Merge pull request #9582 from douzzer/20251224-wc_GenerateSeed-unreachable-code

dgarske · web-flow · commit 48d6811e04db · 2025-12-26T07:38:07.000-08:00
20251224-wc_GenerateSeed-unreachable-code
diff --git a/src/ssl.c b/src/ssl.c
@@ -7468,6 +7468,8 @@ static int check_cert_key(const DerBuffer* cert, const DerBuffer* key,
         }
 
         if (ret == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
+#else
+        if (ret == WOLFSSL_SUCCESS)
 #endif /* WOLF_PRIVATE_KEY_ID */
         {
             ret = wc_CheckPrivateKeyCert(buff, size, der, 1, heap);
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
@@ -3420,14 +3420,20 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
     #ifdef HAVE_ENTROPY_MEMUSE
         ret = wc_Entropy_Get(MAX_ENTROPY_BITS, output, sz);
         if (ret == 0) {
-            return 0;
+            /* success, we're done */
+            return ret;
         }
-     #ifdef ENTROPY_MEMUSE_FORCE_FAILURE
-        /* Don't fallback to /dev/urandom. */
+    #ifdef ENTROPY_MEMUSE_FORCE_FAILURE
+        /* Don't fall back to /dev/urandom. */
         return ret;
+    #else
+        /* Reset error and fall back to using /dev/urandom. */
+        ret = 0;
     #endif
     #endif
 
+    #if !defined(HAVE_ENTROPY_MEMUSE) || !defined(ENTROPY_MEMUSE_FORCE_FAILURE)
+
     #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)
         if (IS_INTEL_RDSEED(intel_flags)) {
              ret = wc_GenerateSeed_IntelRD(NULL, output, sz);
@@ -3436,15 +3442,24 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
                  return ret;
              }
         #ifdef FORCE_FAILURE_RDSEED
-             /* don't fallback to /dev/urandom */
+             /* Don't fall back to /dev/urandom. */
              return ret;
         #else
-             /* reset error and fallback to using /dev/urandom */
+             /* Reset error and fall back to using /dev/urandom. */
              ret = 0;
         #endif
         }
+    #ifdef FORCE_FAILURE_RDSEED
+        else {
+            /* Don't fall back to /dev/urandom */
+            return MISSING_RNG_E;
+        }
+    #endif
     #endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
 
+    #if (!defined(HAVE_INTEL_RDSEED) && !defined(HAVE_AMD_RDSEED)) || \
+        !defined(FORCE_FAILURE_RDSEED)
+
     #if defined(WOLFSSL_GETRANDOM) || defined(HAVE_GETRANDOM)
         {
             word32 grSz = sz;
@@ -3472,16 +3487,20 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
             if (ret == 0)
                 return ret;
         #ifdef FORCE_FAILURE_GETRANDOM
-            /* don't fallback to /dev/urandom */
+            /* don't fall back to /dev/urandom */
             return ret;
         #elif !defined(NO_FILESYSTEM)
-            /* reset error and fallback to using /dev/urandom if filesystem
+            /* reset error and fall back to using /dev/urandom if filesystem
              * support is compiled in */
             ret = 0;
         #endif
         }
     #endif
 
+    #endif /* (!HAVE_INTEL_RDSEED && !HAVE_AMD_RDSEED) || !FORCE_FAILURE_RDSEED */
+
+    #endif /*!HAVE_ENTROPY_MEMUSE || !ENTROPY_MEMUSE_FORCE_FAILURE */
+
 #ifndef NO_FILESYSTEM
     #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
         os->fd = open("/dev/urandom", O_RDONLY);

Original file line number	Diff line number	Diff line change
`@@ -7468,6 +7468,8 @@ static int check_cert_key(const DerBuffer* cert, const DerBuffer* key,`
`7468`	`7468`	`}`
`7469`	`7469`
`7470`	`7470`	`if (ret == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))`
	`7471`	`+#else`
	`7472`	`+ if (ret == WOLFSSL_SUCCESS)`
`7471`	`7473`	`#endif /* WOLF_PRIVATE_KEY_ID */`
`7472`	`7474`	`{`
`7473`	`7475`	`ret = wc_CheckPrivateKeyCert(buff, size, der, 1, heap);`