From 742faccd995fcad87d0ff5969502585c8af47c8e Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 9 Jul 2024 17:04:50 +0000
Subject: Use better order in EVP_PKEY_CTRL_TLS_SECRET Also avoid an unnecessary NULL check.
---
 src/lib/libcrypto/kdf/tls1_prf.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/kdf/tls1_prf.c b/src/lib/libcrypto/kdf/tls1_prf.c
index cefb3e2cad..594537ca3f 100644
--- a/src/lib/libcrypto/kdf/tls1_prf.c
+++ b/src/lib/libcrypto/kdf/tls1_prf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls1_prf.c,v 1.30 2024/07/09 17:01:40 tb Exp $ */
+/* $OpenBSD: tls1_prf.c,v 1.31 2024/07/09 17:04:50 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 2016.
@@ -119,15 +119,14 @@ pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 case EVP_PKEY_CTRL_TLS_SECRET:
 if (p1 < 0)
 return 0;
- if (kctx->secret != NULL)
- freezero(kctx->secret, kctx->secret_len);
-
- explicit_bzero(kctx->seed, kctx->seed_len);
- kctx->seed_len = 0;
+ freezero(kctx->secret, kctx->secret_len);
 kctx->secret = NULL;
 kctx->secret_len = 0;
+ explicit_bzero(kctx->seed, kctx->seed_len);
+ kctx->seed_len = 0;
+
 if (p1 == 0 || p2 == NULL)
 return 0;
--
cgit v1.2.3-55-g6feb
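Review bot: In the EVP_PKEY_CTRL_TLS_SECRET case the early `return 0` for `p1 < 0` leaves the old secret and seed in place, while the later `return 0` for `p1 == 0 || p2 == NULL` is reached only after both have been wiped, so the two failure returns leave the context in different states and nothing in the case says which is intended. A short comment above the `freezero()` call would settle it, for example `/* Discard old secret and seed before validating p2: a failed set must not leave stale key material usable. */`, assuming that is the intent. The dropped NULL test relies on `freezero(NULL, n)` being a no-op, which holds for OpenBSD's libc; it is worth confirming that any replacement freezero() used by other builds behaves the same. The rest of this case and of pkey_tls1_prf_ctrl() lies outside the hunk.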