From d1c321abdc0f1b6fcd029a6305461b59bb39b95b Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 12 Nov 2025 17:10:45 +0100
Subject: [PATCH] Don't override errors when blinding the priv key
---
 src/ssl_load.c | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/src/ssl_load.c b/src/ssl_load.c
index 95af6d4f6..bb14cbef3 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -1354,26 +1354,31 @@ static int ProcessBufferPrivateKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
 #endif /* WOLFSSL_ENCRYPTED_KEYS && !NO_PWDBASED */
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
+ {
+ int blindRet = 0;
 #ifdef WOLFSSL_DUAL_ALG_CERTS
- if (type == ALT_PRIVATEKEY_TYPE) {
+ if (type == ALT_PRIVATEKEY_TYPE) {
+ if (ssl != NULL) {
+ blindRet = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
+ &ssl->buffers.altKeyMask);
+ }
+ else {
+ blindRet = wolfssl_priv_der_blind(NULL, ctx->altPrivateKey,
+ &ctx->altPrivateKeyMask);
+ }
+ }
+ else
+#endif
 if (ssl != NULL) {
- ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
- &ssl->buffers.altKeyMask);
+ blindRet = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
+ &ssl->buffers.keyMask);
 }
 else {
- ret = wolfssl_priv_der_blind(NULL, ctx->altPrivateKey,
- &ctx->altPrivateKeyMask);
+ blindRet = wolfssl_priv_der_blind(NULL, ctx->privateKey,
+ &ctx->privateKeyMask);
 }
- }
- else
-#endif
- if (ssl != NULL) {
- ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
- &ssl->buffers.keyMask);
- }
- else {
- ret = wolfssl_priv_der_blind(NULL, ctx->privateKey,
- &ctx->privateKeyMask);
+ if (ret == 0 && blindRet != 0)
+ ret = blindRet;
 }
 #endif
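Review bot: The blinding call still runs when `ret` is already non-zero; the added `if (ret == 0 && blindRet != 0)` only keeps the earlier error code from being overwritten. On that path wolfssl_priv_der_blind is handed whatever key buffer the failed step left behind and a blinding failure is dropped without trace; the hunk does not show whether the helper tolerates a NULL or partly set up key, or whether the caller's error path frees a key that stayed unmasked. If masking on the error path is deliberate, a comment such as `/* Blind even after an earlier failure; keep the first error code. */` above `int blindRet = 0;` would record that; otherwise the block could open with `if (ret == 0) {`. The final `if` is also unbraced, unlike the braced `if`/`else` bodies in the same block. ProcessBufferPrivateKey starts and ends outside the hunk.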