diff --git a/cmac_nettle.c b/cmac_nettle.c index 5b2c0d4..cbbf9dd 100644 --- a/cmac_nettle.c +++ b/cmac_nettle.c @@ -30,8 +30,10 @@ #include "sysincl.h" #include +#include #include "cmac.h" +#include "hash.h" #include "memory.h" struct CMC_Instance_Record { @@ -86,25 +88,39 @@ CMC_CreateInstance(CMC_Algorithm algorithm, const unsigned char *key, int length int CMC_Hash(CMC_Instance inst, const void *in, int in_len, unsigned char *out, int out_len) { + unsigned char buf[MAX_HASH_LENGTH]; + if (in_len < 0 || out_len < 0) return 0; if (out_len > CMAC128_DIGEST_SIZE) out_len = CMAC128_DIGEST_SIZE; + assert(CMAC128_DIGEST_SIZE <= sizeof (buf)); + switch (inst->key_length) { case AES128_KEY_SIZE: cmac_aes128_update(&inst->context.aes128, in_len, in); - cmac_aes128_digest(&inst->context.aes128, out_len, out); + cmac_aes128_digest(&inst->context.aes128, +#if NETTLE_VERSION_MAJOR < 4 + CMAC128_DIGEST_SIZE, +#endif + buf); break; case AES256_KEY_SIZE: cmac_aes256_update(&inst->context.aes256, in_len, in); - cmac_aes256_digest(&inst->context.aes256, out_len, out); + cmac_aes256_digest(&inst->context.aes256, +#if NETTLE_VERSION_MAJOR < 4 + CMAC128_DIGEST_SIZE, +#endif + buf); break; default: assert(0); } + memcpy(out, buf, out_len); + return out_len; } diff --git a/configure b/configure index 1c25443..a98e2e9 100755 --- a/configure +++ b/configure @@ -911,7 +911,7 @@ HASH_LINK="" if [ $feat_sechash = "1" ] && [ "x$HASH_LINK" = "x" ] && [ $try_nettle = "1" ]; then test_cflags="`pkg_config --cflags nettle`" test_link="`pkg_config --libs nettle`" - if test_code 'nettle' 'nettle/nettle-meta.h nettle/sha2.h' \ + if test_code 'nettle' 'nettle/nettle-meta.h nettle/sha2.h nettle/version.h' \ "$test_cflags" "$test_link" \ 'return nettle_hashes[0]->context_size;' then diff --git a/hash_nettle.c b/hash_nettle.c index 4a214f6..d6dee58 100644 --- a/hash_nettle.c +++ b/hash_nettle.c @@ -30,6 +30,7 @@ #include "sysincl.h" #include +#include #include "hash.h" #include "memory.h" 
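Review bot: The bound on `buf` in CMC_Hash is enforced only by the runtime check `assert(CMAC128_DIGEST_SIZE <= sizeof (buf));`, which compares two compile-time constants and is compiled out in any build that defines NDEBUG. In such a build nothing ties the buffer size to the number of bytes the two digest calls write into it. Declaring the buffer as `unsigned char buf[CMAC128_DIGEST_SIZE];` would make the size correct by construction, and the assert and the new `hash.h` include could then go. If `MAX_HASH_LENGTH` is kept for symmetry with hash_nettle.c, a compile-time check would be the safer form of the same guarantee.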
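Review bot: Adding `nettle/version.h` to the header list makes nettle detection for hashing depend on a header that the test body (`return nettle_hashes[0]->context_size;`) never uses, so an installation without that header would now fail this probe. Judging by the `"x$HASH_LINK" = "x"` guard, configure would presumably then fall through to another hash backend without reporting why, which silently changes the crypto library a build ends up with. If the new requirement is intended, a comment above the probe such as `# nettle/version.h provides NETTLE_VERSION_MAJOR used in hash_nettle.c` would record it. The `if` block continues past the end of the hunk.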
@@ -91,6 +92,7 @@ int HSH_Hash(int id, const void *in1, int in1_len, const void *in2, int in2_len, unsigned char *out, int out_len) { + unsigned char buf[MAX_HASH_LENGTH]; const struct nettle_hash *hash; void *context; @@ -103,11 +105,20 @@ HSH_Hash(int id, const void *in1, int in1_len, const void *in2, int in2_len, if (out_len > hash->digest_size) out_len = hash->digest_size; + if (hash->digest_size > sizeof (buf)) + return 0; + hash->init(context); hash->update(context, in1_len, in1); if (in2) hash->update(context, in2_len, in2); - hash->digest(context, out_len, out); + hash->digest(context, +#if NETTLE_VERSION_MAJOR < 4 + hash->digest_size, +#endif + buf); + + memcpy(out, buf, out_len); return out_len; }
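Review bot: Nothing in HSH_Hash says why the digest now goes through `buf` instead of straight into `out`, and that reason is what keeps the call memory-safe. With the length argument compiled out for `NETTLE_VERSION_MAJOR >= 4`, the digest call presumably always writes `hash->digest_size` bytes, while `out` is only known to hold `out_len`. A comment above the call such as `/* Newer nettle has no length argument and writes the full digest; use a bounce buffer and truncate with memcpy() */` would stop a later cleanup from passing `out` directly. The same comment fits the two digest calls in CMC_Hash in cmac_nettle.c. The `buf` declaration is in the preceding hunk, and the function's earlier argument checks lie outside both hunks.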