
[meta-networking,whinlatter,2/3] wolfssl: patch CVE-2025-7395

Message ID 20260224185412.1835468-4-ankur.tyagi85@gmail.com


Ankur Tyagi Feb. 24, 2026, 6:54 p.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395

Backport the patches from the PR [1] referenced in the changelog [2].
[1] github.com/wolfSSL/wolfssl/pull/8833
[2] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../wolfssl/files/CVE-2025-7395-1.patch       | 85 +++++++++++++++++++
 .../wolfssl/files/CVE-2025-7395-2.patch       | 28 ++++++
 .../wolfssl/files/CVE-2025-7395-3.patch       | 26 ++++++
 .../wolfssl/files/CVE-2025-7395-4.patch       | 27 ++++++
 .../wolfssl/wolfssl_5.8.0.bb                  |  4 +
 5 files changed, 170 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-4.patch


diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
new file mode 100644
index 0000000000..576d261dc3
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
@@ -0,0 +1,85 @@ 
+From 420f3390c4922febaf54d02a81da1fdab0ad5f04 Mon Sep 17 00:00:00 2001
+From: Ruby Martin <ruby@wolfssl.com>
+Date: Mon, 2 Jun 2025 16:38:32 -0600
+Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION,
+ domain name checking
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f]
+(cherry picked from commit 9864959e41bd9259f258c09171ae2ec1c43fbc7f)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 6b3a227bc..1b9a469ee 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -211,7 +211,7 @@ int writeAeadAuthData(WOLFSSL* ssl, word16 sz, byte type, byte* additional,
+ #include <Security/SecCertificate.h>
+ #include <Security/SecTrust.h>
+ #include <Security/SecPolicy.h>
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
+                                             int totalCerts);
+ #endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
+ 
+@@ -16775,7 +16775,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+              * into wolfSSL, try to validate against the system certificates
+              * using Apple's native trust APIs */
+             if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
+-                if (DoAppleNativeCertValidation(args->certs,
++                if (DoAppleNativeCertValidation(ssl, args->certs,
+                                                      args->totalCerts)) {
+                     WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
+                     ret = 0;
+@@ -42665,7 +42665,8 @@ cleanup:
+  * wolfSSL's built-in certificate validation mechanisms anymore. We instead
+  * must call into the Security Framework APIs to authenticate peer certificates
+  */
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl,
++                                            const WOLFSSL_BUFFER_INFO* certs,
+                                             int totalCerts)
+ {
+     int i;
+@@ -42674,7 +42675,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+     CFMutableArrayRef certArray = NULL;
+     SecCertificateRef secCert   = NULL;
+     SecTrustRef       trust     = NULL;
+-    SecPolicyRef      policy    = NULL ;
++    SecPolicyRef      policy    = NULL;
++    CFStringRef       hostname  = NULL;
+ 
+     WOLFSSL_ENTER("DoAppleNativeCertValidation");
+ 
+@@ -42703,7 +42705,17 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+     }
+ 
+     /* Create trust object for SecCertifiate Ref */
+-    policy = SecPolicyCreateSSL(true, NULL);
++    if (ssl->buffers.domainName.buffer &&
++            ssl->buffers.domainName.length > 0) {
++        /* Create policy with specified value to require host name match */
++        hostname = CFStringCreateWithCString(kCFAllocatorDefault,
++        (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
++    }
++    if (hostname != NULL) {
++        policy = SecPolicyCreateSSL(true, hostname);
++    } else {
++        policy = SecPolicyCreateSSL(true, NULL);
++    }
+     status = SecTrustCreateWithCertificates(certArray, policy, &trust);
+     if (status != errSecSuccess) {
+         WOLFSSL_MSG_EX("Error creating trust object, "
+@@ -42734,6 +42746,9 @@ cleanup:
+     if (policy) {
+         CFRelease(policy);
+     }
++    if (hostname) {
++        CFRelease(hostname);
++    }
+ 
+     WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
+ 
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
new file mode 100644
index 0000000000..223b6d52a0
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
@@ -0,0 +1,28 @@ 
+From 7867076975aa84ebaed4001fae1ebffd013322d5 Mon Sep 17 00:00:00 2001
+From: Brett <bigbrett@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 15:48:15 -0600
+Subject: [PATCH] prevent apple native cert validation from overriding error
+ codes other than ASN_NO_SIGNER_E
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
+(cherry picked from commit bc8eeea703253bd65d472a9541b54fef326e8050)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 1b9a469ee..6a76eb130 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -16774,7 +16774,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+             /* If we can't validate the peer cert chain against the CAs loaded
+              * into wolfSSL, try to validate against the system certificates
+              * using Apple's native trust APIs */
+-            if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
++            if ((ret == ASN_NO_SIGNER_E) &&
++                (ssl->ctx->doAppleNativeCertValidationFlag)) {
+                 if (DoAppleNativeCertValidation(ssl, args->certs,
+                                                      args->totalCerts)) {
+                     WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
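Review bot: The comment above the changed condition still describes the old behaviour: it says the native path is tried whenever the chain cannot be validated against the loaded CAs, but the condition now only fires when the failure is `ASN_NO_SIGNER_E`, and every other verification error is left in `ret`. The comment should state that explicitly so the narrowing is not undone later, e.g. `/* Only when the chain failed solely because no loaded CA signed it (ASN_NO_SIGNER_E) do we try Apple's native trust APIs; any other validation error is kept as-is */`. The direct comparison against the error code is adjusted by the following patch in this series, so nothing further is needed there. The enclosing ProcessPeerCerts body continues outside the hunk.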
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
new file mode 100644
index 0000000000..f786656765
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
@@ -0,0 +1,26 @@ 
+From 70302af2c21a121845e1e721ed27b3b106f186f6 Mon Sep 17 00:00:00 2001
+From: Brett <bigbrett@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 16:56:16 -0600
+Subject: [PATCH] add missing error trace macro
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b]
+(cherry picked from commit 0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 6a76eb130..1d01ee095 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -16774,7 +16774,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+             /* If we can't validate the peer cert chain against the CAs loaded
+              * into wolfSSL, try to validate against the system certificates
+              * using Apple's native trust APIs */
+-            if ((ret == ASN_NO_SIGNER_E) &&
++            if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
+                 (ssl->ctx->doAppleNativeCertValidationFlag)) {
+                 if (DoAppleNativeCertValidation(ssl, args->certs,
+                                                      args->totalCerts)) {
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-4.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-4.patch
new file mode 100644
index 0000000000..8af431f938
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-4.patch
@@ -0,0 +1,27 @@ 
+From 71d4cb57ceada7830457938787583c2aa6ba3555 Mon Sep 17 00:00:00 2001
+From: Brett <bigbrett@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 18:29:05 -0600
+Subject: [PATCH] formatting
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/89be92f1a8b255d85c0d8bfb8849571d259c199c]
+(cherry picked from commit 89be92f1a8b255d85c0d8bfb8849571d259c199c)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 1d01ee095..992c10d2c 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -42710,7 +42710,8 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
+             ssl->buffers.domainName.length > 0) {
+         /* Create policy with specified value to require host name match */
+         hostname = CFStringCreateWithCString(kCFAllocatorDefault,
+-        (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
++                                (const char*)ssl->buffers.domainName.buffer,
++                                 kCFStringEncodingUTF8);
+     }
+     if (hostname != NULL) {
+         policy = SecPolicyCreateSSL(true, hostname);
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index 9cd7c07ad2..4f323ec128 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -17,6 +17,10 @@  SRC_URI = " \
     file://0001-wolfssl-wolfcrypt-logging.h-and-wolfcrypt-src-loggin.patch \
     file://run-ptest \
     file://CVE-2025-13912.patch \
+    file://CVE-2025-7395-1.patch \
+    file://CVE-2025-7395-2.patch \
+    file://CVE-2025-7395-3.patch \
+    file://CVE-2025-7395-4.patch \
 "
 
 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"