cipher: fixed key ownership scope
Indicate key ownership earlier, so that it gets destroyed on faulty policy setting.
diff --git a/library/cipher.c b/library/cipher.c
index e479b9c..b81df6b 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -312,6 +312,15 @@
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
+ /* Indicate that we own the key slot and need to
+ * destroy it in mbedtls_cipher_free(). */
+ cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
+
+ /* From that point on, the responsibility for destroying the
+ * key slot is on mbedtls_cipher_free(). This includes the case
+ * where the policy setup or key import below fail, as
+ * mbedtls_cipher_free() needs to be called in any case. */
+
/* Setup policy for the new key slot. */
psa_key_policy_init( &key_policy );
@@ -325,14 +334,6 @@
status = psa_set_key_policy( cipher_psa->slot, &key_policy );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
- /* Indicate that we own the key slot and need to
- * destroy it in mbedtls_cipher_free(). */
- cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
-
- /* From that point on, the responsibility for destroying the
- * key slot is on mbedtls_cipher_free(). This includes the case
- * where the policy setup or key import below fail, as
- * mbedtls_cipher_free() needs to be called in any case. */
/* Populate new key slot. */
status = psa_import_key( cipher_psa->slot,
