From 7048fa80d485cd5e339e67bf7e1e1e7d938ff44a Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Tue, 20 Jan 2026 16:48:21 -0600
Subject: [PATCH] wolfcrypt/src/random.c and wolfssl/wolfcrypt/settings.h: fixes from CI and peer review: * in wc_GenerateSeed_IntelRD(), use stack/register allocation for sanity_word{1,2}, and * don't set WC_VERBOSE_RNG if WOLFSSL_DEBUG_PRINTF is missing.
---
 wolfcrypt/src/random.c | 21 ++++++++++++---------
 wolfssl/wolfcrypt/settings.h | 6 +++---
 2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index 78b569972..5934c14df 100644
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -1942,29 +1942,32 @@ static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)
 if (!IS_INTEL_RDSEED(intel_flags))
 return -1;
+ /* Note, access to rdseed_sanity_status is benignly racey on multithreaded
+ * targets.
+ */
 if (rdseed_sanity_status == 0) {
- static word64 sanity_words[2] = {0, 0};
+ word64 sanity_word1 = 0, sanity_word2 = 0;
- ret = IntelRDseed64_r(&sanity_words[0]);
+ ret = IntelRDseed64_r(&sanity_word1);
 if (ret != 0)
 return ret;
- ret = IntelRDseed64_r(&sanity_words[1]);
+ ret = IntelRDseed64_r(&sanity_word2);
 if (ret != 0)
 return ret;
- if (sanity_words[0] == sanity_words[1]) {
- ret = IntelRDseed64_r(&sanity_words[0]);
+ if (sanity_word1 == sanity_word2) {
+ ret = IntelRDseed64_r(&sanity_word1);
 if (ret != 0)
 return ret;
- if (sanity_words[0] == sanity_words[1]) {
- rdseed_sanity_status = -1;
+ if (sanity_word1 == sanity_word2) {
 #ifdef WC_VERBOSE_RNG
 WOLFSSL_DEBUG_PRINTF(
- "WARNING: RDSEED disabled due to repeating word 0x%lx -- "
- "check CPU microcode version.", sanity_words[1]);
+ "WARNING: disabling RDSEED due to repeating word 0x%lx -- "
+ "check CPU microcode version.", sanity_word2);
 #endif
+ rdseed_sanity_status = -1;
 return -1;
 }
 }
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 8ba9e9a22..a7a70060a 100644
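Review bot: The warning in the inner `if (sanity_word1 == sanity_word2)` branch still formats a `word64` with `0x%lx`; on targets where `word64` is `unsigned long long` rather than `unsigned long` (its typedef is not visible here) that is a mismatched argument and undefined behaviour in exactly the diagnostic meant to report a broken RDSEED. A cast keeps it portable: `"WARNING: disabling RDSEED due to repeating word 0x%llx -- "` with `(unsigned long long)sanity_word2` as the argument, assuming the configured debug printf accepts `%llx`. The new comment calls the unsynchronised access to `rdseed_sanity_status` benign without saying why; one added sentence stating the reasoning (for instance that a lost update only causes the sanity check to be repeated, if that is the intent) would let the next reader verify the claim. The function body starts and ends outside this hunk.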
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -378,10 +378,10 @@
 #endif
 /* Ensure WC_VERBOSE_RNG is set when DEBUG_WOLFSSL is enabled, unless expressly
- * requested otherwise.
+ * requested otherwise. Relies on a working WOLFSSL_DEBUG_PRINTF.
 */
-#if defined(DEBUG_WOLFSSL) && !defined(WC_NO_VERBOSE_RNG) && \
- !defined(WC_VERBOSE_RNG)
+#if defined(DEBUG_WOLFSSL) && defined(WOLFSSL_DEBUG_PRINTF) && \
+ !defined(WC_NO_VERBOSE_RNG) && !defined(WC_VERBOSE_RNG)
 #define WC_VERBOSE_RNG
 #endif
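Review bot: The added `defined(WOLFSSL_DEBUG_PRINTF)` test guards only the automatic enable; a build that sets `WC_VERBOSE_RNG` itself without a debug printf still reaches the unconditional `WOLFSSL_DEBUG_PRINTF(...)` call under `#ifdef WC_VERBOSE_RNG` in wc_GenerateSeed_IntelRD() and would presumably fail to compile. Consider rejecting that combination here with `#if defined(WC_VERBOSE_RNG) && !defined(WOLFSSL_DEBUG_PRINTF)` / `#error "WC_VERBOSE_RNG requires WOLFSSL_DEBUG_PRINTF"` / `#endif`. The guard also depends on `WOLFSSL_DEBUG_PRINTF` being defined before this point in settings.h, which the hunk does not show; if it is defined later in the include order, DEBUG_WOLFSSL builds silently lose the RDSEED-disabled warning, so the comment should name where the macro is expected to come from.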