diff --git a/src/common/crypto.c b/src/common/crypto.c
index 6fe3c661c8..ffa2b7c1cf 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -529,7 +529,7 @@ crypto_pk_new,(void))
  * are released, free the key.
  */
 void
-crypto_pk_free(crypto_pk_t *env)
+crypto_pk_free_(crypto_pk_t *env)
 {
   if (!env)
     return;
@@ -592,7 +592,7 @@ crypto_cipher_new(const char *key)
 /** Free a symmetric cipher.
  */
 void
-crypto_cipher_free(crypto_cipher_t *env)
+crypto_cipher_free_(crypto_cipher_t *env)
 {
   if (!env)
     return;
@@ -1967,7 +1967,7 @@ crypto_digest512_new(digest_algorithm_t algorithm)
 /** Deallocate a digest object.
  */
 void
-crypto_digest_free(crypto_digest_t *digest)
+crypto_digest_free_(crypto_digest_t *digest)
 {
   if (!digest)
     return;
@@ -2214,7 +2214,7 @@ crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
 
 /** Cleanse and deallocate a XOF object. */
 void
-crypto_xof_free(crypto_xof_t *xof)
+crypto_xof_free_(crypto_xof_t *xof)
 {
   if (!xof)
     return;
@@ -2767,7 +2767,7 @@ crypto_expand_key_material_rfc5869_sha256(
 /** Free a DH key exchange object.
  */
 void
-crypto_dh_free(crypto_dh_t *dh)
+crypto_dh_free_(crypto_dh_t *dh)
 {
   if (!dh)
     return;
diff --git a/src/common/crypto.h b/src/common/crypto.h
index f9aeeee2c0..f1061467d5 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -19,6 +19,7 @@
 #include "torint.h"
 #include "testsupport.h"
 #include "compat.h"
+#include "util.h"
 
 #include <openssl/engine.h>
 #include "keccak-tiny/keccak-tiny.h"
@@ -146,7 +147,8 @@ int crypto_global_cleanup(void);
 
 /* environment setup */
 MOCK_DECL(crypto_pk_t *,crypto_pk_new,(void));
-void crypto_pk_free(crypto_pk_t *env);
+void crypto_pk_free_(crypto_pk_t *env);
+#define crypto_pk_free(pk) FREE_AND_NULL(crypto_pk, (pk))
 
 void crypto_set_tls_dh_prime(void);
 crypto_cipher_t *crypto_cipher_new(const char *key);
@@ -155,7 +157,8 @@ crypto_cipher_t *crypto_cipher_new_with_iv(const char *key, const char *iv);
 crypto_cipher_t *crypto_cipher_new_with_iv_and_bits(const uint8_t *key,
                                                     const uint8_t *iv,
                                                     int bits);
-void crypto_cipher_free(crypto_cipher_t *env);
+void crypto_cipher_free_(crypto_cipher_t *env);
+#define crypto_cipher_free(c) FREE_AND_NULL(crypto_cipher, (c))
 
 /* public key crypto */
 MOCK_DECL(int, crypto_pk_generate_key_with_bits,(crypto_pk_t *env, int bits));
@@ -258,7 +261,8 @@ int crypto_digest_algorithm_parse_name(const char *name);
 crypto_digest_t *crypto_digest_new(void);
 crypto_digest_t *crypto_digest256_new(digest_algorithm_t algorithm);
 crypto_digest_t *crypto_digest512_new(digest_algorithm_t algorithm);
-void crypto_digest_free(crypto_digest_t *digest);
+void crypto_digest_free_(crypto_digest_t *digest);
+#define crypto_digest_free(d) FREE_AND_NULL(crypto_digest, (d))
 void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
                              size_t len);
 void crypto_digest_get_digest(crypto_digest_t *digest,
@@ -276,7 +280,8 @@ void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
 crypto_xof_t *crypto_xof_new(void);
 void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len);
 void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len);
-void crypto_xof_free(crypto_xof_t *xof);
+void crypto_xof_free_(crypto_xof_t *xof);
+#define crypto_xof_free(xof) FREE_AND_NULL(crypto_xof, (xof))
 
 /* Key negotiation */
 #define DH_TYPE_CIRCUIT 1
@@ -291,7 +296,8 @@ int crypto_dh_get_public(crypto_dh_t *dh, char *pubkey_out,
 ssize_t crypto_dh_compute_secret(int severity, crypto_dh_t *dh,
                              const char *pubkey, size_t pubkey_len,
                              char *secret_out, size_t secret_out_len);
-void crypto_dh_free(crypto_dh_t *dh);
+void crypto_dh_free_(crypto_dh_t *dh);
+#define crypto_dh_free(dh) FREE_AND_NULL(crypto_dh, (dh))
 
 int crypto_expand_key_material_TAP(const uint8_t *key_in,
                                    size_t key_in_len,
diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c
index 94b23e31b9..26523e3126 100644
--- a/src/common/crypto_ed25519.c
+++ b/src/common/crypto_ed25519.c
@@ -622,7 +622,7 @@ ed25519_pubkey_read_from_file(ed25519_public_key_t *pubkey_out,
 
 /** Release all storage held for <b>kp</b>. */
 void
-ed25519_keypair_free(ed25519_keypair_t *kp)
+ed25519_keypair_free_(ed25519_keypair_t *kp)
 {
   if (! kp)
     return;
diff --git a/src/common/crypto_ed25519.h b/src/common/crypto_ed25519.h
index 8d13a487d6..64ccc470ea 100644
--- a/src/common/crypto_ed25519.h
+++ b/src/common/crypto_ed25519.h
@@ -7,6 +7,7 @@
 #include "testsupport.h"
 #include "torint.h"
 #include "crypto_curve25519.h"
+#include "util.h"
 
 #define ED25519_PUBKEY_LEN 32
 #define ED25519_SECKEY_LEN 64
@@ -117,7 +118,8 @@ int ed25519_pubkey_read_from_file(ed25519_public_key_t *pubkey_out,
                                   char **tag_out,
                                   const char *filename);
 
-void ed25519_keypair_free(ed25519_keypair_t *kp);
+void ed25519_keypair_free_(ed25519_keypair_t *kp);
+#define ed25519_keypair_free(kp) FREE_AND_NULL(ed25519_keypair, (kp))
 
 int ed25519_pubkey_eq(const ed25519_public_key_t *key1,
                       const ed25519_public_key_t *key2);
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 197c5e8d3b..407603248f 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -644,7 +644,7 @@ static const char CLIENT_CIPHER_LIST[] =
 
 /** Free all storage held in <b>cert</b> */
 void
-tor_x509_cert_free(tor_x509_cert_t *cert)
+tor_x509_cert_free_(tor_x509_cert_t *cert)
 {
   if (! cert)
     return;
@@ -1792,7 +1792,7 @@ tor_tls_is_server(tor_tls_t *tls)
  * underlying file descriptor.
  */
 void
-tor_tls_free(tor_tls_t *tls)
+tor_tls_free_(tor_tls_t *tls)
 {
   if (!tls)
     return;
diff --git a/src/common/tortls.h b/src/common/tortls.h
index 6145f7dbc9..b293ce20e4 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -216,7 +216,8 @@ void tor_tls_set_renegotiate_callback(tor_tls_t *tls,
                                       void (*cb)(tor_tls_t *, void *arg),
                                       void *arg);
 int tor_tls_is_server(tor_tls_t *tls);
-void tor_tls_free(tor_tls_t *tls);
+void tor_tls_free_(tor_tls_t *tls);
+#define tor_tls_free(tls) FREE_AND_NULL(tor_tls, (tls))
 int tor_tls_peer_has_cert(tor_tls_t *tls);
 MOCK_DECL(tor_x509_cert_t *,tor_tls_get_peer_cert,(tor_tls_t *tls));
 MOCK_DECL(tor_x509_cert_t *,tor_tls_get_own_cert,(tor_tls_t *tls));
@@ -263,7 +264,8 @@ void check_no_tls_errors_(const char *fname, int line);
 void tor_tls_log_one_error(tor_tls_t *tls, unsigned long err,
                            int severity, int domain, const char *doing);
 
-void tor_x509_cert_free(tor_x509_cert_t *cert);
+void tor_x509_cert_free_(tor_x509_cert_t *cert);
+#define tor_x509_cert_free(c) FREE_AND_NULL(tor_x509_cert, (c))
 tor_x509_cert_t *tor_x509_cert_decode(const uint8_t *certificate,
                             size_t certificate_len);
 void tor_x509_cert_get_der(const tor_x509_cert_t *cert,