diff --git a/src/tls.c b/src/tls.c
index 1ffffe734..b7e087e44 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -1112,9 +1112,6 @@ static int Hmac_UpdateFinal(Hmac* hmac, byte* digest, const byte* in,
             if (ret != 0)
                 break;
         }
-        /* call final to cleanup */
-        if (ret == 0)
-            ret = wc_HmacFinal(hmac, dummy);
     }
 
     return ret;
diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c
index 41c20947c..16288d4ef 100644
--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@@ -1076,6 +1076,17 @@ void wc_HmacFree(Hmac* hmac)
     if (hmac == NULL)
         return;
 
+#ifdef WOLF_CRYPTO_CB
+    /* handle cleanup case where final is not called */
+    if (hmac->devId != INVALID_DEVID && hmac->devCtx != NULL) {
+        int  ret;
+        byte finalHash[WC_HMAC_BLOCK_SIZE];
+        ret = wc_CryptoCb_Hmac(hmac, hmac->macType, NULL, 0, finalHash);
+        (void)ret; /* must ignore return code here */
+        (void)finalHash;
+    }
+#endif
+
     switch (hmac->macType) {
     #ifndef NO_MD5
         case WC_MD5: