diff --git a/src/asymmetric_cipher.c b/src/asymmetric_cipher.c
index 77ebc9af..61638488 100644
--- a/src/asymmetric_cipher.c
+++ b/src/asymmetric_cipher.c
@@ -308,6 +308,7 @@ static int p11prov_rsaenc_decrypt(void *ctx, unsigned char *out, size_t *outlen,
     CK_ULONG out_size = *outlen;
     int result = RET_OSSL_ERR;
     bool always_auth = false;
+    bool tls_padding = encctx->tls_passing.mode;
     CK_RV ret;
 
     P11PROV_debug("decrypt (ctx=%p)", ctx);
@@ -328,7 +329,7 @@ static int p11prov_rsaenc_decrypt(void *ctx, unsigned char *out, size_t *outlen,
     }
 
     if (outsize < key_size) {
-        if (encctx->tls_padding.mode) {
+        if (tls_padding) {
             if (outsize < SSL_MAX_MASTER_KEY_LENGTH) {
                 ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
                 return RET_OSSL_ERR;
@@ -339,7 +340,7 @@ static int p11prov_rsaenc_decrypt(void *ctx, unsigned char *out, size_t *outlen,
         }
     }
 
-    if (encctx->tls_padding.mode) {
+    if (tls_padding) {
         tmpbuf = OPENSSL_zalloc(key_size);
         if (!tmpbuf) {
             return RET_OSSL_ERR;
@@ -412,7 +413,7 @@ static int p11prov_rsaenc_decrypt(void *ctx, unsigned char *out, size_t *outlen,
 
         /* this conditional is ok because it is not dependent on the
          * decryption computation or any private data */
-        if (encctx->tls_padding.mode) {
+        if (tls_padding) {
             CK_ULONG tls_cond = 0;
 
             result = p11prov_tls_constant_time_depadding(encctx, out, tmpbuf,