diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h
index 94864faeaf..0008d73129 100644
--- a/include/mbedtls/ecjpake.h
+++ b/include/mbedtls/ecjpake.h
@@ -52,9 +52,9 @@ extern "C" {
  * Roles in the EC J-PAKE exchange
  */
 typedef enum {
-    MBEDTLS_ECJPAKE_NONE = 0,           /**< Undefined                      */
-    MBEDTLS_ECJPAKE_CLIENT,             /**< Client                         */
+    MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */
     MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
+    MBEDTLS_ECJPAKE_NONE,               /**< Undefined                      */
 } mbedtls_ecjpake_role;
 
 #if !defined(MBEDTLS_ECJPAKE_ALT)
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index d9b2ecd9ad..4136614f34 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -289,9 +289,6 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
             goto error;
         }
 
-        /* Role has been set, release user/peer buffers. */
-        mbedtls_free(user); mbedtls_free(peer);
-
         operation->buffer_length = 0;
         operation->buffer_offset = 0;
 
@@ -300,6 +297,9 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
             goto error;
         }
 
+        /* Role has been set, release user/peer buffers. */
+        mbedtls_free(user); mbedtls_free(peer);
+
         return PSA_SUCCESS;
     } else
 #else