diff --git a/CMakeLists.txt b/CMakeLists.txt
index b664ba37..bcda460a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -865,7 +865,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.3.0-dev.1151")
+set(CPACK_PACKAGE_VERSION "3.3.0-dev.1152")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/kyber.h b/include/gmssl/kyber.h
index a5c41243..b8811534 100644
--- a/include/gmssl/kyber.h
+++ b/include/gmssl/kyber.h
@@ -138,7 +138,6 @@ int kyber_cpa_public_key_print(FILE *fp, int fmt, int ind, const char *label, co
 int kyber_cpa_private_key_to_bytes(const KYBER_CPA_KEY *key, uint8_t **out, size_t *outlen);
 int kyber_cpa_private_key_from_bytes(KYBER_CPA_KEY *key, const uint8_t **in, size_t *inlen);
 int kyber_cpa_private_key_print(FILE *fp, int fmt, int ind, const char *label, const KYBER_CPA_KEY *sk);
-void kyber_cpa_key_cleanup(KYBER_CPA_KEY *key);
 
 typedef struct {
 	uint8_t c1[KYBER_K][KYBER_C1_SIZE];
@@ -172,7 +171,6 @@ int kyber_public_key_print(FILE *fp, int fmt, int ind, const char *label, const
 int kyber_private_key_to_bytes(const KYBER_KEY *key, uint8_t **out, size_t *outlen);
 int kyber_private_key_from_bytes(KYBER_KEY *key, const uint8_t **in, size_t *inlen);
 int kyber_private_key_print(FILE *fp, int fmt, int ind, const char *label, const KYBER_KEY *sk);
-void kyber_key_cleanup(KYBER_KEY *key);
 
 typedef KYBER_CPA_CIPHERTEXT KYBER_CIPHERTEXT;
 
diff --git a/include/gmssl/lms.h b/include/gmssl/lms.h
index 570fbb0d..e28c9856 100644
--- a/include/gmssl/lms.h
+++ b/include/gmssl/lms.h
@@ -216,7 +216,6 @@ int lms_verify_init_ex(LMS_SIGN_CTX *ctx, const LMS_KEY *key, const LMS_SIGNATUR
 int lms_verify_init(LMS_SIGN_CTX *ctx, const LMS_KEY *key, const uint8_t *sig, size_t siglen);
 int lms_verify_update(LMS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
 int lms_verify_finish(LMS_SIGN_CTX *ctx);
-void lms_sign_ctx_cleanup(LMS_SIGN_CTX *ctx);
 
 
 
@@ -293,7 +292,6 @@ int hss_verify_init_ex(HSS_SIGN_CTX *ctx, const HSS_KEY *key, const HSS_SIGNATUR
 int hss_verify_init(HSS_SIGN_CTX *ctx, const HSS_KEY *key, const uint8_t *sigbuf, size_t siglen);
 int hss_verify_update(HSS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
 int hss_verify_finish(HSS_SIGN_CTX *ctx);
-void hss_sign_ctx_cleanup(HSS_SIGN_CTX *ctx);
 
 
 #ifdef __cplusplus
diff --git a/include/gmssl/secp256r1_key.h b/include/gmssl/secp256r1_key.h
index 5b7231ec..1be65af8 100644
--- a/include/gmssl/secp256r1_key.h
+++ b/include/gmssl/secp256r1_key.h
@@ -29,7 +29,6 @@ typedef struct {
 int secp256r1_key_generate(SECP256R1_KEY *key);
 int secp256r1_key_set_private_key(SECP256R1_KEY *key, const secp256r1_t private_key);
 int secp256r1_public_key_equ(const SECP256R1_KEY *key, const SECP256R1_KEY *pub);
-void secp256r1_key_cleanup(SECP256R1_KEY *key);
 
 int secp256r1_public_key_print(FILE *fp, int fmt, int ind, const char *label, const SECP256R1_KEY *key);
 int secp256r1_private_key_print(FILE *fp, int fmt, int ind, const char *label, const SECP256R1_KEY *key);
diff --git a/include/gmssl/sphincs.h b/include/gmssl/sphincs.h
index 7ecbcd08..3c39f420 100644
--- a/include/gmssl/sphincs.h
+++ b/include/gmssl/sphincs.h
@@ -336,7 +336,6 @@ int sphincs_public_key_print(FILE *fp, int fmt, int ind, const char *label, cons
 int sphincs_private_key_to_bytes(const SPHINCS_KEY *key, uint8_t **out, size_t *outlen);
 int sphincs_private_key_from_bytes(SPHINCS_KEY *key, const uint8_t **in, size_t *inlen);
 int sphincs_private_key_print(FILE *fp, int fmt, int ind, const char *label, const SPHINCS_KEY *key);
-void sphincs_key_cleanup(SPHINCS_KEY *key);
 
 typedef struct {
 	sphincs_hash128_t random;
@@ -372,11 +371,9 @@ int sphincs_verify_init_ex(SPHINCS_SIGN_CTX *ctx, const SPHINCS_KEY *key, const
 int sphincs_verify_init(SPHINCS_SIGN_CTX *ctx, const SPHINCS_KEY *key, const uint8_t *sig, size_t siglen);
 int sphincs_verify_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
 int sphincs_verify_finish(SPHINCS_SIGN_CTX *ctx);
-void sphincs_sign_ctx_cleanup(SPHINCS_SIGN_CTX *ctx);
 
 
 #ifdef __cplusplus
 }
 #endif
 #endif
-
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index b191af8e..07221fef 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 
 
 #define GMSSL_VERSION_NUM	30300
-#define GMSSL_VERSION_STR	"GmSSL 3.3.0-dev.1151"
+#define GMSSL_VERSION_STR	"GmSSL 3.3.0-dev.1152"
 
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/include/gmssl/x509_key.h b/include/gmssl/x509_key.h
index f48afaf1..c87141b8 100644
--- a/include/gmssl/x509_key.h
+++ b/include/gmssl/x509_key.h
@@ -282,7 +282,6 @@ int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key, int sign_algor, co
 int x509_verify_update(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
 int x509_verify_finish(X509_SIGN_CTX *ctx);
 int x509_verify(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
-void x509_sign_ctx_cleanup(X509_SIGN_CTX *ctx);
 
 // ECDH for key->algor == OID_ec_public_key
 int x509_key_do_exchange(const X509_KEY *key, const X509_KEY *peer_pub, uint8_t *out, size_t *outlen);
diff --git a/include/gmssl/xmss.h b/include/gmssl/xmss.h
index a0916293..e176c8bd 100644
--- a/include/gmssl/xmss.h
+++ b/include/gmssl/xmss.h
@@ -276,7 +276,6 @@ int xmss_verify_init_ex(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const XMSS_SIGN
 int xmss_verify_init(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const uint8_t *sigbuf, size_t siglen);
 int xmss_verify_update(XMSS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
 int xmss_verify_finish(XMSS_SIGN_CTX *ctx);
-void xmss_sign_ctx_cleanup(XMSS_SIGN_CTX *ctx);
 
 
 enum {
@@ -432,7 +431,6 @@ int xmssmt_verify_init_ex(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const XMS
 int xmssmt_verify_init(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const uint8_t *sig, size_t siglen);
 int xmssmt_verify_update(XMSSMT_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
 int xmssmt_verify_finish(XMSSMT_SIGN_CTX *ctx);
-void xmssmt_sign_ctx_cleanup(XMSSMT_SIGN_CTX *ctx);
 
 #ifdef __cplusplus
 }
diff --git a/src/kyber.c b/src/kyber.c
index 09b0b5cd..d0ea1b27 100644
--- a/src/kyber.c
+++ b/src/kyber.c
@@ -658,13 +658,6 @@ int kyber_cpa_key_generate_ex(KYBER_CPA_KEY *key, const uint8_t random[32])
 	return 1;
 }
 
-void kyber_cpa_key_cleanup(KYBER_CPA_KEY *key)
-{
-	if (key) {
-		gmssl_secure_clear(key->s, sizeof(key->s));
-	}
-}
-
 int kyber_cpa_public_key_to_bytes(const KYBER_CPA_KEY *key, uint8_t **out, size_t *outlen)
 {
 	if (!key || !outlen) {
@@ -1014,21 +1007,13 @@ int kyber_key_generate_ex(KYBER_KEY *key, const uint8_t random[32])
 	}
 	kyber_h_hash((uint8_t *)key, sizeof(KYBER_CPA_PUBLIC_KEY), key->pk_hash);
 	if (rand_bytes(key->z, 32) != 1) {
-		kyber_cpa_key_cleanup(&key->cpa_key);
+		gmssl_secure_clear(&key->cpa_key, sizeof(KYBER_CPA_KEY));
 		error_print();
 		return -1;
 	}
 	return 1;
 }
 
-void kyber_key_cleanup(KYBER_KEY *key)
-{
-	if (key) {
-		kyber_cpa_key_cleanup(&key->cpa_key);
-		gmssl_secure_clear(key->z, sizeof(key->z));
-	}
-}
-
 int kyber_public_key_to_bytes(const KYBER_KEY *key, uint8_t **out, size_t *outlen)
 {
 	if (!key || !outlen) {
diff --git a/src/lms.c b/src/lms.c
index 5a4280ac..c1668011 100644
--- a/src/lms.c
+++ b/src/lms.c
@@ -923,13 +923,6 @@ int lms_signature_to_merkle_root(const uint8_t I[16], size_t h, int q,
 	return 1;
 }
 
-void lms_sign_ctx_cleanup(LMS_SIGN_CTX *ctx)
-{
-	if (ctx) {
-		gmssl_secure_clear(ctx->lms_sig.lmots_sig.y, sizeof(lms_hash256_t)*34);
-	}
-}
-
 int lms_sign_init(LMS_SIGN_CTX *ctx, LMS_KEY *key)
 {
 	LMS_SIGNATURE *lms_sig;
@@ -1469,7 +1462,7 @@ int hss_key_generate(HSS_KEY *key, const int *lms_types, size_t levels)
 	ret = 1;
 end:
 	gmssl_secure_clear(seed, sizeof(seed));
-	lms_sign_ctx_cleanup(&ctx);
+	gmssl_secure_clear(&ctx, sizeof(ctx));
 	if (ret != 1) hss_key_cleanup(key);
 	return ret;
 }
@@ -2025,10 +2018,3 @@ int hss_private_key_size(const int *lms_types, size_t levels, size_t *len)
 
 	return 1;
 }
-
-void hss_sign_ctx_cleanup(HSS_SIGN_CTX *ctx)
-{
-	if (ctx) {
-		lms_sign_ctx_cleanup(&ctx->lms_sign_ctx);
-	}
-}
diff --git a/src/ocsp.c b/src/ocsp.c
index 0f4e3669..0945c841 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -14,6 +14,7 @@
 #include <stdint.h>
 #include <gmssl/oid.h>
 #include <gmssl/asn1.h>
+#include <gmssl/mem.h>
 #include <gmssl/error.h>
 #include <gmssl/x509_crl.h>
 #include <gmssl/http.h>
@@ -2135,11 +2136,11 @@ int ocsp_sign(OCSP_SIGN_CTX *ctx,
 	if ((sign_key->algor == OID_ec_public_key
 		&& x509_sign_set_signature_size(&sign_ctx, signature_len) != 1)
 		|| x509_sign(&sign_ctx, response_data, response_data_len, signature, &signature_len) != 1) {
-		x509_sign_ctx_cleanup(&sign_ctx);
+		gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
 		error_print();
 		return -1;
 	}
-	x509_sign_ctx_cleanup(&sign_ctx);
+	gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
 
 	if (ocsp_basic_response_to_der(response_data, response_data_len,
 		sign_algor, signature, signature_len,
diff --git a/src/sdf/sdf.c b/src/sdf/sdf.c
index e712785b..35441369 100755
--- a/src/sdf/sdf.c
+++ b/src/sdf/sdf.c
@@ -12,6 +12,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <gmssl/sdf.h>
+#include <gmssl/mem.h>
 #include <gmssl/sm2.h>
 #include <gmssl/sm4.h>
 #include <gmssl/error.h>
@@ -918,8 +919,15 @@ int sdf_sign_reset(SDF_SIGN_CTX *ctx)
 	return 1;
 }
 
-int sdf_release_key(SDF_PRIVATE_KEY *key)
+int sdf_release_private_key(SDF_PRIVATE_KEY *key)
 {
+	if (!key) {
+		return 1;
+	}
+	if (!key->session) {
+		gmssl_secure_clear(key, sizeof(*key));
+		return 1;
+	}
 	if (SDF_ReleasePrivateKeyAccessRight(key->session, key->index) != SDR_OK) {
 		error_print();
 	}
@@ -927,9 +935,15 @@ int sdf_release_key(SDF_PRIVATE_KEY *key)
 		error_print();
 		return -1;
 	}
+	gmssl_secure_clear(key, sizeof(*key));
 	return 1;
 }
 
+int sdf_release_key(SDF_PRIVATE_KEY *key)
+{
+	return sdf_release_private_key(key);
+}
+
 int sdf_close_device(SDF_DEVICE *dev)
 {
 	if (dev) {
diff --git a/src/secp256r1_key.c b/src/secp256r1_key.c
index 2694b4ef..6455aa88 100644
--- a/src/secp256r1_key.c
+++ b/src/secp256r1_key.c
@@ -66,15 +66,6 @@ int secp256r1_public_key_equ(const SECP256R1_KEY *key, const SECP256R1_KEY *pub)
 }
 
 
-void secp256r1_key_cleanup(SECP256R1_KEY *key)
-{
-	if (key) {
-		gmssl_secure_clear(key->private_key, sizeof(secp256r1_t));
-		memset(key, 0, sizeof(SECP256R1_KEY));
-	}
-}
-
-
 // SM2将这个命名为_to_octets，应该更准确一些
 int secp256r1_public_key_to_bytes(const SECP256R1_KEY *key, uint8_t **out, size_t *outlen)
 {
@@ -316,7 +307,7 @@ int secp256r1_private_key_from_der(SECP256R1_KEY *key, const uint8_t **in, size_
 
 	// check
 	if (secp256r1_public_key_equ(key, &tmp_key) != 1) {
-		secp256r1_key_cleanup(key);
+		gmssl_secure_clear(key, sizeof(SECP256R1_KEY));
 		error_print();
 		return -1;
 	}
diff --git a/src/skf/skf.c b/src/skf/skf.c
index 46a82934..e36946cc 100755
--- a/src/skf/skf.c
+++ b/src/skf/skf.c
@@ -182,6 +182,9 @@ int skf_sign(SKF_KEY *key, const uint8_t dgst[32], uint8_t *sig, size_t *siglen)
 
 int skf_release_key(SKF_KEY *key)
 {
+	if (!key) {
+		return 1;
+	}
 	if (key->app_handle) {
 		if (SKF_ClearSecureState(key->app_handle) != SAR_OK
 			|| SKF_CloseApplication(key->app_handle) != SAR_OK) {
@@ -202,6 +205,9 @@ int skf_release_key(SKF_KEY *key)
 
 int skf_close_device(SKF_DEVICE *dev)
 {
+	if (!dev || !dev->handle) {
+		return 1;
+	}
 	if (SKF_UnlockDev(dev->handle) != SAR_OK
 		|| SKF_DisConnectDev(dev->handle) != SAR_OK) {
 		error_print();
@@ -211,12 +217,6 @@ int skf_close_device(SKF_DEVICE *dev)
 	return 1;
 }
 
-
-
-
-
-
-
 int skf_list_devices(FILE *fp, int fmt, int ind, const char *label)
 {
 	int ret = -1;
diff --git a/src/sm4_cl.c b/src/sm4_cl.c
index 743eeabd..300b170d 100644
--- a/src/sm4_cl.c
+++ b/src/sm4_cl.c
@@ -14,6 +14,7 @@
 #include <stdint.h>
 #include <gmssl/sm4_cl.h>
 #include <gmssl/endian.h>
+#include <gmssl/mem.h>
 #include <gmssl/error.h>
 
 
@@ -79,10 +80,15 @@ static const char *sm4_cl_src;
 
 void sm4_cl_cleanup(SM4_CL_CTX *ctx)
 {
-	clReleaseContext(ctx->context);
-	clReleaseCommandQueue(ctx->queue);
-	clReleaseProgram(ctx->program);
-	clReleaseKernel(ctx->kernel);
+	if (ctx) {
+		if (ctx->mem_rk) clReleaseMemObject(ctx->mem_rk);
+		if (ctx->mem_io) clReleaseMemObject(ctx->mem_io);
+		if (ctx->kernel) clReleaseKernel(ctx->kernel);
+		if (ctx->program) clReleaseProgram(ctx->program);
+		if (ctx->queue) clReleaseCommandQueue(ctx->queue);
+		if (ctx->context) clReleaseContext(ctx->context);
+		gmssl_secure_clear(ctx, sizeof(*ctx));
+	}
 }
 
 static void clPrintDeviceInfo(cl_device_id device)
@@ -231,6 +237,7 @@ static int sm4_cl_set_key(SM4_CL_CTX *ctx, const uint8_t key[16], int enc)
 
 
 end:
+	sm4_cl_cleanup(ctx);
 	return -1;
 }
 
@@ -393,4 +400,3 @@ __kernel void sm4_ctr32_encrypt_blocks(__global const unsigned int *rkey, __glob
 }
 
 );
-
diff --git a/src/sphincs.c b/src/sphincs.c
index fdc15cd6..61adc54f 100644
--- a/src/sphincs.c
+++ b/src/sphincs.c
@@ -1328,15 +1328,6 @@ int sphincs_private_key_print(FILE *fp, int fmt, int ind, const char *label, con
 	return 1;
 }
 
-void sphincs_key_cleanup(SPHINCS_KEY *key)
-{
-	if (key) {
-		gmssl_secure_clear(key->secret, sizeof(sphincs_hash128_t));
-		gmssl_secure_clear(key->sk_prf, sizeof(sphincs_hash128_t));
-	}
-}
-
-
 int sphincs_key_generate(SPHINCS_KEY *key)
 {
 	if (!key) {
@@ -1746,10 +1737,3 @@ int sphincs_verify_finish(SPHINCS_SIGN_CTX *ctx)
 
 	return 1;
 }
-
-void sphincs_sign_ctx_cleanup(SPHINCS_SIGN_CTX *ctx)
-{
-	if (ctx) {
-		sphincs_key_cleanup(&ctx->key);
-	}
-}
diff --git a/src/tls.c b/src/tls.c
index 80e52b74..4360353f 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -3396,7 +3396,16 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
 
 void tls_cleanup(TLS_CONNECT *conn)
 {
-	gmssl_secure_clear(conn, sizeof(TLS_CONNECT));
+	if (conn) {
+		size_t i;
+
+		x509_key_cleanup(&conn->server_enc_key);
+		for (i = 0; i < conn->key_exchanges_cnt; i++) {
+			x509_key_cleanup(&conn->key_exchanges[i]);
+		}
+		tls_client_verify_cleanup(&conn->client_verify_ctx);
+		gmssl_secure_clear(conn, sizeof(TLS_CONNECT));
+	}
 }
 
 int tls_set_verbose(TLS_CONNECT *conn, int verbose)
diff --git a/src/tls12.c b/src/tls12.c
index 653a0478..fbff8359 100644
--- a/src/tls12.c
+++ b/src/tls12.c
@@ -2557,11 +2557,11 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn)
 			|| x509_sign_update(&sign_ctx, conn->server_random, 32) != 1
 			|| x509_sign_update(&sign_ctx, server_ecdh_params, server_ecdh_params_len) != 1
 			|| x509_sign_finish(&sign_ctx, sig, &siglen) != 1) {
-			x509_sign_ctx_cleanup(&sign_ctx);
+			gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
 			error_print();
 			return -1;
 		}
-		x509_sign_ctx_cleanup(&sign_ctx);
+		gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
 
 		if (tls12_record_set_handshake_server_key_exchange(conn->record, &conn->recordlen,
 			TLS_server_key_exchange_ecdhe, server_ecdh_params, server_ecdh_params_len,
diff --git a/src/x509_key.c b/src/x509_key.c
index 1272c90a..a4155a9f 100644
--- a/src/x509_key.c
+++ b/src/x509_key.c
@@ -334,7 +334,7 @@ void x509_key_cleanup(X509_KEY *key)
 				break;
 #ifdef ENABLE_SECP256R1
 			case OID_secp256r1:
-				secp256r1_key_cleanup(&key->u.secp256r1_key);
+				gmssl_secure_clear(&key->u.secp256r1_key, sizeof(SECP256R1_KEY));
 				break;
 #endif
 			default:
@@ -360,12 +360,12 @@ void x509_key_cleanup(X509_KEY *key)
 #endif
 #ifdef ENABLE_SPHINCS
 		case OID_sphincs_hashsig:
-			sphincs_key_cleanup(&key->u.sphincs_key);
+			gmssl_secure_clear(&key->u.sphincs_key, sizeof(SPHINCS_KEY));
 			break;
 #endif
 #ifdef ENABLE_KYBER
 		case OID_kyber_kem:
-			kyber_key_cleanup(&key->u.kyber_key);
+			gmssl_secure_clear(&key->u.kyber_key, sizeof(KYBER_KEY));
 			break;
 #endif
 #ifdef ENABLE_SM9
@@ -1174,7 +1174,7 @@ int ec_private_key_from_der(X509_KEY *key, int opt_curve, const uint8_t **in, si
 				return -1;
 			}
 			if (secp256r1_public_key_equ(&key->u.secp256r1_key, &p256_pub) != 1) {
-				secp256r1_key_cleanup(&key->u.secp256r1_key);
+				gmssl_secure_clear(&key->u.secp256r1_key, sizeof(SECP256R1_KEY));
 				error_print();
 				return -1;
 			}
@@ -2498,50 +2498,6 @@ int x509_verify(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
 	return ret;
 }
 
-void x509_sign_ctx_cleanup(X509_SIGN_CTX *ctx)
-{
-	if (ctx) {
-		switch (ctx->sign_algor) {
-		case OID_sm2sign_with_sm3:
-			gmssl_secure_clear(&ctx->u.sm2_sign_ctx, sizeof(SM2_SIGN_CTX));
-			break;
-#ifdef ENABLE_SECP256R1
-		case OID_ecdsa_with_sha256:
-		case OID_ecdsa_with_sha384:
-		case OID_ecdsa_with_sha512:
-			gmssl_secure_clear(&ctx->u.ecdsa_sign_ctx, sizeof(ECDSA_SIGN_CTX));
-			break;
-#endif
-#ifdef ENABLE_LMS
-		case OID_lms_hashsig:
-			lms_sign_ctx_cleanup(&ctx->u.lms_sign_ctx);
-			break;
-		case OID_hss_lms_hashsig:
-			hss_sign_ctx_cleanup(&ctx->u.hss_sign_ctx);
-			break;
-#endif
-#ifdef ENABLE_XMSS
-		case OID_xmss_hashsig:
-			xmss_sign_ctx_cleanup(&ctx->u.xmss_sign_ctx);
-			break;
-		case OID_xmssmt_hashsig:
-			xmssmt_sign_ctx_cleanup(&ctx->u.xmssmt_sign_ctx);
-			break;
-#endif
-#ifdef ENABLE_SPHINCS
-		case OID_sphincs_hashsig:
-			sphincs_sign_ctx_cleanup(&ctx->u.sphincs_sign_ctx);
-			break;
-#endif
-#ifdef ENABLE_SM9
-		case OID_sm9sign:
-			gmssl_secure_clear(&ctx->u.sm9_sign_ctx, sizeof(SM9_SIGN_CTX));
-#endif
-		}
-		memset(ctx, 0, sizeof(X509_SIGN_CTX));
-	}
-}
-
 // FIXME: add arg max_outlen ?
 int x509_key_do_exchange(const X509_KEY *key, const X509_KEY *pub, uint8_t *out, size_t *outlen)
 {
diff --git a/src/xmss.c b/src/xmss.c
index f3b6d134..ec4f4a62 100644
--- a/src/xmss.c
+++ b/src/xmss.c
@@ -1153,14 +1153,6 @@ int xmss_signature_print(FILE *fp, int fmt, int ind, const char *label, const ui
 	return 1;
 }
 
-void xmss_sign_ctx_cleanup(XMSS_SIGN_CTX *ctx)
-{
-	if (ctx) {
-		gmssl_secure_clear(ctx->xmss_sig.random, sizeof(xmss_hash256_t));
-		gmssl_secure_clear(ctx->xmss_sig.wots_sig, sizeof(xmss_wots_sig_t)); // might cache wots_sk
-	}
-}
-
 int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key)
 {
 	xmss_hash256_t hash256_index = {0};
@@ -2222,14 +2214,6 @@ int xmssmt_signature_print(FILE *fp, int fmt, int ind, const char *label, const
 	return 1;
 }
 
-void xmssmt_sign_ctx_cleanup(XMSSMT_SIGN_CTX *ctx)
-{
-	if (ctx) {
-		gmssl_secure_clear(ctx->xmssmt_sig.random, sizeof(xmss_hash256_t));
-		gmssl_secure_clear(ctx->xmssmt_sig.wots_sigs[0], sizeof(xmss_wots_sig_t));
-	}
-}
-
 int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key)
 {
 	size_t height;
diff --git a/tests/secp256r1_keytest.c b/tests/secp256r1_keytest.c
index 081c47a1..8a63f890 100644
--- a/tests/secp256r1_keytest.c
+++ b/tests/secp256r1_keytest.c
@@ -14,6 +14,7 @@
 #include <stdint.h>
 #include <gmssl/hex.h>
 #include <gmssl/rand.h>
+#include <gmssl/mem.h>
 #include <gmssl/error.h>
 #include <gmssl/secp256r1_key.h>
 
@@ -28,7 +29,7 @@ static int test_secp256r1_key_generate(void)
 	}
 	secp256r1_public_key_print(stderr, 0, 4, "public_key", &key);
 	secp256r1_private_key_print(stderr, 0, 4, "private_key", &key);
-	secp256r1_key_cleanup(&key);
+	gmssl_secure_clear(&key, sizeof(key));
 	secp256r1_private_key_print(stderr, 0, 4, "private_key", &key);
 
 	printf("%s() ok\n", __FUNCTION__);
@@ -289,4 +290,3 @@ err:
 	error_print();
 	return 1;
 }
-
diff --git a/tools/kyberdecap.c b/tools/kyberdecap.c
index 0489bf0e..6aa7b586 100644
--- a/tools/kyberdecap.c
+++ b/tools/kyberdecap.c
@@ -168,7 +168,7 @@ bad:
 	ret = 0;
 
 end:
-	kyber_key_cleanup(&key);
+	gmssl_secure_clear(&key, sizeof(key));
 	gmssl_secure_clear(keybuf, sizeof(keybuf));
 	if (keyfp) fclose(keyfp);
 	if (infp && infp != stdin) fclose(infp);
diff --git a/tools/kyberkeygen.c b/tools/kyberkeygen.c
index a34656aa..03be61aa 100644
--- a/tools/kyberkeygen.c
+++ b/tools/kyberkeygen.c
@@ -123,7 +123,7 @@ bad:
 
 	ret = 0;
 end:
-	kyber_key_cleanup(&key);
+	gmssl_secure_clear(&key, sizeof(key));
 	gmssl_secure_clear(out, outlen);
 	if (outfile && outfp) fclose(outfp);
 	if (puboutfile && puboutfp) fclose(puboutfp);
diff --git a/tools/sdfdecrypt.c b/tools/sdfdecrypt.c
index 7b1a1b93..53933e53 100755
--- a/tools/sdfdecrypt.c
+++ b/tools/sdfdecrypt.c
@@ -215,11 +215,11 @@ bad:
 	ret = 0;
 
 end:
+	gmssl_secure_clear(&ctx, sizeof(ctx));
 	(void)sdf_destroy_key(&key);
 	(void)sdf_close_device(&dev);
 	(void)sdf_unload_library();
 	gmssl_secure_clear(iv, sizeof(iv));
-	gmssl_secure_clear(&ctx, sizeof(ctx));
 	if (infile && infp) fclose(infp);
 	if (outfile && outfp) fclose(outfp);
 	return ret;
diff --git a/tools/sdfdigest.c b/tools/sdfdigest.c
index adbb5d79..61bb6eb6 100644
--- a/tools/sdfdigest.c
+++ b/tools/sdfdigest.c
@@ -82,6 +82,7 @@ int sdfdigest_main(int argc, char **argv)
 	uint8_t dgst[32];
 	int i;
 
+	memset(&dev, 0, sizeof(dev));
 	memset(&ctx, 0, sizeof(ctx));
 
 	argc--;
@@ -261,6 +262,7 @@ bad:
 	ret = 0;
 end:
 	(void)sdf_digest_cleanup(&ctx);
+	(void)sdf_close_device(&dev);
 	if (pubkeyfp) fclose(pubkeyfp);
 	if (infile && infp) fclose(infp);
 	if (outfile && outfp) fclose(outfp);
diff --git a/tools/sdfencrypt.c b/tools/sdfencrypt.c
index e92a4c7f..caa894c6 100755
--- a/tools/sdfencrypt.c
+++ b/tools/sdfencrypt.c
@@ -223,11 +223,11 @@ bad:
 	ret = 0;
 
 end:
+	gmssl_secure_clear(&ctx, sizeof(ctx));
 	(void)sdf_destroy_key(&key);
 	(void)sdf_close_device(&dev);
 	(void)sdf_unload_library();
 	gmssl_secure_clear(iv, sizeof(iv));
-	gmssl_secure_clear(&ctx, sizeof(ctx));
 	if (infile && infp) fclose(infp);
 	if (outfile && outfp) fclose(outfp);
 	return ret;
diff --git a/tools/sdfexport.c b/tools/sdfexport.c
index 62d8d1ec..c28de6a5 100644
--- a/tools/sdfexport.c
+++ b/tools/sdfexport.c
@@ -48,6 +48,8 @@ int sdfexport_main(int argc, char **argv)
 	SDF_DEVICE dev;
 	SM2_KEY sm2_key;
 
+	memset(&dev, 0, sizeof(dev));
+
 	argc--;
 	argv++;
 
@@ -141,10 +143,9 @@ bad:
 		goto end;
 	}
 
-	sdf_close_device(&dev);
-
 	ret = 0;
 end:
+	(void)sdf_close_device(&dev);
 	if (lib) sdf_unload_library();
 	return ret;
 }
diff --git a/tools/sdfsign.c b/tools/sdfsign.c
index 45d12701..0510283f 100644
--- a/tools/sdfsign.c
+++ b/tools/sdfsign.c
@@ -57,6 +57,10 @@ int sdfsign_main(int argc, char **argv)
 	SDF_PRIVATE_KEY key;
 	SDF_SIGN_CTX ctx;
 
+	memset(&dev, 0, sizeof(dev));
+	memset(&key, 0, sizeof(key));
+	memset(&ctx, 0, sizeof(ctx));
+
 	argc--;
 	argv++;
 
@@ -136,19 +140,16 @@ bad:
 	}
 
 	if (sdf_load_private_key(&dev, &key, key_index, pass) != 1) {
-		(void)sdf_close_device(&dev);
 		fprintf(stderr,  "gmssl %s: load signing key #%d failure\n", prog, key_index);
 		goto end;
 	}
 
 	if (sdf_sign_init(&ctx, &key, id, strlen(id)) != 1) {
-		(void)sdf_close_device(&dev);
 		fprintf(stderr, "gmssl %s: inner error\n", prog);
 		goto end;
 	}
 	while ((len = fread(buf, 1, sizeof(buf), infp)) > 0) {
 		if (sdf_sign_update(&ctx, buf, len) != 1) {
-			(void)sdf_close_device(&dev);
 			fprintf(stderr, "gmssl %s: inner error\n", prog);
 			goto end;
 		}
@@ -158,11 +159,9 @@ bad:
 		goto end;
 	}
 	if (sdf_sign_finish(&ctx, sig, &siglen) != 1) {
-		(void)sdf_close_device(&dev);
 		fprintf(stderr, "gmssl %s: inner error\n", prog);
 		goto end;
 	}
-	(void)sdf_close_device(&dev);
 
 	if (fwrite(sig, 1, siglen, outfp) != siglen) {
 		fprintf(stderr, "gmssl %s: output signature failed : %s\n", prog, strerror(errno));
@@ -171,6 +170,9 @@ bad:
 	ret = 0;
 
 end:
+	gmssl_secure_clear(&ctx, sizeof(ctx));
+	(void)sdf_release_private_key(&key);
+	(void)sdf_close_device(&dev);
 	sdf_unload_library();
 	if (infile && infp) fclose(infp);
 	if (outfile && outfp) fclose(outfp);
diff --git a/tools/sdfutil.c b/tools/sdfutil.c
index 19fb5130..a64af0c9 100644
--- a/tools/sdfutil.c
+++ b/tools/sdfutil.c
@@ -211,7 +211,7 @@ bad:
 
 end:
 	gmssl_secure_clear(buf, sizeof(buf));
-	if (key_opened) sdf_release_key(&key);
+	if (key_opened) sdf_destroy_key(&key);
 	if (dev_opened) sdf_close_device(&dev);
 	if (lib) sdf_unload_library();
 	if (infile && infp) fclose(infp);
diff --git a/tools/sphincskeygen.c b/tools/sphincskeygen.c
index caf9d3cb..a103521d 100644
--- a/tools/sphincskeygen.c
+++ b/tools/sphincskeygen.c
@@ -124,7 +124,7 @@ bad:
 
 	ret = 0;
 end:
-	sphincs_key_cleanup(&key);
+	gmssl_secure_clear(&key, sizeof(key));
 	gmssl_secure_clear(out, sizeof(out));
 	if (outfile && outfp) fclose(outfp);
 	if (puboutfile && puboutfp) fclose(puboutfp);
diff --git a/tools/sphincssign.c b/tools/sphincssign.c
index 9a97e5ec..97da3524 100644
--- a/tools/sphincssign.c
+++ b/tools/sphincssign.c
@@ -169,7 +169,7 @@ bad:
 	ret = 0;
 
 end:
-	sphincs_key_cleanup(&key);
+	gmssl_secure_clear(&key, sizeof(key));
 	gmssl_secure_clear(keybuf, keylen);
 	gmssl_secure_clear(&ctx, sizeof(ctx));
 	if (keyfp) fclose(keyfp);
diff --git a/tools/tlcp_client.c b/tools/tlcp_client.c
index 4443e7b8..ab40f59b 100644
--- a/tools/tlcp_client.c
+++ b/tools/tlcp_client.c
@@ -238,6 +238,8 @@ int tlcp_client_main(int argc, char *argv[])
 	char send_buf[1024] = {0};
 	int read_stdin = 1;
 
+	memset(&conn, 0, sizeof(conn));
+
 	argc--;
 	argv++;
 	if (argc < 1) {
diff --git a/tools/tlcp_server.c b/tools/tlcp_server.c
index df423e28..e7c78959 100644
--- a/tools/tlcp_server.c
+++ b/tools/tlcp_server.c
@@ -170,6 +170,8 @@ int tlcp_server_main(int argc , char **argv)
 	tls_socklen_t client_addrlen;
 	size_t i;
 
+	memset(&conn, 0, sizeof(conn));
+
 	argc--;
 	argv++;
 
@@ -268,7 +270,6 @@ bad:
 	}
 
 	memset(&ctx, 0, sizeof(ctx));
-	memset(&conn, 0, sizeof(conn));
 
 	if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_server_mode) != 1
 		|| tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
diff --git a/tools/tls12_client.c b/tools/tls12_client.c
index 92b628bf..b29bf03e 100644
--- a/tools/tls12_client.c
+++ b/tools/tls12_client.c
@@ -227,6 +227,8 @@ int tls12_client_main(int argc, char *argv[])
 	size_t len = sizeof(buf);
 	char send_buf[1024] = {0};
 
+	memset(&conn, 0, sizeof(conn));
+
 	argc--;
 	argv++;
 	if (argc < 1) {
diff --git a/tools/tls12_server.c b/tools/tls12_server.c
index bd0a6947..a2866151 100644
--- a/tools/tls12_server.c
+++ b/tools/tls12_server.c
@@ -163,6 +163,8 @@ int tls12_server_main(int argc , char **argv)
 
 	size_t i;
 
+	memset(&conn, 0, sizeof(conn));
+
 	argc--;
 	argv++;
 
diff --git a/tools/tls13_client.c b/tools/tls13_client.c
index 1632cd43..6871ccca 100644
--- a/tools/tls13_client.c
+++ b/tools/tls13_client.c
@@ -226,6 +226,8 @@ int tls13_client_main(int argc, char *argv[])
 	size_t sent_len = 0;
 	size_t sent_offset = 0;
 
+	memset(&conn, 0, sizeof(conn));
+
 	char *host = NULL;
 	int port = 443;