diff --git a/contrib/slapd-modules/passwd/apr1.c b/contrib/slapd-modules/passwd/apr1.c
index 856ef5e07f73d3953dfd34ebfa789e71ba8d87a4..0ddb01b7ca317c748ecb039037c8161024779590 100644
--- a/contrib/slapd-modules/passwd/apr1.c
+++ b/contrib/slapd-modules/passwd/apr1.c
@@ -119,21 +119,21 @@ static int chk_phk(
 {
 	unsigned char digest[LUTIL_MD5_BYTES];
 	unsigned char *orig_pass;
-	int rc, n;
+	int rc;
 	struct berval salt;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check */
-	n = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
-	if (n <= sizeof(digest))
+	if (decode_len <= sizeof(digest))
 		return LUTIL_PASSWD_ERR;
 
 	/* base64 un-encode password hash */
-	orig_pass = (unsigned char *) ber_memalloc((size_t) (n + 1));
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if (orig_pass == NULL)
 		return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	if (rc <= (int) sizeof(digest)) {
 		ber_memfree(orig_pass);
diff --git a/contrib/slapd-modules/passwd/sha2/slapd-sha2.c b/contrib/slapd-modules/passwd/sha2/slapd-sha2.c
index 2674bf945a366c2a78116baebce6ae5f7fc5b9d0..1ec79896ebee1653e2055d145a8d05244deee98b 100644
--- a/contrib/slapd-modules/passwd/sha2/slapd-sha2.c
+++ b/contrib/slapd-modules/passwd/sha2/slapd-sha2.c
@@ -230,19 +230,19 @@ static int chk_ssha256(
 	unsigned char SHAdigest[SHA256_DIGEST_LENGTH];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHAdigest)) {
+	if (decode_len <= sizeof(SHAdigest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* base64 un-encode password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	if( rc <= sizeof(SHAdigest) ) {
 		ber_memfree(orig_pass);
@@ -274,19 +274,19 @@ static int chk_sha256(
 	unsigned char SHAdigest[SHA256_DIGEST_LENGTH];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHAdigest)) {
+	if (decode_len < sizeof(SHAdigest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* base64 un-encode password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	if( rc != sizeof(SHAdigest) ) {
 		ber_memfree(orig_pass);
@@ -318,19 +318,19 @@ static int chk_ssha384(
 	unsigned char SHAdigest[SHA384_DIGEST_LENGTH];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHAdigest)) {
+	if (decode_len <= sizeof(SHAdigest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* base64 un-encode password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	if( rc <= sizeof(SHAdigest) ) {
 		ber_memfree(orig_pass);
@@ -362,19 +362,19 @@ static int chk_sha384(
 	unsigned char SHAdigest[SHA384_DIGEST_LENGTH];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHAdigest)) {
+	if (decode_len < sizeof(SHAdigest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* base64 un-encode password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	if( rc != sizeof(SHAdigest) ) {
 		ber_memfree(orig_pass);
@@ -406,19 +406,19 @@ static int chk_ssha512(
 	unsigned char SHAdigest[SHA512_DIGEST_LENGTH];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHAdigest)) {
+	if (decode_len <= sizeof(SHAdigest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* base64 un-encode password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	if( rc <= sizeof(SHAdigest) ) {
 		ber_memfree(orig_pass);
@@ -450,19 +450,19 @@ static int chk_sha512(
 	unsigned char SHAdigest[SHA512_DIGEST_LENGTH];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHAdigest)) {
+	if (decode_len < sizeof(SHAdigest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* base64 un-encode password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	if( rc != sizeof(SHAdigest) ) {
 		ber_memfree(orig_pass);
diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c
index 6f75d724af3728f7c43cf75aaaa9f4775e62a0b7..383f32d8ffe9c5553f21dffa9362719ac24fe603 100644
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -493,19 +493,19 @@ static int chk_ssha1(
 	unsigned char SHA1digest[LUTIL_SHA1_BYTES];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check -- must have some salt */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHA1digest)) {
+	if (decode_len <= sizeof(SHA1digest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* decode base64 password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	/* safety check -- must have some salt */
 	if (rc <= (int)(sizeof(SHA1digest))) {
@@ -538,19 +538,19 @@ static int chk_sha1(
 	unsigned char SHA1digest[LUTIL_SHA1_BYTES];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
  
 	/* safety check */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHA1digest)) {
+	if (decode_len < sizeof(SHA1digest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* base64 un-encode password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	if( rc != sizeof(SHA1digest) ) {
 		ber_memfree(orig_pass);
@@ -580,19 +580,19 @@ static int chk_smd5(
 	unsigned char MD5digest[LUTIL_MD5_BYTES];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) {
+	if (decode_len <= sizeof(MD5digest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* base64 un-encode password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 
 	if (rc <= (int)(sizeof(MD5digest))) {
 		ber_memfree(orig_pass);
@@ -625,19 +625,19 @@ static int chk_md5(
 	unsigned char MD5digest[LUTIL_MD5_BYTES];
 	int rc;
 	unsigned char *orig_pass = NULL;
+	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
 
 	/* safety check */
-	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(MD5digest)) {
+	if (decode_len < sizeof(MD5digest)) {
 		return LUTIL_PASSWD_ERR;
 	}
 
 	/* base64 un-encode password */
-	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
-		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
 
 	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
 
-	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
 	if ( rc != sizeof(MD5digest) ) {
 		ber_memfree(orig_pass);
 		return LUTIL_PASSWD_ERR;