From f52930b844e4ab69c83dbb34806e1139ff6c0ee8 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Wed, 21 Jan 2026 09:52:48 -0800
Subject: [PATCH] More fixes for NO RNG and NO check key (broken in #9606 and
 #9576)

---
 src/internal.c      |  2 +-
 wolfcrypt/src/rsa.c | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index af622bb8c..3eb6d7f8e 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -29812,7 +29812,7 @@ static int DecodePrivateKey_ex(WOLFSSL *ssl, byte keyType, const DerBuffer* key,
         }
     }
 
-#ifdef WOLF_PRIVATE_KEY_ID
+#if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY)
     if (keyDevId != INVALID_DEVID && (keyIdSet || keyLabelSet)) {
         /* Set hsType */
         if (keyType == rsa_sa_algo)
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index 0d2e25afe..6767231c1 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -3792,7 +3792,7 @@ int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
 {
     WC_RNG* rng;
     int ret;
-#ifdef WC_RSA_BLINDING
+#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
     if (key == NULL) {
         return BAD_FUNC_ARG;
     }
@@ -3816,7 +3816,7 @@ int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out,
 {
     WC_RNG* rng;
     int ret;
-#ifdef WC_RSA_BLINDING
+#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
     if (key == NULL) {
         return BAD_FUNC_ARG;
     }
@@ -3839,7 +3839,7 @@ int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
 {
     WC_RNG* rng;
     int ret;
-#ifdef WC_RSA_BLINDING
+#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
     if (key == NULL) {
         return BAD_FUNC_ARG;
     }
@@ -3863,7 +3863,7 @@ int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
 {
     WC_RNG* rng;
     int ret;
-#ifdef WC_RSA_BLINDING
+#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
     if (key == NULL) {
         return BAD_FUNC_ARG;
     }
@@ -3931,7 +3931,7 @@ int  wc_RsaSSL_Verify_ex2(const byte* in, word32 inLen, byte* out, word32 outLen
         return BAD_FUNC_ARG;
     }
 
-#ifdef WC_RSA_BLINDING
+#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
     rng = key->rng;
 #else
     rng = NULL;