diff --git a/bignum-random.c b/bignum-random.c
index 9b1a404b342bf4d241d8467411796fa497c76d00..16029216b404b704f70f6459f5c272e5d8bb7c0e 100644
--- a/bignum-random.c
+++ b/bignum-random.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 
 #include "bignum.h"
+#include "nettle-internal.h"
 
 void
 nettle_mpz_random_size(mpz_t x,
@@ -39,7 +40,8 @@ nettle_mpz_random_size(mpz_t x,
 		       unsigned bits)
 {
   unsigned length = (bits + 7) / 8;
-  uint8_t *data = alloca(length);
+  TMP_DECL(data, uint8_t, NETTLE_MAX_BIGNUM_BITS / 8);
+  TMP_ALLOC(data, length);
 
   random(ctx, length, data);
 
@@ -49,6 +51,7 @@ nettle_mpz_random_size(mpz_t x,
     mpz_fdiv_r_2exp(x, x, bits);
 }
 
+/* Returns a random number x, 0 <= x < n */
 void
 nettle_mpz_random(mpz_t x,
 		  void *ctx, nettle_random_func random,
diff --git a/cbc.c b/cbc.c
index f28c9f21b5f158510f2fb3ece876938eb0746e0c..72b71c7126bf83717b5a412f1a57ab7f5f0c3d10 100644
--- a/cbc.c
+++ b/cbc.c
@@ -34,6 +34,7 @@
 #include "cbc.h"
 
 #include "memxor.h"
+#include "nettle-internal.h"
 
 void
 cbc_encrypt(void *ctx, void (*f)(void *ctx,
@@ -106,33 +107,31 @@ cbc_decrypt(void *ctx, void (*f)(void *ctx,
        *
        * NOTE: We assume that block_size <= CBC_BUFFER_LIMIT. */
 
-      uint8_t *buffer;
-      
+      unsigned buffer_size;
+
       if (length <= CBC_BUFFER_LIMIT)
-	buffer = alloca(length);
+	buffer_size = length;
       else
-	{
-	  /* The buffer size must be an integral number of blocks. */
-	  unsigned buffer_size
-	    = CBC_BUFFER_LIMIT - (CBC_BUFFER_LIMIT % block_size);
-
-	  buffer = alloca(buffer_size);
-
-	  for ( ; length >= buffer_size;
-		length -= buffer_size, dst += buffer_size, src += buffer_size)
-	    {
-	      memcpy(buffer, src, buffer_size);
-	      cbc_decrypt_internal(ctx, f, block_size, iv,
-				   buffer_size, dst, buffer);
-	    }
-	  if (!length)
-	    return;
-	}
-      /* Now, we have at most CBC_BUFFER_LIMIT octets left */
-      memcpy(buffer, src, length);
-
-      cbc_decrypt_internal(ctx, f, block_size, iv,
-			   length, dst, buffer);
+	buffer_size
+	  = CBC_BUFFER_LIMIT - (CBC_BUFFER_LIMIT % block_size);
+
+      {
+	TMP_DECL(buffer, uint8_t, CBC_BUFFER_LIMIT);
+	TMP_ALLOC(buffer, buffer_size);
+
+	for ( ; length > buffer_size;
+	      length -= buffer_size, dst += buffer_size, src += buffer_size)
+	  {
+	    memcpy(buffer, src, buffer_size);
+	    cbc_decrypt_internal(ctx, f, block_size, iv,
+				 buffer_size, dst, buffer);
+	  }
+	/* Now, we have at most CBC_BUFFER_LIMIT octets left */
+	memcpy(buffer, src, length);
+	
+	cbc_decrypt_internal(ctx, f, block_size, iv,
+			     length, dst, buffer);
+      }
     }
 }
 
diff --git a/dsa-keygen.c b/dsa-keygen.c
index 2bd9fd660398d5008c66368c4aeb22cde3cf67d5..beb895edc6aca96e53d7c70244ccaa6ade6ab6c4 100644
--- a/dsa-keygen.c
+++ b/dsa-keygen.c
@@ -35,6 +35,7 @@
 
 #include "bignum.h"
 #include "memxor.h"
+#include "nettle-internal.h"
 
 /* The (slow) NIST method of generating DSA primes. Algorithm 4.56 of
  * Handbook of Applied Cryptography. */
@@ -118,8 +119,10 @@ dsa_nist_gen(mpz_t p, mpz_t q,
 	progress(progress_ctx, '\n');
       
       {
+	/* Official maximum key size: L = 1024 => n = 6 */
+	TMP_DECL(buffer, uint8_t, (6 + 1) * SHA1_DIGEST_SIZE);
 	unsigned size = (n+1) * SHA1_DIGEST_SIZE;
-	uint8_t *buffer = alloca(size);
+	TMP_ALLOC(buffer, size);
 	unsigned i, j;
 	
 	for (i = 0, j = 2; i<4096; i++, j+= n+1)
diff --git a/hmac.c b/hmac.c
index 5ffae38bc24bf9c9fd495991995bdaf2fee5a226..2534fc146e2be736d064657d858e46aabf1c6920 100644
--- a/hmac.c
+++ b/hmac.c
@@ -33,6 +33,7 @@
 #include "hmac.h"
 
 #include "memxor.h"
+#include "nettle-internal.h"
 
 #define IPAD 0x36
 #define OPAD 0x5c
@@ -42,7 +43,8 @@ hmac_set_key(void *outer, void *inner, void *state,
 	     const struct nettle_hash *hash,
 	     unsigned key_length, const uint8_t *key)
 {
-  uint8_t *pad = alloca(hash->block_size);
+  TMP_DECL(pad, uint8_t, NETTLE_MAX_HASH_BLOCK_SIZE);
+  TMP_ALLOC(pad, hash->block_size);
   
   hash->init(outer);
   hash->init(inner);
@@ -52,7 +54,8 @@ hmac_set_key(void *outer, void *inner, void *state,
       /* Reduce key to the algorithm's hash size. Use the area pointed
        * to by state for the temporary state. */
 
-      uint8_t *digest = alloca(hash->digest_size);
+      TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
+      TMP_ALLOC(digest, hash->digest_size);
 
       hash->init(state);
       hash->update(state, key_length, key);
@@ -90,7 +93,8 @@ hmac_digest(const void *outer, const void *inner, void *state,
 	    const struct nettle_hash *hash, 	    
 	    unsigned length, uint8_t *dst)
 {
-  uint8_t *digest = alloca(hash->digest_size);
+  TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
+  TMP_ALLOC(digest, hash->digest_size);
 
   hash->digest(state, hash->digest_size, digest);
 
diff --git a/pkcs1-rsa-md5.c b/pkcs1-rsa-md5.c
index c337232ddc14a1bb9ce30580940bcd44d83c8508..d3ccd8b055efdbf81bfbe658fb71377637433b84 100644
--- a/pkcs1-rsa-md5.c
+++ b/pkcs1-rsa-md5.c
@@ -38,6 +38,8 @@
 #include "bignum.h"
 #include "pkcs1.h"
 
+#include "nettle-internal.h"
+
 /* From pkcs-1v2
  *
  *   md5 OBJECT IDENTIFIER ::=
@@ -64,7 +66,8 @@ md5_prefix[] =
 void
 pkcs1_rsa_md5_encode(mpz_t m, unsigned length, struct md5_ctx *hash)
 {
-  uint8_t *em = alloca(length);
+  TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_BITS / 8);
+  TMP_ALLOC(em, length);
 
   assert(length >= MD5_DIGEST_SIZE);
   pkcs1_signature_prefix(length - MD5_DIGEST_SIZE, em,
@@ -78,7 +81,8 @@ pkcs1_rsa_md5_encode(mpz_t m, unsigned length, struct md5_ctx *hash)
 void
 pkcs1_rsa_md5_encode_digest(mpz_t m, unsigned length, const uint8_t *digest)
 {
-  uint8_t *em = alloca(length);
+  TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_BITS / 8);
+  TMP_ALLOC(em, length);
 
   assert(length >= MD5_DIGEST_SIZE);
   pkcs1_signature_prefix(length - MD5_DIGEST_SIZE, em,
diff --git a/pkcs1-rsa-sha1.c b/pkcs1-rsa-sha1.c
index b2f94a89635c440b9e64bdbc07f8d9bfb0ed75fa..62c51269e0491a537e049b17422d5eb2bc76d852 100644
--- a/pkcs1-rsa-sha1.c
+++ b/pkcs1-rsa-sha1.c
@@ -38,6 +38,8 @@
 #include "bignum.h"
 #include "pkcs1.h"
 
+#include "nettle-internal.h"
+
 /* From pkcs-1v2
  *
  *   id-sha1 OBJECT IDENTIFIER ::=
@@ -64,7 +66,8 @@ sha1_prefix[] =
 void
 pkcs1_rsa_sha1_encode(mpz_t m, unsigned length, struct sha1_ctx *hash)
 {
-  uint8_t *em = alloca(length);
+  TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_BITS / 8);
+  TMP_ALLOC(em, length);
 
   assert(length >= SHA1_DIGEST_SIZE);
   pkcs1_signature_prefix(length - SHA1_DIGEST_SIZE, em,
@@ -78,7 +81,8 @@ pkcs1_rsa_sha1_encode(mpz_t m, unsigned length, struct sha1_ctx *hash)
 void
 pkcs1_rsa_sha1_encode_digest(mpz_t m, unsigned length, const uint8_t *digest)
 {
-  uint8_t *em = alloca(length);
+  TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_BITS / 8);
+  TMP_ALLOC(em, length);
 
   assert(length >= SHA1_DIGEST_SIZE);
   pkcs1_signature_prefix(length - SHA1_DIGEST_SIZE, em,
diff --git a/rsa-decrypt.c b/rsa-decrypt.c
index 6f53c3dbf745a3ec25c13993471262f659d38bb1..058a75801c5e8421e8b2b66e7da16964483ac2cf 100644
--- a/rsa-decrypt.c
+++ b/rsa-decrypt.c
@@ -36,13 +36,14 @@
 #include "rsa.h"
 
 #include "bignum.h"
+#include "nettle-internal.h"
 
 int
 rsa_decrypt(const struct rsa_private_key *key,
 	    unsigned *length, uint8_t *message,
 	    const mpz_t gibberish)
 {
-  uint8_t *em;
+  TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_BITS / 8);
   uint8_t *terminator;
   unsigned padding;
   unsigned message_length;
@@ -52,7 +53,7 @@ rsa_decrypt(const struct rsa_private_key *key,
   mpz_init(m);
   rsa_compute_root(key, m, gibberish);
 
-  em = alloca(key->size);
+  TMP_ALLOC(em, key->size);
   nettle_mpz_get_str_256(key->size, em, m);
   mpz_clear(m);
 
diff --git a/rsa-encrypt.c b/rsa-encrypt.c
index ecc6760b3f6badb228b9621e172b2a3f6813eb10..fab5f82b255bf7406428c57f2eb6e917aec13085 100644
--- a/rsa-encrypt.c
+++ b/rsa-encrypt.c
@@ -36,6 +36,7 @@
 #include "rsa.h"
 
 #include "bignum.h"
+#include "nettle-internal.h"
 
 int
 rsa_encrypt(const struct rsa_public_key *key,
@@ -44,7 +45,7 @@ rsa_encrypt(const struct rsa_public_key *key,
 	    unsigned length, const uint8_t *message,
 	    mpz_t gibbberish)
 {
-  uint8_t *em;
+  TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_BITS / 8);
   unsigned padding;
   unsigned i;
   
@@ -64,7 +65,7 @@ rsa_encrypt(const struct rsa_public_key *key,
   padding = key->size - length - 3;
   assert(padding >= 8);
   
-  em = alloca(key->size - 1);
+  TMP_ALLOC(em, key->size - 1);
   em[0] = 2;
 
   random(random_ctx, padding, em + 1);
diff --git a/sexp.c b/sexp.c
index e6dce172a593351b88ba08384e63f84d393f9e09..1099282191be8a0d6a4e0f7f7d26b86da00d1ca0 100644
--- a/sexp.c
+++ b/sexp.c
@@ -33,6 +33,7 @@
 #include "sexp.h"
 
 #include "macros.h"
+#include "nettle-internal.h"
 
 /* Initializes the iterator, but one has to call next to get to the
  * first element. */
@@ -324,11 +325,11 @@ sexp_iterator_assoc(struct sexp_iterator *iterator,
 		    const uint8_t **keys,
 		    struct sexp_iterator *values)
 {
-  int *found;
+  TMP_DECL(found, int, NETTLE_MAX_SEXP_ASSOC);
   unsigned nfound;
   unsigned i;
-  
-  found = alloca(nkeys * sizeof(*found));
+
+  TMP_ALLOC(found, nkeys);
   for (i = 0; i<nkeys; i++)
     found[i] = 0;