diff -r 37fb12574acd -r a316613205dc libidav/resource.c
--- a/libidav/resource.c	Sun Oct 04 15:57:40 2015 +0200
+++ b/libidav/resource.c	Sun Oct 04 18:35:15 2015 +0200
@@ -650,10 +650,11 @@
     
     // check encryption
     AESDecrypter *dec = NULL;
+    DavKey *key = NULL;
     if(DAV_DECRYPT_CONTENT(sn)) {
         char *keyname = dav_get_property_ns(res, DAV_NS, "crypto-key");
         if(keyname) {
-            DavKey *key = dav_context_get_key(sn->context, keyname);
+            key = dav_context_get_key(sn->context, keyname);
             if(key) {
                 dec = aes_decrypter_new(key, stream, write_fnc);
                 stream = dec;
@@ -686,13 +687,13 @@
     curl_easy_getinfo (handle, CURLINFO_RESPONSE_CODE, &status);
     if(ret == CURLE_OK && (status >= 200 && status < 300)) {
         int verify_failed = 0;
-        if(DAV_DECRYPT_CONTENT(sn)) {
+        if(DAV_DECRYPT_CONTENT(sn) && key) {
             // try to verify the content
             char *res_hash = dav_get_property_ns(res, DAV_NS, "crypto-hash");
 
             if(res_hash) {
                 size_t len = 0;
-                char *dec_hash = aes_decrypt(res_hash, &len, sn->key);
+                char *dec_hash = aes_decrypt(res_hash, &len, key);
                 char *hex_hash = util_hexstr(dec_hash, 32);
                 if(strcmp(hash, hex_hash)) {
                     verify_failed = 1;
@@ -701,6 +702,9 @@
                 free(hex_hash);
             }
         }
+        if(hash) {
+            free(hash);
+        }
         
         if(verify_failed) {
             res->session->error = DAV_CONTENT_VERIFICATION_ERROR;
@@ -710,6 +714,9 @@
         res->session->error = DAV_OK;
         return 0;
     } else {
+        if(hash) {
+            free(hash);
+        }
         dav_session_set_error(res->session, ret, status);
         return 1;
     }