diff --git a/lib/libiscsiutil/keys.c b/lib/libiscsiutil/keys.c
index 8011b0a25329..185a179906b9 100644
--- a/lib/libiscsiutil/keys.c
+++ b/lib/libiscsiutil/keys.c
@@ -1,195 +1,199 @@ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * * Copyright (c) 2012 The FreeBSD Foundation * * This software was developed by Edward Tomasz Napierala under sponsorship * from the FreeBSD Foundation. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ #include #include #include #include #include "libiscsiutil.h" struct keys * keys_new(void) { struct keys *keys; keys = calloc(1, sizeof(*keys)); if (keys == NULL) log_err(1, "calloc"); return (keys); } void keys_delete(struct keys *keys) { - free(keys->keys_data); + for (int i = 0; i < KEYS_MAX; i++) { + free(keys->keys_names[i]); + free(keys->keys_values[i]); + } free(keys); } void keys_load(struct keys *keys, const struct pdu *pdu) { int i; - char *pair; + char *keys_data, *name, *pair, *value; size_t pair_len; if (pdu->pdu_data_len == 0) return; if (pdu->pdu_data[pdu->pdu_data_len - 1] != '\0') log_errx(1, "protocol error: key not NULL-terminated\n"); - assert(keys->keys_data == NULL); - keys->keys_data_len = pdu->pdu_data_len; - keys->keys_data = malloc(keys->keys_data_len); - if (keys->keys_data == NULL) + keys_data = malloc(pdu->pdu_data_len); + if (keys_data == NULL) log_err(1, "malloc"); - memcpy(keys->keys_data, pdu->pdu_data, keys->keys_data_len); + memcpy(keys_data, pdu->pdu_data, pdu->pdu_data_len); /* * XXX: Review this carefully. */ - pair = keys->keys_data; + pair = keys_data; for (i = 0;; i++) { if (i >= KEYS_MAX) log_errx(1, "too many keys received"); pair_len = strlen(pair); - keys->keys_values[i] = pair; - keys->keys_names[i] = strsep(&keys->keys_values[i], "="); - if (keys->keys_names[i] == NULL || keys->keys_values[i] == NULL) + value = pair; + name = strsep(&value, "="); + if (name == NULL || value == NULL) log_errx(1, "malformed keys"); + keys->keys_names[i] = checked_strdup(name); + keys->keys_values[i] = checked_strdup(value); log_debugx("key received: \"%s=%s\"", keys->keys_names[i], keys->keys_values[i]); pair += pair_len + 1; /* +1 to skip the terminating '\0'. 
*/ - if (pair == keys->keys_data + keys->keys_data_len) + if (pair == keys_data + pdu->pdu_data_len) break; - assert(pair < keys->keys_data + keys->keys_data_len); + assert(pair < keys_data + pdu->pdu_data_len); } + free(keys_data); } void keys_save(struct keys *keys, struct pdu *pdu) { char *data; size_t len; int i; /* * XXX: Not particularly efficient. */ len = 0; for (i = 0; i < KEYS_MAX; i++) { if (keys->keys_names[i] == NULL) break; /* * +1 for '=', +1 for '\0'. */ len += strlen(keys->keys_names[i]) + strlen(keys->keys_values[i]) + 2; } if (len == 0) return; data = malloc(len); if (data == NULL) log_err(1, "malloc"); pdu->pdu_data = data; pdu->pdu_data_len = len; for (i = 0; i < KEYS_MAX; i++) { if (keys->keys_names[i] == NULL) break; data += sprintf(data, "%s=%s", keys->keys_names[i], keys->keys_values[i]); data += 1; /* for '\0'. */ } } const char * keys_find(struct keys *keys, const char *name) { int i; /* * Note that we don't handle duplicated key names here, * as they are not supposed to happen in requests, and if they do, * it's an initiator error. */ for (i = 0; i < KEYS_MAX; i++) { if (keys->keys_names[i] == NULL) return (NULL); if (strcmp(keys->keys_names[i], name) == 0) return (keys->keys_values[i]); } return (NULL); } void keys_add(struct keys *keys, const char *name, const char *value) { int i; log_debugx("key to send: \"%s=%s\"", name, value); /* * Note that we don't check for duplicates here, as they are perfectly * fine in responses, e.g. the "TargetName" keys in discovery sesion * response. */ for (i = 0; i < KEYS_MAX; i++) { if (keys->keys_names[i] == NULL) { keys->keys_names[i] = checked_strdup(name); keys->keys_values[i] = checked_strdup(value); return; } } log_errx(1, "too many keys"); } void keys_add_int(struct keys *keys, const char *name, int value) { char *str; int ret; ret = asprintf(&str, "%d", value); if (ret <= 0) log_err(1, "asprintf"); keys_add(keys, name, str); free(str); } 
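Review bot: keys_load() loses its only guard against being called on a `struct keys` that already holds entries, because the commit removes `assert(keys->keys_data == NULL)` without a replacement. The loop stores the new checked_strdup() results into `keys->keys_names[i]` and `keys->keys_values[i]` starting at index 0, so on a populated structure the earlier strings would be overwritten and leaked. If the earlier set was longer, its trailing entries would stay in place and keys_find() would still return them next to the freshly parsed ones. The callers are not visible in this diff, so this may never happen today, but the old invariant is cheap to keep with `assert(keys->keys_names[0] == NULL);` ahead of the `malloc(pdu->pdu_data_len)` call. As a smaller style point, keys_delete() declares its counter inside the `for` statement while every other function in the file declares `int i;` at the top of the body.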
diff --git a/lib/libiscsiutil/libiscsiutil.h b/lib/libiscsiutil/libiscsiutil.h
index 79c79872b2e6..20979626aa3c 100644
--- a/lib/libiscsiutil/libiscsiutil.h
+++ b/lib/libiscsiutil/libiscsiutil.h
@@ -1,148 +1,146 @@ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * * Copyright (c) 2012 The FreeBSD Foundation * * This software was developed by Edward Tomasz Napierala under sponsorship * from the FreeBSD Foundation. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ #ifndef __LIBISCSIUTIL_H__ #define __LIBISCSIUTIL_H__ #include #include struct connection_ops; #define CONN_DIGEST_NONE 0 #define CONN_DIGEST_CRC32C 1 struct connection { const struct connection_ops *conn_ops; int conn_socket; uint8_t conn_isid[6]; uint16_t conn_tsih; uint32_t conn_cmdsn; uint32_t conn_statsn; int conn_header_digest; int conn_data_digest; bool conn_immediate_data; bool conn_use_proxy; int conn_max_recv_data_segment_length; int conn_max_send_data_segment_length; int conn_max_burst_length; int conn_first_burst_length; }; struct pdu { struct connection *pdu_connection; struct iscsi_bhs *pdu_bhs; char *pdu_data; size_t pdu_data_len; }; struct connection_ops { bool (*timed_out)(void); void (*pdu_receive_proxy)(struct pdu *); void (*pdu_send_proxy)(struct pdu *); void (*fail)(const struct connection *, const char *); }; #define KEYS_MAX 1024 struct keys { char *keys_names[KEYS_MAX]; char *keys_values[KEYS_MAX]; - char *keys_data; - size_t keys_data_len; }; #define CHAP_CHALLENGE_LEN 1024 #define CHAP_DIGEST_LEN 16 /* Equal to MD5 digest size. 
*/ struct chap { unsigned char chap_id; char chap_challenge[CHAP_CHALLENGE_LEN]; char chap_response[CHAP_DIGEST_LEN]; }; struct rchap { char *rchap_secret; unsigned char rchap_id; void *rchap_challenge; size_t rchap_challenge_len; }; struct chap *chap_new(void); char *chap_get_id(const struct chap *chap); char *chap_get_challenge(const struct chap *chap); int chap_receive(struct chap *chap, const char *response); int chap_authenticate(struct chap *chap, const char *secret); void chap_delete(struct chap *chap); struct rchap *rchap_new(const char *secret); int rchap_receive(struct rchap *rchap, const char *id, const char *challenge); char *rchap_get_response(struct rchap *rchap); void rchap_delete(struct rchap *rchap); struct keys *keys_new(void); void keys_delete(struct keys *key); void keys_load(struct keys *keys, const struct pdu *pdu); void keys_save(struct keys *keys, struct pdu *pdu); const char *keys_find(struct keys *keys, const char *name); void keys_add(struct keys *keys, const char *name, const char *value); void keys_add_int(struct keys *keys, const char *name, int value); struct pdu *pdu_new(struct connection *ic); struct pdu *pdu_new_response(struct pdu *request); int pdu_ahs_length(const struct pdu *pdu); int pdu_data_segment_length(const struct pdu *pdu); void pdu_set_data_segment_length(struct pdu *pdu, uint32_t len); void pdu_receive(struct pdu *request); void pdu_send(struct pdu *response); void pdu_delete(struct pdu *ip); void connection_init(struct connection *conn, const struct connection_ops *ops, bool use_proxy); void log_init(int level); void log_set_peer_name(const char *name); void log_set_peer_addr(const char *addr); void log_err(int, const char *, ...) __dead2 __printflike(2, 3); void log_errx(int, const char *, ...) __dead2 __printflike(2, 3); void log_warn(const char *, ...) __printflike(1, 2); void log_warnx(const char *, ...) __printflike(1, 2); void log_debugx(const char *, ...) 
__printflike(1, 2); char *checked_strdup(const char *); #endif /* !__LIBISCSIUTIL_H__ */