diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 589215c57..d0db7af23 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -2920,7 +2920,7 @@ _hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert
 	if (ret)
 	    return 0;
 
-	ret = _hx509_eval_expr(context, env, q->expr);
+	ret = _hx509_expr_eval(context, env, q->expr);
 	hx509_env_free(&env);
 	if (ret == 0)
 	    return 0;
diff --git a/lib/hx509/sel.c b/lib/hx509/sel.c
index 86a5eca7a..80065bab5 100644
--- a/lib/hx509/sel.c
+++ b/lib/hx509/sel.c
@@ -156,7 +156,7 @@ eval_comp(hx509_context context, hx509_env env, struct hx_expr *expr)
 }
 
 int
-_hx509_eval_expr(hx509_context context, hx509_env env, struct hx_expr *expr)
+_hx509_expr_eval(hx509_context context, hx509_env env, struct hx_expr *expr)
 {
     switch (expr->op) {
     case op_TRUE:
@@ -164,13 +164,13 @@ _hx509_eval_expr(hx509_context context, hx509_env env, struct hx_expr *expr)
     case op_FALSE:
 	return 0;
     case op_NOT:
-	return ! _hx509_eval_expr(context, env, expr->arg1);
+	return ! _hx509_expr_eval(context, env, expr->arg1);
     case op_AND:
-	return _hx509_eval_expr(context, env, expr->arg1) && 
-	    _hx509_eval_expr(context, env, expr->arg2);
+	return _hx509_expr_eval(context, env, expr->arg1) && 
+	    _hx509_expr_eval(context, env, expr->arg2);
     case op_OR:
-	return _hx509_eval_expr(context, env, expr->arg1) ||
-	    _hx509_eval_expr(context, env, expr->arg2);
+	return _hx509_expr_eval(context, env, expr->arg1) ||
+	    _hx509_expr_eval(context, env, expr->arg2);
     case op_COMP:
 	return eval_comp(context, env, expr->arg1);
     default:
diff --git a/lib/hx509/test_expr.c b/lib/hx509/test_expr.c
index 52e93c13f..7f2a79589 100644
--- a/lib/hx509/test_expr.c
+++ b/lib/hx509/test_expr.c
@@ -67,16 +67,18 @@ main(int argc, char **argv)
 	if (expr == NULL)
 	    errx(1, "_hx509_expr_parse failed for %d: %s", i, foo[i].str);
 
-	val = _hx509_eval_expr(context, env, expr);
+	val = _hx509_expr_eval(context, env, expr);
 	if (foo[i].val) {
 	    if (val == 0)
-		errx(1, "_hx509_eval_expr not true when it should: %d: %s", 
+		errx(1, "_hx509_expr_eval not true when it should: %d: %s", 
 		     i, foo[i].str);
 	} else {
 	    if (val)
-		errx(1, "_hx509_eval_expr true when it should not: %d: %s", 
+		errx(1, "_hx509_expr_eval true when it should not: %d: %s", 
 		     i, foo[i].str);
 	}
+
+	_hx509_expr_free(expr);
     }
 	
     hx509_env_free(&env);
diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map
index 6d0d0253b..747d23fca 100644
--- a/lib/hx509/version-script.map
+++ b/lib/hx509/version-script.map
@@ -222,6 +222,9 @@ HEIMDAL_X509_1.0 {
 		_hx509_cert_assign_key;
 		_hx509_cert_private_key;
 		_hx509_name_from_Name;
+		_hx509_expr_free;
+		_hx509_expr_eval;
+		_hx509_expr_parse;
 		# pkcs11 symbols
 		C_GetFunctionList;
 	local: