diff --git a/RSA.xs b/RSA.xs
index 65c8078..61b1bfd 100644
--- a/RSA.xs
+++ b/RSA.xs
@@ -956,10 +956,10 @@ check_key(p_rsa)
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
     EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_pkey(NULL, p_rsa->rsa, NULL);
     CHECK_OPEN_SSL(pctx);
-    RETVAL = EVP_PKEY_private_check(pctx);
+    RETVAL = (EVP_PKEY_private_check(pctx) == 1);
     EVP_PKEY_CTX_free(pctx);
 #else
-    RETVAL = RSA_check_key(p_rsa->rsa);
+    RETVAL = (RSA_check_key(p_rsa->rsa) == 1);
 #endif
   OUTPUT:
     RETVAL
@@ -1086,7 +1086,7 @@ sign(p_rsa, text_SV)
     rsaData* p_rsa;
     SV* text_SV;
   PREINIT:
-    UNSIGNED_CHAR *signature;
+    UNSIGNED_CHAR *signature = NULL;
     unsigned char* digest;
     SIZE_T_UNSIGNED_INT signature_length;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
@@ -1133,6 +1133,7 @@ sign(p_rsa, text_SV)
 
     goto sign_done;
     err:
+        Safefree(signature);
         if (md) EVP_MD_free(md);
         if (ctx) EVP_PKEY_CTX_free(ctx);
         CHECK_OPEN_SSL(0);
diff --git a/t/check_param.t b/t/check_param.t
index c612039..d58f8fc 100644
--- a/t/check_param.t
+++ b/t/check_param.t
@@ -10,7 +10,7 @@ Crypt::OpenSSL::RSA->import_random_seed();
 my $HAS_BIGNUM = $INC{'Crypt/OpenSSL/Bignum.pm'} ? 1 : 0;
 
 $HAS_BIGNUM
-    ? plan( tests => 7 )
+    ? plan( tests => 9 )
     : plan( skip_all => "Crypt::OpenSSL::Bignum required for check_param tests" );
 
 my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
@@ -60,3 +60,13 @@ my ( $n, $e, $d, $p, $q ) = $rsa->get_key_parameters();
     };
     ok( !$@, "without check option, valid params succeed as before" );
 }
+
+# 5. check_key() returns exactly 1, not just truthy
+# OpenSSL's RSA_check_key/EVP_PKEY_private_check can return -1 on error,
+# which is truthy in Perl.  The XS code must normalize to 0/1.
+{
+    cmp_ok( $rsa->check_key(), '==', 1,
+        "check_key returns exactly 1 for valid key (not raw OpenSSL int)" );
+    ok( ref(\($rsa->check_key())) ne 'GLOB',
+        "check_key returns a plain scalar" );
+}