wolfcrypt/src/random.c and wolfssl/wolfcrypt/settings.h: fixes from CI and peer review:

douzzer · douzzer · commit 7048fa80d485 · 2026-01-20T16:48:21.000-06:00
* in wc_GenerateSeed_IntelRD(), use stack/register allocation for sanity_word{1,2}, and
* don't set WC_VERBOSE_RNG if WOLFSSL_DEBUG_PRINTF is missing.
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
@@ -1942,29 +1942,32 @@ static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)
     if (!IS_INTEL_RDSEED(intel_flags))
         return -1;
 
+    /* Note, access to rdseed_sanity_status is benignly racey on multithreaded
+     * targets.
+     */
     if (rdseed_sanity_status == 0) {
-        static word64 sanity_words[2] = {0, 0};
+        word64 sanity_word1 = 0, sanity_word2 = 0;
 
-        ret = IntelRDseed64_r(&sanity_words[0]);
+        ret = IntelRDseed64_r(&sanity_word1);
         if (ret != 0)
             return ret;
 
-        ret = IntelRDseed64_r(&sanity_words[1]);
+        ret = IntelRDseed64_r(&sanity_word2);
         if (ret != 0)
             return ret;
 
-        if (sanity_words[0] == sanity_words[1]) {
-            ret = IntelRDseed64_r(&sanity_words[0]);
+        if (sanity_word1 == sanity_word2) {
+            ret = IntelRDseed64_r(&sanity_word1);
             if (ret != 0)
                 return ret;
 
-            if (sanity_words[0] == sanity_words[1]) {
-                rdseed_sanity_status = -1;
+            if (sanity_word1 == sanity_word2) {
 #ifdef WC_VERBOSE_RNG
                 WOLFSSL_DEBUG_PRINTF(
-                    "WARNING: RDSEED disabled due to repeating word 0x%lx -- "
-                    "check CPU microcode version.", sanity_words[1]);
+                    "WARNING: disabling RDSEED due to repeating word 0x%lx -- "
+                    "check CPU microcode version.", sanity_word2);
 #endif
+                rdseed_sanity_status = -1;
                 return -1;
             }
         }
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
@@ -378,10 +378,10 @@
 #endif
 
 /* Ensure WC_VERBOSE_RNG is set when DEBUG_WOLFSSL is enabled, unless expressly
- * requested otherwise.
+ * requested otherwise.  Relies on a working WOLFSSL_DEBUG_PRINTF.
  */
-#if defined(DEBUG_WOLFSSL) && !defined(WC_NO_VERBOSE_RNG) && \
-    !defined(WC_VERBOSE_RNG)
+#if defined(DEBUG_WOLFSSL) && defined(WOLFSSL_DEBUG_PRINTF) && \
+    !defined(WC_NO_VERBOSE_RNG) && !defined(WC_VERBOSE_RNG)
     #define WC_VERBOSE_RNG
 #endif
 
