Merge pull request #9568 from kareem-wolfssl/zd20947

douzzer · web-flow · commit 019a42018797 · 2025-12-24T17:03:26.000-06:00
Add a flag which allows requesting exactly SEED_SZ and using the full seed to instantiate the DRBG during RNG init.
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
@@ -859,6 +859,7 @@ WOLFSSL_RENESAS_RZN2L
 WOLFSSL_RENESAS_TLS
 WOLFSSL_RENESAS_TSIP_IAREWRX
 WOLFSSL_REQUIRE_TCA
+WOLFSSL_RNG_USE_FULL_SEED
 WOLFSSL_RSA_CHECK_D_ON_DECRYPT
 WOLFSSL_RSA_DECRYPT_TO_0_LEN
 WOLFSSL_RW_THREADED
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
@@ -739,11 +739,15 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
 {
     int ret = 0;
 #ifdef HAVE_HASHDRBG
+#if !defined(HAVE_FIPS) && defined(WOLFSSL_RNG_USE_FULL_SEED)
+    word32 seedSz = SEED_SZ;
+#else
     word32 seedSz = SEED_SZ + SEED_BLOCK_SZ;
     WC_DECLARE_VAR(seed, byte, MAX_SEED_SZ, rng->heap);
 #ifdef WOLFSSL_SMALL_STACK_CACHE
     int drbg_scratch_instantiated = 0;
 #endif
+#endif
 #endif
 
     (void)nonce;
@@ -945,7 +949,11 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
     #endif
             if (ret == DRBG_SUCCESS)
                 ret = Hash_DRBG_Instantiate((DRBG_internal *)rng->drbg,
+            #if defined(HAVE_FIPS) || !defined(WOLFSSL_RNG_USE_FULL_SEED)
                             seed + SEED_BLOCK_SZ, seedSz - SEED_BLOCK_SZ,
+            #else
+                            seed, seedSz,
+            #endif
                             nonce, nonceSz, rng->heap, devId);
     } /* ret == 0 */
 
