2 files changed, 15 insertions, 10 deletions

diff --git a/src/core/lib/security/credentials/jwt/jwt_verifier.c b/src/core/lib/security/credentials/jwt/jwt_verifier.c
index 6cd558d123..a27284bc50 100644
--- a/src/core/lib/security/credentials/jwt/jwt_verifier.c
+++ b/src/core/lib/security/credentials/jwt/jwt_verifier.c
@@ -442,7 +442,7 @@ static EVP_PKEY *extract_pkey_from_x509(const char *x509_str) {
 
 end:
   BIO_free(bio);
-  if (x509 != NULL) X509_free(x509);
+  X509_free(x509);
   return result;
 }
 
@@ -496,6 +496,8 @@ static EVP_PKEY *pkey_from_jwk(grpc_exec_ctx *exec_ctx, const grpc_json *json,
   const grpc_json *key_prop;
   RSA *rsa = NULL;
   EVP_PKEY *result = NULL;
+  BIGNUM *tmp_n = NULL;
+  BIGNUM *tmp_e = NULL;
 
   GPR_ASSERT(kty != NULL && json != NULL);
   if (strcmp(kty, "RSA") != 0) {
@@ -507,8 +509,6 @@ static EVP_PKEY *pkey_from_jwk(grpc_exec_ctx *exec_ctx, const grpc_json *json,
     gpr_log(GPR_ERROR, "Could not create rsa key.");
     goto end;
   }
-  BIGNUM *tmp_n = NULL;
-  BIGNUM *tmp_e = NULL;
   for (key_prop = json->child; key_prop != NULL; key_prop = key_prop->next) {
     if (strcmp(key_prop->key, "n") == 0) {
       tmp_n =
@@ -528,11 +528,16 @@ static EVP_PKEY *pkey_from_jwk(grpc_exec_ctx *exec_ctx, const grpc_json *json,
     gpr_log(GPR_ERROR, "Cannot set RSA key from inputs.");
     goto end;
   }
+  /* RSA_set0_key takes ownership on success. */
+  tmp_n = NULL;
+  tmp_e = NULL;
   result = EVP_PKEY_new();
   EVP_PKEY_set1_RSA(result, rsa); /* uprefs rsa. */
 
 end:
-  if (rsa != NULL) RSA_free(rsa);
+  RSA_free(rsa);
+  BN_free(tmp_n);
+  BN_free(tmp_e);
   return result;
 }
 
@@ -618,7 +623,7 @@ static int verify_jwt_signature(EVP_PKEY *key, const char *alg,
   result = 1;
 
 end:
-  if (md_ctx != NULL) EVP_MD_CTX_destroy(md_ctx);
+  EVP_MD_CTX_destroy(md_ctx);
   return result;
 }
 
@@ -658,7 +663,7 @@ static void on_keys_retrieved(grpc_exec_ctx *exec_ctx, void *user_data,
 
 end:
   if (json != NULL) grpc_json_destroy(json);
-  if (verification_key != NULL) EVP_PKEY_free(verification_key);
+  EVP_PKEY_free(verification_key);
   ctx->user_cb(exec_ctx, ctx->user_data, status, claims);
   verifier_cb_ctx_destroy(exec_ctx, ctx);
 }
diff --git a/src/core/lib/security/credentials/oauth2/oauth2_credentials.c b/src/core/lib/security/credentials/oauth2/oauth2_credentials.c
index c59e55136c..10b270c49c 100644
--- a/src/core/lib/security/credentials/oauth2/oauth2_credentials.c
+++ b/src/core/lib/security/credentials/oauth2/oauth2_credentials.c
@@ -296,10 +296,10 @@ static bool oauth2_token_fetcher_get_request_metadata(
   gpr_mu_unlock(&c->mu);
   if (start_fetch) {
     grpc_call_credentials_ref(creds);
-    c->fetch_func(exec_ctx, grpc_credentials_metadata_request_create(creds),
-                  &c->httpcli_context, &c->pollent,
-                  on_oauth2_token_fetcher_http_response,
-                  gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), refresh_threshold));
+    c->fetch_func(
+        exec_ctx, grpc_credentials_metadata_request_create(creds),
+        &c->httpcli_context, &c->pollent, on_oauth2_token_fetcher_http_response,
+        gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC), refresh_threshold));
   }
   return false;
 }