diff --git a/src/ssl.c b/src/ssl.c
index 3e54b519f..54198faa5 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -572,6 +572,16 @@ int wolfSSL_negotiate(WOLFSSL* ssl)
 }
+WC_RNG* wolfSSL_GetRNG(WOLFSSL* ssl)
+{
+ if (ssl) {
+ return ssl->rng;
+ }
+
+ return NULL;
+}
+
+
 #ifndef WOLFSSL_LEANPSK
 /* object size based on build */
 int wolfSSL_GetObjectSize(void)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index cb7a00322..68675572d 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -1495,6 +1495,9 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
 int encryptedContentSz;
 byte padLen;
 byte* encryptedContent = NULL;
+#ifdef WC_RSA_BLINDING
+ WC_RNG rng;
+#endif
 if (pkcs7 == NULL || pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0 || pkcs7->privateKey == NULL ||
@@ -1770,11 +1773,17 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
 /* decrypt encryptedKey */
 #ifdef WC_RSA_BLINDING
- ret = wc_RsaSetRNG(key, ssl->rng);
+ ret = wc_InitRng(&rng);
+ if (ret == 0) {
+ ret = wc_RsaSetRNG(privKey, &rng);
+ }
 #endif
 if (ret == 0) {
 keySz = wc_RsaPrivateDecryptInline(encryptedKey, encryptedKeySz, &decryptedKey, privKey);
+ #ifdef WC_RSA_BLINDING
+ wc_FreeRng(&rng);
+ #endif
 } else {
 keySz = ret;
 }
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 3c42ea97b..f1b13cf10 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -74,6 +74,7 @@ typedef struct WOLFSSL_X509_CHAIN WOLFSSL_X509_CHAIN;
 typedef struct WOLFSSL_CERT_MANAGER WOLFSSL_CERT_MANAGER;
 typedef struct WOLFSSL_SOCKADDR WOLFSSL_SOCKADDR;
+typedef struct WC_RNG WC_RNG;
 /* redeclare guard */
 #define WOLFSSL_TYPES_DEFINED
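Review bot: `wolfSSL_GetRNG` in src/ssl.c is added without a comment stating who owns the returned pointer, although the neighbouring `wolfSSL_GetObjectSize` carries one. The function hands out `ssl->rng` itself rather than a copy, so a caller that frees it, or keeps using it after the session is gone, would corrupt the session's generator state. I would add above the definition: `/* return the RNG held by ssl, or NULL if ssl is NULL; the session keeps ownership, do not free it or use it after the session is freed */`.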
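Review bot: In the pkcs7.c hunk at -1770, `rng` is released only in the success branch, so when `wc_InitRng` succeeds and `wc_RsaSetRNG` then fails, the `else` path sets `keySz = ret` and the seeded generator state is never freed. Adding `if (ret != 0) wc_FreeRng(&rng);` directly after the `wc_RsaSetRNG(privKey, &rng)` call, inside the `if (ret == 0)` block, closes that path. After `wc_FreeRng(&rng)` the key presumably still refers to the released `rng`; that is safe only if `privKey` sees no further private-key operation before it is freed, which happens outside this hunk. The declaration of `rng` is in the earlier hunk at -1495, and the function body continues beyond both hunks.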
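Review bot: The new `typedef struct WC_RNG WC_RNG;` in wolfssl/ssl.h can collide with the typedef in wolfCrypt's own RNG header when a translation unit includes both; that header is not visible here, so this is inferred. Repeating a typedef is valid only from C11 on, and stricter pre-C11 compilers reject it. Wrapping the typedef in a guard macro in both headers, for example `#ifndef WC_RNG_TYPE_DEFINED` followed by `#define WC_RNG_TYPE_DEFINED`, avoids the redefinition.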
@@ -991,6 +992,7 @@ WOLFSSL_API int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX*, const unsigned char*
 WOLFSSL_API int wolfSSL_CTX_SetMinDhKey_Sz(WOLFSSL_CTX*, unsigned short);
 WOLFSSL_API int wolfSSL_SetMinDhKey_Sz(WOLFSSL*, unsigned short);
 WOLFSSL_API int wolfSSL_GetDhKey_Sz(WOLFSSL*);
+WOLFSSL_API WC_RNG* wolfSSL_GetRNG(WOLFSSL*);
 #endif /* NO_DH */
 #ifndef NO_RSA
diff --git a/wolfssl/test.h b/wolfssl/test.h
index c318a6e87..d8922b223 100644
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -1774,7 +1774,7 @@ static INLINE int myRsaDec(WOLFSSL* ssl, byte* in, word32 inSz,
 ret = wc_RsaPrivateKeyDecode(key, &idx, &myKey, keySz);
 if (ret == 0) {
 #ifdef WC_RSA_BLINDING
- ret = wc_RsaSetRNG(&myKey, ssl->rng);
+ ret = wc_RsaSetRNG(&myKey, wolfSSL_GetRNG(ssl));
 if (ret != 0) {
 wc_FreeRsaKey(&myKey);
 return ret;
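Review bot: The `wolfSSL_GetRNG` prototype is added directly above `#endif /* NO_DH */` in wolfssl/ssl.h, which places it inside the DH-only part of the header. The function is unrelated to DH, and as far as the src/ssl.c hunk shows, its definition is not under that guard. In a `NO_DH` build with `WC_RSA_BLINDING`, `myRsaDec` in wolfssl/test.h would call it with no prototype in scope; where the compiler accepts that at all, the implicit `int` return truncates the pointer on 64-bit targets. Moving the line `WOLFSSL_API WC_RNG* wolfSSL_GetRNG(WOLFSSL*);` below the `#endif /* NO_DH */` fixes it.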