diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 41d8f7d13..ce5a4f8f0 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -25944,7 +25944,9 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
 byte seq[MAX_SEQ_SZ];
 byte ver[MAX_VERSION_SZ];
 mp_int* keyInt;
+#ifndef WOLFSSL_NO_MALLOC
 byte* tmps[RSA_INTS];
+#endif
 
 if (key == NULL)
 return BAD_FUNC_ARG;
@@ -25952,25 +25954,17 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
 if (key->type != RSA_PRIVATE)
 return BAD_FUNC_ARG;
 
- XMEMSET(tmps, 0, sizeof(tmps));
-
+#ifndef WOLFSSL_NO_MALLOC
 for (i = 0; i < RSA_INTS; i++)
 tmps[i] = NULL;
+#endif
 
 /* write all big ints from key to DER tmps */
 for (i = 0; i < RSA_INTS; i++) {
 keyInt = GetRsaInt(key, i);
 ret = mp_unsigned_bin_size(keyInt);
- if (ret < 0) {
-#ifndef WOLFSSL_NO_MALLOC
- /* free outstanding tmps */
- for (i = 0; i < RSA_INTS; i++) {
- if (tmps[i] != NULL)
- XFREE(tmps[i], key->heap, DYNAMIC_TYPE_RSA);
- }
-#endif
- return ret;
- }
+ if (ret < 0)
+ break;
 rawLen = (word32)ret + 1;
 ret = 0;
 #ifndef WOLFSSL_NO_MALLOC
@@ -25982,8 +25976,10 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
 break;
 }
 }
-#endif
 mpSz = SetASNIntMP(keyInt, MAX_RSA_INT_SZ, tmps[i]);
+#else
+ mpSz = SetASNIntMP(keyInt, MAX_RSA_INT_SZ, NULL);
+#endif
 if (mpSz < 0) {
 ret = mpSz;
 break;
@@ -26025,8 +26021,8 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
 if (ret < 0) {
 return ret;
 }
- rawLen = (word32)ret + 1;
 ret = 0;
+ /* This won't overrun output due to the outLen check above */
 mpSz = SetASNIntMP(keyInt, MAX_RSA_INT_SZ, output + j);
 if (mpSz < 0) {
 ret = mpSz;
@@ -26037,10 +26033,12 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
 }
 }
 
+#ifndef WOLFSSL_NO_MALLOC
 for (i = 0; i < RSA_INTS; i++) {
 if (tmps[i])
 XFREE(tmps[i], key->heap, DYNAMIC_TYPE_RSA);
 }
+#endif
 
 if (ret == 0)
 ret = (int)outLen;
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index 8f4e521a3..220981890 100644
--- a/wolfcrypt/src/rsa.c
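Review bot: The `if (ret < 0) break;` that replaces the old free-and-return path in the first loop of wc_RsaKeyToDer (asn.c, second hunk) has no comment stating what it now relies on. The function continues outside this hunk, so from these lines the change is only correct if every step between this loop and the final `XFREE` loop is skipped when `ret` is non-zero; that should be confirmed against the full function. I would record the invariant next to the branch, for example `/* error: fall through to the common cleanup; nothing below may write to output unless ret == 0 */`.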
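Review bot: The added comment `This won't overrun output due to the outLen check above` (asn.c, fourth hunk) states the conclusion but not the invariant, and the call beneath it still passes `MAX_RSA_INT_SZ` rather than the space remaining in `output` as what appears to be its size bound. The check it refers to lies outside this hunk; presumably it compares the total from the sizing pass with `inLen`, in which case the write is safe only while both passes encode the same integers to the same lengths. I would put that in the comment, e.g. `/* outLen was computed from these same integers and checked against inLen above, so output + j has room for this encoding */`.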
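Review bot: The `tmps[i]` buffers released in the loop that the last asn.c hunk wraps in `#ifndef WOLFSSL_NO_MALLOC` are handed to `XFREE` without being cleared, although this function only accepts an `RSA_PRIVATE` key and the earlier loop comment says it writes "all big ints from key to DER tmps". The rsa.c part of this same patch clears `buf` with `ForceZero` before it goes out of use, and the same treatment belongs here: `ForceZero(tmps[i], <allocated length>);` ahead of the `XFREE` for each non-NULL entry. The allocation size is set outside the lines shown, so the length argument has to be taken from there.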
+++ b/wolfcrypt/src/rsa.c
@@ -4724,6 +4724,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
 #ifndef WOLFSSL_NO_MALLOC
 byte* buf = NULL;
 #else
+ /* RSA_MAX_SIZE is the size of n in bits. */
 byte buf[RSA_MAX_SIZE/16];
 #endif
 #endif /* !WOLFSSL_CRYPTOCELL && !WOLFSSL_SE050 */
@@ -4946,6 +4947,8 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
 ForceZero(buf, primeSz);
 XFREE(buf, key->heap, DYNAMIC_TYPE_RSA);
 }
+#else
+ ForceZero(buf, primeSz);
 #endif
 
 if (err == MP_OKAY && mp_cmp(p, q) < 0) {
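Review bot: The new comment above `byte buf[RSA_MAX_SIZE/16];` gives the unit of `RSA_MAX_SIZE` but not why the array is sized by dividing it by 16. Judging by the `primeSz` length used with the same buffer in the next hunk, it holds one prime candidate, so I would spell the arithmetic out: `/* RSA_MAX_SIZE is the size of n in bits; a prime is half of n, so RSA_MAX_SIZE/16 bytes. */`.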
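Review bot: The added `ForceZero(buf, primeSz);` in the `#else` branch clears only `primeSz` bytes of the fixed array `byte buf[RSA_MAX_SIZE/16]` declared in the previous hunk, and it stays in bounds only if `primeSz` never exceeds that array size. Whatever enforces that bound is outside this hunk. `ForceZero(buf, sizeof(buf));` would wipe the whole array and remove the dependency on `primeSz`; it is valid here because `buf` is an array, not a pointer, in this branch. wc_MakeRsaKey's body continues on both sides of the hunk.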