Avoid leaking memory when receiving a bad response.

A badly authenticated response message or one that didn't decode or
decrypt correctly was never freed. If caller didn't pass pkt_out, any
response was leaked as well.

As a bonus, the code is now readable too.