new file mode 100644
@@ -0,0 +1,46 @@
+From 6d0ee56813d69eee72108e1dc859743e02f70077 Mon Sep 17 00:00:00 2001
+From: Josh Holtrop <josh@wolfssl.com>
+Date: Thu, 5 Jun 2025 19:48:34 -0400
+Subject: [PATCH] Reseed DRBG in RAND_poll()
+
+CVE: CVE-2025-7394
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0c12337194ee6dd082f082f0ccaed27fc4ee44f5]
+(cherry picked from commit 0c12337194ee6dd082f082f0ccaed27fc4ee44f5)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ssl.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index 9ba891d62..a1421d523 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -24159,11 +24159,25 @@ int wolfSSL_RAND_poll(void)
+ return WOLFSSL_FAILURE;
+ }
+ ret = wc_GenerateSeed(&globalRNG.seed, entropy, entropy_sz);
+- if (ret != 0){
++ if (ret != 0) {
+ WOLFSSL_MSG("Bad wc_RNG_GenerateBlock");
+ ret = WOLFSSL_FAILURE;
+- }else
+- ret = WOLFSSL_SUCCESS;
++ }
++ else {
++#ifdef HAVE_HASHDRBG
++ ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
++ if (ret != 0) {
++ WOLFSSL_MSG("Error reseeding DRBG");
++ ret = WOLFSSL_FAILURE;
++ }
++ else {
++ ret = WOLFSSL_SUCCESS;
++ }
++#else
++ WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
++ ret = WOLFSSL_FAILURE;
++#endif
++ }
+
+ return ret;
+ }
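Review bot: The new else-branch at L33 reseeds globalRNG through wc_RNG_DRBG_Reseed without globalRNGMutex held, while wolfSSL_RAND_bytes (see the later hunks in this series) serialises its use of globalRNG on that mutex, so this patch on its own lets a reseed race a concurrent generate; the third patch in the series adds the lock, so the gap exists only between the two patches, but it matters if the series is ever split. The log on the wc_GenerateSeed failure path, the context line `WOLFSSL_MSG("Bad wc_RNG_GenerateBlock");`, names a different function; since the branch is being re-braced anyway, `WOLFSSL_MSG("Bad wc_GenerateSeed");` would make the diagnostic accurate. The entropy buffer handed to both calls is set up above the hunk, outside view; whether it is ForceZero'd before wolfSSL_RAND_poll returns is not visible here and worth confirming. wolfSSL_RAND_poll's body starts outside the hunk.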
new file mode 100644
@@ -0,0 +1,275 @@
+From b506ed4aeb2c86788422427624a03eb9bda52efc Mon Sep 17 00:00:00 2001
+From: JacobBarthelmeh <jacob@wolfssl.com>
+Date: Tue, 10 Jun 2025 12:49:08 -0600
+Subject: [PATCH] add sanity checks on pid with RNG
+
+CVE: CVE-2025-7394
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/31490ab813a5aac096f50800c26c690d8ae586d2]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ CMakeLists.txt | 1 +
+ configure.ac | 4 +-
+ src/ssl.c | 40 +++++++++++-
+ wolfcrypt/src/random.c | 126 ++++++++++++++++++++++---------------
+ wolfssl/wolfcrypt/random.h | 3 +
+ 5 files changed, 118 insertions(+), 56 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 4e6f05fc6..910a36648 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -124,6 +124,7 @@ check_function_exists("memset" HAVE_MEMSET)
+ check_function_exists("socket" HAVE_SOCKET)
+ check_function_exists("strftime" HAVE_STRFTIME)
+ check_function_exists("__atomic_fetch_add" HAVE_C___ATOMIC)
++check_function_exists("getpid" HAVE_GETPID)
+
+ include(CheckTypeSize)
+
+diff --git a/configure.ac b/configure.ac
+index c973b7e39..43ddd4767 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -125,8 +125,8 @@ AC_CHECK_HEADER(stdatomic.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ATOMIC_H"
+ # check if functions of interest are linkable, but also check if
+ # they're declared by the expected headers, and if not, supersede the
+ # unusable positive from AC_CHECK_FUNCS().
+-AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit])
+-AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit], [], [
++AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit getpid])
++AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, getpid], [], [
+ if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes"
+ then
+ AC_MSG_NOTICE([ note: earlier check for $(eval 'echo ${as_decl_name}') superseded.])
+diff --git a/src/ssl.c b/src/ssl.c
+index a1421d523..872aed594 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -23615,6 +23615,10 @@ int wolfSSL_RAND_Init(void)
+ if (initGlobalRNG == 0) {
+ ret = wc_InitRng(&globalRNG);
+ if (ret == 0) {
++ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
++ FIPS_VERSION3_LT(6,0,0)))
++ currentPid = getpid();
++ #endif
+ initGlobalRNG = 1;
+ ret = WOLFSSL_SUCCESS;
+ }
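Review bot: The condition at L102-L103, `FIPS_VERSION3_LT(6,0,0)))`, has two unmatched closing parentheses, so the preprocessor should reject this #if in any build that evaluates the directive, and the same `)))` recurs at L115 and L148; in addition, currentPid is assigned here at L104 but only defined at L118, several hundred lines further down, so a build that reaches this code fails on an undeclared identifier. The third patch in this series corrects both (balanced condition, currentRandPid hoisted above wolfSSL_RAND_Init), so the final tree is fine, but this intermediate commit does not build in the configuration it targets and breaks bisection; squashing the fix into this patch, or at least noting the dependency in the patch header, would be the usual remedy. wolfSSL_RAND_Init's body starts and ends outside the hunk.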
+@@ -24045,8 +24049,30 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num)
+ return ret;
+ }
+
+-/* returns WOLFSSL_SUCCESS if the bytes generated are valid otherwise
+- * WOLFSSL_FAILURE */
++#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
++/* In older FIPS bundles add check for reseed here since it does not exist in
++ * the older random.c certified files. */
++static pid_t currentPid = 0;
++
++/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */
++static int RandCheckReSeed()
++{
++ int ret = WOLFSSL_SUCCESS;
++ pid_t p;
++
++ p = getpid();
++ if (p != currentPid) {
++ currentPid = p;
++ if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
++ ret = WOLFSSL_FAILURE;
++ }
++ }
++ return ret;
++}
++#endif
++
++/* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0
++ * on failure */
+ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
+ {
+ int ret = 0;
+@@ -24089,6 +24115,16 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
+ */
+ if (initGlobalRNG) {
+ rng = &globalRNG;
++
++ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
++ FIPS_VERSION3_LT(6,0,0)))
++ if (RandCheckReSeed() != WOLFSSL_SUCCESS) {
++ wc_UnLockMutex(&globalRNGMutex);
++ WOLFSSL_MSG("Issue with check pid and reseed");
++ return ret;
++ }
++ #endif
++
+ used_global = 1;
+ }
+ else {
+diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
+index 89c7411c9..b440e274b 100644
+--- a/wolfcrypt/src/random.c
++++ b/wolfcrypt/src/random.c
+@@ -1599,6 +1599,9 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
+ #else
+ rng->heap = heap;
+ #endif
++#ifdef HAVE_GETPID
++ rng->pid = getpid();
++#endif
+ #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+ rng->devId = devId;
+ #if defined(WOLF_CRYPTO_CB)
+@@ -1849,6 +1852,63 @@ int wc_InitRngNonce_ex(WC_RNG* rng, byte* nonce, word32 nonceSz,
+ return _InitRng(rng, nonce, nonceSz, heap, devId);
+ }
+
++#ifdef HAVE_HASHDRBG
++static int PollAndReSeed(WC_RNG* rng)
++{
++ int ret = DRBG_NEED_RESEED;
++ int devId = INVALID_DEVID;
++#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
++ devId = rng->devId;
++#endif
++ if (wc_RNG_HealthTestLocal(1, rng->heap, devId) == 0) {
++ #ifndef WOLFSSL_SMALL_STACK
++ byte newSeed[SEED_SZ + SEED_BLOCK_SZ];
++ ret = DRBG_SUCCESS;
++ #else
++ byte* newSeed = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap,
++ DYNAMIC_TYPE_SEED);
++ ret = (newSeed == NULL) ? MEMORY_E : DRBG_SUCCESS;
++ #endif
++ if (ret == DRBG_SUCCESS) {
++ #ifdef WC_RNG_SEED_CB
++ if (seedCb == NULL) {
++ ret = DRBG_NO_SEED_CB;
++ }
++ else {
++ ret = seedCb(&rng->seed, newSeed, SEED_SZ + SEED_BLOCK_SZ);
++ if (ret != 0) {
++ ret = DRBG_FAILURE;
++ }
++ }
++ #else
++ ret = wc_GenerateSeed(&rng->seed, newSeed,
++ SEED_SZ + SEED_BLOCK_SZ);
++ #endif
++ if (ret != 0)
++ ret = DRBG_FAILURE;
++ }
++ if (ret == DRBG_SUCCESS)
++ ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ);
++
++ if (ret == DRBG_SUCCESS)
++ ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg,
++ newSeed + SEED_BLOCK_SZ, SEED_SZ);
++ #ifdef WOLFSSL_SMALL_STACK
++ if (newSeed != NULL) {
++ ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ);
++ }
++ XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED);
++ #else
++ ForceZero(newSeed, sizeof(newSeed));
++ #endif
++ }
++ else {
++ ret = DRBG_CONT_FAILURE;
++ }
++
++ return ret;
++}
++#endif
+
+ /* place a generated block in output */
+ WOLFSSL_ABI
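Review bot: PollAndReSeed at L178 has no header comment, and the `int ret = DRBG_NEED_RESEED;` initialiser at L180 is dead, since every path assigns ret before it is read (DRBG_CONT_FAILURE when the health test fails, DRBG_SUCCESS or MEMORY_E otherwise). A short contract above the function would help its two callers: `/* Health-test, gather fresh seed (seed callback or wc_GenerateSeed), test it and reseed the Hash-DRBG. Returns DRBG_SUCCESS, else DRBG_CONT_FAILURE, DRBG_FAILURE, DRBG_NO_SEED_CB or MEMORY_E; the seed buffer is zeroed on every path. */`. The initialiser is best written as the failure default, `int ret = DRBG_FAILURE;`, so a future early return cannot report success by accident. Otherwise the body is a verbatim extraction of the former reseed branch of wc_RNG_GenerateBlock, which is fine as a refactor.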
+@@ -1908,60 +1968,22 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
+ if (rng->status != DRBG_OK)
+ return RNG_FAILURE_E;
+
++#ifdef HAVE_GETPID
++ if (rng->pid != getpid()) {
++ rng->pid = getpid();
++ ret = PollAndReSeed(rng);
++ if (ret != DRBG_SUCCESS) {
++ rng->status = DRBG_FAILED;
++ return RNG_FAILURE_E;
++ }
++ }
++#endif
++
+ ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
+ if (ret == DRBG_NEED_RESEED) {
+- int devId = INVALID_DEVID;
+- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+- devId = rng->devId;
+- #endif
+- if (wc_RNG_HealthTestLocal(1, rng->heap, devId) == 0) {
+- #ifndef WOLFSSL_SMALL_STACK
+- byte newSeed[SEED_SZ + SEED_BLOCK_SZ];
+- ret = DRBG_SUCCESS;
+- #else
+- byte* newSeed = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap,
+- DYNAMIC_TYPE_SEED);
+- ret = (newSeed == NULL) ? MEMORY_E : DRBG_SUCCESS;
+- #endif
+- if (ret == DRBG_SUCCESS) {
+- #ifdef WC_RNG_SEED_CB
+- if (seedCb == NULL) {
+- ret = DRBG_NO_SEED_CB;
+- }
+- else {
+- ret = seedCb(&rng->seed, newSeed, SEED_SZ + SEED_BLOCK_SZ);
+- if (ret != 0) {
+- ret = DRBG_FAILURE;
+- }
+- }
+- #else
+- ret = wc_GenerateSeed(&rng->seed, newSeed,
+- SEED_SZ + SEED_BLOCK_SZ);
+- #endif
+- if (ret != 0)
+- ret = DRBG_FAILURE;
+- }
+- if (ret == DRBG_SUCCESS)
+- ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ);
+-
+- if (ret == DRBG_SUCCESS)
+- ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg,
+- newSeed + SEED_BLOCK_SZ, SEED_SZ);
+- if (ret == DRBG_SUCCESS)
+- ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
+-
+- #ifdef WOLFSSL_SMALL_STACK
+- if (newSeed != NULL) {
+- ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ);
+- }
+- XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED);
+- #else
+- ForceZero(newSeed, sizeof(newSeed));
+- #endif
+- }
+- else {
+- ret = DRBG_CONT_FAILURE;
+- }
++ ret = PollAndReSeed(rng);
++ if (ret == DRBG_SUCCESS)
++ ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
+ }
+
+ if (ret == DRBG_SUCCESS) {
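Review bot: The fork check at L242-L243 calls getpid() twice; reading it once into a local, `pid_t pid = getpid(); if (rng->pid != pid) { rng->pid = pid;`, avoids a second system call and any mismatch between the two reads. Failing closed on a reseed error (status = DRBG_FAILED, return RNG_FAILURE_E) is the right choice for a DRBG whose state may be shared with the parent process. The check now runs on every wc_RNG_GenerateBlock call; on a libc that does not cache getpid() that is a syscall per generate, which is probably acceptable but deserves a one-line comment such as `/* fork detection: a pid change means the DRBG state is duplicated from the parent and must be reseeded */`. The function continues outside the hunk.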
+diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
+index 9dd616328..f472e1f40 100644
+--- a/wolfssl/wolfcrypt/random.h
++++ b/wolfssl/wolfcrypt/random.h
+@@ -183,6 +183,9 @@ struct WC_RNG {
+ #endif
+ byte status;
+ #endif
++#ifdef HAVE_GETPID
++ pid_t pid;
++#endif
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ WC_ASYNC_DEV asyncDev;
+ #endif
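Review bot: The new `pid_t pid;` member at L321 makes sizeof(WC_RNG) depend on HAVE_GETPID, so an application compiled without the same definition sees a different struct layout than the library; the fifth patch in this series exports HAVE_GETPID into options.h for autotools builds, but the CMake side (L75 only sets the check result) should be verified to do the same. The hunk also adds no include for pid_t; if random.h does not already pull in <sys/types.h> or <unistd.h> under this guard, consumers that include it first will fail to compile, which is not visible from here. The struct definition starts and ends outside the hunk.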
new file mode 100644
@@ -0,0 +1,125 @@
+From 62a3a4f0b8b307bdacc34204db44627521de4bf9 Mon Sep 17 00:00:00 2001
+From: JacobBarthelmeh <jacob@wolfssl.com>
+Date: Tue, 10 Jun 2025 14:15:38 -0600
+Subject: [PATCH] add mutex locking and compat layer FIPS case
+
+CVE: CVE-2025-7394
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a]
+(cherry picked from commit fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ssl.c | 62 +++++++++++++++++++++++++++----------------------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index 872aed594..f0186b253 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -23603,6 +23603,12 @@ static int wolfSSL_RAND_InitMutex(void)
+
+ #ifdef OPENSSL_EXTRA
+
++#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
++/* In older FIPS bundles add check for reseed here since it does not exist in
++ * the older random.c certified files. */
++static pid_t currentRandPid = 0;
++#endif
++
+ /* Checks if the global RNG has been created. If not then one is created.
+ *
+ * Returns WOLFSSL_SUCCESS when no error is encountered.
+@@ -23616,8 +23622,8 @@ int wolfSSL_RAND_Init(void)
+ ret = wc_InitRng(&globalRNG);
+ if (ret == 0) {
+ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
+- FIPS_VERSION3_LT(6,0,0)))
+- currentPid = getpid();
++ FIPS_VERSION3_LT(6,0,0)
++ currentRandPid = getpid();
+ #endif
+ initGlobalRNG = 1;
+ ret = WOLFSSL_SUCCESS;
+@@ -24049,28 +24055,6 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num)
+ return ret;
+ }
+
+-#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
+-/* In older FIPS bundles add check for reseed here since it does not exist in
+- * the older random.c certified files. */
+-static pid_t currentPid = 0;
+-
+-/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */
+-static int RandCheckReSeed()
+-{
+- int ret = WOLFSSL_SUCCESS;
+- pid_t p;
+-
+- p = getpid();
+- if (p != currentPid) {
+- currentPid = p;
+- if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
+- ret = WOLFSSL_FAILURE;
+- }
+- }
+- return ret;
+-}
+-#endif
+-
+ /* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0
+ * on failure */
+ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
+@@ -24114,17 +24098,27 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
+ * have the lock.
+ */
+ if (initGlobalRNG) {
+- rng = &globalRNG;
+-
+ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
+- FIPS_VERSION3_LT(6,0,0)))
+- if (RandCheckReSeed() != WOLFSSL_SUCCESS) {
++ FIPS_VERSION3_LT(6,0,0)
++ pid_t p;
++
++ p = getpid();
++ if (p != currentRandPid) {
+ wc_UnLockMutex(&globalRNGMutex);
+- WOLFSSL_MSG("Issue with check pid and reseed");
+- return ret;
++ if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
++ WOLFSSL_MSG("Issue with check pid and reseed");
++ ret = WOLFSSL_FAILURE;
++ }
++
++ /* reclaim lock after wolfSSL_RAND_poll */
++ if (wc_LockMutex(&globalRNGMutex) != 0) {
++ WOLFSSL_MSG("Bad Lock Mutex rng");
++ return ret;
++ }
++ currentRandPid = p;
+ }
+ #endif
+-
++ rng = &globalRNG;
+ used_global = 1;
+ }
+ else {
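Review bot: When wolfSSL_RAND_poll fails at L415, the code logs, sets ret = WOLFSSL_FAILURE, then still re-takes the mutex, records `currentRandPid = p` at L425 and falls through to `rng = &globalRNG; used_global = 1;`, so the post-fork DRBG is used without a successful reseed (assuming ret is overwritten by the generate call further down, which is outside the hunk) and, because the pid is now recorded, the next call will not retry the reseed either. Recording the pid only on success and bailing out on failure keeps the fail-closed behaviour the second patch had: `if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Issue with check pid and reseed"); return WOLFSSL_FAILURE; }` (the mutex is already released at that point), with `currentRandPid = p;` placed after the successful re-lock. The pid compare happens under the lock but the poll runs after the unlock, so two threads that both observe the change will both reseed; that is redundant rather than harmful. The function continues outside the hunk.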
+@@ -24201,6 +24195,11 @@ int wolfSSL_RAND_poll(void)
+ }
+ else {
+ #ifdef HAVE_HASHDRBG
++ if (wc_LockMutex(&globalRNGMutex) != 0) {
++ WOLFSSL_MSG("Bad Lock Mutex rng");
++ return ret;
++ }
++
+ ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
+ if (ret != 0) {
+ WOLFSSL_MSG("Error reseeding DRBG");
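Review bot: The early return at L439 hands back `ret`, which on this path is the 0 that wc_GenerateSeed returned on success (the branch is entered only when `ret != 0` is false, as the first patch in this series shows), so the caller sees failure only because WOLFSSL_FAILURE happens to be 0; `return WOLFSSL_FAILURE;` states the intent without depending on that coincidence. The entropy buffer filled above is left untouched on this path; if the function clears it before its normal return (not visible here), the same clearing belongs on the early return. Taking globalRNGMutex here is what forces the unlock-before-poll sequence in wolfSSL_RAND_bytes in the previous hunk, which is worth a one-line comment above the lock, e.g. `/* callers must not hold globalRNGMutex; wolfSSL_RAND_bytes releases it before polling */`. The function starts outside the hunk.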
+@@ -24209,6 +24208,7 @@ int wolfSSL_RAND_poll(void)
+ else {
+ ret = WOLFSSL_SUCCESS;
+ }
++ wc_UnLockMutex(&globalRNGMutex);
+ #else
+ WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
+ ret = WOLFSSL_FAILURE;
new file mode 100644
@@ -0,0 +1,85 @@
+From d7a68e85ebe4705e7345b0e5012c806615cd86c7 Mon Sep 17 00:00:00 2001
+From: JacobBarthelmeh <jacob@wolfssl.com>
+Date: Tue, 10 Jun 2025 16:12:09 -0600
+Subject: [PATCH] add a way to restore previous pid behavior
+
+CVE: CVE-2025-7394
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/47cf634965a3aabe82fd97a8feed9efd6688e34a]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ssl.c | 11 ++++++-----
+ wolfcrypt/src/random.c | 4 ++--
+ wolfssl/wolfcrypt/random.h | 2 +-
+ 3 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index f0186b253..e214fa504 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -23603,7 +23603,8 @@ static int wolfSSL_RAND_InitMutex(void)
+
+ #ifdef OPENSSL_EXTRA
+
+-#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
++#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
++ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+ /* In older FIPS bundles add check for reseed here since it does not exist in
+ * the older random.c certified files. */
+ static pid_t currentRandPid = 0;
+@@ -23621,8 +23622,8 @@ int wolfSSL_RAND_Init(void)
+ if (initGlobalRNG == 0) {
+ ret = wc_InitRng(&globalRNG);
+ if (ret == 0) {
+- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
+- FIPS_VERSION3_LT(6,0,0)
++ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
++ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+ currentRandPid = getpid();
+ #endif
+ initGlobalRNG = 1;
+@@ -24098,8 +24099,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
+ * have the lock.
+ */
+ if (initGlobalRNG) {
+- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
+- FIPS_VERSION3_LT(6,0,0)
++ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
++ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+ pid_t p;
+
+ p = getpid();
+diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
+index b440e274b..dc89db542 100644
+--- a/wolfcrypt/src/random.c
++++ b/wolfcrypt/src/random.c
+@@ -1599,7 +1599,7 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
+ #else
+ rng->heap = heap;
+ #endif
+-#ifdef HAVE_GETPID
++#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
+ rng->pid = getpid();
+ #endif
+ #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+@@ -1968,7 +1968,7 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
+ if (rng->status != DRBG_OK)
+ return RNG_FAILURE_E;
+
+-#ifdef HAVE_GETPID
++#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
+ if (rng->pid != getpid()) {
+ rng->pid = getpid();
+ ret = PollAndReSeed(rng);
+diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
+index f472e1f40..320641548 100644
+--- a/wolfssl/wolfcrypt/random.h
++++ b/wolfssl/wolfcrypt/random.h
+@@ -183,7 +183,7 @@ struct WC_RNG {
+ #endif
+ byte status;
+ #endif
+-#ifdef HAVE_GETPID
++#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
+ pid_t pid;
+ #endif
+ #ifdef WOLFSSL_ASYNC_CRYPT
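Review bot: WOLFSSL_NO_GETPID is introduced at L536 (and at L478, L489, L500, L514, L523) with no comment saying what it switches off or what it costs; since it removes the fork-detection reseed and, through this member, also changes sizeof(WC_RNG), anyone defining it must do so identically for the library and every application that includes this header. A comment on the guard would capture that: `/* WOLFSSL_NO_GETPID disables the pid-change (fork) detection that triggers a DRBG reseed; it also changes the size of WC_RNG, so it must match between library and application builds. */`. The struct definition starts and ends outside the hunk.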
new file mode 100644
@@ -0,0 +1,40 @@
+From 670437d91ae3025b4721eb4f450e5dc31fc3d6ee Mon Sep 17 00:00:00 2001
+From: Chris Conlon <chris@wolfssl.com>
+Date: Wed, 18 Jun 2025 16:08:34 -0600
+Subject: [PATCH] Add HAVE_GETPID to options.h if getpid detected, needed for
+ apps to correctly detect size of WC_RNG struct
+
+CVE: CVE-2025-7394
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9c35c0de65e135e621400958f22829c0d2555ed4]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ configure.ac | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 43ddd4767..636c45aef 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -156,6 +156,9 @@ fi
+ #ifdef HAVE_STDLIB_H
+ #include <stdlib.h>
+ #endif
++#ifdef HAVE_UNISTD_H
++ #include <unistd.h>
++#endif
+ ]])
+
+ AC_PROG_INSTALL
+@@ -9479,6 +9482,12 @@ then
+ AM_CFLAGS="$AM_CFLAGS -DHAVE___UINT128_T=1"
+ fi
+
++# Add HAVE_GETPID to AM_CFLAGS for inclusion in options.h
++if test "$ac_cv_func_getpid" = "yes"
++then
++ AM_CFLAGS="$AM_CFLAGS -DHAVE_GETPID=1"
++fi
++
+ LIB_SOCKET_NSL
+ AX_HARDEN_CC_COMPILER_FLAGS
+
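Review bot: Only HAVE_GETPID is propagated into AM_CFLAGS (and so into options.h) at L573-L577; WOLFSSL_NO_GETPID, which the previous patch made part of the same guard around the WC_RNG pid member, is not, so a library configured with it and an application without it (or vice versa) would disagree about sizeof(WC_RNG) in exactly the way this patch fixes for HAVE_GETPID. Presumably users who define it pass it to both sides themselves, but the comment at L573 should say so, e.g. `# Add HAVE_GETPID to AM_CFLAGS for inclusion in options.h; a user-supplied WOLFSSL_NO_GETPID must likewise be visible to applications`. The CMake build (check_function_exists at L75 in the second patch) has no visible counterpart to this export.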
new file mode 100644
@@ -0,0 +1,48 @@
+From aaad0035e4e795b8b225bd481e3942de015a362d Mon Sep 17 00:00:00 2001
+From: Chris Conlon <chris@wolfssl.com>
+Date: Wed, 18 Jun 2025 16:57:02 -0600
+Subject: [PATCH] Add check for reseed in ssl.c for HAVE_SELFTEST, similar to
+ old FIPS bundles that do not have older random.c files
+
+CVE: CVE-2025-7394
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/cdd02f9665ef43126503307972e4389070a00a73
+(cherry picked from commit cdd02f9665ef43126503307972e4389070a00a73)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ssl.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index e214fa504..e538233fc 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -23604,7 +23604,7 @@ static int wolfSSL_RAND_InitMutex(void)
+ #ifdef OPENSSL_EXTRA
+
+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
+- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
++ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || defined(HAVE_SELFTEST))
+ /* In older FIPS bundles add check for reseed here since it does not exist in
+ * the older random.c certified files. */
+ static pid_t currentRandPid = 0;
+@@ -23623,7 +23623,9 @@ int wolfSSL_RAND_Init(void)
+ ret = wc_InitRng(&globalRNG);
+ if (ret == 0) {
+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
+- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
++ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
++ defined(HAVE_SELFTEST))
++
+ currentRandPid = getpid();
+ #endif
+ initGlobalRNG = 1;
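Review bot: The stray blank line at L618 sits inside the #if block, between the continued condition and `currentRandPid = getpid();`, and the other two sites this patch changes (L605-L607, L625-L628) do not have it; dropping it keeps the three guards identical, which matters because they must stay in sync. The guard expression has grown to three lines and is repeated verbatim at three sites; defining one helper macro under that condition in the OPENSSL_EXTRA block, say `WOLFSSL_RAND_PID_CHECK`, and testing it with `#ifdef` at each site would prevent the next drift. The Upstream-Status trailer at L591 is missing its closing `]`. wolfSSL_RAND_Init's body starts and ends outside the hunk.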
+@@ -24100,7 +24102,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
+ */
+ if (initGlobalRNG) {
+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
+- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
++ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
++ defined(HAVE_SELFTEST))
+ pid_t p;
+
+ p = getpid();
@@ -17,6 +17,12 @@ SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
file://CVE-2025-7395-1.patch \
file://CVE-2025-7395-2.patch \
file://CVE-2025-7395-3.patch \
+ file://CVE-2025-7394-1.patch \
+ file://CVE-2025-7394-2.patch \
+ file://CVE-2025-7394-3.patch \
+ file://CVE-2025-7394-4.patch \
+ file://CVE-2025-7394-5.patch \
+ file://CVE-2025-7394-6.patch \
"
SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472"