From a8fc68d81b3fac7e62c68797832ca5cc2c169bc4 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Tue, 1 Jul 2025 13:05:00 -0500
Subject: [PATCH] wolfcrypt/src/random.c: in Hash_DRBG_Generate(), gate the verbose reseed message on DEBUG_WOLFSSL or DEBUG_DRBG_RESEEDS, use WOLFSSL_MSG_EX(), and refactor the condition from `drbg->reseedCtr == RESEED_INTERVAL` to `drbg->reseedCtr >= WC_RESEED_INTERVAL`. also some unrelated cleanup in .wolfssl_known_macro_extras.
---
 .wolfssl_known_macro_extras | 4 +---
 wolfcrypt/src/random.c | 10 +++++-----
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index 1d1707409..465ae0aa9 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -305,8 +305,8 @@ MAXQ10XX_PRODUCTION_KEY
 MAXQ_EXPORT_TLS_KEYS
 MAXQ_SHA1
 MAXSEG_64K
-MAX_WOLFSSL_FILE_SIZE
 MAX_OID_SZ
+MAX_WOLFSSL_FILE_SIZE
 MDK_CONF_BARE_METAL
 MDK_CONF_FS
 MDK_CONF_RTX_TCP_FS
@@ -612,7 +612,6 @@ WOLFSSL_ALGO_HW_MUTEX
 WOLFSSL_ALLOW_CRIT_AIA
 WOLFSSL_ALLOW_CRIT_AKID
 WOLFSSL_ALLOW_CRIT_SKID
-WOLFSSL_ALLOW_ENCODING_CA_FALSE
 WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
 WOLFSSL_ALLOW_NO_CN_IN_SAN
 WOLFSSL_ALLOW_NO_SUITES
@@ -872,7 +871,6 @@ WOLFSSL_USE_OPTIONS_H
 WOLFSSL_USE_POPEN_HOST
 WOLFSSL_VALIDATE_DH_KEYGEN
 WOLFSSL_WC_LMS_SERIALIZE_STATE
-WOLFSSL_WC_MLKEM
 WOLFSSL_WC_XMSS_NO_SHA256
 WOLFSSL_WC_XMSS_NO_SHAKE256
 WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index 99de26e0a..50ff980a8 100644
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -232,7 +232,6 @@ This library contains implementation for the random number generator.
 #define OUTPUT_BLOCK_LEN (WC_SHA256_DIGEST_SIZE)
 #define MAX_REQUEST_LEN (0x10000)
-#define RESEED_INTERVAL WC_RESEED_INTERVAL
 /* The security strength for the RNG is the target number of bits of 
@@ -645,10 +644,11 @@ static int Hash_DRBG_Generate(DRBG_internal* drbg, byte* out, word32 outSz)
 return DRBG_FAILURE;
 }
- if (drbg->reseedCtr == RESEED_INTERVAL) {
-#if FIPS_VERSION3_GE(6,0,0)
- printf("Reseed triggered\n");
-#endif
+ if (drbg->reseedCtr >= WC_RESEED_INTERVAL) {
+ #if defined(DEBUG_WOLFSSL) || defined(DEBUG_DRBG_RESEEDS)
+ printf("DRBG reseed triggered, reseedCtr == %lu",
+ (unsigned long)drbg->reseedCtr);
+ #endif
 return DRBG_NEED_RESEED;
 }
 else {
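Review bot: The added debug line in Hash_DRBG_Generate() still calls `printf`, although the commit message says the message now goes through WOLFSSL_MSG_EX(), and its format string has lost the trailing newline that the removed `printf("Reseed triggered\n")` had. If the description is the intent, the call would read `WOLFSSL_MSG_EX("DRBG reseed triggered, reseedCtr == %lu", (unsigned long)drbg->reseedCtr);`. If `printf` is deliberate, presumably so the message appears with DEBUG_DRBG_RESEEDS alone, restore the `\n` and note the reason in a comment, since consecutive messages otherwise run together. The move from `==` to `>=` deserves a one-line comment such as `/* >= so a counter that has passed the interval still forces a reseed */`, because it makes the reseed check fail closed. The body of the function starts and ends outside this hunk.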