wolfcrypt/src/random.c and wolfssl/wolfcrypt/settings.h: fixes from CI and peer review:

* in wc_GenerateSeed_IntelRD(), use stack/register allocation for sanity_word{1,2}, and * don't set WC_VERBOSE_RNG if WOLFSSL_DEBUG_PRINTF is missing.
2026-01-26 17:32:50 +01:00 · 2026-01-20 16:48:21 -06:00
parent b91272c9a5
commit 7048fa80d4
2 changed files with 15 additions and 12 deletions
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -1942,29 +1942,32 @@ static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)
    if (!IS_INTEL_RDSEED(intel_flags))
        return -1;

+    /* Note, access to rdseed_sanity_status is benignly racey on multithreaded
+     * targets.
+     */
    if (rdseed_sanity_status == 0) {
-        static word64 sanity_words[2] = {0, 0};
+        word64 sanity_word1 = 0, sanity_word2 = 0;

-        ret = IntelRDseed64_r(&sanity_words[0]);
+        ret = IntelRDseed64_r(&sanity_word1);
        if (ret != 0)
            return ret;

-        ret = IntelRDseed64_r(&sanity_words[1]);
+        ret = IntelRDseed64_r(&sanity_word2);
        if (ret != 0)
            return ret;

-        if (sanity_words[0] == sanity_words[1]) {
-            ret = IntelRDseed64_r(&sanity_words[0]);
+        if (sanity_word1 == sanity_word2) {
+            ret = IntelRDseed64_r(&sanity_word1);
            if (ret != 0)
                return ret;

-            if (sanity_words[0] == sanity_words[1]) {
-                rdseed_sanity_status = -1;
+            if (sanity_word1 == sanity_word2) {
 #ifdef WC_VERBOSE_RNG
                WOLFSSL_DEBUG_PRINTF(
-                    "WARNING: RDSEED disabled due to repeating word 0x%lx -- "
-                    "check CPU microcode version.", sanity_words[1]);
+                    "WARNING: disabling RDSEED due to repeating word 0x%lx -- "
+                    "check CPU microcode version.", sanity_word2);
 #endif
+                rdseed_sanity_status = -1;
                return -1;
            }
        }
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -378,10 +378,10 @@
 #endif

 /* Ensure WC_VERBOSE_RNG is set when DEBUG_WOLFSSL is enabled, unless expressly
- * requested otherwise.
+ * requested otherwise.  Relies on a working WOLFSSL_DEBUG_PRINTF.
 */
-#if defined(DEBUG_WOLFSSL) && !defined(WC_NO_VERBOSE_RNG) && \
-    !defined(WC_VERBOSE_RNG)
+#if defined(DEBUG_WOLFSSL) && defined(WOLFSSL_DEBUG_PRINTF) && \
+    !defined(WC_NO_VERBOSE_RNG) && !defined(WC_VERBOSE_RNG)
    #define WC_VERBOSE_RNG
 #endif