Commit 3f907b6524 for openssl.org

commit 3f907b6524b20d701bd1a458c4694f5130e55719
Author: Emmalee Carpenter <emmiecarpenter13@gmail.com>
Date:   Thu Mar 19 16:04:49 2026 -0400

    Update manuals and demos to consider OSSL_PARAM_clear_free() vs OSSL_PARAM_free()

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    MergeDate: Fri Apr  3 15:14:25 2026
    (Merged from https://github.com/openssl/openssl/pull/30506)

diff --git a/demos/signature/EVP_DSA_Signature_demo.c b/demos/signature/EVP_DSA_Signature_demo.c
index 548860a812..088c568724 100644
--- a/demos/signature/EVP_DSA_Signature_demo.c
+++ b/demos/signature/EVP_DSA_Signature_demo.c
@@ -148,7 +148,7 @@ static int extract_keypair(const EVP_PKEY *pkey,
     ret = 1;
 end:
     if (ret != 1) {
-        OSSL_PARAM_free(keypair);
+        OSSL_PARAM_clear_free(keypair);
         keypair = NULL;
     }
     *p_keypair = keypair;
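Review bot: The new `OSSL_PARAM_clear_free(keypair)` call on the failure path has no comment saying why this array is zeroized rather than simply freed. The same gap is more visible in the second hunk (the `end:` cleanup around line 306), where it sits directly below `OSSL_PARAM_free(public_key)` with nothing explaining the difference. Because this is demo code that readers copy, I would add a comment at both call sites such as `/* keypair includes private key material: clear it before freeing */`. At the second site I would also add `/* public_key holds no secrets, plain free is sufficient */`, assuming that is the intent, which the variable names suggest but the hunks do not show. Both extract_keypair and the function containing the `end:` label begin and end outside the visible hunks, so the contents of the two arrays should be confirmed there.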
@@ -306,7 +306,7 @@ end:
     EVP_PKEY_free(params);
     EVP_PKEY_free(pkey);
     OSSL_PARAM_free(public_key);
-    OSSL_PARAM_free(keypair);
+    OSSL_PARAM_clear_free(keypair);
     OSSL_LIB_CTX_free(libctx);

     return ret;
diff --git a/doc/man3/EVP_PKEY_fromdata.pod b/doc/man3/EVP_PKEY_fromdata.pod
index 3e3e7dab8b..44d8788db0 100644
--- a/doc/man3/EVP_PKEY_fromdata.pod
+++ b/doc/man3/EVP_PKEY_fromdata.pod
@@ -203,7 +203,7 @@ TODO Write a set of cookbook documents and link to them.

      EVP_PKEY_free(pkey);
      EVP_PKEY_CTX_free(ctx);
-     OSSL_PARAM_free(params);
+     OSSL_PARAM_clear_free(params);
      OSSL_PARAM_BLD_free(param_bld);
      BN_free(priv);

diff --git a/doc/man3/EVP_PKEY_todata.pod b/doc/man3/EVP_PKEY_todata.pod
index 8e54f228ac..d3455ce1bd 100644
--- a/doc/man3/EVP_PKEY_todata.pod
+++ b/doc/man3/EVP_PKEY_todata.pod
@@ -20,8 +20,8 @@ array of L<OSSL_PARAM(3)>.

 EVP_PKEY_todata() extracts values from a key I<pkey> using the I<selection>.
 I<selection> is described in L<EVP_PKEY_fromdata(3)/Selections>.
-L<OSSL_PARAM_free(3)> should be used to free the returned parameters in
-I<*params>.
+L<OSSL_PARAM_free(3)> or L<OSSL_PARAM_clear_free(3)> should be used to free the
+returned parameters in I<*params>.

 EVP_PKEY_export() is similar to EVP_PKEY_todata() but uses a callback
 I<export_cb> that gets passed the value of I<export_cbarg>.
diff --git a/doc/man3/OSSL_PARAM_BLD.pod b/doc/man3/OSSL_PARAM_BLD.pod
index a9dea41211..b5a2839385 100644
--- a/doc/man3/OSSL_PARAM_BLD.pod
+++ b/doc/man3/OSSL_PARAM_BLD.pod
@@ -58,7 +58,8 @@ If the argument is NULL, nothing is done.
 OSSL_PARAM_BLD_to_param() converts a built up OSSL_PARAM_BLD structure
 I<bld> into an allocated OSSL_PARAM array.
 The OSSL_PARAM array and all associated storage must be freed by calling
-OSSL_PARAM_free() with the functions return value.
+OSSL_PARAM_free(); if the contents of OSSL_PARAM array are confidential call
+OSSL_PARAM_clear_free().
 OSSL_PARAM_BLD_free() can safely be called any time after this function is.

 =begin comment
@@ -177,7 +178,7 @@ private key.
     OSSL_PARAM_BLD_free(bld);
     /* Use params */
     ...
-    OSSL_PARAM_free(params);
+    OSSL_PARAM_clear_free(params);

 =head2 Example 2

@@ -199,7 +200,7 @@ public key.

 =head1 SEE ALSO

-L<OSSL_PARAM_int(3)>, L<OSSL_PARAM(3)>, L<OSSL_PARAM_free(3)>
+L<OSSL_PARAM_int(3)>, L<OSSL_PARAM(3)>, L<OSSL_PARAM_free(3)>, L<OSSL_PARAM_clear_free(3)>

 =head1 HISTORY