSERT(state != NULL);
+
+	return state->_prk;
+}
+
+_IMPLSTB void _osslEvpSetPrk(struct ossl_evp_state* state, cspan_t prk)
+{
+	DEBUG_ASSERT(state != NULL);
+
+	state->_prk = prk;
+}
+
+_IMPLSTB cstatus_t _osslEvpUpdate(const struct ossl_evp_state* state, cspan_t data)
+{
+	int result;
+
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(state->_context != NULL);
+
+	result = 0;
+
+	switch (state->type)
+	{
+	case EvpStateTypeDigest:
+		result = EVP_DigestUpdate(
+			_osslEvpGetMdContext(state),
+			ncSpanGetOffsetC(data, 0),
+			ncSpanGetSizeC(data)
+		);
+		break;
+
+	case EvpStateTypeMac:
+		result = EVP_MAC_update(
+			_osslEvpGetMacContext(state),
+			ncSpanGetOffsetC(data, 0),
+			ncSpanGetSizeC(data)
+		);
+		break;
+		/* Cipher is not supported by this api */
+	default:
+		DEBUG_ASSERT2(0, "Called update on an invalid state type");
+		break;
+	}
+
+	return (cstatus_t)(result != 0);
+}
+
+_IMPLSTB cstatus_t _osslEvpCipherUpdate(
+	const struct ossl_evp_state* state, 
+	cspan_t input, 
+	span_t output, 
+	int* bytesConsumed
+)
+{
+	int result;
+
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(state->_context != NULL);
+	DEBUG_ASSERT(state->type == EvpStateTypeCipher);
+
+	result = EVP_EncryptUpdate(
+		_osslEvpGetCipherContext(state),
+		ncSpanGetOffset(output, 0),
+		bytesConsumed,
+		ncSpanGetOffsetC(input, 0),
+		ncSpanGetSizeC(input)
+	);
+
+	return (cstatus_t)(result != 0);
+}
+
+_IMPLSTB cstatus_t __digestFinal(const struct ossl_evp_state* state, span_t out)
+{
+	int result;
+	unsigned int mdOut;
+
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(state->type == EvpStateTypeDigest);
+
+	mdOut = ncSpanGetSize(out);
+
+	/* If the output span is empty, nothing to do */
+	if (mdOut == 0)
+	{
+		return CSTATUS_OK;
+	}
+
+	result = EVP_DigestFinal_ex(
+		_osslEvpGetMdContext(state),
+		ncSpanGetOffset(out, 0),
+		&mdOut
+	);
+
+	return (cstatus_t)(result != 0 && mdOut == ncSpanGetSize(out));
+}
+
+_IMPLSTB cstatus_t __macFinal(const struct ossl_evp_state* state, span_t out)
+{
+	int result;
+	size_t macOut;
+
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(state->type == EvpStateTypeMac);
+
+	macOut = ncSpanGetSize(out);
+
+	/* If the output span is empty, nothing to do */
+	if (macOut == 0)
+	{
+		return CSTATUS_OK;
+	}
+
+	result = EVP_MAC_final(
+		_osslEvpGetMacContext(state),
+		ncSpanGetOffset(out, 0),
+		&macOut,
+		macOut
+	);
+
+	return (cstatus_t)(result != 0 && macOut == ncSpanGetSize(out));
+}
+
+_IMPLSTB cstatus_t __cipherFinal(const struct ossl_evp_state* state, span_t out)
+{
+	int result, cipherOut;
+
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(state->type == EvpStateTypeCipher);
+	
+	/* guard small integer overflow */
+	if (ncSpanGetSize(out) > INT_MAX)
+	{
+		return CSTATUS_FAIL;
+	}
+
+	cipherOut = (int)ncSpanGetSize(out);
+
+	/* If the output span is empty, nothing to do */
+	if (cipherOut == 0)
+	{
+		return CSTATUS_OK;
+	}
+
+	result = EVP_CipherFinal_ex(
+		_osslEvpGetCipherContext(state),
+		ncSpanGetOffset(out, 0),
+		&cipherOut
+	);
+
+	return (cstatus_t)(result != 0 && cipherOut >= 0 && (uint32_t)cipherOut == ncSpanGetSize(out));
+}
+
+static cstatus_t _osslEvpFinal(const struct ossl_evp_state* state, span_t out)
+{
+	DEBUG_ASSERT(state != NULL);
+
+	switch (state->type)
+	{
+	case EvpStateTypeDigest:
+		return __digestFinal(state, out);
+
+	case EvpStateTypeMac:
+		return __macFinal(state, out);
+
+	case EvpStateTypeCipher:
+		return __cipherFinal(state, out);
+
+	default:
+		break;
+	}
+
+	/*
+	* If the result is non-zero and the hash length is equal to the output
+	* buffer size, return success, otherwise return failure.
+	*/
+
+	return CSTATUS_FAIL;
+}
+
+_IMPLSTB cstatus_t _osslEvpMacInit(const struct ossl_evp_state* state, const OSSL_PARAM* params)
+{
+	int result;
+
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(state->type == EvpStateTypeMac);
+	DEBUG_ASSERT(ncSpanIsValidC(state->_prk));
+
+	result = EVP_MAC_init(
+		_osslEvpGetMacContext(state),
+		ncSpanGetOffsetC(state->_prk, 0),
+		ncSpanGetSizeC(state->_prk),
+		params
+	);
+
+	return (cstatus_t)(result != 0);
+}
+
+_IMPLSTB cstatus_t _osslEvpCipherInit(const struct ossl_evp_state* state, cspan_t key, cspan_t iv)
+{
+	int osslResult;
+	const EVP_CIPHER* cipher;
+
+	DEBUG_ASSERT(state != NULL);
+
+	cipher = (const EVP_CIPHER*)state->_providerHandle;
+
+	/*
+	* Sanity check on key and IV sizes for the created
+	* cipher
+	*/
+	DEBUG_ASSERT((uint32_t)EVP_CIPHER_get_key_length(cipher) == ncSpanGetSizeC(key));
+	DEBUG_ASSERT((uint32_t)EVP_CIPHER_iv_length(cipher) == ncSpanGetSizeC(iv));
+
+	osslResult = EVP_EncryptInit_ex2(
+		_osslEvpGetCipherContext(state),
+		cipher,
+		ncSpanGetOffsetC(key, 0),
+		ncSpanGetOffsetC(iv, 0),
+		NULL
+	);
+
+	return (cstatus_t)(osslResult != 0);
+}
+
+_IMPLSTB void _osslEvpFree(struct ossl_evp_state* state)
+{
+	DEBUG_ASSERT(state != NULL);
+
+	switch (state->type)
+	{
+	case EvpStateTypeDigest:
+		if (state->_context) EVP_MD_CTX_free(state->_context);
+		if (state->_providerHandle) EVP_MD_free(state->_providerHandle);
+		break;
+	case EvpStateTypeMac:
+		if (state->_context) EVP_MAC_CTX_free(state->_context);
+		if (state->_providerHandle) EVP_MAC_free(state->_providerHandle);
+		break;
+	case EvpStateTypeCipher:
+		if (state->_context) EVP_CIPHER_CTX_free(state->_context);
+		if (state->_providerHandle) EVP_CIPHER_free(state->_providerHandle);
+		break;
+	default:
+		break;
+	}
+}
+
+_IMPLSTB cstatus_t _osslEvpInit(
+	struct ossl_evp_state* state,
+	_evp_state_type type,
+	const char* providerName
+)
+{
+	DEBUG_ASSERT(state != NULL);
+	DEBUG_ASSERT(providerName != NULL);
+
+	state->type = type;
+
+	switch (type)
+	{
+	case EvpStateTypeDigest:
+		state->_providerHandle = EVP_MD_fetch(NULL, providerName, NULL);
+		state->_context = EVP_MD_CTX_new();		
+		break;
+	case EvpStateTypeMac:
+
+		state->_providerHandle = EVP_MAC_fetch(NULL, providerName, NULL);
+
+		if (state->_providerHandle)
+		{
+			state->_context = EVP_MAC_CTX_new((EVP_MAC*)(state->_providerHandle));
+		}
+
+		break;
+	case EvpStateTypeCipher:
+		state->_providerHandle = EVP_CIPHER_fetch(NULL, providerName, NULL);
+		state->_context = EVP_CIPHER_CTX_new();
+		break;
+
+	default:
+		return CSTATUS_FAIL;
+	}
+
+	/*
+	* Ensure allocations succeded, otherwise free the context
+	* and return a failure status.
+	*/
+	if (state->_providerHandle == NULL || state->_context == NULL)
+	{		
+		return CSTATUS_FAIL;
+	}
+
+	/*
+	* If the type is a digest, initialize the digest context
+	*/
+	if (type == EvpStateTypeDigest)
+	{
+		if (
+			!EVP_DigestInit_ex(
+				_osslEvpGetMdContext(state),
+				(EVP_MD*)state->_providerHandle,
+				NULL
+			)
+		)
+		{
+			return CSTATUS_FAIL;
+		}
+	}
+
+	return CSTATUS_OK;
+}
diff --git a/src/providers/openssl.c b/src/providers/openssl.c
index c2933fb..925386d 100644
--- a/src/providers/openssl.c
+++ b/src/providers/openssl.c
@@ -22,13 +22,7 @@
 /* Setup openssl */
 #ifdef OPENSSL_CRYPTO_LIB
 
-#include <openssl/crypto.h>
-
-#define _OSSL_FAIL(x) if(!(x)) return CSTATUS_FAIL;
-
-#define ossl_md_sha256() EVP_MD_fetch(NULL, "SHA2-256", NULL)
-#define ossl_evp_fetch_chacha20() EVP_CIPHER_fetch(NULL, "ChaCha20", NULL)
-#define ossl_mac_fetch_hmac() EVP_MAC_fetch(NULL, "hmac", NULL)
+#include "openssl-helpers.c"
 
 #ifndef _IMPL_SECURE_ZERO_MEMSET
 
@@ -63,171 +57,188 @@
 
 #ifndef _IMPL_CRYPTO_SHA256_DIGEST	
 
-	#include <openssl/sha.h>
-
 	#define _IMPL_CRYPTO_SHA256_DIGEST			_ossl_sha256_digest	
 
 	_IMPLSTB cstatus_t _ossl_sha256_digest(cspan_t data, sha256_t digestOut32)
 	{
-		_overflow_check(data.size);
+		cstatus_t result;
+		span_t digestSpan;
+		struct ossl_evp_state evpState;		
 
 		DEBUG_ASSERT(digestOut32 != NULL);
 		DEBUG_ASSERT(ncSpanIsValidC(data));
 
-		_OSSL_FAIL(
-			SHA256(
-				ncSpanGetOffsetC(data, 0),
-				ncSpanGetSizeC(data),
-				digestOut32
-			)
-		);
+		result = CSTATUS_FAIL;
+
+		_overflow_check(data.size);
+
+		ncSpanInit(&digestSpan, digestOut32, sizeof(sha256_t));
+
+		/*
+		* Allocate and initalize the context
+		*/
+		if (!_osslEvpInit(&evpState, EvpStateTypeDigest, OSSL_SHA256))
+		{
+			goto Cleanup;
+		}
+
+		if (!_osslEvpUpdate(&evpState, data))
+		{
+			goto Cleanup;
+		}
 
-		return CSTATUS_OK;
+		if (!_osslEvpFinal(&evpState, digestSpan))
+		{
+			goto Cleanup;
+		}
+
+		result = CSTATUS_OK;
+
+	Cleanup:
+
+		_osslEvpFree(&evpState);
+
+		return result;
 	}
 
 #endif
 
 #ifndef _IMPL_CRYPTO_SHA256_HMAC
 
-	#include <openssl/hmac.h>
-
 	/* Export function */
 	#define _IMPL_CRYPTO_SHA256_HMAC			_ossl_hmac_sha256	
 	
 	_IMPLSTB cstatus_t _ossl_hmac_sha256(cspan_t key, cspan_t data, sha256_t hmacOut32)
 	{
-		unsigned int hmacLen;
+		cstatus_t result;
+		span_t digestSpan;	
+		OSSL_PARAM params[2];
+		struct ossl_evp_state evpState;
+
+		result = CSTATUS_FAIL;
 
 		_overflow_check(key.size)
 		_overflow_check(data.size)
 
-		hmacLen = sizeof(sha256_t);
-
-		_OSSL_FAIL(
-			HMAC(
-				ossl_md_sha256(),
-				ncSpanGetOffsetC(key, 0),
-				ncSpanGetSizeC(key),
-				ncSpanGetOffsetC(data, 0),
-				ncSpanGetSizeC(data),
-				hmacOut32,
-				&hmacLen
-			)
-		);
+		ncSpanInit(&digestSpan, hmacOut32, sizeof(sha256_t));
+
+		/*
+		* Allocate and initalize the context
+		*/
+		if (!_osslEvpInit(&evpState, EvpStateTypeMac, OSSL_HMAC))
+		{
+			goto Cleanup;
+		}
+
+		/*
+		* To use HMAC the digest parameters must be set
+		* before the context can be initialized
+		*/
+
+		params[0] = OSSL_PARAM_construct_utf8_string("digest", "sha256", 0);
+		params[1] = OSSL_PARAM_construct_end();
+
+		/*
+		* PRK Data must be assigned before the hmac 
+		* can be initialized
+		*/
+
+		_osslEvpSetPrk(&evpState, key);
+	
+		if (!_osslEvpMacInit(&evpState, params))
+		{
+			goto Cleanup;
+		}
+
+		if (!_osslEvpUpdate(&evpState, data))
+		{
+			goto Cleanup;
+		}
+
+		if (!_osslEvpFinal(&evpState, digestSpan))
+		{
+			goto Cleanup;
+		}
 		
-		/* digest length should match the actual digest size */
-		DEBUG_ASSERT(hmacLen == sizeof(sha256_t));
+		result = CSTATUS_OK;
+
+	Cleanup:
 
-		return CSTATUS_OK;
+		_osslEvpFree(&evpState);
+
+		return result;
 	}
 
 #endif /* !_IMPL_CRYPTO_SHA256_HMAC */
 
 #ifndef _IMPL_CRYPTO_SHA256_HKDF_EXPAND
-	
-	#include <openssl/evp.h>
 
 	#define _IMPL_CRYPTO_SHA256_HKDF_EXPAND		_ossl_sha256_hkdf_expand
 
-	struct ossl_hmac_state {
-		EVP_MAC_CTX* libCtx;
+	struct _hkdf_state {
 		OSSL_PARAM params[2];
-		cspan_t prk; 
+		struct ossl_evp_state evpState;
 	};
 
-	static cstatus_t _ossl_hmac_init(const struct ossl_hmac_state* osslCtx)
-	{
-		DEBUG_ASSERT(ncSpanIsValidC(osslCtx->prk));
-		DEBUG_ASSERT(osslCtx->params != NULL);
-
-		_OSSL_FAIL(
-			EVP_MAC_init(
-				osslCtx->libCtx,
-				ncSpanGetOffsetC(osslCtx->prk, 0),
-				ncSpanGetSizeC(osslCtx->prk),
-				osslCtx->params
-			)
-		);
-
-		return CSTATUS_OK;
-	}
-
 	static cstatus_t _ossl_hkdf_update(void* ctx, cspan_t data)
 	{
-		const struct ossl_hmac_state* osslCtx;
+		const struct _hkdf_state* state;
 
 		DEBUG_ASSERT(ctx != NULL);
-		_overflow_check(data.size);
-
-		osslCtx = (const struct ossl_hmac_state*)ctx;
 
-		DEBUG_ASSERT(osslCtx->libCtx != NULL);
+		state = (const struct _hkdf_state*)ctx;
 
-		_OSSL_FAIL(
-			EVP_MAC_update(
-				osslCtx->libCtx,
-				ncSpanGetOffsetC(data, 0),
-				ncSpanGetSizeC(data)
-			)
+		return _osslEvpUpdate(
+			&state->evpState, 
+			data
 		);
-		
-		return CSTATUS_OK;
 	}
 
 	static cstatus_t _ossl_hkdf_finish(void* ctx, sha256_t hmacOut32)
 	{
-		const struct ossl_hmac_state* osslCtx;
-		size_t hmacSize;
+		span_t hmacSpan;
+		const struct _hkdf_state* state;
 
 		DEBUG_ASSERT(ctx != NULL);
 		DEBUG_ASSERT(hmacOut32 != NULL);
 
-		osslCtx = (const struct ossl_hmac_state*)ctx;
-		hmacSize = 0;
-
-		DEBUG_ASSERT(osslCtx->libCtx != NULL);
-
-		_OSSL_FAIL(
-			EVP_MAC_final(
-				osslCtx->libCtx,
-				hmacOut32,
-				&hmacSize,
-				sizeof(sha256_t)
-			)
-		);
+		state = (const struct _hkdf_state*)ctx;
+		ncSpanInit(&hmacSpan, hmacOut32, sizeof(sha256_t));
 
-		/* When configured for sha256, should always be the same size in/out */
-		DEBUG_ASSERT(hmacSize == sizeof(sha256_t));		
+		if (!_osslEvpFinal(&state->evpState, hmacSpan))
+		{
+			return CSTATUS_FAIL;
+		}
 
 		/* 
 		* Context must be re-initalized after finalize
 		* See lifecycle https://docs.openssl.org/3.0/man7/life_cycle-mac/#copyright
 		*/
 
-		return _ossl_hmac_init(osslCtx);
+		return _osslEvpMacInit(&state->evpState, state->params);
 	}
 	
 
 	_IMPLSTB cstatus_t _ossl_sha256_hkdf_expand(cspan_t prk, cspan_t info, span_t okm)
 	{
-		EVP_MAC* mac;
 		cstatus_t result;
-		struct ossl_hmac_state hkdfState;
+		struct _hkdf_state state;
 		struct nc_hkdf_fn_cb_struct handler;		
 
 		result = CSTATUS_FAIL;
 
 		handler.update = _ossl_hkdf_update;
 		handler.finish = _ossl_hkdf_finish;
-	
-		_overflow_check(prk.size);
+		
 		_overflow_check(info.size);
 		_overflow_check(okm.size);
 
-		hkdfState.params[0] = OSSL_PARAM_construct_utf8_string("digest", "sha256", 0);
-		hkdfState.params[1] = OSSL_PARAM_construct_end();
-
-		hkdfState.prk = prk;
+		/*
+		* PRK Must be set before any call to MacInit
+		*
+		* Params must also be set for sha256 digest for mac
+		*/
+		_osslEvpSetPrk(&state.evpState, prk);
 
 		/*
 		* Silly openssl stuff. Enable hmac with sha256 using the system default
@@ -235,34 +246,28 @@
 		* we need to call update multiple times.
 		*/
 
-		mac = ossl_mac_fetch_hmac();
-
-		if (mac == NULL)
-		{
-			goto Cleanup;
-		}
-
-		hkdfState.libCtx = EVP_MAC_CTX_new(mac);
+		state.params[0] = OSSL_PARAM_construct_utf8_string("digest", "sha256", 0);
+		state.params[1] = OSSL_PARAM_construct_end();
 
-		if (hkdfState.libCtx == NULL)
+		if (!_osslEvpInit(&state.evpState, EvpStateTypeMac, OSSL_HMAC))
 		{
 			goto Cleanup;
 		}
 
-		if (_ossl_hmac_init(&hkdfState) != CSTATUS_OK)
+		if (_osslEvpMacInit(&state.evpState, state.params) != CSTATUS_OK)
 		{
 			goto Cleanup;
 		}
 
-		DEBUG_ASSERT(EVP_MAC_CTX_get_mac_size(hkdfState.libCtx) == sizeof(sha256_t));
+		/* Sanity check mac size */
+		DEBUG_ASSERT(EVP_MAC_CTX_get_mac_size(_osslEvpGetMacContext(&state.evpState)) == sizeof(sha256_t));
 
-		/* Pass the library  */
-		result = hkdfExpandProcess(&handler, &hkdfState, info, okm);
+		/* Pass to the library  */
+		result = hkdfExpandProcess(&handler, &state, info, okm);
 
 	Cleanup:
-		
-		if (hkdfState.libCtx) EVP_MAC_CTX_free(hkdfState.libCtx);
-		if (mac) EVP_MAC_free(mac);
+
+		_osslEvpFree(&state.evpState);
 
 		return result;
 	}
@@ -271,84 +276,8 @@
 
 #ifndef _IMPL_CHACHA20_CRYPT
 
-    #include <openssl/evp.h>
-
 	#define _IMPL_CHACHA20_CRYPT _ossl_chacha20_crypt
-
-	_IMPLSTB cstatus_t _ossl_cipher_core(
-		const EVP_CIPHER* cipher,
-		cspan_t key,
-		cspan_t iv,
-		cspan_t input,
-		span_t output
-	)
-	{
-		cstatus_t result;
-		EVP_CIPHER_CTX* ctx;
-		int tempLen, osslResult;
-
-		DEBUG_ASSERT2(ncSpanGetSize(output) <= ncSpanGetSizeC(input), "Output buffer must be equal or larger than the input buffer");
-		DEBUG_ASSERT(cipher != NULL);
-
-		DEBUG_ASSERT((uint32_t)EVP_CIPHER_get_key_length(cipher) == ncSpanGetSizeC(key));
-		DEBUG_ASSERT((uint32_t)EVP_CIPHER_iv_length(cipher) == ncSpanGetSizeC(iv));
-
-		result = CSTATUS_FAIL;
-
-		ctx = EVP_CIPHER_CTX_new();
-
-		if (ctx == NULL)
-		{
-			goto Cleanup;
-		}
-
-		osslResult = EVP_EncryptInit_ex2(
-			ctx, 
-			cipher, 
-			ncSpanGetOffsetC(key, 0),
-			ncSpanGetOffsetC(iv, 0),
-			NULL
-		);
-
-		if (!osslResult)
-		{
-			goto Cleanup;
-		}
-
-		osslResult = EVP_EncryptUpdate(
-			ctx,
-			ncSpanGetOffset(output, 0),
-			&tempLen,
-			ncSpanGetOffsetC(input, 0),
-			ncSpanGetSizeC(input)
-		);
-
-		if (!osslResult)
-		{
-			goto Cleanup;
-		}
-
-		/*
-		* We can't get a pointer outside the range of the 
-		* output buffer
-		*/
-		if (((uint32_t)tempLen) < ncSpanGetSize(output))
-		{
-			if (!EVP_EncryptFinal_ex(ctx, ncSpanGetOffset(output, tempLen), &tempLen))
-			{
-				goto Cleanup;
-			}
-		}
-
-		result = CSTATUS_OK;
-
-	Cleanup:
-
-		if (ctx) EVP_CIPHER_CTX_free(ctx);
-
-		return result;
-	}
-
+	
 	_IMPLSTB cstatus_t _ossl_chacha20_crypt(
 		const uint8_t* key,
 		const uint8_t* nonce,
@@ -358,12 +287,23 @@
 	)
 	{
 		cstatus_t result;
-		EVP_CIPHER* cipher;
+		struct ossl_evp_state state;
 		uint8_t chaChaIv[CHACHA_NONCE_SIZE + 4];
 		cspan_t keySpan, nonceSpan, inputSpan;
 		span_t outputSpan;
+		int bytesWritten;
 
 		result = CSTATUS_FAIL;
+		bytesWritten = 0;
+
+		/*
+		* Alloc and init the cipher state for ChaCha20 in 
+		* cipher mode
+		*/
+		if (!_osslEvpInit(&state, EvpStateTypeCipher, OSSL_CHACHA20))
+		{
+			goto Cleanup;
+		}
 
 		/*
 		* RFC 7539 ChaCha20 requires a 16 byte initialization vector. A 
@@ -381,24 +321,44 @@
 		ncSpanInitC(&inputSpan, input, dataLen);
 		ncSpanInit(&outputSpan, output, dataLen);
 
-		cipher = ossl_evp_fetch_chacha20();
+		if (!_osslEvpCipherInit(&state, keySpan, nonceSpan))
+		{
+			goto Cleanup;
+		}
 
-		if (cipher == NULL)
+		if (!_osslEvpCipherUpdate(&state, inputSpan, outputSpan, &bytesWritten))
 		{
 			goto Cleanup;
 		}
+		
+		/*
+		* Possible static asser that int size must be 32bit or smaller
+		* so it can be cast safely to uint32
+		*/
+		if (bytesWritten < 0 || bytesWritten > INT32_MAX)
+		{
+			goto Cleanup;
+		}
+
+		DEBUG_ASSERT((uint32_t)bytesWritten <= dataLen)
 
-		result = _ossl_cipher_core(
-			cipher, 
-			keySpan, 
-			nonceSpan, 
-			inputSpan, 
-			outputSpan
+		/* shift output span by consumed data amount */
+		outputSpan = ncSpanSlice(
+			outputSpan, 
+			(uint32_t)bytesWritten,
+			dataLen - (uint32_t)bytesWritten
 		);
 
+		if (!_osslEvpFinal(&state, outputSpan))
+		{
+			goto Cleanup;
+		}
+	
+		result = CSTATUS_OK;
+
 	Cleanup:
 		
-		if (cipher) EVP_CIPHER_free(cipher);
+		_osslEvpFree(&state);
 
 		return result;
 	}
diff --git a/tests/test.c b/tests/test.c
index 20a0e5d..a1f5abe 100644
--- a/tests/test.c
+++ b/tests/test.c
@@ -289,10 +289,13 @@ static int TestPublicApiArgumentValidation()
     NCPublicKey pubKey;
     uint8_t hmacKeyOut[NC_HMAC_KEY_SIZE];
     uint8_t nonce[NC_NIP44_IV_SIZE];
-
+   
     NCEncryptionArgs cryptoData;
 
-    PRINTL("TEST: Public API argument validation tests")
+    PRINTL("TEST: Public API argument validation tests");
+
+    /* Zero fill the structure to inialize */
+    ZERO_FILL(&cryptoData, sizeof(cryptoData));
 
     {
         TEST(NCEncryptionGetIvSize(NC_ENC_VERSION_NIP44), sizeof(nonce));
@@ -507,8 +510,16 @@ static int TestPublicApiArgumentValidation()
         macArgs.payloadSize = 0;
         TEST(NCVerifyMac(ctx, &secKey, &pubKey, &macArgs), ARG_RANGE_ERROR_POS_3)
     }
-    
-    PRINTL("\nPASSED: Public API argument validation tests completed")
+
+    ENSURE(NCDestroyContext(ctx) == NC_SUCCESS);
+
+#ifdef NOSCRYPTUTIL_H
+        NCUtilContextFree(ctx);
+#else
+        free(ctx);
+#endif
+
+    PRINTL("\nPASSED: Public API argument validation tests completed");
 
     return 0;
 }