diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml
index 56b37465d9..b8a76ac48e 100644
--- a/.github/workflows/openvpn.yml
+++ b/.github/workflows/openvpn.yml
@@ -30,7 +30,7 @@ jobs:
       fail-fast: false
       matrix:
         # List of refs to test
-        ref: [ release/2.6, v2.6.0 ] # 'master' is currently broken
+        ref: [ release/2.6, v2.6.0, master ]
     name: ${{ matrix.ref }}
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
diff --git a/.gitignore b/.gitignore
index da5f5b1c7b..6eec370c10 100644
--- a/.gitignore
+++ b/.gitignore
@@ -322,6 +322,10 @@ wolfcrypt/src/port/intel/qat_test
 # Arduino Generated Files
 /IDE/ARDUINO/wolfSSL
 scripts/memtest.txt
+/IDE/ARDUINO/Arduino_README_prepend.md.tmp
+/IDE/ARDUINO/library.properties.tmp
+/IDE/ARDUINO/library.properties.tmp.backup
+/IDE/ARDUINO/PREPENDED_README.md
 
 # Doxygen generated files
 doc/doxygen_warnings
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a71ece1226..bd0fe1cbde 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -130,9 +130,15 @@ if(HAVE___UINT128_T)
     list(APPEND WOLFSSL_DEFINITIONS "-DHAVE___UINT128_T")
 endif()
 
-include(TestBigEndian)
-
-test_big_endian(WORDS_BIGENDIAN)
+if(CMAKE_VERSION VERSION_LESS "3.20")
+    # TestBigEndian was deprecated in 3.20
+    include(TestBigEndian)
+    test_big_endian(IS_BIG_ENDIAN)
+    set(CMAKE_C_BYTE_ORDER "LITTLE_ENDIAN")
+    if(IS_BIG_ENDIAN)
+        set(CMAKE_C_BYTE_ORDER "BIG_ENDIAN")
+    endif()
+endif()
 
 # Thread local storage
 include(CheckCSourceCompiles)
@@ -576,7 +582,7 @@ if(WOLFSSL_LEAN_PSK OR (WOLFSSL_LEAN_TLS AND NOT WOLFSSL_TLS13))
     override_cache(WOLFSSL_AESGCM "no")
 endif()
 
-if(WOLFSSL_AESGCM AND NOT WORDS_BIGENDIAN)
+if(WOLFSSL_AESGCM AND CMAKE_C_BYTE_ORDER STREQUAL "LITTLE_ENDIAN")
     override_cache(WOLFSSL_AESGCM "4bit")
 endif()
 
@@ -2081,7 +2087,7 @@ endif()
 # Suppress some warnings about separate compilation, inlining
 add_definitions("-DWOLFSSL_IGNORE_FILE_WARN")
 # Generate user options header
-message("Generating user options header...")
+message(STATUS "Generating user options header...")
 if (${CMAKE_DISABLE_SOURCE_CHANGES})
     set(WOLFSSL_BUILD_OUT_OF_TREE_DEFAULT "${CMAKE_DISABLE_SOURCE_CHANGES}")
 else()
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index a8654e1d73..b45cff4dec 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -3,10 +3,13 @@ FROM $DOCKER_BASE_IMAGE
 
 USER root
 
+# Set timezone to UTC
+RUN ln -snf /usr/share/zoneinfo/UTC /etc/localtime && echo UTC > /etc/timezone
+
 ARG DEPS_WOLFSSL="build-essential autoconf libtool clang clang-tools zlib1g-dev libuv1-dev libpam0g-dev valgrind git linux-headers-generic gcc-multilib g++-multilib libpcap-dev bubblewrap gdb iputils-ping lldb bsdmainutils netcat binutils-arm-linux-gnueabi binutils-aarch64-linux-gnu"
 ARG DEPS_LIBOQS="astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind git"
 ARG DEPS_UDP_PROXY="wget libevent-dev"
-ARG DEPS_TESTS="abi-dumper libcurl4-openssl-dev tcpdump libpsl-dev python3-pandas python3-tabulate"
+ARG DEPS_TESTS="abi-dumper libcurl4-openssl-dev tcpdump libpsl-dev python3-pandas python3-tabulate libnl-genl-3-dev libcap-ng-dev"
 ARG DEPS_TOOLS="ccache"
 RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y apt-utils \
                     && apt install -y ${DEPS_WOLFSSL} ${DEPS_LIBOQS} ${DEPS_UDP_PROXY} ${DEPS_TESTS} ${DEPS_TOOLS} \
diff --git a/Docker/Dockerfile.cross-compiler b/Docker/Dockerfile.cross-compiler
index a89a9d5b54..a9868d38dd 100644
--- a/Docker/Dockerfile.cross-compiler
+++ b/Docker/Dockerfile.cross-compiler
@@ -3,7 +3,7 @@ FROM $DOCKER_BASE_IMAGE
 
 USER root
 
-ARG DEPS_TESTING="gcc-arm-linux-gnueabi gcc-aarch64-linux-gnu"
+ARG DEPS_TESTING="gcc-arm-linux-gnueabi gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu"
 RUN DEBIAN_FRONTEND=noninteractive apt update \
                     && apt install -y ${DEPS_TESTING} \
                     && apt clean -y && rm -rf /var/lib/apt/lists/*
diff --git a/Docker/yocto/Dockerfile b/Docker/yocto/Dockerfile
new file mode 100644
index 0000000000..ec44aed710
--- /dev/null
+++ b/Docker/yocto/Dockerfile
@@ -0,0 +1,22 @@
+FROM ubuntu
+
+# Set timezone to UTC
+RUN ln -snf /usr/share/zoneinfo/UTC /etc/localtime && echo UTC > /etc/timezone
+
+RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 python3-pip python3-pexpect xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev python3-subunit mesa-common-dev zstd liblz4-tool file locales libacl1 vim && apt clean -y && rm -rf /var/lib/apt/lists/*
+RUN locale-gen en_US.UTF-8
+
+# Add in non-root user
+ENV UID_OF_DOCKERUSER 1000
+RUN useradd -m -s /bin/bash -g users -u ${UID_OF_DOCKERUSER} dockerUser
+RUN chown -R dockerUser:users /home/dockerUser && chown dockerUser:users /opt
+
+USER dockerUser
+
+RUN cd /opt && git clone git://git.yoctoproject.org/poky
+WORKDIR /opt/poky
+
+ARG YOCTO_VERSION=kirkstone
+RUN git checkout -t origin/${YOCTO_VERSION} -b ${YOCTO_VERSION} && git pull
+
+RUN /bin/bash -c "source oe-init-build-env && bitbake core-image-minimal"
diff --git a/Docker/yocto/buildAndPush.sh b/Docker/yocto/buildAndPush.sh
new file mode 100755
index 0000000000..d76a603e8c
--- /dev/null
+++ b/Docker/yocto/buildAndPush.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Assume we're in wolfssl/Docker/yocto
+WOLFSSL_DIR=$(builtin cd ${BASH_SOURCE%/*}/../..; pwd)
+
+DOCKER_BUILD_OPTIONS="$1"
+if [ "${DOCKER_BASE_IMAGE}" != "" ]; then
+    DOCKER_BUILD_OPTIONS+=" --build-arg DOCKER_BASE_IMAGE=${DOCKER_BASE_IMAGE}"
+fi
+
+NUM_FAILURES=0
+
+CUR_DATE=$(date -u +%F)
+for ver in kirkstone dunfell; do
+    echo "Building wolfssl/yocto:${ver}-${CUR_DATE} as ${DOCKER_BUILD_OPTIONS}"
+    docker build -t wolfssl/yocto:${ver}-${CUR_DATE} --build-arg YOCTO_VERSION=${ver} -f Dockerfile "${WOLFSSL_DIR}/Docker/yocto" && \
+        docker tag wolfssl/yocto:${ver}-${CUR_DATE} wolfssl/yocto:${ver}-latest
+    if [ $? -eq 0 ]; then
+        echo "Pushing containers to DockerHub"
+        docker push wolfssl/yocto:${ver}-${CUR_DATE} && docker push wolfssl/yocto:${ver}-latest
+    else
+        echo "Warning: Build wolfssl/yocto:${ver} failed. Continuing"
+        ((NUM_FAILURES++))
+    fi
+done
+
+echo "Script completed in $SECONDS seconds. Had $NUM_FAILURES failures."
diff --git a/IDE/ARDUINO/Arduino_README_prepend.md b/IDE/ARDUINO/Arduino_README_prepend.md
new file mode 100644
index 0000000000..5c789f6090
--- /dev/null
+++ b/IDE/ARDUINO/Arduino_README_prepend.md
@@ -0,0 +1,4 @@
+# Arduino wolfSSL Library
+
+The library is modified from wolfSSL Release ${WOLFSSL_VERSION} for the Arduino platform.
+
diff --git a/IDE/ARDUINO/README.md b/IDE/ARDUINO/README.md
index 4c4e10da42..6ca29942bd 100644
--- a/IDE/ARDUINO/README.md
+++ b/IDE/ARDUINO/README.md
@@ -1,30 +1,80 @@
-### wolfSSL with Arduino
+# wolfSSL with Arduino
 
-##### Reformatting wolfSSL as a compatible Arduino Library
-This is a shell script that will re-organize the wolfSSL library to be 
-compatible with Arduino projects that use Arduino IDE 1.5.0 or newer. 
-The Arduino IDE requires a library's source files to be in the library's root 
-directory with a header file in the name of the library. This script moves all 
-src/ files to the `IDE/ARDUINO/wolfSSL/src` directory and creates a stub header
-file called `wolfssl.h` inside that directory.
+Many of the supported boards are natively built-in to the [Arduino IDE Board Manager](https://docs.arduino.cc/software/ide-v2/tutorials/ide-v2-board-manager/)
+and by adding [additional cores](https://docs.arduino.cc/learn/starting-guide/cores/) as needed.
 
-Step 1: To configure wolfSSL with Arduino, enter the following from within the
-wolfssl/IDE/ARDUINO directory:
+STM32 Support can be added by including this link in the "Additional Boards Managers URLs" field
+from [stm32duino/Arduino_Core_STM32](https://github.com/stm32duino/Arduino_Core_STM32?tab=readme-ov-file#getting-started)   .
 
-        `./wolfssl-arduino.sh`
+```
+https://github.com/stm32duino/BoardManagerFiles/raw/main/package_stmicroelectronics_index.json
+```
 
-Step 2: Copy the directory wolfSSL that was just created to:
-`~/Documents/Arduino/libraries/` directory so the Arduino IDE can find it.
+## Using wolfSSL from the Arduino IDE
 
-Step 3: Edit `<arduino-libraries>/wolfSSL/src/user_settings.h`
+Coming soon! https://github.com/wolfSSL/arduino-wolfSSL See [PR #1](https://github.com/wolfSSL/Arduino-wolfSSL/pull/1).
+
+This option will allow wolfSSL to be installed directly using the native Arduino tools.
+
+## Manually Reformatting wolfSSL as a Compatible Arduino Library
+
+Use [this](./wolfssl-arduino.sh) shell script that will re-organize the wolfSSL library to be 
+compatible with [Arduino Library Specification](https://arduino.github.io/arduino-cli/0.35/library-specification/)
+for projects that use Arduino IDE 1.5.0 or newer.
+
+The Arduino IDE requires a library's source files to be in the library's root directory with a
+header file in the name of the library. This script moves all `src/` files to the `IDE/ARDUINO/wolfSSL/src`
+directory and creates a stub header file called `wolfssl.h` inside that directory.
+
+### Step 1:
+
+To configure wolfSSL with Arduino, enter one of the following commands
+from within the `wolfssl/IDE/ARDUINO` directory:
+
+1. `./wolfssl-arduino.sh`
+    - Creates an Arduino Library directory structure in the local `wolfSSL` directory of `IDE/ARDUINO`.
+    - You can add your own `user_settings.h`, or copy/rename the [default](../../examples/configs/user_settings_arduino.h).
+
+2. `./wolfssl-arduino.sh INSTALL` (The most common option)
+    - Creates an Arduino Library in the local `wolfSSL` directory
+    - Moves that directory to the Arduino library directory:
+        - `$HOME/Arduino/libraries` for most bash environments
+        - `/mnt/c/Users/$USER/Documents/Arduino/libraries` (for WSL)
+    - Adds the [default](../../examples/configs/user_settings_arduino.h) as `user_settings.h`.
+    - The wolfSSL library is now available from the Arduino IDE.
+
+3. `./wolfssl-arduino.sh INSTALL /path/to/repository` (Used to update [arduino-wolfSSL](https://github.com/wolfSSL/arduino-wolfSSL))
+    - Creates an Arduino Library in `wolfSSL` directory
+    - Copies that directory contents to the specified `/path/to/repository`
+    - Adds the [default](../../examples/configs/user_settings_arduino.h) as `user_settings.h`. 
+     
+4. `./wolfssl-arduino.sh INSTALL /path/to/any/other/directory`
+    - Creates an Arduino Library in `wolfSSL` directory
+    - Copies that directory contents to the specified `/path/to/any/other/directory`
+
+### Step 2:
+
+Edit `<arduino-libraries>/wolfSSL/src/user_settings.h`
 If building for Intel Galileo platform add: `#define INTEL_GALILEO`.
-Add any other custom settings, for a good start see the examples in wolfssl root
-"/examples/configs/user_settings_*.h"
+Add any other custom settings. For a good start see the examples in wolfssl root
+"[/examples/configs/user_settings_*.h](https://github.com/wolfssl/wolfssl/tree/master/examples/configs)"
+
+### Step 3:
 
-Step 4: If you experience any issues with custom user_settings.h see the wolfssl
+If you experience any issues with custom `user_settings.h` see the wolfssl
 porting guide here for more assistance: https://www.wolfssl.com/docs/porting-guide/
 
-Step 5: If you still have any issues contact support@wolfssl.com for more help.
+If you have any issues contact support@wolfssl.com for help.
+
+# Including wolfSSL in Arduino Libraries (for Arduino version 2.0 or greater)
+
+1. In the Arduino IDE:
+
+The wolfSSL library should automatically be detected when found in the `libraries`
+directory.
+
+  - In `Sketch -> Include Library` choose wolfSSL for new sketches.
+
 
 ##### Including wolfSSL in Arduino Libraries (for Arduino version 1.6.6)
 
@@ -33,6 +83,73 @@ Step 5: If you still have any issues contact support@wolfssl.com for more help.
         `IDE/ARDUNIO/wolfSSL` folder.
     - In `Sketch -> Include Library` choose wolfSSL.
 
-2. Open an example Arduino sketch for wolfSSL:
-	- wolfSSL Client INO sketch: `sketches/wolfssl_client/wolfssl_client.ino`
-	- wolfSSL Server INO sketch: `sketches/wolfssl_server/wolfssl_server.ino`
+##### wolfSSL Examples
+
+Open an example Arduino sketch for wolfSSL:
+
+  - wolfSSL [Client INO sketch](./sketches/wolfssl_client/README.md): `sketches/wolfssl_client/wolfssl_client.ino`
+
+  - wolfSSL [Server INO sketch](./sketches/wolfssl_server/README.md): `sketches/wolfssl_server/wolfssl_server.ino`
+
+#### Script Examples
+
+Publish wolfSSL from WSL to a repository.
+
+```bash
+rm -rf /mnt/c/Users/$USER/Documents/Arduino/libraries/wolfSSL
+rm -rf /mnt/c/workspace/wolfssl-$USER/IDE/ARDUINO/wolfSSL
+./wolfssl-arduino.sh INSTALL /mnt/c/workspace/Arduino-wolfSSL-$USER/
+```
+
+Publish wolfSSL from WSL to default Windows local library.
+
+```bash
+rm -rf /mnt/c/Users/$USER/Documents/Arduino/libraries/wolfSSL
+rm -rf /mnt/c/workspace/wolfssl-arduino/IDE/ARDUINO/wolfSSL
+./wolfssl-arduino.sh INSTALL
+```
+
+Test the TLS server by running a local command-line client.
+
+```bash
+cd /mnt/c/workspace/wolfssl-$USER
+./examples/client/client -h 192.168.1.43 -p 11111 -v 3
+```
+
+Build wolfSSL to include wolfSSH support to an alternate development directory.
+
+```bash
+cd /mnt/c/workspace/wolfssl-$USER
+./configure --prefix=/mnt/c/workspace/wolfssh-$USER/wolfssl_install --enable-ssh
+make
+make install
+
+```
+
+Build wolfSSH with wolfSSL not installed to default directory.
+
+```bash
+cd /mnt/c/workspace/wolfssh-$USER
+./configure --with-wolfssl=/mnt/c/workspace/wolfssh-$USER/wolfssl_install
+make
+./examples/client/client -u jill -h 192.168.1.34 -p 22222 -P upthehill
+```
+
+Test the current wolfSSL.
+
+```bash
+cd /mnt/c/workspace/wolfssl-arduino
+git status
+./autogen.sh
+./configure --enable-all
+make clean
+make && make test
+```
+
+Build and run `testwolfcrypt`.
+
+```bash
+./autogen.sh
+./configure --enable-all
+make clean && make && ./wolfcrypt/test/testwolfcrypt
+```
diff --git a/IDE/ARDUINO/include.am b/IDE/ARDUINO/include.am
index 19189e82b0..c0214e47c5 100644
--- a/IDE/ARDUINO/include.am
+++ b/IDE/ARDUINO/include.am
@@ -3,6 +3,12 @@
 # All paths should be given relative to the root
 
 EXTRA_DIST+= IDE/ARDUINO/README.md
+EXTRA_DIST+= IDE/ARDUINO/Arduino_README_prepend.md
+EXTRA_DIST+= IDE/ARDUINO/keywords.txt
+EXTRA_DIST+= IDE/ARDUINO/library.properties.template
+EXTRA_DIST+= IDE/ARDUINO/sketches/README.md
+EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_client/README.md
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
+EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_server/README.md
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino
 EXTRA_DIST+= IDE/ARDUINO/wolfssl-arduino.sh
diff --git a/IDE/ARDUINO/keywords.txt b/IDE/ARDUINO/keywords.txt
new file mode 100644
index 0000000000..27d5dc3d66
--- /dev/null
+++ b/IDE/ARDUINO/keywords.txt
@@ -0,0 +1,21 @@
+# Syntax Coloring Map For wolfSSL
+# See https://arduino.github.io/arduino-cli/0.35/library-specification/#keywords
+#
+# Be sure to use tabs, not spaces. This might help:
+#  tr ' ' '\t' < keywords1.txt > keywords.txt
+
+#=============================================
+#	Datatypes	(KEYWORD1)
+#=============================================
+
+
+#=============================================
+#	Methods	and	Functions	(KEYWORD2)
+#=============================================
+wolfSSL_SetIORecv	KEYWORD1
+
+#=============================================
+#	Instances	(KEYWORD2)
+#=============================================
+ctx	KEYWORD2
+
diff --git a/IDE/ARDUINO/library.properties.template b/IDE/ARDUINO/library.properties.template
new file mode 100644
index 0000000000..ae1b5a2879
--- /dev/null
+++ b/IDE/ARDUINO/library.properties.template
@@ -0,0 +1,9 @@
+name=wolfSSL
+version=${WOLFSSL_VERSION}${WOLFSSL_VERSION_ARUINO_SUFFIX}
+author=wolfSSL inc
+maintainer=wolfSSL inc <support@wolfssl.com>
+sentence=A lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments.
+paragraph=Manual: https://www.wolfssl.com/documentation/manuals/wolfssl/index.html.
+category=Communication
+url=https://www.wolfssl.com/
+architectures=*
diff --git a/IDE/ARDUINO/sketches/README.md b/IDE/ARDUINO/sketches/README.md
new file mode 100644
index 0000000000..26a1d1e187
--- /dev/null
+++ b/IDE/ARDUINO/sketches/README.md
@@ -0,0 +1,12 @@
+# wolfSSL Arduino Examples
+
+There are currently two example Arduino sketches:
+
+* [wolfssl_client](./wolfssl_client/README.md): Basic TLS listening client.
+* [wolfssl_server](./wolfssl_server/README.md): Basic TLS server.
+
+Examples have been most recently confirmed operational on the
+[Arduino IDE](https://www.arduino.cc/en/software) 2.2.1.
+
+For examples on other platforms, see the [IDE directory](https://github.com/wolfssl/wolfssl/tree/master/IDE).
+Additional examples can be found on [wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples/).
diff --git a/IDE/ARDUINO/sketches/wolfssl_client/README.md b/IDE/ARDUINO/sketches/wolfssl_client/README.md
new file mode 100644
index 0000000000..caf83c58e1
--- /dev/null
+++ b/IDE/ARDUINO/sketches/wolfssl_client/README.md
@@ -0,0 +1,22 @@
+# Arduino Basic TLS Listening Client
+
+Open the [wolfssl_client.ino](./wolfssl_client.ino) file in the Arduino IDE.
+
+Other IDE products are also supported, such as:
+
+- [PlatformIO in VS Code](https://docs.platformio.org/en/latest/frameworks/arduino.html)
+- [VisualGDB](https://visualgdb.com/tutorials/arduino/)
+- [VisualMicro](https://www.visualmicro.com/)
+
+For examples on other platforms, see the [IDE directory](https://github.com/wolfssl/wolfssl/tree/master/IDE).
+Additional examples can be found on [wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples/).
+
+
+### Troubleshooting
+
+When encountering odd errors such as `undefined reference to ``_impure_ptr'`, try cleaning the Arduino
+cache directories. For Windows, that's typically in:
+
+```text
+C:\Users\%USERNAME%\AppData\Local\Temp\arduino\sketches
+```
diff --git a/IDE/ARDUINO/sketches/wolfssl_server/README.md b/IDE/ARDUINO/sketches/wolfssl_server/README.md
new file mode 100644
index 0000000000..523eb08729
--- /dev/null
+++ b/IDE/ARDUINO/sketches/wolfssl_server/README.md
@@ -0,0 +1,134 @@
+# Arduino Basic TLS Server
+
+Open the [wolfssl_server.ino](./wolfssl_server.ino) file in the Arduino IDE.
+
+Other IDE products are also supported, such as:
+
+- [PlatformIO in VS Code](https://docs.platformio.org/en/latest/frameworks/arduino.html)
+- [VisualGDB](https://visualgdb.com/tutorials/arduino/)
+- [VisualMicro](https://www.visualmicro.com/)
+
+For examples on other platforms, see the [IDE directory](https://github.com/wolfssl/wolfssl/tree/master/IDE).
+Additional examples can be found on [wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples/).
+
+## Connect with an Arduino Sketch
+
+See the companion [Arduino Sketch Client](../wolfssl_client/wolfssl_client.ino). 
+
+## Connect with Linux Client
+
+See also the [wolfSSL Example TLS Client](https://github.com/wolfSSL/wolfssl/tree/master/examples/client)
+and [wolfSSL Example TLS Server](https://github.com/wolfSSL/wolfssl/tree/master/examples/server).
+
+Assuming a listening [Arduino Sketch Server](./wolfssl_server.ino) at `192.168.1.38` on port `11111`,
+connect with the `client` executable:
+
+```
+./examples/client/client -h 192.168.1.38 -p 11111 -v 3
+```
+
+## wolfSSL Error -308 wolfSSL_connect error state on socket
+
+When using a wired Ethernet connection, and this error is encountered, simply
+press the reset button or power cycle the Arduino before making a connection.
+
+Here's one possible script to test the server from a command-line client:
+
+```bash
+#!/bin/bash
+echo "client log " > client_log.txt
+counter=1
+THIS_ERR=0
+while [ $THIS_ERR -eq 0 ]; do
+    ./examples/client/client -h 192.168.1.38 -p 11111 -v 3 >> client_log.txt
+
+    THIS_ERR=$?
+    if [ $? -ne 0 ]; then
+        echo "Failed!"
+        exit 1
+    fi
+    echo "Iteration $counter"
+    echo "Iteration $counter" >> client_log.txt
+    ((counter++))
+done
+```
+
+Output expected from the `client` command:
+
+```
+$ ./examples/client/client -h 192.168.1.38 -p 11111 -v 3
+Alternate cert chain used
+ issuer : /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+ subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+ altname = example.com
+ altname = 127.0.0.1
+ serial number:01
+SSL version is TLSv1.2
+SSL cipher suite is ECDHE-RSA-AES128-GCM-SHA256
+SSL curve name is SECP256R1
+---
+Server certificate
+-----BEGIN CERTIFICATE-----
+MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
+d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjMxMjEz
+MjIxOTI4WhcNMjYwOTA4MjIxOTI4WjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
+BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
+f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
+GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
+QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
+0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
+6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
+BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
+M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
+bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
+DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFDNEGqhsAez2YPJwUQpM0RT6vOlEMAwG
+A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBK/7nl
+hZvaU2Z/ByK/thnqQuukEQdi/zlfMzc6hyZxPROyyrhkOHuKmUgOpaRrsZlu4EZR
+vRlSrbymfip6fCOnzNteQ31rBMi33ZWt8JGAWcUZkSYnkbhIHOtVtqp9pDjxA7xs
+i6qU1jwFepbFBvEmFC51+93lNbMBLLOtYlohmgi+Vvz5okKHhuWpxZnPrhS+4LkI
+JA0dXNYU4UyfQLOp6S1Si0y/rEQxZ8GNBoXsD+SZ10t7IQZm1OT1nf+O8IY5WB2k
+W+Jj73zJGIeoAiUQPoco+fXvR56lgAgRkGj+0aOoUbk3/9XKfId/a7wsEsjFhYv8
+DMa5hrjJBMNRN9JP
+-----END CERTIFICATE-----
+Session timeout set to 500 seconds
+Client Random : 56A0BB9647B064D3F20947032B74B31FDB4C93DBAC9460BA8AEA213A2B2DD4A8
+SSL-Session:
+    Protocol  : TLSv1.2
+    Cipher    : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    Session-ID: 3255404E997FA9C27ECB4F1A20A70E722E4AA504B63A945FC175434D1907EC31
+    Session-ID-ctx:
+    Master-Key: 67F22168BBADD678643BBA76B398277270C29788AC18FD05B57F6B715F49A7BCEEF75BEAF7FE266B0CC058534AF76C1F
+    TLS session ticket: NONE
+    Start Time: 1705533296
+    Timeout   : 500 (sec)
+    Extended master secret: no
+I hear you fa shizzle!
+```
+
+### Troubleshooting
+
+When encountering odd errors such as `undefined reference to ``_impure_ptr'`, such as this:
+
+```text
+c:/users/gojimmypi/appdata/local/arduino15/packages/esp32/tools/xtensa-esp32-elf-gcc/esp-2021r2-patch5-8.4.0/bin/../lib/gcc/xtensa-esp32-elf/8.4.0/../../../../xtensa-esp32-elf/bin/ld.exe: C:\Users\gojimmypi\AppData\Local\Temp\arduino\sketches\EAB8D79A02D1ECF107884802D893914E\libraries\wolfSSL\wolfcrypt\src\logging.c.o:(.literal.wolfssl_log+0x8): undefined reference to `_impure_ptr'
+collect2.exe: error: ld returned 1 exit status
+
+exit status 1
+
+Compilation error: exit status 1
+```
+
+Try cleaning the Arduino cache directories. For Windows, that's typically in:
+
+```text
+C:\Users\%USERNAME%\AppData\Local\Temp\arduino\sketches
+```
+
+Remove all other boards from other serial ports, leaving one the one being programmed.
diff --git a/IDE/ARDUINO/wolfssl-arduino.sh b/IDE/ARDUINO/wolfssl-arduino.sh
index 107f99b1c8..555a4e3b19 100755
--- a/IDE/ARDUINO/wolfssl-arduino.sh
+++ b/IDE/ARDUINO/wolfssl-arduino.sh
@@ -2,9 +2,100 @@
 
 # this script will reformat the wolfSSL source code to be compatible with
 # an Arduino project
-# run as bash ./wolfssl-arduino.sh
-
+# run as bash ./wolfssl-arduino.sh [INSTALL] [path]
+#
+# The default is to install to a local wolfSSL directory (`ROOT_DIR`).
+# If successfully built, and the INSTALL option is used, tis directory
+# is then moved to the target.
+#
+# To ensure a pristine build, the directory must not exist.
+#
+# Reminder there's typically no $USER for GitHub actions, but:
+# ROOT_DIR="/mnt/c/Users/$USER/Documents/Arduino/libraries"
+#
 ROOT_DIR="/wolfSSL"
+
+# The Arduino Version will initially have a suffix appended during fine tuning stage.
+WOLFSSL_VERSION_ARUINO_SUFFIX="01"
+
+# For verbose copy, set CP_CMD="-v", otherwise clear it: CP_CMD="cp"
+# Do not set to empty string, as copy will fail with this: CP_CMD=""
+# CP_CMD="cp -v "
+CP_CMD="cp "
+
+# Specify the executable shell checker you want to use:
+MY_SHELLCHECK="shellcheck"
+
+# There are special circumstances to publish to GitHub repository.
+# Typically: https://github.com/wolfSSL/Arduino-wolfSSL
+#
+# Unlike a local Arduino library that requires a clean directory,
+# we'll allow extra files, overwrites, etc.
+#
+# Note in all cases, the local IDE/ARDUINO/wolfSSL must be empty.
+THIS_INSTALL_IS_GITHUB="false"
+
+# Check if the executable is available in the PATH
+if command -v "$MY_SHELLCHECK" >/dev/null 2>&1; then
+    # Run your command here
+    shellcheck "$0" || exit 1
+else
+    echo "$MY_SHELLCHECK is not installed. Please install it if changes to this script have been made."
+fi
+
+if ! [ "$CP_CMD" = "cp " ]; then
+    if [ "$CP_CMD" = "cp -v" ]; then
+        echo "Copy verbose mode"
+    else
+        echo "ERROR: Copy mode not supported: $CP_CMD"
+        exit 1
+    fi
+fi
+
+# Check environment
+if [ -n "$WSL_DISTRO_NAME" ]; then
+    # we found a non-blank WSL environment distro name
+    current_path="$(pwd)"
+    pattern="/mnt/?"
+    if echo "$current_path" | grep -Eq "^$pattern"; then
+        # if we are in WSL and shared Windows file system, 'ln' does not work.
+        ARDUINO_ROOT="/mnt/c/Users/$USER/Documents/Arduino/libraries"
+    else
+        ARDUINO_ROOT="$HOME/Arduino/libraries"
+    fi
+fi
+echo "The Arduino library root is: $ARDUINO_ROOT"
+
+if [ $# -gt 0 ]; then
+    THIS_OPERATION="$1"
+    if [ "$THIS_OPERATION" = "INSTALL" ]; then
+        THIS_INSTALL_DIR=$2
+
+        echo "Install is active."
+
+        if [ "$THIS_INSTALL_DIR" = "" ]; then
+            if [ -d "$ARDUINO_ROOT$ROOT_DIR" ]; then
+                echo "Error: the installation directory already exists: $ARDUINO_ROOT$ROOT_DIR"
+                echo "A new directory needs to be created to ensure there are no stray files"
+                echo "Please delete or move the directory and try again."
+                exit 1
+            fi
+        else
+            echo "Installing to $THIS_INSTALL_DIR"
+            if [ -d "$THIS_INSTALL_DIR/.git" ];then
+                echo "Target is a GitHub repository."
+                THIS_INSTALL_IS_GITHUB="true"
+            else
+                echo "Target is NOT a GitHub repository."
+            fi
+        fi
+    else
+        echo "Error: not a valid operation: $THIS_OPERATION"
+        exit 1
+    fi
+fi
+
+
 ROOT_SRC_DIR="${ROOT_DIR}/src"
 WOLFSSL_SRC="${ROOT_SRC_DIR}/src"
 WOLFSSL_HEADERS="${ROOT_SRC_DIR}/wolfssl"
@@ -12,9 +103,9 @@ WOLFCRYPT_ROOT="${ROOT_SRC_DIR}/wolfcrypt"
 WOLFCRYPT_SRC="${WOLFCRYPT_ROOT}/src"
 WOLFCRYPT_HEADERS="${WOLFSSL_HEADERS}/wolfcrypt"
 OPENSSL_DIR="${WOLFSSL_HEADERS}/openssl"
-WOLFSSL_VERSION="5.6.4"
 
-# TOP indicates the file directory comes from the top level of the wolfssl repo
+
+# TOP indicates the file directory for top level of the wolfssl repository.
 TOP_DIR="../.."
 WOLFSSL_SRC_TOP="${TOP_DIR}/src"
 WOLFSSL_HEADERS_TOP="${TOP_DIR}/wolfssl"
@@ -24,57 +115,98 @@ WOLFCRYPT_HEADERS_TOP="${WOLFSSL_HEADERS_TOP}/wolfcrypt"
 OPENSSL_DIR_TOP="${WOLFSSL_HEADERS_TOP}/openssl"
 
 
-# TODO: Parse version number
 WOLFSSL_VERSION=$(grep -i "LIBWOLFSSL_VERSION_STRING" ${TOP_DIR}/wolfssl/version.h | cut -d '"' -f 2)
+if [ "$WOLFSSL_VERSION" = "" ]; then
+    echo "ERROR: Could not find wolfSSL Version in ${TOP_DIR}/wolfssl/version.h"
+    exit 1
+else
+    echo "Found wolfSSL version $WOLFSSL_VERSION"
+fi
 
+THIS_DIR=${PWD##*/}
 
-DIR=${PWD##*/}
-
-if [ "$DIR" = "ARDUINO" ]; then
-	if [ ! -d ".${ROOT_DIR}" ]; then
-	    mkdir .${ROOT_DIR}
+if [ "$THIS_DIR" = "ARDUINO" ]; then
+    # mkdir ./wolfSSL
+    if [ -d ".${ROOT_DIR}" ]; then
+        echo "ERROR: $(realpath ".${ROOT_DIR}") is not empty"
+        exit 1
+    else
+        echo "Step 01: mkdir .${ROOT_DIR}"
+        mkdir .${ROOT_DIR}
     fi
+
+    # mkdir ./wolfSSL/src
     if [ ! -d ".${ROOT_SRC_DIR}" ]; then
-	    mkdir .${ROOT_SRC_DIR}
+        echo "Step 02: mkdir .${ROOT_SRC_DIR}"
+        mkdir .${ROOT_SRC_DIR}
     fi
 
+    # mkdir ./wolfSSL/src/wolfssl
     if [ ! -d ".${WOLFSSL_HEADERS}" ]; then
-	    mkdir .${WOLFSSL_HEADERS}
+        echo "Step 03: mkdir .${WOLFSSL_HEADERS}"
+        mkdir .${WOLFSSL_HEADERS}
     fi
 
-    cp ${WOLFSSL_HEADERS_TOP}/*.h .${WOLFSSL_HEADERS}
+    #  cp ../../wolfssl/*.h  ./wolfSSL/src/wolfssl
+    echo "Step 04: cp    ${WOLFSSL_HEADERS_TOP}/*.h               .${WOLFSSL_HEADERS}"
+    $CP_CMD ${WOLFSSL_HEADERS_TOP}/*.h .${WOLFSSL_HEADERS}
     if [ ! -d ".${WOLFCRYPT_HEADERS}" ]; then
+        #  mkdir ./wolfSSL/src/wolfssl/wolfcrypt
+        echo "Step 05: mkdir .${WOLFCRYPT_HEADERS}"
         mkdir .${WOLFCRYPT_HEADERS}
+        mkdir .${WOLFCRYPT_HEADERS}/port
+        mkdir .${WOLFCRYPT_HEADERS}/port/atmel
+        mkdir .${WOLFCRYPT_HEADERS}/port/Espressif
     fi
-    cp ${WOLFCRYPT_HEADERS_TOP}/*.h .${WOLFCRYPT_HEADERS}
+
+    # cp  ../../wolfssl/wolfcrypt/*.h  ./wolfSSL/src/wolfssl/wolfcrypt
+    echo "Step 06: cp    ${WOLFCRYPT_HEADERS_TOP}/*.h     .${WOLFCRYPT_HEADERS}"
+    $CP_CMD ${WOLFCRYPT_HEADERS_TOP}/*.h                .${WOLFCRYPT_HEADERS}                 || exit 1
+    $CP_CMD ${WOLFCRYPT_HEADERS_TOP}/port/atmel/*.h     .${WOLFCRYPT_HEADERS}/port/atmel      || exit 1
+    $CP_CMD ${WOLFCRYPT_HEADERS_TOP}/port/Espressif/*.h .${WOLFCRYPT_HEADERS}/port/Espressif  || exit 1
 
     # Add in source files to wolfcrypt/src
     if [ ! -d ".${WOLFCRYPT_ROOT}" ]; then
+        # mkdir ./wolfSSL/src/wolfcrypt
+        echo "Step 07: mkdir .${WOLFCRYPT_ROOT}"
         mkdir .${WOLFCRYPT_ROOT}
     fi
+
+    # mkdir ./wolfSSL/src/wolfcrypt/src
     if [ ! -d ".${WOLFCRYPT_SRC}" ]; then
+        echo "Step 08: mkdir .${WOLFCRYPT_SRC}"
         mkdir .${WOLFCRYPT_SRC}
+        mkdir .${WOLFCRYPT_SRC}/port
+        mkdir .${WOLFCRYPT_SRC}/port/atmel
+        mkdir .${WOLFCRYPT_SRC}/port/Espressif
     fi
-    cp ${WOLFCRYPT_SRC_TOP}/*.c .${WOLFCRYPT_SRC}
-    
+
+    # cp  ../../wolfcrypt/src/*.c  ./wolfSSL/src/wolfcrypt/src
+    echo "Step 09: cp    ${WOLFCRYPT_SRC_TOP}/*.c         .${WOLFCRYPT_SRC}"
+    $CP_CMD -r ${WOLFCRYPT_SRC_TOP}/*.c                  .${WOLFCRYPT_SRC}                || exit 1
+    $CP_CMD -r ${WOLFCRYPT_SRC_TOP}/port/atmel/*.c       .${WOLFCRYPT_SRC}/port/atmel     || exit 1
+    $CP_CMD -r ${WOLFCRYPT_SRC_TOP}/port/Espressif/*.c   .${WOLFCRYPT_SRC}/port/Espressif || exit 1
+
     # Add in source files to top level src folders
     if [ ! -d ".${WOLFSSL_SRC}" ]; then
+        # mkdir ./wolfSSL/src/src
+        echo "Step 10: mkdir .${WOLFSSL_SRC}"
         mkdir .${WOLFSSL_SRC}
     fi
-    cp ${WOLFSSL_SRC_TOP}/*.c .${WOLFSSL_SRC}
+    $CP_CMD ${WOLFSSL_SRC_TOP}/*.c .${WOLFSSL_SRC}                                        || exit 1
     # put bio and evp as includes
-    cp .${WOLFSSL_SRC}/bio.c .${WOLFSSL_HEADERS}
-    cp .${WOLFCRYPT_SRC}/evp.c .${WOLFSSL_HEADERS}
+    $CP_CMD .${WOLFSSL_SRC}/bio.c .${WOLFSSL_HEADERS}                                     || exit 1
+    $CP_CMD .${WOLFCRYPT_SRC}/evp.c .${WOLFSSL_HEADERS}                                   || exit 1
 
     # make a copy of evp.c and bio.c for ssl.c to include inline
-    cp .${WOLFSSL_HEADERS}/evp.c .${WOLFCRYPT_SRC}/evp.c
-    cp .${WOLFSSL_HEADERS}/bio.c .${WOLFCRYPT_SRC}/bio.c
-    
+    $CP_CMD .${WOLFSSL_HEADERS}/evp.c .${WOLFCRYPT_SRC}/evp.c                             || exit 1
+    $CP_CMD .${WOLFSSL_HEADERS}/bio.c .${WOLFCRYPT_SRC}/bio.c                             || exit 1
+
     # copy openssl compatibility headers to their appropriate location
     if [ ! -d ".${OPENSSL_DIR}" ]; then
         mkdir .${OPENSSL_DIR}
     fi
-    cp ${OPENSSL_DIR_TOP}/* .${OPENSSL_DIR}
+    $CP_CMD ${OPENSSL_DIR_TOP}/* .${OPENSSL_DIR}                                          || exit 1
 
 
     cat > .${ROOT_SRC_DIR}/wolfssl.h <<EOF
@@ -84,62 +216,72 @@ if [ "$DIR" = "ARDUINO" ]; then
 #include <wolfssl/ssl.h>
 EOF
 
+else
+    echo "ERROR: You must be in the IDE/ARDUINO directory to run this script"
+    exit 1
+fi
 
-# Creates user_settings file if one does not exist
-    if [ ! -f ".${ROOT_SRC_DIR}/user_settings.h" ]; then
-    	cat > .${ROOT_SRC_DIR}/user_settings.h <<EOF
-/* Generated wolfSSL user_settings.h file for Arduino */
-#ifndef ARDUINO_USER_SETTINGS_H
-#define ARDUINO_USER_SETTINGS_H
+# At this point, the library is complete, but we need some additional files.
+#
+# optional diagnostics:
+# echo ".${ROOT_DIR}"
+# echo "${TOP_DIR}"
+# echo "cp ${TOP_DIR}/README.md     .${ROOT_DIR}/"
 
-/* Platform */
-#define WOLFSSL_ARDUINO
+# Replace the `${WOLFSSL_VERSION}` text in Arduino_README_prepend.md,
+# saving it to a .tmp file. Prepend that file to the wolfSSL README.md
+# file as PREPENDED_README.md, then copy that to the publish directory
+# as an Arduino-specific README.md file.
+VERSION_PLACEHOLDER="\${WOLFSSL_VERSION}"
+ARDUINO_VERSION_SUFFIX_PLACEHOLDER="\${WOLFSSL_VERSION_ARUINO_SUFFIX}"
+PREPEND_FILE="Arduino_README_prepend.md"
+PROPERTIES_FILE_TEMPLATE="library.properties.template"
+sed s/"$VERSION_PLACEHOLDER"/"$WOLFSSL_VERSION"/ "$PREPEND_FILE" > "$PREPEND_FILE.tmp"
+cat "$PREPEND_FILE.tmp" ${TOP_DIR}/README.md > PREPENDED_README.md
 
-/* Math library (remove this to use normal math)*/
-#define USE_FAST_MATH
-#define TFM_NO_ASM
-#define NO_ASN_TIME
+# Here we'll insert the wolfSSL version into the `library.properties.tmp` file, along with an Arduino version suffix.
+# The result should be something like version=5.6.601 (for the 1st incremental version on top of 5.6.6)
+sed            s/"$VERSION_PLACEHOLDER"/"$WOLFSSL_VERSION"/                              "$PROPERTIES_FILE_TEMPLATE" > "library.properties.tmp"
+sed -i.backup  s/"$ARDUINO_VERSION_SUFFIX_PLACEHOLDER"/"$WOLFSSL_VERSION_ARUINO_SUFFIX"/ "library.properties.tmp"
 
-/* When using Intel Galileo Uncomment the line below */
-/* #define INTEL_GALILEO */
+# cat library.properties.tmp
+# echo "${WOLFSSL_VERSION_ARUINO_SUFFIX}"
 
-/* RNG DEFAULT !!FOR TESTING ONLY!! */
-/* comment out the error below to get started w/ bad entropy source
- * This will need fixed before distribution but is OK to test with */
-#error "needs solved, see: https://www.wolfssl.com/docs/porting-guide/"
-#define WOLFSSL_GENSEED_FORTEST
+echo "Step 11: Final root file copy"
+$CP_CMD  PREPENDED_README.md        .${ROOT_DIR}/README.md           || exit 1
+$CP_CMD  library.properties.tmp     .${ROOT_DIR}/library.properties  || exit 1
+$CP_CMD  ${TOP_DIR}/"LICENSING"     .${ROOT_DIR}/                    || exit 1
+$CP_CMD  ${TOP_DIR}/"README"        .${ROOT_DIR}/                    || exit 1
+$CP_CMD  ${TOP_DIR}/"COPYING"       .${ROOT_DIR}/                    || exit 1
+$CP_CMD  ${TOP_DIR}/"ChangeLog.md"  .${ROOT_DIR}/                    || exit 1
+$CP_CMD  ${TOP_DIR}/".editorconfig" .${ROOT_DIR}/                    || exit 1
+$CP_CMD  ${TOP_DIR}/".gitignore"    .${ROOT_DIR}/                    || exit 1
 
-#endif /* ARDUINO_USER_SETTINGS_H */
-EOF
-    fi
+$CP_CMD  "keywords.txt"             .${ROOT_DIR}/                    || exit 1
 
-    cp .${WOLFCRYPT_HEADERS}/settings.h .${WOLFCRYPT_HEADERS}/settings.h.bak
-    cat > .${WOLFCRYPT_HEADERS}/settings.h <<EOF
-/*wolfSSL Generated ARDUINO settings */
-#ifndef WOLFSSL_USER_SETTINGS
-    #define WOLFSSL_USER_SETTINGS
-#endif /* WOLFSSL_USER_SETTINGS */ 
-/*wolfSSL Generated ARDUINO settings: END */	
 
-EOF
-    cat .${WOLFCRYPT_HEADERS}/settings.h.bak >> .${WOLFCRYPT_HEADERS}/settings.h
-
-    #Creating library.properties file based off of: 
-    #https://arduino.github.io/arduino-cli/0.35/library-specification/#libraryproperties-file-format
-
-    cat > .${ROOT_DIR}/library.properties <<EOF
-name=wolfSSL
-version=${WOLFSSL_VERSION}
-author=wolfSSL inc
-maintainer=wolfSSL inc <support@wolfssl.com>
-sentence=A lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments.
-paragraph=Manual: https://www.wolfssl.com/documentation/manuals/wolfssl/index.html.
-category=Communication
-url=https://www.wolfssl.com/
-architectures=*
+echo "Step 12: workspace to publish:"
+echo ""
+head -n 3  PREPENDED_README.md
+echo ""
+ls ./wolfSSL -al
+echo ""
 
-EOF
+# Optionally install to a separate directory.
+# Note we should have exited above if a problem was encountered,
+# as we'll never want to install a bad library.
+if [ "$THIS_OPERATION" = "INSTALL" ]; then
+    if [ "$THIS_INSTALL_IS_GITHUB" = "true" ]; then
+        echo "Installing to GitHub directory: $THIS_INSTALL_DIR"
+        cp -r ".$ROOT_DIR"/* "$THIS_INSTALL_DIR" || exit 1
+    else
+        echo "Install:"
+        echo "cp ../../examples/configs/user_settings_arduino.h  .${ROOT_SRC_DIR}/user_settings.h"
+        cp ../../examples/configs/user_settings_arduino.h  ".${ROOT_SRC_DIR}/user_settings.h" || exit 1
 
-else
-    echo "ERROR: You must be in the IDE/ARDUINO directory to run this script"
+        echo "mv $ROOT_DIR $ARDUINO_ROOT"
+        mv ".$ROOT_DIR" "$ARDUINO_ROOT" || exit 1
+    fi
 fi
+
+echo "Done!"
diff --git a/IDE/Renesas/e2studio/RA6M4/common/user_settings.h b/IDE/Renesas/e2studio/RA6M4/common/user_settings.h
index 4263164e82..485415317c 100644
--- a/IDE/Renesas/e2studio/RA6M4/common/user_settings.h
+++ b/IDE/Renesas/e2studio/RA6M4/common/user_settings.h
@@ -115,4 +115,5 @@
 #endif
 
 #define CUSTOM_RAND_GENERATE_BLOCK wc_fspsm_GenerateRandBlock
-
+/* use original asn parsing */
+#define WOLFSSL_ASN_ORIGINAL
diff --git a/IDE/STM32Cube/STM32_Benchmarks.md b/IDE/STM32Cube/STM32_Benchmarks.md
index 129cbdd47c..674ddabab3 100644
--- a/IDE/STM32Cube/STM32_Benchmarks.md
+++ b/IDE/STM32Cube/STM32_Benchmarks.md
@@ -59,6 +59,81 @@ Benchmark complete
 Benchmark Test: Return code 0
 ```
 
+### STM32H753ZI (-O2, Thumb2 ARM ASM, SP-ASM Cortex M small)
+
+Enable CPU I-Cache and D-Cache by calling:
+
+```c
+SCB_EnableICache();
+SCB_EnableDCache();
+```
+
+Build options for ARM ASM:
+
+```c
+#define WOLFSSL_ARMASM
+#define WOLFSSL_ARMASM_INLINE
+#define WOLFSSL_ARMASM_NO_HW_CRYPTO
+#define WOLFSSL_ARMASM_NO_NEON
+#define WOLFSSL_ARM_ARCH 7
+```
+
+```
+------------------------------------------------------------------------------
+ wolfSSL version 5.6.6
+------------------------------------------------------------------------------
+wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
+RNG                          6 MiB took 1.000 seconds,    6.079 MiB/s
+AES-128-CBC-enc             17 MiB took 1.000 seconds,   17.261 MiB/s
+AES-128-CBC-dec             17 MiB took 1.000 seconds,   16.748 MiB/s
+AES-192-CBC-enc             15 MiB took 1.000 seconds,   14.575 MiB/s
+AES-192-CBC-dec             14 MiB took 1.000 seconds,   14.209 MiB/s
+AES-256-CBC-enc             13 MiB took 1.000 seconds,   12.622 MiB/s
+AES-256-CBC-dec             12 MiB took 1.000 seconds,   12.378 MiB/s
+AES-128-GCM-enc              8 MiB took 1.000 seconds,    8.374 MiB/s
+AES-128-GCM-dec              8 MiB took 1.000 seconds,    8.374 MiB/s
+AES-192-GCM-enc              8 MiB took 1.000 seconds,    7.690 MiB/s
+AES-192-GCM-dec              8 MiB took 1.000 seconds,    7.690 MiB/s
+AES-256-GCM-enc              7 MiB took 1.000 seconds,    7.129 MiB/s
+AES-256-GCM-dec              7 MiB took 1.000 seconds,    7.104 MiB/s
+AES-128-GCM-enc-no_AAD       8 MiB took 1.000 seconds,    8.472 MiB/s
+AES-128-GCM-dec-no_AAD       8 MiB took 1.000 seconds,    8.472 MiB/s
+AES-192-GCM-enc-no_AAD       8 MiB took 1.000 seconds,    7.764 MiB/s
+AES-192-GCM-dec-no_AAD       8 MiB took 1.000 seconds,    7.715 MiB/s
+AES-256-GCM-enc-no_AAD       7 MiB took 1.000 seconds,    7.153 MiB/s
+AES-256-GCM-dec-no_AAD       7 MiB took 1.000 seconds,    7.153 MiB/s
+GMAC Table 4-bit            17 MiB took 1.000 seconds,   16.617 MiB/s
+CHACHA                      29 MiB took 1.000 seconds,   28.662 MiB/s
+CHA-POLY                    19 MiB took 1.000 seconds,   18.848 MiB/s
+POLY1305                    90 MiB took 1.000 seconds,   89.771 MiB/s
+SHA-224                     18 MiB took 1.000 seconds,   18.042 MiB/s
+SHA-256                     18 MiB took 1.000 seconds,   18.042 MiB/s
+SHA-384                      8 MiB took 1.000 seconds,    7.544 MiB/s
+SHA-512                      8 MiB took 1.000 seconds,    7.568 MiB/s
+SHA-512/224                  8 MiB took 1.000 seconds,    7.544 MiB/s
+SHA-512/256                  8 MiB took 1.000 seconds,    7.520 MiB/s
+HMAC-SHA224                 18 MiB took 1.000 seconds,   17.896 MiB/s
+HMAC-SHA256                 18 MiB took 1.000 seconds,   17.896 MiB/s
+HMAC-SHA384                  7 MiB took 1.000 seconds,    7.373 MiB/s
+HMAC-SHA512                  7 MiB took 1.000 seconds,    7.397 MiB/s
+RSA     2048   public       508 ops took 1.000 sec, avg 1.969 ms, 508.000 ops/sec
+RSA     2048  private        14 ops took 1.020 sec, avg 72.857 ms, 13.725 ops/sec
+DH      2048  key gen        30 ops took 1.012 sec, avg 33.733 ms, 29.644 ops/sec
+DH      2048    agree        30 ops took 1.012 sec, avg 33.733 ms, 29.644 ops/sec
+ECC   [      SECP256R1]   256  key gen       982 ops took 1.000 sec, avg 1.018 ms, 982.000 ops/sec
+ECDHE [      SECP256R1]   256    agree       456 ops took 1.000 sec, avg 2.193 ms, 456.000 ops/sec
+ECDSA [      SECP256R1]   256     sign       520 ops took 1.000 sec, avg 1.923 ms, 520.000 ops/sec
+ECDSA [      SECP256R1]   256   verify       288 ops took 1.004 sec, avg 3.486 ms, 286.853 ops/sec
+CURVE  25519  key gen      1112 ops took 1.000 sec, avg 0.899 ms, 1112.000 ops/sec
+CURVE  25519    agree      1144 ops took 1.000 sec, avg 0.874 ms, 1144.000 ops/sec
+ED     25519  key gen      2358 ops took 1.000 sec, avg 0.424 ms, 2358.000 ops/sec
+ED     25519     sign      1716 ops took 1.000 sec, avg 0.583 ms, 1716.000 ops/sec
+ED     25519   verify       862 ops took 1.000 sec, avg 1.160 ms, 862.000 ops/sec
+Benchmark complete
+Benchmark Test: Return code 0
+```
+
+
 ### STM32H753ZI (No HW Crypto, -Os, FastMath)
 
 ```
diff --git a/cmake/config.in b/cmake/config.in
index 4082325b5d..d1b61aa147 100644
--- a/cmake/config.in
+++ b/cmake/config.in
@@ -1,6 +1,12 @@
 /* Define to 1 if you have the <arpa/inet.h> header file. */
 #cmakedefine HAVE_ARPA_INET_H @HAVE_ARPA_INET_H@
 
+/* Define to 1 if you have the <sys/ioctl.h> header file. */
+#cmakedefine HAVE_SYS_IOCTL_H @HAVE_SYS_IOCTL_H@
+
+/* Define to 1 if you have the <netdb.h> header file. */
+#cmakedefine HAVE_NETDB_H @HAVE_NETDB_H@
+
 /* Define to 1 if you have the <sys/socket.h> header file. */
 #cmakedefine HAVE_SYS_SOCKET_H @HAVE_SYS_SOCKET_H@
 
diff --git a/configure.ac b/configure.ac
index 132f14b0ce..97d19e07a2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -451,9 +451,35 @@ then
         RANLIB=ranlib
     fi
     xxx_ranlib_flags=$(${RANLIB} --help 2>&1)
-    AM_CFLAGS="$AM_CFLAGS -DHAVE_REPRODUCIBLE_BUILD"
+
     AS_CASE([$xxx_ar_flags],[*'use zero for timestamps and uids/gids'*],[AR_FLAGS="Dcr" lt_ar_flags="Dcr"])
     AS_CASE([$xxx_ranlib_flags],[*'Use zero for symbol map timestamp'*],[RANLIB="${RANLIB} -D"])
+
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_REPRODUCIBLE_BUILD -g0"
+
+    # opportunistically use -ffile-prefix-map (added in GCC8 and LLVM10)
+
+    if "$CC" -ffile-prefix-map=/tmp=. -x c - -o /dev/null >/dev/null 2>&1 <<'        EOF'
+        #include <stdlib.h>
+        int main(int argc, char **argv) {
+            (void)argc; (void)argv; return 0;
+        }
+        EOF
+    then
+        AM_CFLAGS="$AM_CFLAGS -ffile-prefix-map=\$(abs_top_srcdir)/= -ffile-prefix-map=\$(top_srcdir)/="
+    fi
+
+    # opportunistically use linker option --build-id=none
+
+    if "$CC" -Wl,--build-id=none -x c - -o /dev/null >/dev/null 2>&1 <<'        EOF'
+        #include <stdlib.h>
+        int main(int argc, char **argv) {
+            (void)argc; (void)argv; return 0;
+        }
+        EOF
+    then
+        AM_LDFLAGS="$AM_LDFLAGS -Wl,--build-id=none"
+    fi
 fi
 
 
diff --git a/doc/dox_comments/header_files/ssl.h b/doc/dox_comments/header_files/ssl.h
index a96b3888fe..7569daf4c1 100644
--- a/doc/dox_comments/header_files/ssl.h
+++ b/doc/dox_comments/header_files/ssl.h
@@ -2086,15 +2086,18 @@ int  wolfSSL_get_using_nonblock(WOLFSSL*);
     \brief This function writes sz bytes from the buffer, data, to the SSL
     connection, ssl. If necessary, wolfSSL_write() will negotiate an SSL/TLS
     session if the handshake has not already been performed yet by
-    wolfSSL_connect() or wolfSSL_accept(). wolfSSL_write() works with both
-    blocking and non-blocking I/O.  When the underlying I/O is non-blocking,
-    wolfSSL_write() will return when the underlying I/O could not satisfy the
-    needs of wolfSSL_write() to continue.  In this case, a call to
-    wolfSSL_get_error() will yield either SSL_ERROR_WANT_READ or
-    SSL_ERROR_WANT_WRITE.  The calling process must then repeat the call to
-    wolfSSL_write() when the underlying I/O is ready. If the underlying I/O
-    is blocking, wolfSSL_write() will only return once the buffer data of
-    size sz has been completely written or an error occurred.
+    wolfSSL_connect() or wolfSSL_accept(). When using (D)TLSv1.3 and early data
+    feature is compiled in, this function progresses the handshake only up to
+    the point when it is possible to send data. Next invokations of
+    wolfSSL_Connect()/wolfSSL_Accept()/wolfSSL_read() will complete the
+    handshake. wolfSSL_write() works with both blocking and non-blocking I/O.
+    When the underlying I/O is non-blocking, wolfSSL_write() will return when
+    the underlying I/O could not satisfy the needs of wolfSSL_write() to
+    continue.  In this case, a call to wolfSSL_get_error() will yield either
+    SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.  The calling process must then
+    repeat the call to wolfSSL_write() when the underlying I/O is ready. If the
+    underlying I/O is blocking, wolfSSL_write() will only return once the buffer
+    data of size sz has been completely written or an error occurred.
 
     \return >0 the number of bytes written upon success.
     \return 0 will be returned upon failure.  Call wolfSSL_get_error() for
@@ -7596,18 +7599,49 @@ int wolfSSL_writev(WOLFSSL* ssl, const struct iovec* iov,
     WOLFSSL_METHOD method = wolfTLSv1_2_client_method();
     WOLFSSL_CTX* ctx = WOLFSSL_CTX_new(method);
     …
-    if(!wolfSSL_CTX_UnloadCAs(ctx)){
+    if(wolfSSL_CTX_UnloadCAs(ctx) != SSL_SUCCESS){
     	// The function did not unload CAs
     }
     \endcode
 
     \sa wolfSSL_CertManagerUnloadCAs
     \sa LockMutex
-    \sa FreeSignerTable
     \sa UnlockMutex
 */
 int wolfSSL_CTX_UnloadCAs(WOLFSSL_CTX*);
 
+
+/*!
+    \ingroup Setup
+
+    \brief This function unloads intermediate certificates added to the CA
+    signer list and frees them.
+
+    \return SSL_SUCCESS returned on successful execution of the function.
+    \return BAD_FUNC_ARG returned if the WOLFSSL_CTX struct is NULL or there
+    are otherwise unpermitted argument values passed in a subroutine.
+    \return BAD_STATE_E returned if the WOLFSSL_CTX has a reference count > 1.
+    \return BAD_MUTEX_E returned if there was a mutex error. The LockMutex()
+    did not return 0.
+
+    \param ctx a pointer to a WOLFSSL_CTX structure, created using
+    wolfSSL_CTX_new().
+
+    _Example_
+    \code
+    WOLFSSL_METHOD method = wolfTLSv1_2_client_method();
+    WOLFSSL_CTX* ctx = WOLFSSL_CTX_new(method);
+    …
+    if(wolfSSL_CTX_UnloadIntermediateCerts(ctx) != NULL){
+        // The function did not unload CAs
+    }
+    \endcode
+
+    \sa wolfSSL_CTX_UnloadCAs
+    \sa wolfSSL_CertManagerUnloadIntermediateCerts
+*/
+int wolfSSL_CTX_UnloadIntermediateCerts(WOLFSSL_CTX* ctx);
+
 /*!
     \ingroup Setup
 
@@ -9548,18 +9582,45 @@ int wolfSSL_CertManagerLoadCABuffer(WOLFSSL_CERT_MANAGER* cm,
     #include <wolfssl/ssl.h>
 
     WOLFSSL_CTX* ctx = wolfSSL_CTX_new(protocol method);
-    WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
+    WOLFSSL_CERT_MANAGER* cm = wolfSSL_CTX_GetCertManager(ctx);
     ...
-    if(wolfSSL_CertManagerUnloadCAs(ctx->cm) != SSL_SUCCESS){
-    	Failure case.
+    if(wolfSSL_CertManagerUnloadCAs(cm) != SSL_SUCCESS){
+        Failure case.
     }
     \endcode
 
-    \sa FreeSignerTable
     \sa UnlockMutex
 */
 int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm);
 
+/*!
+    \ingroup CertManager
+    \brief This function unloads intermediate certificates add to the CA
+    signer list.
+
+    \return SSL_SUCCESS returned on successful execution of the function.
+    \return BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER is NULL.
+    \return BAD_MUTEX_E returned if there was a mutex error.
+
+    \param cm a pointer to a WOLFSSL_CERT_MANAGER structure,
+    created using wolfSSL_CertManagerNew().
+
+    _Example_
+    \code
+    #include <wolfssl/ssl.h>
+
+    WOLFSSL_CTX* ctx = wolfSSL_CTX_new(protocol method);
+    WOLFSSL_CERT_MANAGER* cm = wolfSSL_CTX_GetCertManager(ctx);
+    ...
+    if(wolfSSL_CertManagerUnloadIntermediateCerts(cm) != SSL_SUCCESS){
+    	Failure case.
+    }
+    \endcode
+
+    \sa UnlockMutex
+*/
+int wolfSSL_CertManagerUnloadIntermediateCerts(WOLFSSL_CERT_MANAGER* cm);
+
 /*!
     \ingroup CertManager
     \brief The function will free the Trusted Peer linked list and unlocks
@@ -13938,9 +13999,11 @@ int  wolfSSL_write_early_data(WOLFSSL* ssl, const void* data,
 
     \brief This function reads any early data from a client on resumption.
     Call this function instead of wolfSSL_accept() or wolfSSL_accept_TLSv13()
-    to accept a client and read any early data in the handshake.
-    If there is no early data than the handshake will be processed as normal.
-    This function is only used with servers.
+    to accept a client and read any early data in the handshake. The function
+    should be invoked until wolfSSL_is_init_finished() returns true. Early data
+    may be sent by the client in multiple messsages. If there is no early data
+    then the handshake will be processed as normal. This function is only used
+    with servers.
 
     \param [in,out] ssl a pointer to a WOLFSSL structure, created using wolfSSL_new().
     \param [out] data a buffer to hold the early data read from client.
@@ -13951,7 +14014,7 @@ int  wolfSSL_write_early_data(WOLFSSL* ssl, const void* data,
     not using TLSv1.3.
     \return SIDE_ERROR if called with a client.
     \return WOLFSSL_FATAL_ERROR if accepting a connection fails.
-    \return WOLFSSL_SUCCESS if successful.
+    \return Number of early data bytes read (may be zero).
 
     _Example_
     \code
@@ -13963,19 +14026,16 @@ int  wolfSSL_write_early_data(WOLFSSL* ssl, const void* data,
     char buffer[80];
     ...
 
-    ret = wolfSSL_read_early_data(ssl, earlyData, sizeof(earlyData), &outSz);
-    if (ret != SSL_SUCCESS) {
-        err = wolfSSL_get_error(ssl, ret);
-        printf(“error = %d, %s\n”, err, wolfSSL_ERR_error_string(err, buffer));
-    }
-    if (outSz > 0) {
-        // early data available
-    }
-    ret = wolfSSL_accept_TLSv13(ssl);
-    if (ret != SSL_SUCCESS) {
-        err = wolfSSL_get_error(ssl, ret);
-        printf(“error = %d, %s\n”, err, wolfSSL_ERR_error_string(err, buffer));
-    }
+    do {
+        ret = wolfSSL_read_early_data(ssl, earlyData, sizeof(earlyData), &outSz);
+        if (ret < 0) {
+            err = wolfSSL_get_error(ssl, ret);
+            printf(“error = %d, %s\n”, err, wolfSSL_ERR_error_string(err, buffer));
+        }
+        if (outSz > 0) {
+            // early data available
+        }
+    } while (!wolfSSL_is_init_finished(ssl));
     \endcode
 
     \sa wolfSSL_write_early_data
diff --git a/examples/configs/include.am b/examples/configs/include.am
index a507e1c4ec..61154167a1 100644
--- a/examples/configs/include.am
+++ b/examples/configs/include.am
@@ -3,6 +3,7 @@
 
 EXTRA_DIST += examples/configs/README.md
 EXTRA_DIST += examples/configs/user_settings_all.h
+EXTRA_DIST += examples/configs/user_settings_arduino.h
 EXTRA_DIST += examples/configs/user_settings_min_ecc.h
 EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h
 EXTRA_DIST += examples/configs/user_settings_template.h
diff --git a/examples/configs/user_settings_arduino.h b/examples/configs/user_settings_arduino.h
new file mode 100644
index 0000000000..a9486a82e2
--- /dev/null
+++ b/examples/configs/user_settings_arduino.h
@@ -0,0 +1,429 @@
+/* examples/configs/user_settings_arduino.h
+ *
+ * Copyright (C) 2006-2023 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* This is a sample Arduino user_settings.h for wolfSSL */
+
+#define NO_FILESYSTEM
+#define USE_CERT_BUFFERS_2048
+
+/* Make sure this is not an ESP-IDF file */
+#undef  WOLFSSL_ESPIDF
+
+#define HAVE_ECC
+#define WOLFSSL_SMALL_STACK
+/* #define WOLFSSL_SMALL_STACK_EXTRA */
+/* #define WOLFSSL_SMALL_STACK_CIPHERS */
+/* #define NO_DH */
+
+/* RSA must be enabled for examples, but can be disabled like this: */
+/* #define NO_RSA */
+#define RSA_LOW_MEM
+
+/* #define NO_OLD_TLS */
+
+/* Cannot use WOLFSSL_NO_MALLOC with small stack */
+/* #define WOLFSSL_NO_MALLOC */
+
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_SUPPORTED_CURVES
+
+#define HAVE_AESGCM
+
+/* optionally turn off SHA512/224 SHA512/256 */
+/* #define WOLFSSL_NOSHA512_224 */
+/* #define WOLFSSL_NOSHA512_256 */
+
+/* when you want to use SINGLE THREAD. Note Default ESP-IDF is FreeRTOS */
+#define SINGLE_THREADED
+
+
+/* Optional OPENSSL compatibility */
+/* #define OPENSSL_EXTRA */
+/* #define OPENSSL_ALL */
+
+/* when you want to use pkcs7 */
+/* #define HAVE_PKCS7 */
+
+/* when you want to use AES counter mode */
+/* #define WOLFSSL_AES_DIRECT */
+/* #define WOLFSSL_AES_COUNTER */
+
+/* esp32-wroom-32se specific definition */
+#if defined(WOLFSSL_ESPWROOM32SE)
+    #define WOLFSSL_ATECC508A
+    #define HAVE_PK_CALLBACKS
+    /* when you want to use a custom slot allocation for ATECC608A */
+    /* unless your configuration is unusual, you can use default   */
+    /* implementation.                                             */
+    /* #define CUSTOM_SLOT_ALLOCATION                              */
+#endif
+
+/* RSA primitive specific definition */
+#if defined(WOLFSSL_ESP32) || defined(WOLFSSL_ESPWROOM32SE)
+    /* Define USE_FAST_MATH and SMALL_STACK                        */
+    #define ESP32_USE_RSA_PRIMITIVE
+
+    #if defined(CONFIG_IDF_TARGET_ESP32)
+
+        /* NOTE HW unreliable for small values! */
+        /* threshold for performance adjustment for HW primitive use   */
+        /* X bits of G^X mod P greater than                            */
+        #undef  ESP_RSA_EXPT_XBITS
+        #define ESP_RSA_EXPT_XBITS 32
+
+        /* X and Y of X * Y mod P greater than                         */
+        #undef  ESP_RSA_MULM_BITS
+        #define ESP_RSA_MULM_BITS  16
+
+    #endif
+#endif
+
+/* #define WOLFSSL_ATECC508A_DEBUG         */
+
+/* date/time                               */
+/* if it cannot adjust time in the device, */
+/* enable macro below                      */
+/* #define NO_ASN_TIME */
+/* #define XTIME time */
+
+
+/* adjust wait-timeout count if you see timeout in RSA HW acceleration */
+#define ESP_RSA_TIMEOUT_CNT    0x249F00
+
+#define HASH_SIZE_LIMIT /* for test.c */
+
+/* USE_FAST_MATH is default */
+#define USE_FAST_MATH
+
+/*****      Use SP_MATH      *****/
+/* #undef USE_FAST_MATH          */
+/* #define SP_MATH               */
+/* #define WOLFSSL_SP_MATH_ALL   */
+
+/***** Use Integer Heap Math *****/
+/* #undef USE_FAST_MATH          */
+/* #define USE_INTEGER_HEAP_MATH */
+
+/* Default is HW enabled unless turned off.
+** Uncomment these lines to force SW instead of HW acceleration */
+
+#if defined(CONFIG_IDF_TARGET_ESP32)
+    /* wolfSSL HW Acceleration supported on ESP32. Uncomment to disable: */
+    /*  #define NO_ESP32_CRYPT                 */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_HASH    */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_AES     */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
+
+    /*  These are defined automatically in esp32-crypt.h, here for clarity:  */
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 /* no SHA224 HW on ESP32  */
+
+    #undef  ESP_RSA_MULM_BITS
+    #define ESP_RSA_MULM_BITS 16 /* TODO add compile-time warning */
+    /***** END CONFIG_IDF_TARGET_ESP32 *****/
+
+#elif defined(CONFIG_IDF_TARGET_ESP32S2)
+    /* wolfSSL HW Acceleration supported on ESP32-S2. Uncomment to disable: */
+    /*  #define NO_ESP32_CRYPT                 */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_HASH    */
+    /* Note: There's no AES192 HW on the ESP32-S2; falls back to SW */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_AES     */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
+    /***** END CONFIG_IDF_TARGET_ESP32S2 *****/
+
+#elif defined(CONFIG_IDF_TARGET_ESP32S3)
+    /* wolfSSL HW Acceleration supported on ESP32-S3. Uncomment to disable: */
+    /*  #define NO_ESP32_CRYPT                         */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_HASH            */
+    /* Note: There's no AES192 HW on the ESP32-S3; falls back to SW */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_AES             */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI         */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
+    /***** END CONFIG_IDF_TARGET_ESP32S3 *****/
+
+#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
+      defined(CONFIG_IDF_TARGET_ESP8684)
+    /* ESP8684 is essentially ESP32-C2 chip + flash embedded together in a
+     * single QFN 4x4 mm package. Out of released documentation, Technical
+     * Reference Manual as well as ESP-IDF Programming Guide is applicable
+     * to both ESP32-C2 and ESP8684.
+     *
+     * See: https://www.esp32.com/viewtopic.php?f=5&t=27926#:~:text=ESP8684%20is%20essentially%20ESP32%2DC2,both%20ESP32%2DC2%20and%20ESP8684. */
+
+    /* wolfSSL HW Acceleration supported on ESP32-C2. Uncomment to disable: */
+    /*  #define NO_ESP32_CRYPT                 */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_HASH    */ /* to disable all SHA HW   */
+
+    /* These are defined automatically in esp32-crypt.h, here for clarity    */
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384    /* no SHA384 HW on C2  */
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512    /* no SHA512 HW on C2  */
+
+    /* There's no AES or RSA/Math accelerator on the ESP32-C2
+     * Auto defined with NO_WOLFSSL_ESP32_CRYPT_RSA_PRI, for clarity: */
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD
+    /***** END CONFIG_IDF_TARGET_ESP32C2 *****/
+
+#elif defined(CONFIG_IDF_TARGET_ESP32C3)
+    /* wolfSSL HW Acceleration supported on ESP32-C3. Uncomment to disable: */
+
+    /*  #define NO_ESP32_CRYPT                 */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_HASH    */ /* to disable all SHA HW   */
+
+    /* These are defined automatically in esp32-crypt.h, here for clarity:  */
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384    /* no SHA384 HW on C6  */
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512    /* no SHA512 HW on C6  */
+
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_AES             */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI         */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
+    /***** END CONFIG_IDF_TARGET_ESP32C3 *****/
+
+#elif defined(CONFIG_IDF_TARGET_ESP32C6)
+    /* wolfSSL HW Acceleration supported on ESP32-C6. Uncomment to disable: */
+
+    /*  #define NO_ESP32_CRYPT                 */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_HASH    */
+    /*  These are defined automatically in esp32-crypt.h, here for clarity:  */
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384    /* no SHA384 HW on C6  */
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512    /* no SHA512 HW on C6  */
+
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_AES             */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI         */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD  */
+    /*  #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
+    /***** END CONFIG_IDF_TARGET_ESP32C6 *****/
+
+#elif defined(CONFIG_IDF_TARGET_ESP32H2)
+    /*  wolfSSL Hardware Acceleration not yet implemented */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    /***** END CONFIG_IDF_TARGET_ESP32H2 *****/
+
+#elif defined(CONFIG_IDF_TARGET_ESP8266)
+    /*  TODO: Revisit ESP8266 */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    /***** END CONFIG_IDF_TARGET_ESP266 *****/
+#else
+    /* Anything else encountered, disable HW accleration */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+#endif /* CONFIG_IDF_TARGET Check */
+
+/* Debug options:
+
+#define ESP_VERIFY_MEMBLOCK
+#define DEBUG_WOLFSSL
+#define DEBUG_WOLFSSL_VERBOSE
+#define DEBUG_WOLFSSL_SHA_MUTEX
+#define WOLFSSL_ESP32_CRYPT_DEBUG
+#define WOLFSSL_ESP32_CRYPT_HASH_SHA224_DEBUG
+#define NO_RECOVER_SOFTWARE_CALC
+#define WOLFSSL_TEST_STRAY 1
+#define USE_ESP_DPORT_ACCESS_READ_BUFFER
+#define WOLFSSL_ESP32_HW_LOCK_DEBUG
+#define WOLFSSL_DEBUG_ESP_RSA_MULM_BITS
+#define ESP_DISABLE_HW_TASK_LOCK
+*/
+
+#define WOLFSSL_ESPIDF_ERROR_PAUSE /* Pause in a loop rather than exit. */
+#define WOLFSSL_HW_METRICS
+
+/* #define HASH_SIZE_LIMIT */ /* for test.c */
+
+/* #define NO_HW_MATH_TEST */ /* Optionall turn off HW math checks */
+
+/* Optionally include alternate HW test library: alt_hw_test.h */
+/* When enabling, the ./components/wolfssl/CMakeLists.txt file
+ * will need the name of the library in the idf_component_register
+ * for the PRIV_REQUIRES list. */
+/* #define INCLUDE_ALT_HW_TEST */
+
+/* optionally turn off individual math HW acceleration features */
+
+/* Turn off Large Number ESP32 HW Multiplication:
+** [Z = X * Y] in esp_mp_mul()                                  */
+/* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL                */
+
+/* Turn off Large Number ESP32 HW Modular Exponentiation:
+** [Z = X^Y mod M] in esp_mp_exptmod()                          */
+/* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD               */
+
+/* Turn off Large Number ESP32 HW Modular Multiplication
+** [Z = X * Y mod M] in esp_mp_mulmod()                         */
+/* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD                */
+
+
+#define WOLFSSL_PUBLIC_MP /* used by benchmark */
+
+/* when turning on ECC508 / ECC608 support
+#define WOLFSSL_ESPWROOM32SE
+#define HAVE_PK_CALLBACKS
+#define WOLFSSL_ATECC508A
+#define ATCA_WOLFSSL
+*/
+
+/* The section below defines macros used in typically all of the wolfSSL
+ * examples such as the client and server for certs stored in header files.
+ *
+ * There are various certificate examples in this header file:
+ * https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/certs_test.h
+ *
+ * To use the sets of macros below, define *one* of these:
+ *
+ *    USE_CERT_BUFFERS_1024  - ECC 1024 bit encoded ASN1
+ *    USE_CERT_BUFFERS_2048  - RSA 2048 bit encoded ASN1
+ *    WOLFSSL_SM[2,3,4]      - SM Ciphers
+ *
+ * For example: define USE_CERT_BUFFERS_2048 to use CA Certs used in this
+ *  wolfSSL function for the `ca_cert_der_2048` buffer, size and types:
+ *
+ *     ret = wolfSSL_CTX_load_verify_buffer(ctx,
+ *                                          CTX_CA_CERT,
+ *                                          CTX_CA_CERT_SIZE,
+ *                                          CTX_CA_CERT_TYPE);
+ *
+ * See https://www.wolfssl.com/documentation/manuals/wolfssl/group__CertsKeys.html#function-wolfssl_ctx_load_verify_buffer
+ *
+ * In this case the CTX_CA_CERT will be defined as `ca_cert_der_2048` as
+ * defined here: https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/certs_test.h
+ *
+ * The CTX_CA_CERT_SIZE and CTX_CA_CERT_TYPE are similarly used to reference
+ * array size and cert type respectively.
+ *
+ * Similarly for loading the private client key:
+ *
+ *  ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
+ *                                          CTX_CLIENT_KEY,
+ *                                          CTX_CLIENT_KEY_SIZE,
+ *                                          CTX_CLIENT_KEY_TYPE);
+ *
+ * see https://www.wolfssl.com/documentation/manuals/wolfssl/group__CertsKeys.html#function-wolfssl_ctx_use_privatekey_buffer
+ *
+ * Similarly, the other macros are for server certificates and keys:
+ *   `CTX_SERVER_CERT` and `CTX_SERVER_KEY` are available.
+ *
+ * The certificate and key names are typically `static const unsigned char`
+ * arrays. The [NAME]_size are typically `sizeof([array name])`, and the types
+ * are the known wolfSSL encoding type integers (e.g. WOLFSSL_FILETYPE_PEM).
+ *
+ * See `SSL_FILETYPE_[name]` in
+ *   https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/ssl.h
+ *
+ * See Abstract Syntax Notation One (ASN.1) in:
+ *   https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/wolfcrypt/asn.h
+ *
+ * Optional SM4 Ciphers:
+ *
+ * Although the SM ciphers are shown here, the `certs_test_sm.h` may not yet
+ * be available. See:
+ *   https://github.com/wolfSSL/wolfssl/pull/6825
+ *   https://github.com/wolfSSL/wolfsm
+ *
+ * Uncomment these 3 macros to enable the SM Ciphers and use the macros below.
+ */
+
+/*
+#define WOLFSSL_SM2
+#define WOLFSSL_SM3
+#define WOLFSSL_SM4
+*/
+
+/* Conditional macros used in wolfSSL TLS client and server examples */
+#if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4)
+    #include <wolfssl/certs_test_sm.h>
+    #define CTX_CA_CERT          root_sm2
+    #define CTX_CA_CERT_SIZE     sizeof_root_sm2
+    #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_PEM
+    #define CTX_SERVER_CERT      server_sm2
+    #define CTX_SERVER_CERT_SIZE sizeof_server_sm2
+    #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM
+    #define CTX_SERVER_KEY       server_sm2_priv
+    #define CTX_SERVER_KEY_SIZE  sizeof_server_sm2_priv
+    #define CTX_SERVER_KEY_TYPE  WOLFSSL_FILETYPE_PEM
+
+    #undef  WOLFSSL_BASE16
+    #define WOLFSSL_BASE16
+#else
+    #if defined(USE_CERT_BUFFERS_2048)
+        #include <wolfssl/certs_test.h>
+        #define CTX_CA_CERT          ca_cert_der_2048
+        #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_2048
+        #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
+
+        #define CTX_SERVER_CERT      server_cert_der_2048
+        #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048
+        #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1
+        #define CTX_SERVER_KEY       server_key_der_2048
+        #define CTX_SERVER_KEY_SIZE  sizeof_server_key_der_2048
+        #define CTX_SERVER_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
+
+        #define CTX_CLIENT_CERT      client_cert_der_2048
+        #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048
+        #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1
+        #define CTX_CLIENT_KEY       client_key_der_2048
+        #define CTX_CLIENT_KEY_SIZE  sizeof_client_key_der_2048
+        #define CTX_CLIENT_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
+
+    #elif defined(USE_CERT_BUFFERS_1024)
+        #include <wolfssl/certs_test.h>
+        #define CTX_CA_CERT          ca_cert_der_1024
+        #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_1024
+        #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
+
+        #define CTX_CLIENT_CERT      client_cert_der_1024
+        #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024
+        #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1
+        #define CTX_CLIENT_KEY       client_key_der_1024
+        #define CTX_CLIENT_KEY_SIZE  sizeof_client_key_der_1024
+        #define CTX_CLIENT_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
+
+        #define CTX_SERVER_CERT      server_cert_der_1024
+        #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_1024
+        #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1
+        #define CTX_SERVER_KEY       server_key_der_1024
+        #define CTX_SERVER_KEY_SIZE  sizeof_server_key_der_1024
+        #define CTX_SERVER_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
+    #else
+        /* Optionally define custom cert arrays, sizes, and types here */
+        #error "Must define USE_CERT_BUFFERS_2048 or USE_CERT_BUFFERS_1024"
+    #endif
+#endif /* Conditional key and cert constant names */
diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild
index aa1e1c661a..29e8092ab6 100644
--- a/linuxkm/Kbuild
+++ b/linuxkm/Kbuild
@@ -99,10 +99,8 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
     $(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS)
 endif
 
-ifeq "$(ENABLED_LINUXKM_BENCHMARKS)" "yes"
-    $(obj)/linuxkm/module_hooks.o: ccflags-y = $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS)
-    $(obj)/linuxkm/module_hooks.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_ENABLE_SIMD_DISABLE)
-endif
+$(obj)/wolfcrypt/benchmark/benchmark.o: ccflags-y = $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS) -DNO_MAIN_FUNCTION
+$(obj)/wolfcrypt/benchmark/benchmark.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_ENABLE_SIMD_DISABLE)
 
 asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPUSIMD_DISABLE)
 
diff --git a/linuxkm/Makefile b/linuxkm/Makefile
index 667015fbe0..4830458cc7 100644
--- a/linuxkm/Makefile
+++ b/linuxkm/Makefile
@@ -47,6 +47,10 @@ else
     WOLFSSL_CFLAGS+=-DNO_CRYPT_TEST
 endif
 
+ifeq "$(ENABLED_LINUXKM_BENCHMARKS)" "yes"
+    WOLFSSL_OBJ_FILES+=wolfcrypt/benchmark/benchmark.o
+endif
+
 ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
     WOLFCRYPT_PIE_FILES := linuxkm/pie_first.o $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o linuxkm/pie_last.o
     WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES))
diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c
index 76c104db9b..6030480eee 100644
--- a/linuxkm/module_hooks.c
+++ b/linuxkm/module_hooks.c
@@ -121,11 +121,7 @@ static int updateFipsHash(void);
 #endif
 
 #ifdef WOLFSSL_LINUXKM_BENCHMARKS
-#define STRING_USER
-#define NO_MAIN_FUNCTION
-#define current_time benchmark_current_time
-#define WOLFSSL_NO_FLOAT_FMT
-#include "wolfcrypt/benchmark/benchmark.c"
+extern int wolfcrypt_benchmark_main(int argc, char** argv);
 #endif /* WOLFSSL_LINUXKM_BENCHMARKS */
 
 #ifdef LINUXKM_LKCAPI_REGISTER
diff --git a/scripts/openssl.test b/scripts/openssl.test
index 9bd98e5f17..7cbe3833a4 100755
--- a/scripts/openssl.test
+++ b/scripts/openssl.test
@@ -1143,7 +1143,7 @@ do
                 do_wolfssl_client
                 psk=""
                 adh=""
-                openssl_psk="-psk 0123456789abcdef0123456789abcdef"
+                openssl_psk="-psk 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
                 open_temp_cases_total=$((open_temp_cases_total + 1))
                 port=$wolfssl_port
                 do_openssl_client
diff --git a/src/crl.c b/src/crl.c
index 3a64d28a76..3e61ec95e4 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -69,9 +69,9 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
     crl->cm = cm;
     crl->crlList  = NULL;
     crl->currentEntry = NULL;
+#ifdef HAVE_CRL_MONITOR
     crl->monitors[0].path = NULL;
     crl->monitors[1].path = NULL;
-#ifdef HAVE_CRL_MONITOR
     crl->tid = INVALID_THREAD_VAL;
     crl->mfd = WOLFSSL_CRL_MFD_INIT_VAL;
     crl->setup = 0; /* thread setup done predicate */
@@ -249,11 +249,13 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
 
     tmp = crl->crlList;
     WOLFSSL_ENTER("FreeCRL");
+#ifdef HAVE_CRL_MONITOR
     if (crl->monitors[0].path)
         XFREE(crl->monitors[0].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
 
     if (crl->monitors[1].path)
         XFREE(crl->monitors[1].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
+#endif
 
     XFREE(crl->currentEntry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
     crl->currentEntry = NULL;
@@ -840,6 +842,7 @@ static int DupX509_CRL(WOLFSSL_X509_CRL *dupl, const WOLFSSL_X509_CRL* crl)
         return BAD_FUNC_ARG;
     }
 
+#ifdef HAVE_CRL_MONITOR
     if (crl->monitors[0].path) {
         int pathSz = (int)XSTRLEN(crl->monitors[0].path) + 1;
         dupl->monitors[0].path = (char*)XMALLOC(pathSz, dupl->heap,
@@ -867,6 +870,7 @@ static int DupX509_CRL(WOLFSSL_X509_CRL *dupl, const WOLFSSL_X509_CRL* crl)
             return MEMORY_E;
         }
     }
+#endif
 
     dupl->crlList = DupCRL_list(crl->crlList, dupl->heap);
 #ifdef HAVE_CRL_IO
diff --git a/src/internal.c b/src/internal.c
index 596f986c3b..157e44749a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -24040,6 +24040,52 @@ static int CheckTLS13AEADSendLimit(WOLFSSL* ssl)
 }
 #endif /* WOLFSSL_TLS13 && !WOLFSSL_TLS13_IGNORE_AEAD_LIMITS */
 
+/**
+ * ssl_in_handshake():
+ * Invoked in wolfSSL_read/wolfSSL_write to check if wolfSSL_negotiate() is
+ * needed in the handshake.
+ *
+ * In TLSv1.2 negotiate until the end of the handshake, unless:
+ * 1 in SCR and sending data or
+ * 2 in SCR and we have plain data ready
+ * Early data logic may bypass this logic in TLSv1.3 when appropriate.
+ */
+static int ssl_in_handshake(WOLFSSL *ssl, int send)
+{
+    if (IsSCR(ssl)) {
+        if (send) {
+            /* allow sending data in SCR */
+            return 0;
+        } else {
+            /* allow reading buffered data in SCR */
+            if (ssl->buffers.clearOutputBuffer.length != 0)
+                return 0;
+        }
+        return 1;
+    }
+
+    if (ssl->options.handShakeState != HANDSHAKE_DONE)
+        return 1;
+
+    if (ssl->options.side == WOLFSSL_SERVER_END) {
+        if (IsAtLeastTLSv1_3(ssl->version))
+            return ssl->options.acceptState < TLS13_TICKET_SENT;
+        if (IsAtLeastTLSv1_2(ssl))
+            return ssl->options.acceptState < ACCEPT_THIRD_REPLY_DONE;
+        return 0;
+    }
+
+    if (ssl->options.side == WOLFSSL_CLIENT_END) {
+        if (IsAtLeastTLSv1_3(ssl->version))
+            return ssl->options.connectState < FINISHED_DONE;
+        if (IsAtLeastTLSv1_2(ssl))
+            return ssl->options.connectState < SECOND_REPLY_DONE;
+        return 0;
+    }
+
+    return 0;
+}
+
 int SendData(WOLFSSL* ssl, const void* data, int sz)
 {
     int sent = 0,  /* plainText size */
@@ -24091,7 +24137,7 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
     }
     else
 #endif
-    if (ssl->options.handShakeState != HANDSHAKE_DONE && !IsSCR(ssl)) {
+    if (ssl_in_handshake(ssl, 1)) {
         int err;
         WOLFSSL_MSG("handshake not complete, trying to finish");
         if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
@@ -24343,19 +24389,7 @@ int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
     else
 #endif
     {
-        int negotiate = 0;
-#ifdef HAVE_SECURE_RENEGOTIATION
-        if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
-            if (ssl->options.handShakeState != HANDSHAKE_DONE
-                && ssl->buffers.clearOutputBuffer.length == 0)
-                negotiate = 1;
-        }
-        else
-#endif
-        if (ssl->options.handShakeState != HANDSHAKE_DONE)
-            negotiate = 1;
-
-        if (negotiate) {
+        if (ssl_in_handshake(ssl, 0)) {
             int err;
             WOLFSSL_MSG("Handshake not complete, trying to finish");
             if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
@@ -29648,8 +29682,6 @@ typedef struct DskeArgs {
     word16 verifySigSz;
 #endif
     word16 sigSz;
-    byte   sigAlgo;
-    byte   hashAlgo;
 #if !defined(NO_RSA) && defined(WC_RSA_PSS)
     int    bits;
 #endif
@@ -29968,8 +30000,8 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
         XMEMSET(args, 0, sizeof(DskeArgs));
         args->idx = *inOutIdx;
         args->begin = *inOutIdx;
-        args->sigAlgo = ssl->specs.sig_algo;
-        args->hashAlgo = sha_mac;
+        ssl->options.peerSigAlgo = ssl->specs.sig_algo;
+        ssl->options.peerHashAlgo = sha_mac;
     #ifdef WOLFSSL_ASYNC_CRYPT
         ssl->async->freeArgs = FreeDskeArgs;
     #endif
@@ -30420,43 +30452,43 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                             ERROR_OUT(BUFFER_ERROR, exit_dske);
                         }
 
-                        DecodeSigAlg(&input[args->idx], &args->hashAlgo,
+                        DecodeSigAlg(&input[args->idx], &ssl->options.peerHashAlgo,
                                      &sigAlgo);
                     #ifndef NO_RSA
                         if (sigAlgo == rsa_pss_sa_algo &&
-                                                 args->sigAlgo == rsa_sa_algo) {
-                            args->sigAlgo = sigAlgo;
+                                                 ssl->options.peerSigAlgo == rsa_sa_algo) {
+                            ssl->options.peerSigAlgo = sigAlgo;
                         }
                         else
                     #endif
                     #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
                         if (sigAlgo == sm2_sa_algo &&
-                                             args->sigAlgo == ecc_dsa_sa_algo) {
-                            args->sigAlgo = sigAlgo;
+                                             ssl->options.peerSigAlgo == ecc_dsa_sa_algo) {
+                            ssl->options.peerSigAlgo = sigAlgo;
                         }
                         else
                     #endif
                     #ifdef HAVE_ED25519
                         if (sigAlgo == ed25519_sa_algo &&
-                                             args->sigAlgo == ecc_dsa_sa_algo) {
-                            args->sigAlgo = sigAlgo;
+                                             ssl->options.peerSigAlgo == ecc_dsa_sa_algo) {
+                            ssl->options.peerSigAlgo = sigAlgo;
                         }
                         else
                     #endif
                     #ifdef HAVE_ED448
                         if (sigAlgo == ed448_sa_algo &&
-                                             args->sigAlgo == ecc_dsa_sa_algo) {
-                            args->sigAlgo = sigAlgo;
+                                             ssl->options.peerSigAlgo == ecc_dsa_sa_algo) {
+                            ssl->options.peerSigAlgo = sigAlgo;
                         }
                         else
                     #endif
                         /* Signature algorithm from message must match signature
                          * algorithm in cipher suite. */
-                        if (sigAlgo != args->sigAlgo) {
+                        if (sigAlgo != ssl->options.peerSigAlgo) {
                             ERROR_OUT(ALGO_ID_E, exit_dske);
                         }
                         args->idx += 2;
-                        hashType = HashAlgoToType(args->hashAlgo);
+                        hashType = HashAlgoToType(ssl->options.peerHashAlgo);
                         if (hashType == WC_HASH_TYPE_NONE) {
                             ERROR_OUT(ALGO_ID_E, exit_dske);
                         }
@@ -30464,7 +30496,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                         /* only using sha and md5 for rsa */
                         #ifndef NO_OLD_TLS
                             hashType = WC_HASH_TYPE_SHA;
-                            if (args->sigAlgo == rsa_sa_algo) {
+                            if (ssl->options.peerSigAlgo == rsa_sa_algo) {
                                 hashType = WC_HASH_TYPE_MD5_SHA;
                             }
                         #else
@@ -30485,12 +30517,12 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                     }
 
                     ret = HashSkeData(ssl, hashType, input + args->begin,
-                        verifySz, args->sigAlgo);
+                        verifySz, ssl->options.peerSigAlgo);
                     if (ret != 0) {
                         goto exit_dske;
                     }
 
-                    switch (args->sigAlgo)
+                    switch (ssl->options.peerSigAlgo)
                     {
                     #ifndef NO_RSA
                     #ifdef WC_RSA_PSS
@@ -30538,7 +30570,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
 
                     default:
                         ret = ALGO_ID_E;
-                    } /* switch (args->sigAlgo) */
+                    } /* switch (ssl->options.peerSigAlgo) */
 
             #endif /* NO_DH && !HAVE_ECC && !HAVE_ED25519 && !HAVE_ED448 */
                     break;
@@ -30590,7 +30622,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                                                             args->verifySigSz);
                     }
 
-                    switch (args->sigAlgo)
+                    switch (ssl->options.peerSigAlgo)
                     {
                     #ifndef NO_RSA
                     #ifdef WC_RSA_PSS
@@ -30601,7 +30633,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                             ret = RsaVerify(ssl,
                                 args->verifySig, args->verifySigSz,
                                 &args->output,
-                                args->sigAlgo, args->hashAlgo,
+                                ssl->options.peerSigAlgo, ssl->options.peerHashAlgo,
                                 ssl->peerRsaKey,
                             #ifdef HAVE_PK_CALLBACKS
                                 &ssl->buffers.peerRsaKey
@@ -30639,7 +30671,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                         #ifdef HAVE_PK_CALLBACKS
                             if (ssl->ctx && ssl->ctx->ProcessServerSigKexCb) {
                                 ret = ssl->ctx->ProcessServerSigKexCb(ssl,
-                                    args->sigAlgo,
+                                    ssl->options.peerSigAlgo,
                                     args->verifySig, args->verifySigSz,
                                     ssl->buffers.sig.buffer, SEED_LEN,
                                     &ssl->buffers.sig.buffer[SEED_LEN],
@@ -30648,7 +30680,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                         #endif /* HAVE_PK_CALLBACKS */
                             if (ret == NOT_COMPILED_IN) {
                             #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
-                                if (args->sigAlgo == sm2_sa_algo) {
+                                if (ssl->options.peerSigAlgo == sm2_sa_algo) {
                                     ret = Sm2wSm3Verify(ssl,
                                         TLS12_SM2_SIG_ID, TLS12_SM2_SIG_ID_SZ,
                                         args->verifySig, args->verifySigSz,
@@ -30801,7 +30833,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                     /* increment index after verify is done */
                     args->idx += args->verifySigSz;
 
-                    switch(args->sigAlgo)
+                    switch(ssl->options.peerSigAlgo)
                     {
                     #ifndef NO_RSA
                     #ifdef WC_RSA_PSS
@@ -30811,13 +30843,13 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                                              ssl->buffers.digest.buffer,
                                              ssl->buffers.digest.length,
                                              args->output, args->sigSz,
-                                             HashAlgoToType(args->hashAlgo));
+                                             HashAlgoToType(ssl->options.peerHashAlgo));
                         #else
                             ret = wc_RsaPSS_CheckPadding_ex(
                                              ssl->buffers.digest.buffer,
                                              ssl->buffers.digest.length,
                                              args->output, args->sigSz,
-                                             HashAlgoToType(args->hashAlgo),
+                                             HashAlgoToType(ssl->options.peerHashAlgo),
                                              -1, args->bits);
                         #endif
                             if (ret != 0)
@@ -30857,7 +30889,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                                 encSigSz = wc_EncodeSignature(encodedSig,
                                     ssl->buffers.digest.buffer,
                                     ssl->buffers.digest.length,
-                                    TypeHash(args->hashAlgo));
+                                    TypeHash(ssl->options.peerHashAlgo));
                                 if (encSigSz != args->sigSz || !args->output ||
                                     XMEMCMP(args->output, encodedSig,
                                             min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) {
@@ -33047,6 +33079,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
             case PSK_KEY_ERROR:
             case INVALID_PARAMETER:
             case HRR_COOKIE_ERROR:
+            case BAD_BINDER:
                 return illegal_parameter;
             case INCOMPLETE_DATA:
                 return missing_extension;
@@ -36249,8 +36282,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         word32 sigSz;
         word32 idx;
         word32 begin;
-        byte   hashAlgo;
-        byte   sigAlgo;
     } DcvArgs;
 
     static void FreeDcvArgs(WOLFSSL* ssl, void* pArgs)
@@ -36299,8 +36330,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
             ret = 0;
             ssl->options.asyncState = TLS_ASYNC_BEGIN;
             XMEMSET(args, 0, sizeof(DcvArgs));
-            args->hashAlgo = sha_mac;
-            args->sigAlgo = anonymous_sa_algo;
+            ssl->options.peerHashAlgo = sha_mac;
+            ssl->options.peerSigAlgo = anonymous_sa_algo;
             args->idx = *inOutIdx;
             args->begin = *inOutIdx;
         #ifdef WOLFSSL_ASYNC_CRYPT
@@ -36331,34 +36362,34 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                         ERROR_OUT(BUFFER_ERROR, exit_dcv);
                     }
 
-                    DecodeSigAlg(&input[args->idx], &args->hashAlgo,
-                                 &args->sigAlgo);
+                    DecodeSigAlg(&input[args->idx], &ssl->options.peerHashAlgo,
+                                 &ssl->options.peerSigAlgo);
                     args->idx += 2;
                 }
             #ifndef NO_RSA
                 else if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0)
-                    args->sigAlgo = rsa_sa_algo;
+                    ssl->options.peerSigAlgo = rsa_sa_algo;
             #endif
             #ifdef HAVE_ECC
                 else if (ssl->peerEccDsaKeyPresent) {
                 #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
                     if (ssl->peerEccDsaKey->dp->id == ECC_SM2P256V1) {
-                        args->sigAlgo = sm2_sa_algo;
+                        ssl->options.peerSigAlgo = sm2_sa_algo;
                     }
                     else
                 #endif
                     {
-                        args->sigAlgo = ecc_dsa_sa_algo;
+                        ssl->options.peerSigAlgo = ecc_dsa_sa_algo;
                     }
                 }
             #endif
             #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
                 else if (ssl->peerEd25519KeyPresent)
-                    args->sigAlgo = ed25519_sa_algo;
+                    ssl->options.peerSigAlgo = ed25519_sa_algo;
             #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
             #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
                 else if (ssl->peerEd448KeyPresent)
-                    args->sigAlgo = ed448_sa_algo;
+                    ssl->options.peerSigAlgo = ed448_sa_algo;
             #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
 
                 if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
@@ -36394,15 +36425,15 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                 #endif
 
                     if (IsAtLeastTLSv1_2(ssl)) {
-                        if (args->sigAlgo != ecc_dsa_sa_algo
+                        if (ssl->options.peerSigAlgo != ecc_dsa_sa_algo
                         #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
-                            && args->sigAlgo != sm2_sa_algo
+                            && ssl->options.peerSigAlgo != sm2_sa_algo
                         #endif
                             ) {
                             WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
                         }
 
-                        SetDigest(ssl, args->hashAlgo);
+                        SetDigest(ssl, ssl->options.peerHashAlgo);
                     }
                 }
             #endif /* HAVE_ECC */
@@ -36410,7 +36441,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                 if (ssl->peerEd25519KeyPresent) {
                     WOLFSSL_MSG("Doing ED25519 peer cert verify");
                     if (IsAtLeastTLSv1_2(ssl) &&
-                                             args->sigAlgo != ed25519_sa_algo) {
+                                             ssl->options.peerSigAlgo != ed25519_sa_algo) {
                         WOLFSSL_MSG(
                                "Oops, peer sent ED25519 key but not in verify");
                     }
@@ -36420,7 +36451,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                 if (ssl->peerEd448KeyPresent) {
                     WOLFSSL_MSG("Doing ED448 peer cert verify");
                     if (IsAtLeastTLSv1_2(ssl) &&
-                                               args->sigAlgo != ed448_sa_algo) {
+                                               ssl->options.peerSigAlgo != ed448_sa_algo) {
                         WOLFSSL_MSG(
                                  "Oops, peer sent ED448 key but not in verify");
                     }
@@ -36442,7 +36473,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                         input + args->idx,
                         args->sz,
                         &args->output,
-                        args->sigAlgo, args->hashAlgo,
+                        ssl->options.peerSigAlgo, ssl->options.peerHashAlgo,
                         ssl->peerRsaKey,
                     #ifdef HAVE_PK_CALLBACKS
                         &ssl->buffers.peerRsaKey
@@ -36451,7 +36482,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                     #endif
                     );
                     if (ret >= 0) {
-                        if (args->sigAlgo == rsa_sa_algo)
+                        if (ssl->options.peerSigAlgo == rsa_sa_algo)
                             args->sendSz = ret;
                         else {
                             args->sigSz = ret;
@@ -36466,7 +36497,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                     WOLFSSL_MSG("Doing ECC peer cert verify");
 
                 #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
-                    if (args->sigAlgo == sm2_sa_algo) {
+                    if (ssl->options.peerSigAlgo == sm2_sa_algo) {
                         ret = Sm2wSm3Verify(ssl,
                             TLS12_SM2_SIG_ID, TLS12_SM2_SIG_ID_SZ,
                             input + args->idx, args->sz,
@@ -36561,21 +36592,21 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                 if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
                     if (IsAtLeastTLSv1_2(ssl)) {
                     #ifdef WC_RSA_PSS
-                        if (args->sigAlgo == rsa_pss_sa_algo) {
-                            SetDigest(ssl, args->hashAlgo);
+                        if (ssl->options.peerSigAlgo == rsa_pss_sa_algo) {
+                            SetDigest(ssl, ssl->options.peerHashAlgo);
 
                         #ifdef HAVE_SELFTEST
                             ret = wc_RsaPSS_CheckPadding(
                                             ssl->buffers.digest.buffer,
                                             ssl->buffers.digest.length,
                                             args->output, args->sigSz,
-                                            HashAlgoToType(args->hashAlgo));
+                                            HashAlgoToType(ssl->options.peerHashAlgo));
                         #else
                             ret = wc_RsaPSS_CheckPadding_ex(
                                             ssl->buffers.digest.buffer,
                                             ssl->buffers.digest.length,
                                             args->output, args->sigSz,
-                                            HashAlgoToType(args->hashAlgo), -1,
+                                            HashAlgoToType(ssl->options.peerHashAlgo), -1,
                                             mp_count_bits(&ssl->peerRsaKey->n));
                         #endif
                             if (ret != 0) {
@@ -36596,17 +36627,17 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                             }
                         #endif
 
-                            if (args->sigAlgo != rsa_sa_algo) {
+                            if (ssl->options.peerSigAlgo != rsa_sa_algo) {
                                 WOLFSSL_MSG("Oops, peer sent RSA key but not "
                                             "in verify");
                             }
 
-                            SetDigest(ssl, args->hashAlgo);
+                            SetDigest(ssl, ssl->options.peerHashAlgo);
 
                             args->sigSz = wc_EncodeSignature(encodedSig,
                                 ssl->buffers.digest.buffer,
                                 ssl->buffers.digest.length,
-                                TypeHash(args->hashAlgo));
+                                TypeHash(ssl->options.peerHashAlgo));
 
                             if (args->sendSz != args->sigSz || !args->output ||
                                 XMEMCMP(args->output, encodedSig,
diff --git a/src/ssl.c b/src/ssl.c
index 16c61dec73..aae12f0b23 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -5954,6 +5954,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
         cert->permittedNames = NULL;
         cert->excludedNames = NULL;
     #endif
+        signer->type = (byte)type;
 
     #ifndef NO_SKID
         row = HashSigner(signer->subjectKeyIdHash);
@@ -16355,6 +16356,22 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
         return wolfSSL_CertManagerUnloadCAs(ctx->cm);
     }
 
+    int wolfSSL_CTX_UnloadIntermediateCerts(WOLFSSL_CTX* ctx)
+    {
+        WOLFSSL_ENTER("wolfSSL_CTX_UnloadIntermediateCerts");
+
+        if (ctx == NULL)
+            return BAD_FUNC_ARG;
+
+        if (ctx->ref.count > 1) {
+            WOLFSSL_MSG("ctx object must have a ref count of 1 before "
+                        "unloading intermediate certs");
+            return BAD_STATE_E;
+        }
+
+        return wolfSSL_CertManagerUnloadIntermediateCerts(ctx->cm);
+    }
+
 
 #ifdef WOLFSSL_TRUST_PEER_CERT
     int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX* ctx)
@@ -24612,119 +24629,167 @@ int wolfSSL_set1_sigalgs_list(WOLFSSL* ssl, const char* list)
     return SetSuitesHashSigAlgo(ssl->suites, list);
 }
 
-struct WOLFSSL_HashSigInfo {
-    int hashAlgo;
-    int sigAlgo;
-    int nid;
-}  wolfssl_hash_sig_info[] =
+static int HashToNid(byte hashAlgo, int* nid)
 {
-#ifndef NO_RSA
-    #ifndef NO_SHA256
-        { sha256_mac, rsa_sa_algo, CTC_SHA256wRSA },
-    #endif
-    #ifdef WOLFSSL_SHA384
-        { sha384_mac, rsa_sa_algo, CTC_SHA384wRSA },
-    #endif
-    #ifdef WOLFSSL_SHA512
-        { sha512_mac, rsa_sa_algo, CTC_SHA512wRSA },
-    #endif
-    #ifdef WOLFSSL_SHA224
-        { sha224_mac, rsa_sa_algo, CTC_SHA224wRSA },
-    #endif
-    #ifndef NO_SHA
-        { sha_mac,    rsa_sa_algo, CTC_SHAwRSA },
-    #endif
-    #ifdef WC_RSA_PSS
-        #ifndef NO_SHA256
-            { sha256_mac, rsa_pss_sa_algo, CTC_SHA256wRSA },
-        #endif
-        #ifdef WOLFSSL_SHA384
-            { sha384_mac, rsa_pss_sa_algo, CTC_SHA384wRSA },
-        #endif
-        #ifdef WOLFSSL_SHA512
-            { sha512_mac, rsa_pss_sa_algo, CTC_SHA512wRSA },
-        #endif
-        #ifdef WOLFSSL_SHA224
-            { sha224_mac, rsa_pss_sa_algo, CTC_SHA224wRSA },
-        #endif
-    #endif
-#endif
-#ifdef HAVE_ECC
-    #ifndef NO_SHA256
-        { sha256_mac, ecc_dsa_sa_algo, CTC_SHA256wECDSA },
-    #endif
-    #ifdef WOLFSSL_SHA384
-        { sha384_mac, ecc_dsa_sa_algo, CTC_SHA384wECDSA },
-    #endif
-    #ifdef WOLFSSL_SHA512
-        { sha512_mac, ecc_dsa_sa_algo, CTC_SHA512wECDSA },
-    #endif
-    #ifdef WOLFSSL_SHA224
-        { sha224_mac, ecc_dsa_sa_algo, CTC_SHA224wECDSA },
-    #endif
-    #ifndef NO_SHA
-        { sha_mac,    ecc_dsa_sa_algo, CTC_SHAwECDSA },
-    #endif
-#endif
-#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
-    { sm3_mac, sm2_sa_algo, CTC_SM3wSM2 },
-#endif
+    int ret = WOLFSSL_SUCCESS;
+
+    /* Cast for compiler to check everything is implemented */
+    switch ((enum wc_MACAlgorithm)hashAlgo) {
+        case no_mac:
+        case rmd_mac:
+            *nid = NID_undef;
+            break;
+        case md5_mac:
+            *nid = NID_md5;
+            break;
+        case sha_mac:
+            *nid = NID_sha1;
+            break;
+        case sha224_mac:
+            *nid = NID_sha224;
+            break;
+        case sha256_mac:
+            *nid = NID_sha256;
+            break;
+        case sha384_mac:
+            *nid = NID_sha384;
+            break;
+        case sha512_mac:
+            *nid = NID_sha512;
+            break;
+        case blake2b_mac:
+            *nid = NID_blake2b512;
+            break;
+        case sm3_mac:
+            *nid = NID_sm3;
+            break;
+        default:
+            ret = WOLFSSL_FAILURE;
+            break;
+    }
+
+    return ret;
+}
+
+static int SaToNid(byte sa, int* nid)
+{
+    int ret = WOLFSSL_SUCCESS;
+    /* Cast for compiler to check everything is implemented */
+    switch ((enum SignatureAlgorithm)sa) {
+        case anonymous_sa_algo:
+            *nid = NID_undef;
+            break;
+        case rsa_sa_algo:
+            *nid = NID_rsaEncryption;
+            break;
+        case dsa_sa_algo:
+            *nid = NID_dsa;
+            break;
+        case ecc_dsa_sa_algo:
+            *nid = NID_X9_62_id_ecPublicKey;
+            break;
+        case rsa_pss_sa_algo:
+            *nid = NID_rsassaPss;
+            break;
+        case ed25519_sa_algo:
 #ifdef HAVE_ED25519
-    { no_mac, ed25519_sa_algo, CTC_ED25519 },
+            *nid = NID_ED25519;
+#else
+            ret = WOLFSSL_FAILURE;
 #endif
+            break;
+        case rsa_pss_pss_algo:
+            *nid = NID_rsassaPss;
+            break;
+        case ed448_sa_algo:
 #ifdef HAVE_ED448
-    { no_mac, ed448_sa_algo, CTC_ED448 },
-#endif
-#ifdef HAVE_PQC
-#ifdef HAVE_FALCON
-    { no_mac, falcon_level1_sa_algo, CTC_FALCON_LEVEL1 },
-    { no_mac, falcon_level5_sa_algo, CTC_FALCON_LEVEL5 },
-#endif /* HAVE_FALCON */
-#ifdef HAVE_DILITHIUM
-    { no_mac, dilithium_level2_sa_algo, CTC_DILITHIUM_LEVEL2 },
-    { no_mac, dilithium_level3_sa_algo, CTC_DILITHIUM_LEVEL3 },
-    { no_mac, dilithium_level5_sa_algo, CTC_DILITHIUM_LEVEL5 },
-#endif /* HAVE_DILITHIUM */
-#endif /* HAVE_PQC */
-#ifndef NO_DSA
-    #ifndef NO_SHA
-        { sha_mac,    dsa_sa_algo, CTC_SHAwDSA },
-    #endif
+            *nid = NID_ED448;
+#else
+            ret = WOLFSSL_FAILURE;
 #endif
-};
-#define WOLFSSL_HASH_SIG_INFO_SZ \
-    (int)(sizeof(wolfssl_hash_sig_info)/sizeof(*wolfssl_hash_sig_info))
+            break;
+        case falcon_level1_sa_algo:
+            *nid = CTC_FALCON_LEVEL1;
+            break;
+        case falcon_level5_sa_algo:
+            *nid = CTC_FALCON_LEVEL5;
+            break;
+        case dilithium_level2_sa_algo:
+            *nid = CTC_DILITHIUM_LEVEL2;
+            break;
+        case dilithium_level3_sa_algo:
+            *nid = CTC_DILITHIUM_LEVEL3;
+            break;
+        case dilithium_level5_sa_algo:
+            *nid = CTC_DILITHIUM_LEVEL5;
+            break;
+        case sm2_sa_algo:
+            *nid = NID_sm2;
+            break;
+        case invalid_sa_algo:
+        default:
+            ret = WOLFSSL_FAILURE;
+            break;
+    }
+    return ret;
+}
 
+/* This API returns the hash selected. */
 int wolfSSL_get_signature_nid(WOLFSSL *ssl, int* nid)
 {
-    int i;
-    int ret = WOLFSSL_FAILURE;
-
     WOLFSSL_MSG("wolfSSL_get_signature_nid");
 
-    if (ssl == NULL) {
+    if (ssl == NULL || nid == NULL) {
         WOLFSSL_MSG("Bad function arguments");
         return WOLFSSL_FAILURE;
     }
 
-    for (i = 0; i < WOLFSSL_HASH_SIG_INFO_SZ; i++) {
-        if (ssl->options.hashAlgo == wolfssl_hash_sig_info[i].hashAlgo &&
-                     ssl->options.sigAlgo == wolfssl_hash_sig_info[i].sigAlgo) {
-            *nid = wolfssl_hash_sig_info[i].nid;
-            ret = WOLFSSL_SUCCESS;
-            break;
-        }
+    return HashToNid(ssl->options.hashAlgo, nid);
+}
+
+/* This API returns the signature selected. */
+int wolfSSL_get_signature_type_nid(const WOLFSSL* ssl, int* nid)
+{
+    WOLFSSL_MSG("wolfSSL_get_signature_type_nid");
+
+    if (ssl == NULL || nid == NULL) {
+        WOLFSSL_MSG("Bad function arguments");
+        return WOLFSSL_FAILURE;
     }
 
-    return ret;
+    return SaToNid(ssl->options.sigAlgo, nid);
+}
+
+int wolfSSL_get_peer_signature_nid(WOLFSSL* ssl, int* nid)
+{
+    WOLFSSL_MSG("wolfSSL_get_peer_signature_nid");
+
+    if (ssl == NULL || nid == NULL) {
+        WOLFSSL_MSG("Bad function arguments");
+        return WOLFSSL_FAILURE;
+    }
+
+    return HashToNid(ssl->options.peerHashAlgo, nid);
+}
+
+int wolfSSL_get_peer_signature_type_nid(const WOLFSSL* ssl, int* nid)
+{
+    WOLFSSL_MSG("wolfSSL_get_peer_signature_type_nid");
+
+    if (ssl == NULL || nid == NULL) {
+        WOLFSSL_MSG("Bad function arguments");
+        return WOLFSSL_FAILURE;
+    }
+
+    return SaToNid(ssl->options.peerSigAlgo, nid);
 }
 
 #ifdef HAVE_ECC
 
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
-static int populate_groups(int* groups, int max_count, char *list)
+static int populate_groups(int* groups, int max_count, const char *list)
 {
-    char *end;
+    const char *end;
     int count = 0;
     const WOLF_EC_NIST_NAME* nist_name;
 
@@ -24764,7 +24829,7 @@ static int populate_groups(int* groups, int max_count, char *list)
     return count;
 }
 
-int wolfSSL_CTX_set1_groups_list(WOLFSSL_CTX *ctx, char *list)
+int wolfSSL_CTX_set1_groups_list(WOLFSSL_CTX *ctx, const char *list)
 {
     int groups[WOLFSSL_MAX_GROUP_COUNT];
     int count = 0;
@@ -24781,7 +24846,7 @@ int wolfSSL_CTX_set1_groups_list(WOLFSSL_CTX *ctx, char *list)
     return wolfSSL_CTX_set1_groups(ctx, groups, count);
 }
 
-int wolfSSL_set1_groups_list(WOLFSSL *ssl, char *list)
+int wolfSSL_set1_groups_list(WOLFSSL *ssl, const char *list)
 {
     int groups[WOLFSSL_MAX_GROUP_COUNT];
     int count = 0;
diff --git a/src/ssl_certman.c b/src/ssl_certman.c
index 84f51df209..e074996afc 100644
--- a/src/ssl_certman.c
+++ b/src/ssl_certman.c
@@ -457,6 +457,31 @@ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm)
     return ret;
 }
 
+int wolfSSL_CertManagerUnloadIntermediateCerts(WOLFSSL_CERT_MANAGER* cm)
+{
+    int ret = WOLFSSL_SUCCESS;
+
+    WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCerts");
+
+    /* Validate parameter. */
+    if (cm == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    /* Lock CA table. */
+    if ((ret == WOLFSSL_SUCCESS) && (wc_LockMutex(&cm->caLock) != 0)) {
+        ret = BAD_MUTEX_E;
+    }
+    if (ret == WOLFSSL_SUCCESS) {
+        /* Dispose of CA table. */
+        FreeSignerTableType(cm->caTable, CA_TABLE_SIZE, WOLFSSL_CHAIN_CA,
+                cm->heap);
+
+        /* Unlock CA table. */
+        wc_UnLockMutex(&cm->caLock);
+    }
+
+    return ret;
+}
 
 #ifdef WOLFSSL_TRUST_PEER_CERT
 /* Unload the trusted peers table.
diff --git a/src/tls.c b/src/tls.c
index 2e367c5ace..588c1642ce 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -182,6 +182,7 @@ int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
     byte handshake_hash[HSHASH_SZ];
 #else
     WC_DECLARE_VAR(handshake_hash, byte, HSHASH_SZ, ssl->heap);
+    WC_ALLOC_VAR(handshake_hash, byte, HSHASH_SZ, ssl->heap);
     if (handshake_hash == NULL)
         return MEMORY_E;
 #endif
@@ -317,6 +318,7 @@ static int _DeriveTlsKeys(byte* key_dig, word32 key_dig_len,
     int ret;
 #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
     WC_DECLARE_VAR(seed, byte, SEED_LEN, heap);
+    WC_ALLOC_VAR(seed, byte, SEED_LEN, heap);
     if (seed == NULL)
         return MEMORY_E;
 #else
@@ -422,6 +424,7 @@ static int _MakeTlsMasterSecret(byte* ms, word32 msLen,
     byte seed[SEED_LEN];
 #else
     WC_DECLARE_VAR(seed, byte, SEED_LEN, heap);
+    WC_ALLOC_VAR(seed, byte, SEED_LEN, heap);
     if (seed == NULL)
         return MEMORY_E;
 #endif
diff --git a/src/tls13.c b/src/tls13.c
index cf4a5a1864..cb27926d09 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -9420,8 +9420,6 @@ typedef struct Dcv13Args {
     word32 sigSz;
     word32 idx;
     word32 begin;
-    byte   hashAlgo;
-    byte   sigAlgo;
 
     byte*  sigData;
     word16 sigDataSz;
@@ -9575,8 +9573,8 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
         ret = 0;
         ssl->options.asyncState = TLS_ASYNC_BEGIN;
         XMEMSET(args, 0, sizeof(Dcv13Args));
-        args->hashAlgo = sha_mac;
-        args->sigAlgo = anonymous_sa_algo;
+        ssl->options.peerHashAlgo = sha_mac;
+        ssl->options.peerSigAlgo = anonymous_sa_algo;
         args->idx = *inOutIdx;
         args->begin = *inOutIdx;
     #ifdef WOLFSSL_ASYNC_CRYPT
@@ -9625,14 +9623,14 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                 *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_NATIVE ||
                 *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
 #endif /* WOLFSSL_DUAL_ALG_CERTS */
-                ret = DecodeTls13SigAlg(input + args->idx, &args->hashAlgo,
-                                        &args->sigAlgo);
+                ret = DecodeTls13SigAlg(input + args->idx,
+                        &ssl->options.peerHashAlgo, &ssl->options.peerSigAlgo);
 #ifdef WOLFSSL_DUAL_ALG_CERTS
             }
             else {
                 ret = DecodeTls13HybridSigAlg(input + args->idx,
-                                              &args->hashAlgo,
-                                              &args->sigAlgo,
+                                              &ssl->options.peerHashAlgo,
+                                              &ssl->options.peerSigAlgo,
                                               &args->altSigAlgo);
             }
 #endif /* WOLFSSL_DUAL_ALG_CERTS */
@@ -9661,7 +9659,7 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
 
                 word16 sa;
                 if (args->altSigAlgo == 0)
-                    sa = args->sigAlgo;
+                    sa = ssl->options.peerSigAlgo;
                 else
                     sa = args->altSigAlgo;
 
@@ -9747,66 +9745,66 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
             /* Assume invalid unless signature algo matches the key provided */
             validSigAlgo = 0;
         #ifdef HAVE_ED25519
-            if (args->sigAlgo == ed25519_sa_algo) {
+            if (ssl->options.peerSigAlgo == ed25519_sa_algo) {
                 WOLFSSL_MSG("Peer sent ED25519 sig");
                 validSigAlgo = (ssl->peerEd25519Key != NULL) &&
                                                      ssl->peerEd25519KeyPresent;
             }
         #endif
         #ifdef HAVE_ED448
-            if (args->sigAlgo == ed448_sa_algo) {
+            if (ssl->options.peerSigAlgo == ed448_sa_algo) {
                 WOLFSSL_MSG("Peer sent ED448 sig");
                 validSigAlgo = (ssl->peerEd448Key != NULL) &&
                                                        ssl->peerEd448KeyPresent;
             }
         #endif
         #ifdef HAVE_ECC
-            if (args->sigAlgo == ecc_dsa_sa_algo) {
+            if (ssl->options.peerSigAlgo == ecc_dsa_sa_algo) {
                 WOLFSSL_MSG("Peer sent ECC sig");
                 validSigAlgo = (ssl->peerEccDsaKey != NULL) &&
                                                       ssl->peerEccDsaKeyPresent;
             }
         #endif
         #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
-            if (args->sigAlgo == sm2_sa_algo) {
+            if (ssl->options.peerSigAlgo == sm2_sa_algo) {
                 WOLFSSL_MSG("Peer sent SM2 sig");
                 validSigAlgo = (ssl->peerEccDsaKey != NULL) &&
                                                       ssl->peerEccDsaKeyPresent;
             }
         #endif
         #ifdef HAVE_PQC
-            if (args->sigAlgo == falcon_level1_sa_algo) {
+            if (ssl->options.peerSigAlgo == falcon_level1_sa_algo) {
                 WOLFSSL_MSG("Peer sent Falcon Level 1 sig");
                 validSigAlgo = (ssl->peerFalconKey != NULL) &&
                                ssl->peerFalconKeyPresent;
             }
-            if (args->sigAlgo == falcon_level5_sa_algo) {
+            if (ssl->options.peerSigAlgo == falcon_level5_sa_algo) {
                 WOLFSSL_MSG("Peer sent Falcon Level 5 sig");
                 validSigAlgo = (ssl->peerFalconKey != NULL) &&
                                ssl->peerFalconKeyPresent;
             }
-            if (args->sigAlgo == dilithium_level2_sa_algo) {
+            if (ssl->options.peerSigAlgo == dilithium_level2_sa_algo) {
                 WOLFSSL_MSG("Peer sent Dilithium Level 2 sig");
                 validSigAlgo = (ssl->peerDilithiumKey != NULL) &&
                                ssl->peerDilithiumKeyPresent;
             }
-            if (args->sigAlgo == dilithium_level3_sa_algo) {
+            if (ssl->options.peerSigAlgo == dilithium_level3_sa_algo) {
                 WOLFSSL_MSG("Peer sent Dilithium Level 3 sig");
                 validSigAlgo = (ssl->peerDilithiumKey != NULL) &&
                                ssl->peerDilithiumKeyPresent;
             }
-            if (args->sigAlgo == dilithium_level5_sa_algo) {
+            if (ssl->options.peerSigAlgo == dilithium_level5_sa_algo) {
                 WOLFSSL_MSG("Peer sent Dilithium Level 5 sig");
                 validSigAlgo = (ssl->peerDilithiumKey != NULL) &&
                                ssl->peerDilithiumKeyPresent;
             }
         #endif
         #ifndef NO_RSA
-            if (args->sigAlgo == rsa_sa_algo) {
+            if (ssl->options.peerSigAlgo == rsa_sa_algo) {
                 WOLFSSL_MSG("Peer sent PKCS#1.5 algo - not valid TLS 1.3");
                 ERROR_OUT(INVALID_PARAMETER, exit_dcv);
             }
-            if (args->sigAlgo == rsa_pss_sa_algo) {
+            if (ssl->options.peerSigAlgo == rsa_pss_sa_algo) {
                 WOLFSSL_MSG("Peer sent RSA sig");
                 validSigAlgo = (ssl->peerRsaKey != NULL) &&
                                                          ssl->peerRsaKeyPresent;
@@ -9830,10 +9828,10 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                  * don't do:
                  *   sig->length -= args->altSignatureSz; */
                 #define RSA3072_SIG_LEN 384
-                if (args->sigAlgo == rsa_pss_sa_algo) {
+                if (ssl->options.peerSigAlgo == rsa_pss_sa_algo) {
                     sig->length = RSA3072_SIG_LEN;
                 }
-                else if (args->sigAlgo == ecc_dsa_sa_algo) {
+                else if (ssl->options.peerSigAlgo == ecc_dsa_sa_algo) {
                     word32 tmpIdx = args->idx;
                     sig->length = wc_SignatureGetSize(WC_SIGNATURE_TYPE_ECC,
                                       ssl->peerEccDsaKey,
@@ -9873,11 +9871,11 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                 if (ret != 0)
                     goto exit_dcv;
             #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
-                if (args->sigAlgo != sm2_sa_algo)
+                if (ssl->options.peerSigAlgo != sm2_sa_algo)
             #endif
                 {
                     ret = CreateECCEncodedSig(args->sigData,
-                        args->sigDataSz, args->hashAlgo);
+                        args->sigDataSz, ssl->options.peerHashAlgo);
                     if (ret < 0)
                         goto exit_dcv;
                     args->sigDataSz = (word16)ret;
@@ -9957,7 +9955,7 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
         #ifndef NO_RSA
             if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
                 ret = RsaVerify(ssl, sig->buffer, (word32)sig->length, &args->output,
-                    args->sigAlgo, args->hashAlgo, ssl->peerRsaKey,
+                    ssl->options.peerSigAlgo, ssl->options.peerHashAlgo, ssl->peerRsaKey,
                 #ifdef HAVE_PK_CALLBACKS
                     &ssl->buffers.peerRsaKey
                 #else
@@ -9973,7 +9971,7 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
         #ifdef HAVE_ECC
             if (ssl->peerEccDsaKeyPresent) {
             #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
-                if (args->sigAlgo == sm2_sa_algo) {
+                if (ssl->options.peerSigAlgo == sm2_sa_algo) {
                     ret = Sm2wSm3Verify(ssl, TLS13_SM2_SIG_ID,
                         TLS13_SM2_SIG_ID_SZ, input + args->idx, args->sz,
                         args->sigData, args->sigDataSz,
@@ -10153,8 +10151,8 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
         {
         #if !defined(NO_RSA) && defined(WC_RSA_PSS)
             if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
-                ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
-                                        args->output, args->sendSz);
+                ret = CheckRSASignature(ssl, ssl->options.peerSigAlgo,
+                        ssl->options.peerHashAlgo, args->output, args->sendSz);
                 if (ret != 0)
                     goto exit_dcv;
 
@@ -14357,6 +14355,7 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
     if (!IsAtLeastTLSv1_3(ssl->version))
         return BAD_FUNC_ARG;
 
+    *outSz = 0;
 #ifndef NO_WOLFSSL_SERVER
     if (ssl->options.side == WOLFSSL_CLIENT_END)
         return SIDE_ERROR;
diff --git a/tests/api.c b/tests/api.c
index d5d710ef23..1d7c55d410 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -441,6 +441,7 @@ typedef struct test_ssl_cbf {
     ctx_cb ctx_ready;
     ssl_cb ssl_ready;
     ssl_cb on_result;
+    ctx_cb on_ctx_cleanup;
     ssl_cb on_cleanup;
     hs_cb  on_handshake;
     WOLFSSL_CTX* ctx;
@@ -6149,8 +6150,10 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
     int c_sharedCtx = 0;
     int s_sharedCtx = 0;
 #endif
-    const char* certFile = svrCertFile;
-    const char* keyFile = svrKeyFile;
+    const char* clientCertFile = cliCertFile;
+    const char* clientKeyFile = cliKeyFile;
+    const char* serverCertFile = svrCertFile;
+    const char* serverKeyFile = svrKeyFile;
 
     /********************************
      * Create WOLFSSL_CTX for client.
@@ -6182,13 +6185,19 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
     else
         ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx,
                 caCertFile, 0), WOLFSSL_SUCCESS);
+    if (ctx->c_cb.certPemFile != NULL) {
+        clientCertFile = ctx->c_cb.certPemFile;
+    }
+    if (ctx->c_cb.keyPemFile != NULL) {
+        clientKeyFile = ctx->c_cb.keyPemFile;
+    }
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
     if (!c_sharedCtx)
 #endif
     {
         ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx->c_ctx,
-            cliCertFile), WOLFSSL_SUCCESS);
-        ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx->c_ctx, cliKeyFile,
+            clientCertFile), WOLFSSL_SUCCESS);
+        ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx->c_ctx, clientKeyFile,
             WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
     }
 #ifdef HAVE_CRL
@@ -6255,23 +6264,23 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
     wolfSSL_CTX_set_default_passwd_cb(ctx->s_ctx, PasswordCallBack);
 #endif
     if (ctx->s_cb.certPemFile != NULL) {
-        certFile = ctx->s_cb.certPemFile;
+        serverCertFile = ctx->s_cb.certPemFile;
     }
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
     if (!s_sharedCtx)
 #endif
     {
         ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx->s_ctx,
-            certFile), WOLFSSL_SUCCESS);
+            serverCertFile), WOLFSSL_SUCCESS);
     }
     if (ctx->s_cb.keyPemFile != NULL) {
-        keyFile = ctx->s_cb.keyPemFile;
+        serverKeyFile = ctx->s_cb.keyPemFile;
     }
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
     if (!s_sharedCtx)
 #endif
     {
-        ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx->s_ctx, keyFile,
+        ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx->s_ctx, serverKeyFile,
             WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
     }
     if (ctx->s_ciphers != NULL) {
@@ -6295,9 +6304,9 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
 #endif
         )
     {
-        ExpectIntEQ(wolfSSL_use_certificate_chain_file(ctx->c_ssl, cliCertFile),
-            WOLFSSL_SUCCESS);
-        ExpectIntEQ(wolfSSL_use_PrivateKey_file(ctx->c_ssl, cliKeyFile,
+        ExpectIntEQ(wolfSSL_use_certificate_chain_file(ctx->c_ssl,
+                clientCertFile), WOLFSSL_SUCCESS);
+        ExpectIntEQ(wolfSSL_use_PrivateKey_file(ctx->c_ssl, clientKeyFile,
             WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
     }
     if (ctx->c_cb.ssl_ready != NULL) {
@@ -6316,9 +6325,9 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
 #endif
         )
     {
-        ExpectIntEQ(wolfSSL_use_certificate_chain_file(ctx->s_ssl, certFile),
-            WOLFSSL_SUCCESS);
-        ExpectIntEQ(wolfSSL_use_PrivateKey_file(ctx->s_ssl, keyFile,
+        ExpectIntEQ(wolfSSL_use_certificate_chain_file(ctx->s_ssl,
+                serverCertFile), WOLFSSL_SUCCESS);
+        ExpectIntEQ(wolfSSL_use_PrivateKey_file(ctx->s_ssl, serverKeyFile,
             WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
     }
 #if !defined(NO_FILESYSTEM) && !defined(NO_DH)
@@ -6360,6 +6369,9 @@ static int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds,
                 err = wolfSSL_get_error(ctx->c_ssl, ret);
                 if (err != WOLFSSL_ERROR_WANT_READ &&
                     err != WOLFSSL_ERROR_WANT_WRITE) {
+                    char buff[WOLFSSL_MAX_ERROR_SZ];
+                    fprintf(stderr, "error = %d, %s\n", err,
+                        wolfSSL_ERR_error_string(err, buff));
                     failing_c = 1;
                     hs_c = 1;
                     if (failing_c && failing_s) {
@@ -6379,6 +6391,9 @@ static int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds,
                 err = wolfSSL_get_error(ctx->s_ssl, ret);
                 if (err != WOLFSSL_ERROR_WANT_READ &&
                     err != WOLFSSL_ERROR_WANT_WRITE) {
+                    char buff[WOLFSSL_MAX_ERROR_SZ];
+                    fprintf(stderr, "error = %d, %s\n", err,
+                        wolfSSL_ERR_error_string(err, buff));
                     failing_s = 1;
                     hs_s = 1;
                     if (failing_c && failing_s) {
@@ -6394,7 +6409,7 @@ static int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds,
         }
     }
 
-    if (!handshake_complete) {
+    if (!handshake_complete || failing_c || failing_s) {
         return TEST_FAIL;
     }
 
@@ -6462,14 +6477,20 @@ static void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx)
     wolfSSL_shutdown(ctx->c_ssl);
     wolfSSL_free(ctx->s_ssl);
     wolfSSL_free(ctx->c_ssl);
-    if (!ctx->s_cb.isSharedCtx) {
-        wolfSSL_CTX_free(ctx->s_ctx);
-        ctx->s_ctx = NULL;
+    if (ctx->c_cb.on_ctx_cleanup != NULL) {
+        ctx->c_cb.on_ctx_cleanup(ctx->c_ctx);
     }
     if (!ctx->c_cb.isSharedCtx) {
         wolfSSL_CTX_free(ctx->c_ctx);
         ctx->c_ctx = NULL;
     }
+    if (ctx->s_cb.on_ctx_cleanup != NULL) {
+        ctx->s_cb.on_ctx_cleanup(ctx->s_ctx);
+    }
+    if (!ctx->s_cb.isSharedCtx) {
+        wolfSSL_CTX_free(ctx->s_ctx);
+        ctx->s_ctx = NULL;
+    }
 
     if (!ctx->s_cb.ticNoInit) {
 #if defined(HAVE_SESSION_TICKET) && \
@@ -18496,9 +18517,15 @@ static int test_wc_AesGcmEncryptDecrypt(void)
     ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), iv,
         sizeof(iv)/sizeof(byte), NULL, sizeof(resultT), a, sizeof(a)),
         BAD_FUNC_ARG);
+    #if (defined(HAVE_FIPS) && FIPS_VERSION_LE(2,0) && defined(WOLFSSL_ARMASM))
+    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), iv,
+        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) + 1, a, sizeof(a)),
+        AES_GCM_AUTH_E);
+    #else
     ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), iv,
         sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) + 1, a, sizeof(a)),
         BAD_FUNC_ARG);
+    #endif
     #if ((defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
             (HAVE_FIPS_VERSION == 2)) || defined(HAVE_SELFTEST)) && \
             !defined(WOLFSSL_AES_GCM_FIXED_IV_AAD)
@@ -19748,6 +19775,10 @@ static int test_wc_RsaPublicEncryptDecrypt(void)
     WC_DECLARE_VAR(plain, byte, TEST_STRING_SZ, NULL);
     WC_DECLARE_VAR(cipher, byte, TEST_RSA_BYTES, NULL);
 
+    WC_ALLOC_VAR(in, byte, TEST_STRING_SZ, NULL);
+    WC_ALLOC_VAR(plain, byte, TEST_STRING_SZ, NULL);
+    WC_ALLOC_VAR(cipher, byte, TEST_RSA_BYTES, NULL);
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
     ExpectNotNull(in);
     ExpectNotNull(plain);
@@ -19810,6 +19841,10 @@ static int test_wc_RsaPublicEncryptDecrypt_ex(void)
     WC_DECLARE_VAR(plain, byte, TEST_STRING_SZ, NULL);
     WC_DECLARE_VAR(cipher, byte, TEST_RSA_BYTES, NULL);
 
+    WC_ALLOC_VAR(in, byte, TEST_STRING_SZ, NULL);
+    WC_ALLOC_VAR(plain, byte, TEST_STRING_SZ, NULL);
+    WC_ALLOC_VAR(cipher, byte, TEST_RSA_BYTES, NULL);
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
     ExpectNotNull(in);
     ExpectNotNull(plain);
@@ -19875,6 +19910,10 @@ static int test_wc_RsaSSL_SignVerify(void)
     WC_DECLARE_VAR(out, byte, TEST_RSA_BYTES, NULL);
     WC_DECLARE_VAR(plain, byte, TEST_STRING_SZ, NULL);
 
+    WC_ALLOC_VAR(in, byte, TEST_STRING_SZ, NULL);
+    WC_ALLOC_VAR(out, byte, TEST_RSA_BYTES, NULL);
+    WC_ALLOC_VAR(plain, byte, TEST_STRING_SZ, NULL);
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
     ExpectNotNull(in);
     ExpectNotNull(out);
@@ -25046,14 +25085,15 @@ static int test_wc_ecc_pointFns(void)
 
 
 /*
- * Testing wc_ecc_sahred_secret_ssh()
+ * Testing wc_ecc_shared_secret_ssh()
  */
 static int test_wc_ecc_shared_secret_ssh(void)
 {
     EXPECT_DECLS;
 #if defined(HAVE_ECC) && defined(HAVE_ECC_DHE) && \
     !defined(WC_NO_RNG) && !defined(WOLFSSL_ATECC508A) && \
-    !defined(WOLFSSL_ATECC608A)
+    !defined(WOLFSSL_ATECC608A) && !defined(PLUTON_CRYPTO_ECC) && \
+    !defined(WOLFSSL_CRYPTOCELL)
     ecc_key key;
     ecc_key key2;
     WC_RNG  rng;
@@ -66130,6 +66170,77 @@ static int test_extra_alerts_bad_psk(void)
 }
 #endif
 
+#if defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)\
+    && !defined(NO_PSK)
+static unsigned int test_tls13_bad_psk_binder_client_cb(WOLFSSL* ssl,
+        const char* hint, char* identity, unsigned int id_max_len,
+        unsigned char* key, unsigned int key_max_len)
+{
+    (void)ssl;
+    (void)hint;
+    (void)key_max_len;
+
+    /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
+    XSTRNCPY(identity, "Client_identity", id_max_len);
+
+    key[0] = 0x20;
+    return 1;
+}
+
+static unsigned int test_tls13_bad_psk_binder_server_cb(WOLFSSL* ssl,
+        const char* id, unsigned char* key, unsigned int key_max_len)
+{
+    (void)ssl;
+    (void)id;
+    (void)key_max_len;
+    /* zero means error */
+    key[0] = 0x10;
+    return 1;
+}
+#endif
+
+static int test_tls13_bad_psk_binder(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)\
+    && !defined(NO_PSK)
+    WOLFSSL_CTX *ctx_c = NULL;
+    WOLFSSL_CTX *ctx_s = NULL;
+    WOLFSSL *ssl_c = NULL;
+    WOLFSSL *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
+    WOLFSSL_ALERT_HISTORY h;
+
+    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+        wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
+
+    wolfSSL_set_psk_client_callback(ssl_c, test_tls13_bad_psk_binder_client_cb);
+    wolfSSL_set_psk_server_callback(ssl_s, test_tls13_bad_psk_binder_server_cb);
+
+    ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
+        WOLFSSL_ERROR_WANT_READ);
+
+    ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
+    ExpectIntEQ( wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
+        BAD_BINDER);
+
+    ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
+        FATAL_ERROR);
+    ExpectIntEQ(wolfSSL_get_alert_history(ssl_c, &h), WOLFSSL_SUCCESS);
+    ExpectIntEQ(h.last_rx.code, illegal_parameter);
+    ExpectIntEQ(h.last_rx.level, alert_fatal);
+
+    wolfSSL_free(ssl_c);
+    wolfSSL_CTX_free(ctx_c);
+    wolfSSL_free(ssl_s);
+    wolfSSL_CTX_free(ctx_s);
+#endif
+    return EXPECT_RESULT();
+}
+
 #if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12) && \
         defined(HAVE_IO_TESTS_DEPENDENCIES)
 static int test_harden_no_secure_renegotiation_io_cb(WOLFSSL *ssl, char *buf,
@@ -69268,6 +69379,7 @@ static int test_tls13_early_data(void)
                 ExpectFalse(wolfSSL_is_init_finished(ssl_s));
                 ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, sizeof(msgBuf),
                         &read), 0);
+                ExpectIntEQ(read, 0);
                 ExpectTrue(wolfSSL_is_init_finished(ssl_s));
 
                 ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
@@ -69278,7 +69390,7 @@ static int test_tls13_early_data(void)
                 ExpectFalse(wolfSSL_is_init_finished(ssl_s));
                 ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, sizeof(msgBuf),
                         &read), 0);
-
+                ExpectIntEQ(read, 0);
                 ExpectTrue(wolfSSL_is_init_finished(ssl_s));
 
                 /* Read server 0.5-RTT data */
@@ -69598,6 +69710,430 @@ static int test_write_dup(void)
     return EXPECT_RESULT();
 }
 
+static int test_read_write_hs(void)
+{
+
+    EXPECT_DECLS;
+#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && !defined(WOLFSSL_NO_TLS12)
+    WOLFSSL_CTX *ctx_s = NULL, *ctx_c = NULL;
+    WOLFSSL *ssl_s = NULL, *ssl_c = NULL;
+    struct test_memio_ctx test_ctx;
+    uint8_t test_buffer[16];
+    unsigned int test;
+
+    /* test == 0 : client writes, server reads */
+    /* test == 1 : server writes, client reads */
+    for (test = 0; test < 2; test++) {
+        XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+        ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s,  &ssl_c, &ssl_s,
+                                     wolfTLSv1_2_client_method,
+                                     wolfTLSv1_2_server_method), 0);
+        ExpectIntEQ(wolfSSL_set_group_messages(ssl_s), WOLFSSL_SUCCESS);
+        /* CH -> */
+        if (test == 0) {
+            ExpectIntEQ(wolfSSL_write(ssl_c, "hello", 5), -1);
+        } else {
+            ExpectIntEQ(wolfSSL_read(ssl_c, test_buffer,
+                                     sizeof(test_buffer)),  -1);
+        }
+        ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+
+        /* <- SH + SKE + SHD */
+        if (test == 0) {
+            ExpectIntEQ(wolfSSL_read(ssl_s, test_buffer,
+                                     sizeof(test_buffer)), -1);
+        } else {
+            ExpectIntEQ(wolfSSL_write(ssl_s, "hello", 5), -1);
+        }
+        ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
+
+        /* -> CKE + CLIENT FINISHED */
+        if (test == 0) {
+            ExpectIntEQ(wolfSSL_write(ssl_c, "hello", 5), -1);
+        } else {
+            ExpectIntEQ(wolfSSL_read(ssl_c, test_buffer,
+                                     sizeof(test_buffer)), -1);
+        }
+        ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+
+        /* abide clang static analyzer */
+        if (ssl_s != NULL) {
+            /* disable group message to separate sending of ChangeCipherspec
+             * from Finished */
+            ssl_s->options.groupMessages = 0;
+        }
+        /* allow writing of CS, but not FINISHED */
+        test_ctx.c_len = TEST_MEMIO_BUF_SZ - 6;
+
+        /* <- CS */
+        if (test == 0) {
+            ExpectIntEQ(wolfSSL_read(ssl_s, test_buffer,
+                                     sizeof(test_buffer)), -1);
+        } else {
+            ExpectIntEQ(wolfSSL_write(ssl_s, "hello", 5), -1);
+        }
+        ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_WRITE);
+
+        /* move CS message where the client can read it */
+        memmove(test_ctx.c_buff,
+                (test_ctx.c_buff + TEST_MEMIO_BUF_SZ - 6), 6);
+        test_ctx.c_len = 6;
+        /* read CS */
+        if (test == 0) {
+            ExpectIntEQ(wolfSSL_write(ssl_c, "hello", 5), -1);
+        } else {
+            ExpectIntEQ(wolfSSL_read(ssl_c, test_buffer,
+                                     sizeof(test_buffer)), -1);
+        }
+        ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+        ExpectIntEQ(test_ctx.c_len, 0);
+
+        if (test == 0) {
+            /* send SERVER FINISHED */
+            ExpectIntEQ(wolfSSL_read(ssl_s, test_buffer,
+                                     sizeof(test_buffer)), -1);
+            ExpectIntEQ(wolfSSL_get_error(ssl_s, -1),
+                        WOLFSSL_ERROR_WANT_READ);
+        } else {
+            /* send SERVER FINISHED + App Data */
+            ExpectIntEQ(wolfSSL_write(ssl_s, "hello", 5), 5);
+        }
+
+        ExpectIntGT(test_ctx.c_len, 0);
+
+        /* Send and receive the data */
+        if (test == 0) {
+            ExpectIntEQ(wolfSSL_write(ssl_c, "hello", 5), 5);
+            ExpectIntEQ(wolfSSL_read(ssl_s, test_buffer,
+                                     sizeof(test_buffer)), 5);
+        } else {
+            ExpectIntEQ(wolfSSL_read(ssl_c, test_buffer,
+                                     sizeof(test_buffer)), 5);
+        }
+
+        ExpectBufEQ(test_buffer, "hello", 5);
+
+        wolfSSL_free(ssl_c);
+        wolfSSL_free(ssl_s);
+        wolfSSL_CTX_free(ctx_c);
+        wolfSSL_CTX_free(ctx_s);
+        ssl_c = ssl_s = NULL;
+        ctx_c = ctx_s = NULL;
+    }
+
+#endif
+    return EXPECT_RESULT();
+}
+
+#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(OPENSSL_EXTRA)
+static const char* test_get_signature_nid_siglag;
+static int test_get_signature_nid_sig;
+static int test_get_signature_nid_hash;
+
+static int test_get_signature_nid_ssl_ready(WOLFSSL* ssl)
+{
+    EXPECT_DECLS;
+    ExpectIntEQ(wolfSSL_set_cipher_list(ssl, "ALL"), WOLFSSL_SUCCESS);
+    if (!wolfSSL_is_server(ssl)) {
+        ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl,
+            test_get_signature_nid_siglag), WOLFSSL_SUCCESS);
+    }
+    return EXPECT_RESULT();
+}
+
+static int test_get_signature_nid_on_hs_client(WOLFSSL_CTX **ctx, WOLFSSL **ssl)
+{
+    EXPECT_DECLS;
+    int nid = 0;
+    (void)ctx;
+    if (XSTRSTR(wolfSSL_get_cipher(*ssl), "TLS_RSA_") == NULL) {
+        ExpectIntEQ(SSL_get_peer_signature_type_nid(*ssl, &nid), WOLFSSL_SUCCESS);
+        ExpectIntEQ(nid, test_get_signature_nid_sig);
+        ExpectIntEQ(SSL_get_peer_signature_nid(*ssl, &nid), WOLFSSL_SUCCESS);
+        ExpectIntEQ(nid, test_get_signature_nid_hash);
+    }
+    else /* No sigalg info on static ciphersuite */
+        return TEST_SUCCESS;
+    return EXPECT_RESULT();
+}
+
+static int test_get_signature_nid_on_hs_server(WOLFSSL_CTX **ctx, WOLFSSL **ssl)
+{
+    EXPECT_DECLS;
+    int nid = 0;
+    (void)ctx;
+    ExpectIntEQ(SSL_get_signature_type_nid(*ssl, &nid), WOLFSSL_SUCCESS);
+    ExpectIntEQ(nid, test_get_signature_nid_sig);
+    ExpectIntEQ(SSL_get_signature_nid(*ssl, &nid), WOLFSSL_SUCCESS);
+    ExpectIntEQ(nid, test_get_signature_nid_hash);
+    return EXPECT_RESULT();
+}
+#endif
+
+static int test_get_signature_nid(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(OPENSSL_EXTRA)
+    test_ssl_cbf client_cbf;
+    test_ssl_cbf server_cbf;
+    size_t i;
+#define TGSN_TLS12_RSA(sigalg, sig_nid, hash_nid) \
+        { sigalg, sig_nid, hash_nid, WOLFSSL_TLSV1_2, svrCertFile, svrKeyFile, \
+          caCertFile }
+#define TGSN_TLS12_ECDSA(sigalg, sig_nid, hash_nid) \
+        { sigalg, sig_nid, hash_nid, WOLFSSL_TLSV1_2, eccCertFile, eccKeyFile, \
+          caEccCertFile }
+#define TGSN_TLS13_RSA(sigalg, sig_nid, hash_nid) \
+        { sigalg, sig_nid, hash_nid, WOLFSSL_TLSV1_3, svrCertFile, svrKeyFile, \
+          caCertFile }
+#define TGSN_TLS13_ECDSA(sigalg, sig_nid, hash_nid) \
+        { sigalg, sig_nid, hash_nid, WOLFSSL_TLSV1_3, eccCertFile, eccKeyFile, \
+          caEccCertFile }
+#define TGSN_TLS13_ED25519(sigalg, sig_nid, hash_nid) \
+        { sigalg, sig_nid, hash_nid, WOLFSSL_TLSV1_3, edCertFile, edKeyFile, \
+            caEdCertFile }
+#define TGSN_TLS13_ED448(sigalg, sig_nid, hash_nid) \
+        { sigalg, sig_nid, hash_nid, WOLFSSL_TLSV1_3, ed448CertFile, ed448KeyFile, \
+            caEd448CertFile }
+    struct {
+        const char* siglag;
+        int sig_nid;
+        int hash_nid;
+        int tls_ver;
+        const char* server_cert;
+        const char* server_key;
+        const char* client_ca;
+    } params[] = {
+#ifndef NO_RSA
+    #ifndef NO_SHA256
+        TGSN_TLS12_RSA("RSA+SHA256", NID_rsaEncryption, NID_sha256),
+        #ifdef WC_RSA_PSS
+        TGSN_TLS12_RSA("RSA-PSS+SHA256", NID_rsassaPss, NID_sha256),
+        TGSN_TLS13_RSA("RSA-PSS+SHA256", NID_rsassaPss, NID_sha256),
+        #endif
+    #endif
+    #ifdef WOLFSSL_SHA512
+        TGSN_TLS12_RSA("RSA+SHA512", NID_rsaEncryption, NID_sha512),
+        #ifdef WC_RSA_PSS
+        TGSN_TLS12_RSA("RSA-PSS+SHA512", NID_rsassaPss, NID_sha512),
+        TGSN_TLS13_RSA("RSA-PSS+SHA512", NID_rsassaPss, NID_sha512),
+        #endif
+    #endif
+#endif
+#ifdef HAVE_ECC
+    #ifndef NO_SHA256
+        TGSN_TLS12_ECDSA("ECDSA+SHA256", NID_X9_62_id_ecPublicKey, NID_sha256),
+        TGSN_TLS13_ECDSA("ECDSA+SHA256", NID_X9_62_id_ecPublicKey, NID_sha256),
+    #endif
+#endif
+#ifdef HAVE_ED25519
+        TGSN_TLS13_ED25519("ED25519", NID_ED25519, NID_sha512),
+#endif
+#ifdef HAVE_ED448
+        TGSN_TLS13_ED448("ED448", NID_ED448, NID_sha512),
+#endif
+    };
+
+    printf("\n");
+
+    for (i = 0; i < XELEM_CNT(params) && !EXPECT_FAIL(); i++) {
+
+        XMEMSET(&client_cbf, 0, sizeof(client_cbf));
+        XMEMSET(&server_cbf, 0, sizeof(server_cbf));
+
+        printf("Testing %s with %s...", tls_desc[params[i].tls_ver],
+                params[i].siglag);
+
+        switch (params[i].tls_ver) {
+#ifndef WOLFSSL_NO_TLS12
+            case WOLFSSL_TLSV1_2:
+                client_cbf.method = wolfTLSv1_2_client_method;
+                server_cbf.method = wolfTLSv1_2_server_method;
+                break;
+#endif
+#ifdef WOLFSSL_TLS13
+            case WOLFSSL_TLSV1_3:
+                client_cbf.method = wolfTLSv1_3_client_method;
+                server_cbf.method = wolfTLSv1_3_server_method;
+                break;
+#endif
+            default:
+                printf("skipping\n");
+                continue;
+        }
+
+        test_get_signature_nid_siglag = params[i].siglag;
+        test_get_signature_nid_sig = params[i].sig_nid;
+        test_get_signature_nid_hash = params[i].hash_nid;
+
+        client_cbf.ssl_ready = test_get_signature_nid_ssl_ready;
+        server_cbf.ssl_ready = test_get_signature_nid_ssl_ready;
+
+        client_cbf.on_handshake = test_get_signature_nid_on_hs_client;
+        server_cbf.on_handshake = test_get_signature_nid_on_hs_server;
+
+        server_cbf.certPemFile = params[i].server_cert;
+        server_cbf.keyPemFile = params[i].server_key;
+
+        client_cbf.caPemFile = params[i].client_ca;
+
+        ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
+            &server_cbf, NULL), TEST_SUCCESS);
+        if (EXPECT_SUCCESS())
+            printf("passed\n");
+    }
+
+#endif
+    return EXPECT_RESULT();
+}
+
+#if !defined(NO_CERTS) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
+static word32 test_tls_cert_store_unchanged_HashCaTable(Signer** caTable)
+{
+#ifndef NO_MD5
+    enum wc_HashType hashType = WC_HASH_TYPE_MD5;
+#elif !defined(NO_SHA)
+    enum wc_HashType hashType = WC_HASH_TYPE_SHA;
+#elif !defined(NO_SHA256)
+    enum wc_HashType hashType = WC_HASH_TYPE_SHA256;
+#else
+    #error "We need a digest to hash the Signer object"
+#endif
+    byte hashBuf[WC_MAX_DIGEST_SIZE];
+    wc_HashAlg hash;
+    size_t i;
+
+    AssertIntEQ(wc_HashInit(&hash, hashType), 0);
+    for (i = 0; i < CA_TABLE_SIZE; i++) {
+        Signer* cur;
+        for (cur = caTable[i]; cur != NULL; cur = cur->next)
+            AssertIntEQ(wc_HashUpdate(&hash, hashType, (byte*)cur,
+                    sizeof(*cur)), 0);
+    }
+    AssertIntEQ(wc_HashFinal(&hash, hashType, hashBuf), 0);
+    AssertIntEQ(wc_HashFree(&hash, hashType), 0);
+
+    return MakeWordFromHash(hashBuf);
+}
+
+static word32 test_tls_cert_store_unchanged_before_hashes[2];
+static size_t test_tls_cert_store_unchanged_before_hashes_idx;
+static word32 test_tls_cert_store_unchanged_after_hashes[2];
+static size_t test_tls_cert_store_unchanged_after_hashes_idx;
+
+static int test_tls_cert_store_unchanged_ctx_ready(WOLFSSL_CTX* ctx)
+{
+    EXPECT_DECLS;
+
+    ExpectIntNE(test_tls_cert_store_unchanged_before_hashes
+        [test_tls_cert_store_unchanged_before_hashes_idx++] =
+            test_tls_cert_store_unchanged_HashCaTable(ctx->cm->caTable), 0);
+
+    wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER |
+            WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
+
+    return EXPECT_RESULT();
+}
+
+static int test_tls_cert_store_unchanged_ctx_cleanup(WOLFSSL_CTX* ctx)
+{
+    EXPECT_DECLS;
+    ExpectIntEQ(wolfSSL_CTX_UnloadIntermediateCerts(ctx), WOLFSSL_SUCCESS);
+    ExpectIntNE(test_tls_cert_store_unchanged_after_hashes
+        [test_tls_cert_store_unchanged_after_hashes_idx++] =
+            test_tls_cert_store_unchanged_HashCaTable(ctx->cm->caTable), 0);
+
+    return EXPECT_RESULT();
+}
+
+static int test_tls_cert_store_unchanged_on_hs(WOLFSSL_CTX **ctx, WOLFSSL **ssl)
+{
+    EXPECT_DECLS;
+    WOLFSSL_CERT_MANAGER* cm;
+
+    (void)ssl;
+    /* WARNING: this approach bypasses the reference counter check in
+     * wolfSSL_CTX_UnloadIntermediateCerts. It is not recommended as it may
+     * cause unexpected behaviour when other active connections try accessing
+     * the caTable. */
+    ExpectNotNull(cm = wolfSSL_CTX_GetCertManager(*ctx));
+    ExpectIntEQ(wolfSSL_CertManagerUnloadIntermediateCerts(cm),
+            WOLFSSL_SUCCESS);
+    ExpectIntNE(test_tls_cert_store_unchanged_after_hashes
+        [test_tls_cert_store_unchanged_after_hashes_idx++] =
+            test_tls_cert_store_unchanged_HashCaTable((*ctx)->cm->caTable), 0);
+
+    return EXPECT_RESULT();
+}
+
+static int test_tls_cert_store_unchanged_ssl_ready(WOLFSSL* ssl)
+{
+    EXPECT_DECLS;
+    WOLFSSL_CTX* ctx;
+
+    ExpectNotNull(ctx = wolfSSL_get_SSL_CTX(ssl));
+
+    return EXPECT_RESULT();
+}
+#endif
+
+static int test_tls_cert_store_unchanged(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_CERTS) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
+    test_ssl_cbf client_cbf;
+    test_ssl_cbf server_cbf;
+    int i;
+
+    for (i = 0; i < 2; i++) {
+        XMEMSET(&client_cbf, 0, sizeof(client_cbf));
+        XMEMSET(&server_cbf, 0, sizeof(server_cbf));
+
+        test_tls_cert_store_unchanged_before_hashes_idx = 0;
+        XMEMSET(test_tls_cert_store_unchanged_before_hashes, 0,
+                sizeof(test_tls_cert_store_unchanged_before_hashes));
+        test_tls_cert_store_unchanged_after_hashes_idx = 0;
+        XMEMSET(test_tls_cert_store_unchanged_after_hashes, 0,
+                sizeof(test_tls_cert_store_unchanged_after_hashes));
+
+        client_cbf.ctx_ready = test_tls_cert_store_unchanged_ctx_ready;
+        server_cbf.ctx_ready = test_tls_cert_store_unchanged_ctx_ready;
+
+        client_cbf.ssl_ready = test_tls_cert_store_unchanged_ssl_ready;
+        server_cbf.ssl_ready = test_tls_cert_store_unchanged_ssl_ready;
+
+        switch (i) {
+            case 0:
+                client_cbf.on_ctx_cleanup =
+                        test_tls_cert_store_unchanged_ctx_cleanup;
+                server_cbf.on_ctx_cleanup =
+                        test_tls_cert_store_unchanged_ctx_cleanup;
+                break;
+            case 1:
+                client_cbf.on_handshake = test_tls_cert_store_unchanged_on_hs;
+                server_cbf.on_handshake = test_tls_cert_store_unchanged_on_hs;
+                break;
+            default:
+                Fail(("Should not enter here"), ("Entered here"));
+        }
+
+
+        client_cbf.certPemFile = "certs/intermediate/client-chain.pem";
+        server_cbf.certPemFile = "certs/intermediate/server-chain.pem";
+
+        server_cbf.caPemFile = caCertFile;
+
+        ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
+            &server_cbf, NULL), TEST_SUCCESS);
+
+        ExpectBufEQ(test_tls_cert_store_unchanged_before_hashes,
+                test_tls_cert_store_unchanged_after_hashes,
+                sizeof(test_tls_cert_store_unchanged_after_hashes));
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
 /*----------------------------------------------------------------------------*
  | Main
  *----------------------------------------------------------------------------*/
@@ -70872,6 +71408,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_extra_alerts_wrong_cs),
     TEST_DECL(test_extra_alerts_skip_hs),
     TEST_DECL(test_extra_alerts_bad_psk),
+    TEST_DECL(test_tls13_bad_psk_binder),
     /* Can't memory test as client/server Asserts. */
     TEST_DECL(test_harden_no_secure_renegotiation),
     TEST_DECL(test_override_alt_cert_chain),
@@ -70904,6 +71441,9 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_tls13_early_data),
     TEST_DECL(test_tls_multi_handshakes_one_record),
     TEST_DECL(test_write_dup),
+    TEST_DECL(test_read_write_hs),
+    TEST_DECL(test_get_signature_nid),
+    TEST_DECL(test_tls_cert_store_unchanged),
     /* This test needs to stay at the end to clean up any caches allocated. */
     TEST_DECL(test_wolfSSL_Cleanup)
 };
diff --git a/tests/utils.h b/tests/utils.h
index 601c56ca5e..cf57e336fd 100644
--- a/tests/utils.h
+++ b/tests/utils.h
@@ -431,3 +431,9 @@ void join_thread(THREAD_TYPE thread)
     THREAD_CHECK_RET(wolfSSL_JoinThread(thread));
 }
 #endif /* SINGLE_THREADED */
+
+/* These correspond to WOLFSSL_SSLV3...WOLFSSL_DTLSV1_3 */
+const char* tls_desc[] = {
+    "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3",
+    "DTLSv1.0", "DTLSv1.2", "DTLSv1.3"
+};
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
index d3b331afd9..e8ebccfe9c 100644
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@@ -55,7 +55,6 @@
  *
  */
 
-
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -68,6 +67,8 @@
 /* Macro to disable benchmark */
 #ifndef NO_CRYPT_BENCHMARK
 
+#define WC_ALLOC_DO_ON_FAILURE() do { printf("out of memory at benchmark.c L %d\n", __LINE__); ret = MEMORY_E; goto exit; } while (0)
+
 #include <wolfssl/wolfcrypt/types.h>
 #include <wolfssl/wolfcrypt/wc_port.h>
 #include <wolfssl/wolfcrypt/wolfmath.h>
@@ -77,6 +78,11 @@
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/version.h>
 
+#ifdef WOLFSSL_LINUXKM
+    /* remap current_time() -- collides with a function in kernel linux/fs.h */
+    #define current_time benchmark_current_time
+#endif /* WOLFSSL_LINUXKM */
+
 #ifdef HAVE_CHACHA
     #include <wolfssl/wolfcrypt/chacha.h>
 #endif
@@ -224,7 +230,6 @@
     #include "wolfcrypt/benchmark/benchmark.h"
 #endif
 
-
 /* define the max length for each string of metric reported */
 #ifndef WC_BENCH_MAX_LINE_LEN
 #define WC_BENCH_MAX_LINE_LEN 150
@@ -467,7 +472,7 @@
         #include <stdlib.h>  /* we're using malloc / free direct here */
     #endif
 
-    #ifndef STRING_USER
+    #if !defined(STRING_USER) && !defined(NO_STDIO_FILESYSTEM)
         #include <string.h>
         #include <stdio.h>
     #endif
@@ -1873,21 +1878,33 @@ static const char* bench_result_words2[][5] = {
 
 /* use kB instead of mB for embedded benchmarking */
 #ifdef BENCH_EMBEDDED
+    #ifndef BENCH_NTIMES
+    #define BENCH_NTIMES 2
+    #endif
+    #ifndef BENCH_AGREETIMES
+    #define BENCH_AGREETIMES 2
+    #endif
     enum BenchmarkBounds {
         scryptCnt  = 1,
-        ntimes     = 2,
+        ntimes     = BENCH_NTIMES,
         genTimes   = BENCH_MAX_PENDING,
-        agreeTimes = 2
+        agreeTimes = BENCH_AGREETIMES
     };
     /* how many kB to test (en/de)cryption */
     #define NUM_BLOCKS 25
     #define BENCH_SIZE (1024uL)
 #else
+    #ifndef BENCH_NTIMES
+    #define BENCH_NTIMES 100
+    #endif
+    #ifndef BENCH_AGREETIMES
+    #define BENCH_AGREETIMES 100
+    #endif
     enum BenchmarkBounds {
         scryptCnt  = 10,
-        ntimes     = 100,
+        ntimes     = BENCH_NTIMES,
         genTimes   = BENCH_MAX_PENDING, /* must be at least BENCH_MAX_PENDING */
-        agreeTimes = 100
+        agreeTimes = BENCH_AGREETIMES
     };
     /* how many megs to test (en/de)cryption */
     #define NUM_BLOCKS 5
@@ -4066,22 +4083,23 @@ static void bench_aescbc_internal(int useDeviceID,
                                   const char* decLabel)
 {
     int    ret = 0, i, count = 0, times, pending = 0;
-    Aes    enc[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(enc, Aes, BENCH_MAX_PENDING,
+                     sizeof(Aes), HEAP_HINT);
     double start;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
-    /* clear for done cleanup */
-    XMEMSET(enc, 0, sizeof(enc));
+    WC_CALLOC_ARRAY(enc, Aes, BENCH_MAX_PENDING,
+                     sizeof(Aes), HEAP_HINT);
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        if ((ret = wc_AesInit(&enc[i], HEAP_HINT,
+        if ((ret = wc_AesInit(enc[i], HEAP_HINT,
                                 useDeviceID ? devId: INVALID_DEVID)) != 0) {
-            printf("AesInit failed, ret = %d\n", ret);
+            printf("AesInit failed at L%d, ret = %d\n", __LINE__, ret);
             goto exit;
         }
 
-        ret = wc_AesSetKey(&enc[i], key, keySz, iv, AES_ENCRYPTION);
+        ret = wc_AesSetKey(enc[i], key, keySz, iv, AES_ENCRYPTION);
         if (ret != 0) {
             printf("AesSetKey failed, ret = %d\n", ret);
             goto exit;
@@ -4095,12 +4113,12 @@ static void bench_aescbc_internal(int useDeviceID,
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(enc[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_AesCbcEncrypt(&enc[i], bench_plain, bench_cipher,
+                    ret = wc_AesCbcEncrypt(enc[i], bench_plain, bench_cipher,
                         bench_size);
 
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(enc[i]),
                                             0, &times, &pending)) {
                         goto exit_aes_enc;
                     }
@@ -4129,7 +4147,7 @@ static void bench_aescbc_internal(int useDeviceID,
 #ifdef HAVE_AES_DECRYPT
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        ret = wc_AesSetKey(&enc[i], key, keySz, iv, AES_DECRYPTION);
+        ret = wc_AesSetKey(enc[i], key, keySz, iv, AES_DECRYPTION);
         if (ret != 0) {
             printf("AesSetKey failed, ret = %d\n", ret);
             goto exit;
@@ -4145,12 +4163,12 @@ static void bench_aescbc_internal(int useDeviceID,
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(enc[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_AesCbcDecrypt(&enc[i], bench_cipher, bench_plain,
+                    ret = wc_AesCbcDecrypt(enc[i], bench_cipher, bench_plain,
                         bench_size);
 
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(enc[i]),
                                             0, &times, &pending)) {
                         goto exit_aes_dec;
                     }
@@ -4177,8 +4195,11 @@ static void bench_aescbc_internal(int useDeviceID,
     (void)decLabel;
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_AesFree(&enc[i]);
+    if (WC_ARRAY_OK(enc)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_AesFree(enc[i]);
+        }
+        WC_FREE_ARRAY(enc, BENCH_MAX_PENDING, HEAP_HINT);
     }
 }
 
@@ -4217,42 +4238,38 @@ static void bench_aesgcm_internal(int useDeviceID,
                                   const char* encLabel, const char* decLabel)
 {
     int    ret = 0, i, count = 0, times, pending = 0;
-    Aes    enc[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(enc, Aes, BENCH_MAX_PENDING,
+                     sizeof(Aes), HEAP_HINT);
 #ifdef HAVE_AES_DECRYPT
-    Aes    dec[BENCH_MAX_PENDING+1];
+    WC_DECLARE_ARRAY(dec, Aes, BENCH_MAX_PENDING,
+                     sizeof(Aes), HEAP_HINT);
 #endif
     double start;
     DECLARE_MULTI_VALUE_STATS_VARS()
-
     WC_DECLARE_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
     WC_DECLARE_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
-#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
-    if (bench_additional == NULL || bench_tag == NULL) {
-        printf("bench_aesgcm_internal malloc failed\n");
-        goto exit;
-    }
-#endif
 
-    /* clear for done cleanup */
-    XMEMSET(enc, 0, sizeof(enc));
-#ifdef WOLFSSL_ASYNC_CRYPT
-    if (bench_additional)
-#endif
-        XMEMSET(bench_additional, 0, AES_AUTH_ADD_SZ);
-#ifdef WOLFSSL_ASYNC_CRYPT
-    if (bench_tag)
+    WC_ALLOC_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
+    WC_ALLOC_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
+    WC_CALLOC_ARRAY(enc, Aes, BENCH_MAX_PENDING,
+                  sizeof(Aes), HEAP_HINT);
+#ifdef HAVE_AES_DECRYPT
+    WC_CALLOC_ARRAY(dec, Aes, BENCH_MAX_PENDING,
+                  sizeof(Aes), HEAP_HINT);
 #endif
-        XMEMSET(bench_tag, 0, AES_AUTH_TAG_SZ);
+
+    XMEMSET(bench_additional, 0, AES_AUTH_ADD_SZ);
+    XMEMSET(bench_tag, 0, AES_AUTH_TAG_SZ);
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        if ((ret = wc_AesInit(&enc[i], HEAP_HINT,
+        if ((ret = wc_AesInit(enc[i], HEAP_HINT,
                         useDeviceID ? devId: INVALID_DEVID)) != 0) {
-            printf("AesInit failed, ret = %d\n", ret);
+            printf("AesInit failed at L%d, ret = %d\n", __LINE__, ret);
             goto exit;
         }
 
-        ret = wc_AesGcmSetKey(&enc[i], key, keySz);
+        ret = wc_AesGcmSetKey(enc[i], key, keySz);
         if (ret != 0) {
             printf("AesGcmSetKey failed, ret = %d\n", ret);
             goto exit;
@@ -4267,13 +4284,13 @@ static void bench_aesgcm_internal(int useDeviceID,
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(enc[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_AesGcmEncrypt(&enc[i], bench_cipher,
+                    ret = wc_AesGcmEncrypt(enc[i], bench_cipher,
                         bench_plain, bench_size,
                         iv, ivSz, bench_tag, AES_AUTH_TAG_SZ,
                         bench_additional, aesAuthAddSz);
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(enc[i]),
                                             0, &times, &pending)) {
                         goto exit_aes_gcm;
                     }
@@ -4296,19 +4313,18 @@ static void bench_aesgcm_internal(int useDeviceID,
 #endif
 
 #ifdef HAVE_AES_DECRYPT
-    XMEMSET(dec, 0, sizeof(dec));
 
     RESET_MULTI_VALUE_STATS_VARS();
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        if ((ret = wc_AesInit(&dec[i], HEAP_HINT,
+        if ((ret = wc_AesInit(dec[i], HEAP_HINT,
                         useDeviceID ? devId: INVALID_DEVID)) != 0) {
-            printf("AesInit failed, ret = %d\n", ret);
+            printf("AesInit failed at L%d, ret = %d\n", __LINE__, ret);
             goto exit;
         }
 
-        ret = wc_AesGcmSetKey(&dec[i], key, keySz);
+        ret = wc_AesGcmSetKey(dec[i], key, keySz);
         if (ret != 0) {
             printf("AesGcmSetKey failed, ret = %d\n", ret);
             goto exit;
@@ -4322,13 +4338,13 @@ static void bench_aesgcm_internal(int useDeviceID,
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&dec[i]), 0,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(dec[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_AesGcmDecrypt(&dec[i], bench_plain,
+                    ret = wc_AesGcmDecrypt(dec[i], bench_plain,
                         bench_cipher, bench_size,
                         iv, ivSz, bench_tag, AES_AUTH_TAG_SZ,
                         bench_additional, aesAuthAddSz);
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&dec[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(dec[i]),
                                             0, &times, &pending)) {
                         goto exit_aes_gcm_dec;
                     }
@@ -4359,12 +4375,18 @@ static void bench_aesgcm_internal(int useDeviceID,
         printf("bench_aesgcm failed: %d\n", ret);
     }
 #ifdef HAVE_AES_DECRYPT
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_AesFree(&dec[i]);
+    if (WC_ARRAY_OK(dec)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_AesFree(dec[i]);
+        }
+        WC_FREE_ARRAY(dec, BENCH_MAX_PENDING, HEAP_HINT);
     }
 #endif
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_AesFree(&enc[i]);
+    if (WC_ARRAY_OK(enc)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_AesFree(enc[i]);
+        }
+        WC_FREE_ARRAY(enc, BENCH_MAX_PENDING, HEAP_HINT);
     }
 
     WC_FREE_VAR(bench_additional, HEAP_HINT);
@@ -4377,45 +4399,40 @@ static void bench_aesgcm_stream_internal(int useDeviceID,
     const char* encLabel, const char* decLabel)
 {
     int    ret = 0, i, count = 0, times, pending = 0;
-    Aes    enc[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(enc, Aes, BENCH_MAX_PENDING,
+                     sizeof(Aes), HEAP_HINT);
 #ifdef HAVE_AES_DECRYPT
-    Aes    dec[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(dec, Aes, BENCH_MAX_PENDING,
+                     sizeof(Aes), HEAP_HINT);
 #endif
     double start;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
     WC_DECLARE_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
     WC_DECLARE_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
-#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
-    if (bench_additional == NULL || bench_tag == NULL) {
-        printf("bench_aesgcm_internal malloc failed\n");
-        goto exit;
-    }
-#endif
 
-    /* clear for done cleanup */
-    XMEMSET(enc, 0, sizeof(enc));
+    WC_ALLOC_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
+    WC_ALLOC_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
+
+    WC_CALLOC_ARRAY(enc, Aes, BENCH_MAX_PENDING,
+                  sizeof(Aes), HEAP_HINT);
 #ifdef HAVE_AES_DECRYPT
-    XMEMSET(dec, 0, sizeof(dec));
-#endif
-#ifdef WOLFSSL_ASYNC_CRYPT
-    if (bench_additional)
-#endif
-        XMEMSET(bench_additional, 0, AES_AUTH_ADD_SZ);
-#ifdef WOLFSSL_ASYNC_CRYPT
-    if (bench_tag)
+    WC_CALLOC_ARRAY(dec, Aes, BENCH_MAX_PENDING,
+                  sizeof(Aes), HEAP_HINT);
 #endif
-        XMEMSET(bench_tag, 0, AES_AUTH_TAG_SZ);
+
+    XMEMSET(bench_additional, 0, AES_AUTH_ADD_SZ);
+    XMEMSET(bench_tag, 0, AES_AUTH_TAG_SZ);
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        if ((ret = wc_AesInit(&enc[i], HEAP_HINT,
+        if ((ret = wc_AesInit(enc[i], HEAP_HINT,
                         useDeviceID ? devId: INVALID_DEVID)) != 0) {
-            printf("AesInit failed, ret = %d\n", ret);
+            printf("AesInit failed at L%d, ret = %d\n", __LINE__, ret);
             goto exit;
         }
 
-        ret = wc_AesGcmSetKey(&enc[i], key, keySz);
+        ret = wc_AesGcmSetKey(enc[i], key, keySz);
         if (ret != 0) {
             printf("AesGcmSetKey failed, ret = %d\n", ret);
             goto exit;
@@ -4430,19 +4447,19 @@ static void bench_aesgcm_stream_internal(int useDeviceID,
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(enc[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_AesGcmEncryptInit(&enc[i], NULL, 0, iv, ivSz);
+                    ret = wc_AesGcmEncryptInit(enc[i], NULL, 0, iv, ivSz);
                     if (ret == 0) {
-                        ret = wc_AesGcmEncryptUpdate(&enc[i], bench_cipher,
+                        ret = wc_AesGcmEncryptUpdate(enc[i], bench_cipher,
                             bench_plain, bench_size, bench_additional,
                             aesAuthAddSz);
                     }
                     if (ret == 0) {
-                        ret = wc_AesGcmEncryptFinal(&enc[i], bench_tag,
+                        ret = wc_AesGcmEncryptFinal(enc[i], bench_tag,
                             AES_AUTH_TAG_SZ);
                     }
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(enc[i]),
                                             0, &times, &pending)) {
                         goto exit_aes_gcm;
                     }
@@ -4467,13 +4484,13 @@ static void bench_aesgcm_stream_internal(int useDeviceID,
 #ifdef HAVE_AES_DECRYPT
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        if ((ret = wc_AesInit(&dec[i], HEAP_HINT,
+        if ((ret = wc_AesInit(dec[i], HEAP_HINT,
                         useDeviceID ? devId: INVALID_DEVID)) != 0) {
-            printf("AesInit failed, ret = %d\n", ret);
+            printf("AesInit failed at L%d, ret = %d\n", __LINE__, ret);
             goto exit;
         }
 
-        ret = wc_AesGcmSetKey(&dec[i], key, keySz);
+        ret = wc_AesGcmSetKey(dec[i], key, keySz);
         if (ret != 0) {
             printf("AesGcmSetKey failed, ret = %d\n", ret);
             goto exit;
@@ -4489,19 +4506,19 @@ static void bench_aesgcm_stream_internal(int useDeviceID,
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&dec[i]), 0,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(dec[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_AesGcmDecryptInit(&enc[i], NULL, 0, iv, ivSz);
+                    ret = wc_AesGcmDecryptInit(enc[i], NULL, 0, iv, ivSz);
                     if (ret == 0) {
-                        ret = wc_AesGcmDecryptUpdate(&enc[i], bench_plain,
+                        ret = wc_AesGcmDecryptUpdate(enc[i], bench_plain,
                             bench_cipher, bench_size, bench_additional,
                             aesAuthAddSz);
                     }
                     if (ret == 0) {
-                        ret = wc_AesGcmDecryptFinal(&enc[i], bench_tag,
+                        ret = wc_AesGcmDecryptFinal(enc[i], bench_tag,
                             AES_AUTH_TAG_SZ);
                     }
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&dec[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(dec[i]),
                                             0, &times, &pending)) {
                         goto exit_aes_gcm_dec;
                     }
@@ -4532,12 +4549,18 @@ static void bench_aesgcm_stream_internal(int useDeviceID,
         printf("bench_aesgcm failed: %d\n", ret);
     }
 #ifdef HAVE_AES_DECRYPT
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_AesFree(&dec[i]);
+    if (WC_ARRAY_OK(dec)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_AesFree(dec[i]);
+        }
+        WC_FREE_ARRAY(dec, BENCH_MAX_PENDING, HEAP_HINT);
     }
 #endif
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_AesFree(&enc[i]);
+    if (WC_ARRAY_OK(enc)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_AesFree(enc[i]);
+        }
+        WC_FREE_ARRAY(enc, BENCH_MAX_PENDING, HEAP_HINT);
     }
 
     WC_FREE_VAR(bench_additional, HEAP_HINT);
@@ -4659,7 +4682,8 @@ static void bench_aesecb_internal(int useDeviceID,
                                   const char* encLabel, const char* decLabel)
 {
     int    ret = 0, i, count = 0, times, pending = 0;
-    Aes    enc[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(enc, Aes, BENCH_MAX_PENDING,
+                     sizeof(Aes), HEAP_HINT);
     double start;
     DECLARE_MULTI_VALUE_STATS_VARS()
 #ifdef HAVE_FIPS
@@ -4668,18 +4692,18 @@ static void bench_aesecb_internal(int useDeviceID,
     const int benchSz = (int)bench_size;
 #endif
 
-    /* clear for done cleanup */
-    XMEMSET(enc, 0, sizeof(enc));
+    WC_CALLOC_ARRAY(enc, Aes, BENCH_MAX_PENDING,
+                     sizeof(Aes), HEAP_HINT);
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        if ((ret = wc_AesInit(&enc[i], HEAP_HINT,
+        if ((ret = wc_AesInit(enc[i], HEAP_HINT,
                                 useDeviceID ? devId: INVALID_DEVID)) != 0) {
-            printf("AesInit failed, ret = %d\n", ret);
+            printf("AesInit failed at L%d, ret = %d\n", __LINE__, ret);
             goto exit;
         }
 
-        ret = wc_AesSetKey(&enc[i], key, keySz, bench_iv, AES_ENCRYPTION);
+        ret = wc_AesSetKey(enc[i], key, keySz, bench_iv, AES_ENCRYPTION);
         if (ret != 0) {
             printf("AesSetKey failed, ret = %d\n", ret);
             goto exit;
@@ -4696,16 +4720,16 @@ static void bench_aesecb_internal(int useDeviceID,
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0,
-                                      &times, numBlocks, &pending)) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(enc[i]), 0,
+                                      &times, outer_loop_limit, &pending)) {
                 #ifdef HAVE_FIPS
-                    wc_AesEncryptDirect(&enc[i], bench_cipher, bench_plain);
+                    wc_AesEncryptDirect(enc[i], bench_cipher, bench_plain);
                 #else
-                    wc_AesEcbEncrypt(&enc[i], bench_cipher, bench_plain,
+                    wc_AesEcbEncrypt(enc[i], bench_cipher, bench_plain,
                         benchSz);
                 #endif
                     ret = 0;
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(enc[i]),
                                             0, &times, &pending)) {
                         goto exit_aes_enc;
                     }
@@ -4730,7 +4754,7 @@ static void bench_aesecb_internal(int useDeviceID,
 #ifdef HAVE_AES_DECRYPT
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        ret = wc_AesSetKey(&enc[i], key, keySz, bench_iv, AES_DECRYPTION);
+        ret = wc_AesSetKey(enc[i], key, keySz, bench_iv, AES_DECRYPTION);
         if (ret != 0) {
             printf("AesSetKey failed, ret = %d\n", ret);
             goto exit;
@@ -4747,16 +4771,16 @@ static void bench_aesecb_internal(int useDeviceID,
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0,
-                                      &times, numBlocks, &pending)) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(enc[i]), 0,
+                                      &times, outer_loop_limit, &pending)) {
                 #ifdef HAVE_FIPS
-                    wc_AesDecryptDirect(&enc[i], bench_plain, bench_cipher);
+                    wc_AesDecryptDirect(enc[i], bench_plain, bench_cipher);
                 #else
-                    wc_AesEcbDecrypt(&enc[i], bench_plain, bench_cipher,
+                    wc_AesEcbDecrypt(enc[i], bench_plain, bench_cipher,
                         benchSz);
                 #endif
                     ret = 0;
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(enc[i]),
                                             0, &times, &pending)) {
                         goto exit_aes_dec;
                     }
@@ -4782,8 +4806,11 @@ static void bench_aesecb_internal(int useDeviceID,
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_AesFree(&enc[i]);
+    if (WC_ARRAY_OK(enc)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_AesFree(enc[i]);
+        }
+        WC_FREE_ARRAY(enc, BENCH_MAX_PENDING, HEAP_HINT);
     }
 }
 
@@ -4816,14 +4843,14 @@ static void bench_aescfb_internal(const byte* key,
 
     ret = wc_AesInit(&enc, HEAP_HINT, INVALID_DEVID);
     if (ret != 0) {
-        printf("AesInit failed, ret = %d\n", ret);
+        printf("AesInit failed at L%d, ret = %d\n", __LINE__, ret);
         return;
     }
 
     ret = wc_AesSetKey(&enc, key, keySz, iv, AES_ENCRYPTION);
     if (ret != 0) {
         printf("AesSetKey failed, ret = %d\n", ret);
-        return;
+        goto out;
     }
 
     bench_stats_start(&count, &start);
@@ -4832,7 +4859,7 @@ static void bench_aescfb_internal(const byte* key,
             if((ret = wc_AesCfbEncrypt(&enc, bench_plain, bench_cipher,
                             bench_size)) != 0) {
                 printf("wc_AesCfbEncrypt failed, ret = %d\n", ret);
-                return;
+                goto out;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -4847,6 +4874,11 @@ static void bench_aescfb_internal(const byte* key,
 #ifdef MULTI_VALUE_STATISTICS
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
+
+out:
+
+    wc_AesFree(&enc);
+    return;
 }
 
 void bench_aescfb(void)
@@ -4876,7 +4908,7 @@ static void bench_aesofb_internal(const byte* key,
 
     ret = wc_AesInit(&enc, NULL, INVALID_DEVID);
     if (ret != 0) {
-        printf("AesInit failed, ret = %d\n", ret);
+        printf("AesInit failed at L%d, ret = %d\n", __LINE__, ret);
         return;
     }
 
@@ -4929,37 +4961,39 @@ void bench_aesofb(void)
 #ifdef WOLFSSL_AES_XTS
 void bench_aesxts(void)
 {
-    XtsAes aes;
+    WC_DECLARE_VAR(aes, XtsAes, 1, HEAP_HINT);
     double start;
     int    i, count, ret;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
-    static unsigned char k1[] = {
+    static const unsigned char k1[] = {
         0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35,
         0x3b, 0x2c, 0x34, 0x38, 0x76, 0x08, 0x17, 0x62,
         0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
         0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
     };
 
-    static unsigned char i1[] = {
+    static const unsigned char i1[] = {
         0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6,
         0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5
     };
 
-    ret = wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_ENCRYPTION,
+    WC_ALLOC_VAR(aes, XtsAes, 1, HEAP_HINT);
+
+    ret = wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_ENCRYPTION,
             HEAP_HINT, devId);
     if (ret != 0) {
         printf("wc_AesXtsSetKey failed, ret = %d\n", ret);
-        return;
+        goto exit;
     }
 
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < numBlocks; i++) {
-            if ((ret = wc_AesXtsEncrypt(&aes, bench_cipher, bench_plain,
+            if ((ret = wc_AesXtsEncrypt(aes, bench_cipher, bench_plain,
                             bench_size, i1, sizeof(i1))) != 0) {
                 printf("wc_AesXtsEncrypt failed, ret = %d\n", ret);
-                return;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -4974,14 +5008,14 @@ void bench_aesxts(void)
 #ifdef MULTI_VALUE_STATISTICS
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
-    wc_AesXtsFree(&aes);
+    wc_AesXtsFree(aes);
 
     /* decryption benchmark */
-    ret = wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_DECRYPTION,
+    ret = wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_DECRYPTION,
             HEAP_HINT, devId);
     if (ret != 0) {
         printf("wc_AesXtsSetKey failed, ret = %d\n", ret);
-        return;
+        goto exit;
     }
 
     RESET_MULTI_VALUE_STATS_VARS();
@@ -4989,10 +5023,10 @@ void bench_aesxts(void)
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < numBlocks; i++) {
-            if ((ret = wc_AesXtsDecrypt(&aes, bench_plain, bench_cipher,
+            if ((ret = wc_AesXtsDecrypt(aes, bench_plain, bench_cipher,
                             bench_size, i1, sizeof(i1))) != 0) {
                 printf("wc_AesXtsDecrypt failed, ret = %d\n", ret);
-                return;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -5007,7 +5041,11 @@ void bench_aesxts(void)
 #ifdef MULTI_VALUE_STATISTICS
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
-    wc_AesXtsFree(&aes);
+
+exit:
+
+    wc_AesXtsFree(aes);
+    WC_FREE_VAR(aes, HEAP_HINT);
 }
 #endif /* WOLFSSL_AES_XTS */
 
@@ -5076,6 +5114,7 @@ void bench_aesctr(int useDeviceID)
 void bench_aesccm(int useDeviceID)
 {
     Aes    enc;
+    int    enc_inited = 0;
     double start;
     int    ret, i, count;
     DECLARE_MULTI_VALUE_STATS_VARS()
@@ -5083,18 +5122,15 @@ void bench_aesccm(int useDeviceID)
     WC_DECLARE_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
     WC_DECLARE_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
 
-#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
-    if (bench_additional == NULL || bench_tag == NULL) {
-        printf("bench_aesccm malloc failed\n");
-        goto exit;
-    }
-#endif
+    WC_ALLOC_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
+    WC_ALLOC_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
 
     XMEMSET(bench_tag, 0, AES_AUTH_TAG_SZ);
     XMEMSET(bench_additional, 0, AES_AUTH_ADD_SZ);
 
     if ((ret = wc_AesInit(&enc, HEAP_HINT,
-        useDeviceID ? devId : INVALID_DEVID)) != 0) {
+        useDeviceID ? devId : INVALID_DEVID)) != 0)
+    {
         printf("wc_AesInit failed, ret = %d\n", ret);
         goto exit;
     }
@@ -5103,6 +5139,7 @@ void bench_aesccm(int useDeviceID)
         printf("wc_AesCcmSetKey failed, ret = %d\n", ret);
         goto exit;
     }
+    enc_inited = 1;
 
     bench_stats_start(&count, &start);
     do {
@@ -5158,6 +5195,9 @@ void bench_aesccm(int useDeviceID)
 
   exit:
 
+    if (enc_inited)
+        wc_AesFree(&enc);
+
     WC_FREE_VAR(bench_additional, HEAP_HINT);
     WC_FREE_VAR(bench_tag, HEAP_HINT);
 }
@@ -5424,17 +5464,14 @@ void bench_sm4_gcm(void)
 
     WC_DECLARE_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
     WC_DECLARE_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
-#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
-    if (bench_additional == NULL || bench_tag == NULL) {
-        printf("bench_aesgcm_internal malloc failed\n");
-        return;
-    }
-#endif
+
+    WC_ALLOC_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
+    WC_ALLOC_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
 
     ret = wc_Sm4GcmSetKey(&sm4, bench_key, SM4_KEY_SIZE);
     if (ret != 0) {
         printf("Sm4GcmSetKey failed, ret = %d\n", ret);
-        return;
+        goto exit;
     }
 
     bench_stats_start(&count, &start);
@@ -5445,7 +5482,7 @@ void bench_sm4_gcm(void)
                 bench_additional, aesAuthAddSz);
             if (ret < 0) {
                 printf("Sm4GcmEncrypt failed: %d\n", ret);
-                return;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -5471,7 +5508,7 @@ void bench_sm4_gcm(void)
                 bench_additional, aesAuthAddSz);
             if (ret < 0) {
                 printf("Sm4GcmDecrypt failed: %d\n", ret);
-                return;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -5486,6 +5523,11 @@ void bench_sm4_gcm(void)
 #ifdef MULTI_VALUE_STATISTICS
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
+
+exit:
+
+    WC_FREE_VAR(bench_additional);
+    WC_FREE_VAR(bench_tag);
 }
 #endif
 
@@ -5500,12 +5542,8 @@ void bench_sm4_ccm()
     WC_DECLARE_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
     WC_DECLARE_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
 
-#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
-    if (bench_additional == NULL || bench_tag == NULL) {
-        printf("bench_aesccm malloc failed\n");
-        goto exit;
-    }
-#endif
+    WC_ALLOC_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
+    WC_ALLOC_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
 
     XMEMSET(bench_tag, 0, AES_AUTH_TAG_SZ);
     XMEMSET(bench_additional, 0, AES_AUTH_ADD_SZ);
@@ -5575,22 +5613,23 @@ void bench_sm4_ccm()
 void bench_des(int useDeviceID)
 {
     int    ret = 0, i, count = 0, times, pending = 0;
-    Des3   enc[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(enc, Des3, BENCH_MAX_PENDING,
+                     sizeof(Des3), HEAP_HINT);
     double start;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
-    /* clear for done cleanup */
-    XMEMSET(enc, 0, sizeof(enc));
+    WC_CALLOC_ARRAY(enc, Des3, BENCH_MAX_PENDING,
+                     sizeof(Des3), HEAP_HINT);
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        if ((ret = wc_Des3Init(&enc[i], HEAP_HINT,
+        if ((ret = wc_Des3Init(enc[i], HEAP_HINT,
                                 useDeviceID ? devId : INVALID_DEVID)) != 0) {
             printf("Des3Init failed, ret = %d\n", ret);
             goto exit;
         }
 
-        ret = wc_Des3_SetKey(&enc[i], bench_key, bench_iv, DES_ENCRYPTION);
+        ret = wc_Des3_SetKey(enc[i], bench_key, bench_iv, DES_ENCRYPTION);
         if (ret != 0) {
             printf("Des3_SetKey failed, ret = %d\n", ret);
             goto exit;
@@ -5604,12 +5643,12 @@ void bench_des(int useDeviceID)
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(enc[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_Des3_CbcEncrypt(&enc[i],
+                    ret = wc_Des3_CbcEncrypt(enc[i],
                                              bench_cipher,
                                              bench_plain, bench_size);
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(enc[i]),
                                             0, &times, &pending)) {
                         goto exit_3des;
                     }
@@ -5632,8 +5671,11 @@ void bench_des(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Des3Free(&enc[i]);
+    if (WC_ARRAY_OK(enc)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Des3Free(enc[i]);
+        }
+        WC_FREE_ARRAY(enc, BENCH_MAX_PENDING, HEAP_HINT);
     }
 }
 #endif /* !NO_DES3 */
@@ -5643,22 +5685,23 @@ void bench_des(int useDeviceID)
 void bench_arc4(int useDeviceID)
 {
     int    ret = 0, i, count = 0, times, pending = 0;
-    Arc4   enc[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(enc, Arc4, BENCH_MAX_PENDING,
+                     sizeof(Arc4), HEAP_HINT);
     double start;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
-    /* clear for done cleanup */
-    XMEMSET(enc, 0, sizeof(enc));
+    WC_CALLOC_ARRAY(enc, Arc4, BENCH_MAX_PENDING,
+                     sizeof(Arc4), HEAP_HINT);
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        if ((ret = wc_Arc4Init(&enc[i], HEAP_HINT,
+        if ((ret = wc_Arc4Init(enc[i], HEAP_HINT,
                             useDeviceID ? devId : INVALID_DEVID)) != 0) {
             printf("Arc4Init failed, ret = %d\n", ret);
             goto exit;
         }
 
-        ret = wc_Arc4SetKey(&enc[i], bench_key, 16);
+        ret = wc_Arc4SetKey(enc[i], bench_key, 16);
         if (ret != 0) {
             printf("Arc4SetKey failed, ret = %d\n", ret);
             goto exit;
@@ -5672,11 +5715,11 @@ void bench_arc4(int useDeviceID)
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(enc[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_Arc4Process(&enc[i], bench_cipher, bench_plain,
+                    ret = wc_Arc4Process(enc[i], bench_cipher, bench_plain,
                                          bench_size);
-                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]),
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(enc[i]),
                                             0, &times, &pending)) {
                         goto exit_arc4;
                     }
@@ -5699,8 +5742,11 @@ void bench_arc4(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Arc4Free(&enc[i]);
+    if (WC_ARRAY_OK(enc)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Arc4Free(enc[i]);
+        }
+        WC_FREE_ARRAY(enc, BENCH_MAX_PENDING, HEAP_HINT);
     }
 }
 #endif /* !NO_RC4 */
@@ -5777,30 +5823,30 @@ void bench_chacha20_poly1305_aead(void)
 #ifndef NO_MD5
 void bench_md5(int useDeviceID)
 {
-    wc_Md5 hash[BENCH_MAX_PENDING];
-    double start;
+    WC_DECLARE_ARRAY(hash, wc_Md5, BENCH_MAX_PENDING,
+                     sizeof(wc_Md5), HEAP_HINT);
+    double start = 0;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
-
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_MD5_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_MD5_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Md5, BENCH_MAX_PENDING,
+                     sizeof(wc_Md5), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_MD5_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitMd5_ex(&hash[i], HEAP_HINT,
+            ret = wc_InitMd5_ex(hash[i], HEAP_HINT,
                         useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitMd5_ex failed, ret = %d\n", ret);
                 goto exit;
             }
         #ifdef WOLFSSL_PIC32MZ_HASH
-            wc_Md5SizeSet(&hash[i], numBlocks * bench_size);
+            wc_Md5SizeSet(hash[i], numBlocks * bench_size);
         #endif
         }
 
@@ -5811,12 +5857,12 @@ void bench_md5(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Md5Update(&hash[i], bench_plain,
+                        ret = wc_Md5Update(hash[i], bench_plain,
                                            bench_size);
                         if (!bench_async_handle(&ret,
-                                                BENCH_ASYNC_GET_DEV(&hash[i]),
+                                                BENCH_ASYNC_GET_DEV(hash[i]),
                                                 0, &times, &pending)) {
                             goto exit_md5;
                         }
@@ -5831,11 +5877,11 @@ void bench_md5(int useDeviceID)
                 bench_async_poll(&pending);
 
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Md5Final(&hash[i], digest[i]);
+                        ret = wc_Md5Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_md5;
                         }
@@ -5852,11 +5898,11 @@ void bench_md5(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitMd5_ex(hash, HEAP_HINT, INVALID_DEVID);
+                ret = wc_InitMd5_ex(hash[0], HEAP_HINT, INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Md5Update(hash, bench_plain, bench_size);
+                    ret = wc_Md5Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Md5Final(hash, digest[0]);
+                    ret = wc_Md5Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_md5;
                 RECORD_MULTI_VALUE_STATS();
@@ -5877,11 +5923,14 @@ void bench_md5(int useDeviceID)
 exit:
 
 #ifdef WOLFSSL_ASYNC_CRYPT
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Md5Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Md5Free(hash[i]);
+        }
     }
 #endif
 
+    WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* !NO_MD5 */
@@ -5890,29 +5939,30 @@ void bench_md5(int useDeviceID)
 #ifndef NO_SHA
 void bench_sha(int useDeviceID)
 {
-    wc_Sha hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha_ex(&hash[i], HEAP_HINT,
+            ret = wc_InitSha_ex(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha failed, ret = %d\n", ret);
                 goto exit;
             }
         #ifdef WOLFSSL_PIC32MZ_HASH
-            wc_ShaSizeSet(&hash[i], numBlocks * bench_size);
+            wc_ShaSizeSet(hash[i], numBlocks * bench_size);
         #endif
         }
 
@@ -5923,12 +5973,12 @@ void bench_sha(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_ShaUpdate(&hash[i], bench_plain,
+                        ret = wc_ShaUpdate(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha;
                         }
@@ -5943,11 +5993,11 @@ void bench_sha(int useDeviceID)
                 bench_async_poll(&pending);
 
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_ShaFinal(&hash[i], digest[i]);
+                        ret = wc_ShaFinal(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha;
                         }
@@ -5964,12 +6014,12 @@ void bench_sha(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha_ex(hash, HEAP_HINT,
+                ret = wc_InitSha_ex(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_ShaUpdate(hash, bench_plain, bench_size);
+                    ret = wc_ShaUpdate(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_ShaFinal(hash, digest[0]);
+                    ret = wc_ShaFinal(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha;
                 RECORD_MULTI_VALUE_STATS();
@@ -5989,10 +6039,12 @@ void bench_sha(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_ShaFree(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_ShaFree(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* NO_SHA */
@@ -6001,22 +6053,23 @@ void bench_sha(int useDeviceID)
 #ifdef WOLFSSL_SHA224
 void bench_sha224(int useDeviceID)
 {
-    wc_Sha224 hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha224, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha224), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA224_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA224_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha224, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha224), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA224_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha224_ex(&hash[i], HEAP_HINT,
+            ret = wc_InitSha224_ex(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha224_ex failed, ret = %d\n", ret);
@@ -6031,12 +6084,12 @@ void bench_sha224(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha224Update(&hash[i], bench_plain,
+                        ret = wc_Sha224Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha224;
                         }
@@ -6050,11 +6103,11 @@ void bench_sha224(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha224Final(&hash[i], digest[i]);
+                        ret = wc_Sha224Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha224;
                         }
@@ -6071,12 +6124,12 @@ void bench_sha224(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha224_ex(hash, HEAP_HINT,
+                ret = wc_InitSha224_ex(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha224Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha224Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha224Final(hash, digest[0]);
+                    ret = wc_Sha224Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha224;
             } /* for times */
@@ -6096,10 +6149,12 @@ void bench_sha224(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha224Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha224Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif
@@ -6108,29 +6163,30 @@ void bench_sha224(int useDeviceID)
 #ifndef NO_SHA256
 void bench_sha256(int useDeviceID)
 {
-    wc_Sha256 hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha256, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha256), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA256_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA256_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha256, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha256), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA256_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha256_ex(&hash[i], HEAP_HINT,
+            ret = wc_InitSha256_ex(hash[i], HEAP_HINT,
                 useDeviceID ? devId: INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha256_ex failed, ret = %d\n", ret);
                 goto exit;
             }
         #ifdef WOLFSSL_PIC32MZ_HASH
-            wc_Sha256SizeSet(&hash[i], numBlocks * bench_size);
+            wc_Sha256SizeSet(hash[i], numBlocks * bench_size);
         #endif
         }
 
@@ -6141,12 +6197,12 @@ void bench_sha256(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha256Update(&hash[i], bench_plain,
+                        ret = wc_Sha256Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha256;
                         }
@@ -6160,11 +6216,11 @@ void bench_sha256(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha256Final(&hash[i], digest[i]);
+                        ret = wc_Sha256Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha256;
                         }
@@ -6181,12 +6237,12 @@ void bench_sha256(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha256_ex(hash, HEAP_HINT,
+                ret = wc_InitSha256_ex(hash[0], HEAP_HINT,
                     useDeviceID ? devId: INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha256Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha256Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha256Final(hash, digest[0]);
+                    ret = wc_Sha256Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha256;
                 RECORD_MULTI_VALUE_STATS();
@@ -6205,10 +6261,12 @@ void bench_sha256(int useDeviceID)
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
 exit:
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha256Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha256Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif
@@ -6216,22 +6274,23 @@ void bench_sha256(int useDeviceID)
 #ifdef WOLFSSL_SHA384
 void bench_sha384(int useDeviceID)
 {
-    wc_Sha384 hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha384, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha384), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA384_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA384_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha384, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha384), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA384_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha384_ex(&hash[i], HEAP_HINT,
+            ret = wc_InitSha384_ex(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha384_ex failed, ret = %d\n", ret);
@@ -6246,12 +6305,12 @@ void bench_sha384(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha384Update(&hash[i], bench_plain,
+                        ret = wc_Sha384Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha384;
                         }
@@ -6265,11 +6324,11 @@ void bench_sha384(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha384Final(&hash[i], digest[i]);
+                        ret = wc_Sha384Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha384;
                         }
@@ -6286,12 +6345,12 @@ void bench_sha384(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha384_ex(hash, HEAP_HINT,
+                ret = wc_InitSha384_ex(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha384Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha384Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha384Final(hash, digest[0]);
+                    ret = wc_Sha384Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha384;
                 RECORD_MULTI_VALUE_STATS();
@@ -6312,10 +6371,12 @@ void bench_sha384(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha384Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha384Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif
@@ -6323,22 +6384,23 @@ void bench_sha384(int useDeviceID)
 #ifdef WOLFSSL_SHA512
 void bench_sha512(int useDeviceID)
 {
-    wc_Sha512 hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha512, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha512), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA512_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA512_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha512, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha512), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA512_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha512_ex(&hash[i], HEAP_HINT,
+            ret = wc_InitSha512_ex(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha512_ex failed, ret = %d\n", ret);
@@ -6353,12 +6415,12 @@ void bench_sha512(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha512Update(&hash[i], bench_plain,
+                        ret = wc_Sha512Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha512;
                         }
@@ -6372,11 +6434,11 @@ void bench_sha512(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha512Final(&hash[i], digest[i]);
+                        ret = wc_Sha512Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha512;
                         }
@@ -6393,12 +6455,12 @@ void bench_sha512(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha512_ex(hash, HEAP_HINT,
+                ret = wc_InitSha512_ex(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha512Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha512Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha512Final(hash, digest[0]);
+                    ret = wc_Sha512Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha512;
                 RECORD_MULTI_VALUE_STATS();
@@ -6419,10 +6481,12 @@ void bench_sha512(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha512Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha512Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 
@@ -6430,22 +6494,23 @@ void bench_sha512(int useDeviceID)
    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
 void bench_sha512_224(int useDeviceID)
 {
-    wc_Sha512_224 hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha512_224, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha512_224), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
-   WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
+    WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA512_224_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA512_224_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha512_224, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha512_224), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA512_224_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha512_224_ex(&hash[i], HEAP_HINT,
+            ret = wc_InitSha512_224_ex(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha512_224_ex failed, ret = %d\n", ret);
@@ -6460,12 +6525,12 @@ void bench_sha512_224(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha512_224Update(&hash[i], bench_plain,
+                        ret = wc_Sha512_224Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha512_224;
                         }
@@ -6479,11 +6544,11 @@ void bench_sha512_224(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha512_224Final(&hash[i], digest[i]);
+                        ret = wc_Sha512_224Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha512_224;
                         }
@@ -6500,12 +6565,12 @@ void bench_sha512_224(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha512_224_ex(hash, HEAP_HINT,
+                ret = wc_InitSha512_224_ex(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha512_224Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha512_224Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha512_224Final(hash, digest[0]);
+                    ret = wc_Sha512_224Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha512_224;
                 RECORD_MULTI_VALUE_STATS();
@@ -6526,10 +6591,12 @@ void bench_sha512_224(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha512_224Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha512_224Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* WOLFSSL_NOSHA512_224 && !FIPS ... */
@@ -6538,22 +6605,23 @@ void bench_sha512_224(int useDeviceID)
    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
 void bench_sha512_256(int useDeviceID)
 {
-    wc_Sha512_256 hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha512_256, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha512_256), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA512_256_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA512_256_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha512_256, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha512_256), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA512_256_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha512_256_ex(&hash[i], HEAP_HINT,
+            ret = wc_InitSha512_256_ex(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha512_256_ex failed, ret = %d\n", ret);
@@ -6568,12 +6636,12 @@ void bench_sha512_256(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha512_256Update(&hash[i], bench_plain,
+                        ret = wc_Sha512_256Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha512_256;
                         }
@@ -6587,11 +6655,11 @@ void bench_sha512_256(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha512_256Final(&hash[i], digest[i]);
+                        ret = wc_Sha512_256Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha512_256;
                         }
@@ -6608,12 +6676,12 @@ void bench_sha512_256(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha512_256_ex(hash, HEAP_HINT,
+                ret = wc_InitSha512_256_ex(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha512_256Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha512_256Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha512_256Final(hash, digest[0]);
+                    ret = wc_Sha512_256Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha512_256;
                 RECORD_MULTI_VALUE_STATS();
@@ -6634,10 +6702,12 @@ void bench_sha512_256(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha512_256Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha512_256Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* WOLFSSL_NOSHA512_256 && !FIPS ... */
@@ -6649,22 +6719,23 @@ void bench_sha512_256(int useDeviceID)
 #ifndef WOLFSSL_NOSHA3_224
 void bench_sha3_224(int useDeviceID)
 {
-    wc_Sha3   hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha3), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA3_224_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA3_224_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha3), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA3_224_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha3_224(&hash[i], HEAP_HINT,
+            ret = wc_InitSha3_224(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha3_224 failed, ret = %d\n", ret);
@@ -6679,12 +6750,12 @@ void bench_sha3_224(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha3_224_Update(&hash[i], bench_plain,
+                        ret = wc_Sha3_224_Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha3_224;
                         }
@@ -6698,11 +6769,11 @@ void bench_sha3_224(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha3_224_Final(&hash[i], digest[i]);
+                        ret = wc_Sha3_224_Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha3_224;
                         }
@@ -6719,12 +6790,12 @@ void bench_sha3_224(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha3_224(hash, HEAP_HINT,
+                ret = wc_InitSha3_224(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha3_224_Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha3_224_Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha3_224_Final(hash, digest[0]);
+                    ret = wc_Sha3_224_Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha3_224;
                 RECORD_MULTI_VALUE_STATS();
@@ -6745,10 +6816,12 @@ void bench_sha3_224(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha3_224_Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha3_224_Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* WOLFSSL_NOSHA3_224 */
@@ -6756,22 +6829,23 @@ void bench_sha3_224(int useDeviceID)
 #ifndef WOLFSSL_NOSHA3_256
 void bench_sha3_256(int useDeviceID)
 {
-    wc_Sha3   hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha3), HEAP_HINT);
     double start;
     DECLARE_MULTI_VALUE_STATS_VARS()
     int    ret = 0, i, count = 0, times, pending = 0;
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA3_256_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA3_256_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha3), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA3_256_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha3_256(&hash[i], HEAP_HINT,
+            ret = wc_InitSha3_256(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha3_256 failed, ret = %d\n", ret);
@@ -6786,12 +6860,12 @@ void bench_sha3_256(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha3_256_Update(&hash[i], bench_plain,
+                        ret = wc_Sha3_256_Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha3_256;
                         }
@@ -6805,11 +6879,11 @@ void bench_sha3_256(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha3_256_Final(&hash[i], digest[i]);
+                        ret = wc_Sha3_256_Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha3_256;
                         }
@@ -6826,12 +6900,12 @@ void bench_sha3_256(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha3_256(hash, HEAP_HINT,
+                ret = wc_InitSha3_256(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha3_256_Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha3_256_Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha3_256_Final(hash, digest[0]);
+                    ret = wc_Sha3_256_Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha3_256;
                 RECORD_MULTI_VALUE_STATS();
@@ -6852,10 +6926,12 @@ void bench_sha3_256(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha3_256_Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha3_256_Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* WOLFSSL_NOSHA3_256 */
@@ -6863,22 +6939,23 @@ void bench_sha3_256(int useDeviceID)
 #ifndef WOLFSSL_NOSHA3_384
 void bench_sha3_384(int useDeviceID)
 {
-    wc_Sha3   hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha3), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA3_384_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA3_384_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha3), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA3_384_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha3_384(&hash[i], HEAP_HINT,
+            ret = wc_InitSha3_384(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha3_384 failed, ret = %d\n", ret);
@@ -6893,12 +6970,12 @@ void bench_sha3_384(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha3_384_Update(&hash[i], bench_plain,
+                        ret = wc_Sha3_384_Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha3_384;
                         }
@@ -6912,11 +6989,11 @@ void bench_sha3_384(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha3_384_Final(&hash[i], digest[i]);
+                        ret = wc_Sha3_384_Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha3_384;
                         }
@@ -6933,12 +7010,12 @@ void bench_sha3_384(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha3_384(hash, HEAP_HINT,
+                ret = wc_InitSha3_384(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha3_384_Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha3_384_Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha3_384_Final(hash, digest[0]);
+                    ret = wc_Sha3_384_Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha3_384;
                 RECORD_MULTI_VALUE_STATS();
@@ -6959,10 +7036,12 @@ void bench_sha3_384(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha3_384_Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha3_384_Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* WOLFSSL_NOSHA3_384 */
@@ -6970,22 +7049,23 @@ void bench_sha3_384(int useDeviceID)
 #ifndef WOLFSSL_NOSHA3_512
 void bench_sha3_512(int useDeviceID)
 {
-    wc_Sha3   hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sha3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha3), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA3_512_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA3_512_DIGEST_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sha3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sha3), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA3_512_DIGEST_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSha3_512(&hash[i], HEAP_HINT,
+            ret = wc_InitSha3_512(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSha3_512 failed, ret = %d\n", ret);
@@ -7000,12 +7080,12 @@ void bench_sha3_512(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha3_512_Update(&hash[i], bench_plain,
+                        ret = wc_Sha3_512_Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha3_512;
                         }
@@ -7019,11 +7099,11 @@ void bench_sha3_512(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Sha3_512_Final(&hash[i], digest[i]);
+                        ret = wc_Sha3_512_Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_sha3_512;
                         }
@@ -7040,12 +7120,12 @@ void bench_sha3_512(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitSha3_512(hash, HEAP_HINT,
+                ret = wc_InitSha3_512(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Sha3_512_Update(hash, bench_plain, bench_size);
+                    ret = wc_Sha3_512_Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Sha3_512_Final(hash, digest[0]);
+                    ret = wc_Sha3_512_Final(hash[0], digest[0]);
                 if (ret != 0)
                     goto exit_sha3_512;
                 RECORD_MULTI_VALUE_STATS();
@@ -7066,10 +7146,12 @@ void bench_sha3_512(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sha3_512_Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sha3_512_Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* WOLFSSL_NOSHA3_512 */
@@ -7077,22 +7159,23 @@ void bench_sha3_512(int useDeviceID)
 #ifdef WOLFSSL_SHAKE128
 void bench_shake128(int useDeviceID)
 {
-    wc_Shake hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Shake, BENCH_MAX_PENDING,
+                     sizeof(wc_Shake), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA3_128_BLOCK_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA3_128_BLOCK_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Shake, BENCH_MAX_PENDING,
+                     sizeof(wc_Shake), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA3_128_BLOCK_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitShake128(&hash[i], HEAP_HINT,
+            ret = wc_InitShake128(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitShake128 failed, ret = %d\n", ret);
@@ -7107,12 +7190,12 @@ void bench_shake128(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Shake128_Update(&hash[i], bench_plain,
+                        ret = wc_Shake128_Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_shake128;
                         }
@@ -7126,12 +7209,12 @@ void bench_shake128(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Shake128_Final(&hash[i], digest[i],
+                        ret = wc_Shake128_Final(hash[i], digest[i],
                             WC_SHA3_128_BLOCK_SIZE);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_shake128;
                         }
@@ -7148,12 +7231,12 @@ void bench_shake128(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitShake128(hash, HEAP_HINT,
+                ret = wc_InitShake128(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Shake128_Update(hash, bench_plain, bench_size);
+                    ret = wc_Shake128_Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Shake128_Final(hash, digest[0],
+                    ret = wc_Shake128_Final(hash[0], digest[0],
                         WC_SHA3_128_BLOCK_SIZE);
                 if (ret != 0)
                     goto exit_shake128;
@@ -7175,10 +7258,12 @@ void bench_shake128(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Shake128_Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Shake128_Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* WOLFSSL_SHAKE128 */
@@ -7186,22 +7271,23 @@ void bench_shake128(int useDeviceID)
 #ifdef WOLFSSL_SHAKE256
 void bench_shake256(int useDeviceID)
 {
-    wc_Shake hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Shake, BENCH_MAX_PENDING,
+                     sizeof(wc_Shake), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_SHA3_256_BLOCK_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
-                  WC_SHA3_256_BLOCK_SIZE, HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Shake, BENCH_MAX_PENDING,
+                     sizeof(wc_Shake), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
+                  WC_SHA3_256_BLOCK_SIZE, HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitShake256(&hash[i], HEAP_HINT,
+            ret = wc_InitShake256(hash[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
             if (ret != 0) {
                 printf("InitShake256 failed, ret = %d\n", ret);
@@ -7216,12 +7302,12 @@ void bench_shake256(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Shake256_Update(&hash[i], bench_plain,
+                        ret = wc_Shake256_Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_shake256;
                         }
@@ -7235,12 +7321,12 @@ void bench_shake256(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                           0, &times, numBlocks, &pending)) {
-                        ret = wc_Shake256_Final(&hash[i], digest[i],
+                        ret = wc_Shake256_Final(hash[i], digest[i],
                             WC_SHA3_256_BLOCK_SIZE);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0,
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0,
                                                 &times, &pending)) {
                             goto exit_shake256;
                         }
@@ -7257,12 +7343,12 @@ void bench_shake256(int useDeviceID)
         bench_stats_start(&count, &start);
         do {
             for (times = 0; times < numBlocks; times++) {
-                ret = wc_InitShake256(hash, HEAP_HINT,
+                ret = wc_InitShake256(hash[0], HEAP_HINT,
                     useDeviceID ? devId : INVALID_DEVID);
                 if (ret == 0)
-                    ret = wc_Shake256_Update(hash, bench_plain, bench_size);
+                    ret = wc_Shake256_Update(hash[0], bench_plain, bench_size);
                 if (ret == 0)
-                    ret = wc_Shake256_Final(hash, digest[0],
+                    ret = wc_Shake256_Final(hash[0], digest[0],
                         WC_SHA3_256_BLOCK_SIZE);
                 if (ret != 0)
                     goto exit_shake256;
@@ -7284,10 +7370,12 @@ void bench_shake256(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Shake256_Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Shake256_Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* WOLFSSL_SHAKE256 */
@@ -7296,22 +7384,23 @@ void bench_shake256(int useDeviceID)
 #ifdef WOLFSSL_SM3
 void bench_sm3(int useDeviceID)
 {
-    wc_Sm3 hash[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hash, wc_Sm3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sm3), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SM3_DIGEST_SIZE,
         HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SM3_DIGEST_SIZE,
-        HEAP_HINT);
 
-    /* clear for done cleanup */
-    XMEMSET(hash, 0, sizeof(hash));
+    WC_CALLOC_ARRAY(hash, wc_Sm3, BENCH_MAX_PENDING,
+                     sizeof(wc_Sm3), HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SM3_DIGEST_SIZE,
+        HEAP_HINT);
 
     if (digest_stream) {
         /* init keys */
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            ret = wc_InitSm3(&hash[i], HEAP_HINT,
+            ret = wc_InitSm3(hash[i], HEAP_HINT,
                 useDeviceID ? devId: INVALID_DEVID);
             if (ret != 0) {
                 printf("InitSm3 failed, ret = %d\n", ret);
@@ -7326,12 +7415,12 @@ void bench_sm3(int useDeviceID)
 
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                               0, &times, numBlocks, &pending)) {
-                        ret = wc_Sm3Update(&hash[i], bench_plain,
+                        ret = wc_Sm3Update(hash[i], bench_plain,
                             bench_size);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0, &times, &pending)) {
                             goto exit_sm3;
                         }
                     }
@@ -7344,11 +7433,11 @@ void bench_sm3(int useDeviceID)
             do {
                 bench_async_poll(&pending);
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]),
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(hash[i]),
                                               0, &times, numBlocks, &pending)) {
-                        ret = wc_Sm3Final(&hash[i], digest[i]);
+                        ret = wc_Sm3Final(hash[i], digest[i]);
                         if (!bench_async_handle(&ret,
-                            BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            BENCH_ASYNC_GET_DEV(hash[i]), 0, &times, &pending)) {
                             goto exit_sm3;
                         }
                     }
@@ -7389,10 +7478,12 @@ void bench_sm3(int useDeviceID)
 
 exit:
 
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_Sm3Free(&hash[i]);
+    if (WC_ARRAY_OK(hash)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_Sm3Free(hash[i]);
+        }
+        WC_FREE_ARRAY(hash, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif
@@ -7751,14 +7842,15 @@ void bench_scrypt(void)
 static void bench_hmac(int useDeviceID, int type, int digestSz,
                        const byte* key, word32 keySz, const char* label)
 {
-    Hmac   hmac[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(hmac, Hmac, BENCH_MAX_PENDING,
+                     sizeof(Hmac), HEAP_HINT);
     double start;
     int    ret = 0, i, count = 0, times, pending = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
 #ifdef WOLFSSL_ASYNC_CRYPT
     WC_DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING,
                      WC_MAX_DIGEST_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING,
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING,
                   WC_MAX_DIGEST_SIZE, HEAP_HINT);
 #else
     byte digest[BENCH_MAX_PENDING][WC_MAX_DIGEST_SIZE];
@@ -7766,19 +7858,19 @@ static void bench_hmac(int useDeviceID, int type, int digestSz,
 
     (void)digestSz;
 
-    /* clear for done cleanup */
-    XMEMSET(hmac, 0, sizeof(hmac));
+    WC_CALLOC_ARRAY(hmac, Hmac, BENCH_MAX_PENDING,
+                     sizeof(Hmac), HEAP_HINT);
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        ret = wc_HmacInit(&hmac[i], HEAP_HINT,
+        ret = wc_HmacInit(hmac[i], HEAP_HINT,
                 useDeviceID ? devId : INVALID_DEVID);
         if (ret != 0) {
             printf("wc_HmacInit failed for %s, ret = %d\n", label, ret);
             goto exit;
         }
 
-        ret = wc_HmacSetKey(&hmac[i], type, key, keySz);
+        ret = wc_HmacSetKey(hmac[i], type, key, keySz);
         if (ret != 0) {
             printf("wc_HmacSetKey failed for %s, ret = %d\n", label, ret);
             goto exit;
@@ -7793,11 +7885,11 @@ static void bench_hmac(int useDeviceID, int type, int digestSz,
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
                 if (bench_async_check(&ret,
-                                      BENCH_ASYNC_GET_DEV(&hmac[i]), 0,
+                                      BENCH_ASYNC_GET_DEV(hmac[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_HmacUpdate(&hmac[i], bench_plain, bench_size);
+                    ret = wc_HmacUpdate(hmac[i], bench_plain, bench_size);
                     if (!bench_async_handle(&ret,
-                                            BENCH_ASYNC_GET_DEV(&hmac[i]),
+                                            BENCH_ASYNC_GET_DEV(hmac[i]),
                                             0, &times, &pending)) {
                         goto exit_hmac;
                     }
@@ -7812,11 +7904,11 @@ static void bench_hmac(int useDeviceID, int type, int digestSz,
 
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
                 if (bench_async_check(&ret,
-                                      BENCH_ASYNC_GET_DEV(&hmac[i]), 0,
+                                      BENCH_ASYNC_GET_DEV(hmac[i]), 0,
                                       &times, numBlocks, &pending)) {
-                    ret = wc_HmacFinal(&hmac[i], digest[i]);
+                    ret = wc_HmacFinal(hmac[i], digest[i]);
                     if (!bench_async_handle(&ret,
-                                            BENCH_ASYNC_GET_DEV(&hmac[i]),
+                                            BENCH_ASYNC_GET_DEV(hmac[i]),
                                             0, &times, &pending)) {
                         goto exit_hmac;
                     }
@@ -7839,9 +7931,10 @@ static void bench_hmac(int useDeviceID, int type, int digestSz,
 exit:
 
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_HmacFree(&hmac[i]);
+        wc_HmacFree(hmac[i]);
     }
 
+    WC_FREE_ARRAY(hmac, BENCH_MAX_PENDING, HEAP_HINT);
 #ifdef WOLFSSL_ASYNC_CRYPT
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 #endif
@@ -8141,28 +8234,16 @@ void bench_srtpkdf(void)
 #if defined(WOLFSSL_KEY_GEN)
 static void bench_rsaKeyGen_helper(int useDeviceID, word32 keySz)
 {
-#ifdef WOLFSSL_SMALL_STACK
-    RsaKey *genKey;
-#else
-    RsaKey genKey[BENCH_MAX_PENDING];
-#endif
-    double start;
+    WC_DECLARE_ARRAY(genKey, RsaKey, BENCH_MAX_PENDING,
+                     sizeof(RsaKey), HEAP_HINT);
+    double start = 0;
     int    ret = 0, i, count = 0, times, pending = 0;
     const long rsa_e_val = WC_RSA_EXPONENT;
     const char**desc = bench_desc_words[lng_index];
     DECLARE_MULTI_VALUE_STATS_VARS()
 
-#ifdef WOLFSSL_SMALL_STACK
-    genKey = (RsaKey *)XMALLOC(sizeof(*genKey) * BENCH_MAX_PENDING,
-                               HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (genKey == NULL) {
-        printf("bench_rsaKeyGen_helper malloc failed\n");
-        return;
-    }
-#endif
-
-    /* clear for done cleanup */
-    XMEMSET(genKey, 0, sizeof(*genKey) * BENCH_MAX_PENDING);
+    WC_CALLOC_ARRAY(genKey, RsaKey, BENCH_MAX_PENDING,
+                     sizeof(RsaKey), HEAP_HINT);
 
     bench_stats_start(&count, &start);
     do {
@@ -8171,19 +8252,18 @@ static void bench_rsaKeyGen_helper(int useDeviceID, word32 keySz)
             bench_async_poll(&pending);
 
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]),
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(genKey[i]),
                                       0, &times, genTimes, &pending)) {
-
-                    wc_FreeRsaKey(&genKey[i]);
-                    ret = wc_InitRsaKey_ex(&genKey[i], HEAP_HINT, devId);
+                    wc_FreeRsaKey(genKey[i]);
+                    ret = wc_InitRsaKey_ex(genKey[i], HEAP_HINT, devId);
                     if (ret < 0) {
                         goto exit;
                     }
 
-                    ret = wc_MakeRsaKey(&genKey[i], (int)keySz, rsa_e_val,
+                    ret = wc_MakeRsaKey(genKey[i], (int)keySz, rsa_e_val,
                                         &gRng);
                     if (!bench_async_handle(&ret,
-                        BENCH_ASYNC_GET_DEV(&genKey[i]), 0,
+                        BENCH_ASYNC_GET_DEV(genKey[i]), 0,
                                             &times, &pending)) {
                         goto exit;
                     }
@@ -8207,12 +8287,10 @@ static void bench_rsaKeyGen_helper(int useDeviceID, word32 keySz)
 
     /* cleanup */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_FreeRsaKey(&genKey[i]);
+        wc_FreeRsaKey(genKey[i]);
     }
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(genKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    WC_FREE_ARRAY(genKey, BENCH_MAX_PENDING, HEAP_HINT);
 }
 
 void bench_rsaKeyGen(int useDeviceID)
@@ -8343,7 +8421,11 @@ static const unsigned char rsa_3072_sig[] = {
 #endif
 #endif /* WOLFSSL_RSA_VERIFY_INLINE || WOLFSSL_RSA_PUBLIC_ONLY */
 
-static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
+static void bench_rsa_helper(int useDeviceID,
+                             WC_ARRAY_ARG(rsaKey,
+                                          RsaKey,
+                                          BENCH_MAX_PENDING,
+                                          sizeof(RsaKey)),
                              word32 rsaKeySz)
 {
     int         ret = 0, i, times, count = 0, pending = 0;
@@ -8358,41 +8440,38 @@ static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
 #ifndef WOLFSSL_RSA_VERIFY_ONLY
     WC_DECLARE_VAR(message, byte, TEST_STRING_SZ, HEAP_HINT);
 #endif
-    WC_DECLARE_ARRAY_DYNAMIC_DEC(enc, byte, BENCH_MAX_PENDING,
+    WC_DECLARE_HEAP_ARRAY(enc, byte, BENCH_MAX_PENDING,
                                  rsaKeySz, HEAP_HINT);
 
-    #if (  !defined(WOLFSSL_RSA_VERIFY_INLINE) \
-        && !defined(WOLFSSL_RSA_PUBLIC_ONLY)   )
-        WC_DECLARE_ARRAY_DYNAMIC_DEC(out, byte, BENCH_MAX_PENDING,
-                                     rsaKeySz, HEAP_HINT);
-    #else
-        byte* out[BENCH_MAX_PENDING];
-    #endif
+#if (!defined(WOLFSSL_RSA_VERIFY_INLINE) && \
+     !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+    WC_DECLARE_HEAP_ARRAY(out, byte, BENCH_MAX_PENDING,
+                                    rsaKeySz, HEAP_HINT);
+#else
+    byte* out[BENCH_MAX_PENDING];
+#endif
+
+    XMEMSET(out, 0, sizeof(out));
 
-    WC_DECLARE_ARRAY_DYNAMIC_EXE(enc, byte, BENCH_MAX_PENDING,
+    WC_ALLOC_HEAP_ARRAY(enc, byte, BENCH_MAX_PENDING,
                                  rsaKeySz, HEAP_HINT);
 
-    #if (  !defined(WOLFSSL_RSA_VERIFY_INLINE) \
-        && !defined(WOLFSSL_RSA_PUBLIC_ONLY)   )
-        WC_DECLARE_ARRAY_DYNAMIC_EXE(out, byte, BENCH_MAX_PENDING,
-                                     rsaKeySz, HEAP_HINT);
-        if (out[0] == NULL) {
-            ret = MEMORY_E;
-            goto exit;
-        }
-    #endif
-    if (enc[0] == NULL) {
+#if (!defined(WOLFSSL_RSA_VERIFY_INLINE) && \
+     !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+    WC_ALLOC_HEAP_ARRAY(out, byte, BENCH_MAX_PENDING,
+                                    rsaKeySz, HEAP_HINT);
+    if (out[0] == NULL) {
         ret = MEMORY_E;
         goto exit;
     }
-
-#ifndef WOLFSSL_RSA_VERIFY_ONLY
-    #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
-    if (message == NULL) {
+#endif
+    if (enc[0] == NULL) {
         ret = MEMORY_E;
         goto exit;
     }
-    #endif
+
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    WC_ALLOC_VAR(message, byte, TEST_STRING_SZ, HEAP_HINT);
     XMEMCPY(message, messageStr, len);
 #endif
 
@@ -8407,14 +8486,14 @@ static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
                     if (bench_async_check(&ret,
-                                          BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                          BENCH_ASYNC_GET_DEV(rsaKey[i]),
                                           1, &times, ntimes, &pending)) {
                         ret = wc_RsaPublicEncrypt(message, (word32)len, enc[i],
-                                                  rsaKeySz/8, &rsaKey[i],
+                                                  rsaKeySz/8, rsaKey[i],
                                                   GLOBAL_RNG);
                         if (!bench_async_handle(&ret,
                                                 BENCH_ASYNC_GET_DEV(
-                                                &rsaKey[i]), 1, &times,
+                                                rsaKey[i]), 1, &times,
                                                 &pending)) {
                             goto exit_rsa_verify;
                         }
@@ -8456,12 +8535,12 @@ static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
                     if (bench_async_check(&ret,
-                                          BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                          BENCH_ASYNC_GET_DEV(rsaKey[i]),
                                           1, &times, ntimes, &pending)) {
                         ret = wc_RsaPrivateDecrypt(enc[i], idx, out[i],
-                                                   rsaKeySz/8, &rsaKey[i]);
+                                                   rsaKeySz/8, rsaKey[i]);
                         if (!bench_async_handle(&ret,
-                                           BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                           BENCH_ASYNC_GET_DEV(rsaKey[i]),
                                                 1, &times, &pending)) {
                             goto exit_rsa_pub;
                         }
@@ -8495,12 +8574,12 @@ static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
                     if (bench_async_check(&ret,
-                                          BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                          BENCH_ASYNC_GET_DEV(rsaKey[i]),
                                           1, &times, ntimes, &pending)) {
                         ret = wc_RsaSSL_Sign(message, len, enc[i],
-                                            rsaKeySz/8, &rsaKey[i], GLOBAL_RNG);
+                                            rsaKeySz/8, rsaKey[i], GLOBAL_RNG);
                         if (!bench_async_handle(&ret,
-                                           BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                           BENCH_ASYNC_GET_DEV(rsaKey[i]),
                                            1, &times, &pending)) {
                             goto exit_rsa_sign;
                         }
@@ -8541,18 +8620,18 @@ static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
                 /* while free pending slots in queue, submit ops */
                 for (i = 0; i < BENCH_MAX_PENDING; i++) {
                     if (bench_async_check(&ret,
-                                          BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                          BENCH_ASYNC_GET_DEV(rsaKey[i]),
                                           1, &times, ntimes, &pending)) {
                     #if !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
                         !defined(WOLFSSL_RSA_PUBLIC_ONLY)
                         ret = wc_RsaSSL_Verify(enc[i], idx, out[i],
-                                                      rsaKeySz/8, &rsaKey[i]);
+                                                      rsaKeySz/8, rsaKey[i]);
                     #elif defined(USE_CERT_BUFFERS_2048)
                         XMEMCPY(enc[i], rsa_2048_sig, sizeof(rsa_2048_sig));
                         idx = sizeof(rsa_2048_sig);
                         out[i] = NULL;
                         ret = wc_RsaSSL_VerifyInline(enc[i], idx,
-                                                     &out[i], &rsaKey[i]);
+                                                     &out[i], rsaKey[i]);
                         if (ret > 0) {
                             ret = 0;
                         }
@@ -8562,12 +8641,12 @@ static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
                         idx = sizeof(rsa_3072_sig);
                         out[i] = NULL;
                         ret = wc_RsaSSL_VerifyInline(enc[i], idx,
-                                                     &out[i], &rsaKey[i]);
+                                                     &out[i], rsaKey[i]);
                         if (ret > 0)
                             ret = 0;
                     #endif
                         if (!bench_async_handle(&ret,
-                                              BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                              BENCH_ASYNC_GET_DEV(rsaKey[i]),
                                               1, &times, &pending)) {
                             goto exit_rsa_verifyinline;
                         }
@@ -8592,9 +8671,9 @@ static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
 
 exit:
 
-    WC_FREE_ARRAY_DYNAMIC(enc, BENCH_MAX_PENDING, HEAP_HINT);
+    WC_FREE_HEAP_ARRAY(enc, BENCH_MAX_PENDING, HEAP_HINT);
 #if !defined(WOLFSSL_RSA_VERIFY_INLINE) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
-    WC_FREE_ARRAY_DYNAMIC(out, BENCH_MAX_PENDING, HEAP_HINT);
+    WC_FREE_HEAP_ARRAY(out, BENCH_MAX_PENDING, HEAP_HINT);
 #endif
 #ifndef WOLFSSL_RSA_VERIFY_ONLY
     WC_FREE_VAR(message, HEAP_HINT);
@@ -8604,11 +8683,8 @@ static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
 void bench_rsa(int useDeviceID)
 {
     int         i;
-#ifdef WOLFSSL_SMALL_STACK
-    RsaKey      *rsaKey;
-#else
-    RsaKey      rsaKey[BENCH_MAX_PENDING];
-#endif
+    WC_DECLARE_ARRAY(rsaKey, RsaKey, BENCH_MAX_PENDING,
+                     sizeof(RsaKey), HEAP_HINT);
     int         ret = 0;
     word32      rsaKeySz = 0;
     const byte* tmp;
@@ -8617,14 +8693,8 @@ void bench_rsa(int useDeviceID)
     word32      idx;
 #endif
 
-#ifdef WOLFSSL_SMALL_STACK
-    rsaKey = (RsaKey *)XMALLOC(sizeof(*rsaKey) * BENCH_MAX_PENDING,
-                               HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (rsaKey == NULL) {
-        printf("bench_rsa malloc failed\n");
-        return;
-    }
-#endif
+    WC_CALLOC_ARRAY(rsaKey, RsaKey, BENCH_MAX_PENDING,
+                     sizeof(RsaKey), HEAP_HINT);
 
 #ifdef USE_CERT_BUFFERS_1024
     tmp = rsa_key_der_1024;
@@ -8646,23 +8716,20 @@ void bench_rsa(int useDeviceID)
     #error "need a cert buffer size"
 #endif /* USE_CERT_BUFFERS */
 
-    /* clear for done cleanup */
-    XMEMSET(rsaKey, 0, sizeof(*rsaKey) * BENCH_MAX_PENDING);
-
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
         /* setup an async context for each key */
-        ret = wc_InitRsaKey_ex(&rsaKey[i], HEAP_HINT,
+        ret = wc_InitRsaKey_ex(rsaKey[i], HEAP_HINT,
             useDeviceID ? devId : INVALID_DEVID);
         if (ret < 0) {
-            goto exit_bench_rsa;
+            goto exit;
         }
 
 #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
     #ifdef WC_RSA_BLINDING
-        ret = wc_RsaSetRNG(&rsaKey[i], &gRng);
+        ret = wc_RsaSetRNG(rsaKey[i], &gRng);
         if (ret != 0)
-            goto exit_bench_rsa;
+            goto exit;
     #endif
 #endif
 
@@ -8670,9 +8737,9 @@ void bench_rsa(int useDeviceID)
         /* decode the private key */
         idx = 0;
         if ((ret = wc_RsaPrivateKeyDecode(tmp, &idx,
-                                          &rsaKey[i], (word32)bytes)) != 0) {
+                                          rsaKey[i], (word32)bytes)) != 0) {
             printf("wc_RsaPrivateKeyDecode failed! %d\n", ret);
-            goto exit_bench_rsa;
+            goto exit;
         }
 #elif defined(WOLFSSL_PUBLIC_MP)
         /* get offset to public portion of the RSA key */
@@ -8681,15 +8748,15 @@ void bench_rsa(int useDeviceID)
     #elif defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_3072)
         bytes = 12;
     #endif
-        ret = mp_read_unsigned_bin(&rsaKey[i].n, &tmp[bytes], rsaKeySz/8);
+        ret = mp_read_unsigned_bin(rsaKey[i].n, &tmp[bytes], rsaKeySz/8);
         if (ret != 0) {
             printf("wc_RsaPrivateKeyDecode failed! %d\n", ret);
-            goto exit_bench_rsa;
+            goto exit;
         }
-        ret = mp_set_int(&rsaKey[i].e, WC_RSA_EXPONENT);
+        ret = mp_set_int(rsaKey[i].e, WC_RSA_EXPONENT);
         if (ret != 0) {
             printf("wc_RsaPrivateKeyDecode failed! %d\n", ret);
-            goto exit_bench_rsa;
+            goto exit;
         }
 #else
         /* Note: To benchmark public only define WOLFSSL_PUBLIC_MP */
@@ -8704,15 +8771,14 @@ void bench_rsa(int useDeviceID)
     (void)bytes;
     (void)tmp;
 
-exit_bench_rsa:
+exit:
     /* cleanup */
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_FreeRsaKey(&rsaKey[i]);
+    if (WC_ARRAY_OK(rsaKey)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_FreeRsaKey(rsaKey[i]);
+        }
+        WC_FREE_ARRAY(rsaKey, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(rsaKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
 }
 
 
@@ -8721,27 +8787,17 @@ void bench_rsa(int useDeviceID)
 void bench_rsa_key(int useDeviceID, word32 rsaKeySz)
 {
     int     ret = 0, i, pending = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    RsaKey *rsaKey;
-#else
-    RsaKey  rsaKey[BENCH_MAX_PENDING];
-#endif
-    int     isPending[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(rsaKey, RsaKey, BENCH_MAX_PENDING,
+                     sizeof(RsaKey), HEAP_HINT);
+    int isPending[BENCH_MAX_PENDING];
     long    exp = 65537L;
 
-#ifdef WOLFSSL_SMALL_STACK
-    rsaKey = (RsaKey *)XMALLOC(sizeof(*rsaKey) * BENCH_MAX_PENDING,
-                               HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (rsaKey == NULL) {
-        printf("bench_rsa_key malloc failed\n");
-        return;
-    }
-#endif
-
     /* clear for done cleanup */
-    XMEMSET(rsaKey, 0, sizeof(*rsaKey) * BENCH_MAX_PENDING);
     XMEMSET(isPending, 0, sizeof(isPending));
 
+    WC_CALLOC_ARRAY(rsaKey, RsaKey, BENCH_MAX_PENDING,
+                     sizeof(RsaKey), HEAP_HINT);
+
     /* init keys */
     do {
         pending = 0;
@@ -8749,42 +8805,41 @@ void bench_rsa_key(int useDeviceID, word32 rsaKeySz)
             if (!isPending[i]) { /* if making the key is pending then just call
                                   * wc_MakeRsaKey again */
                 /* setup an async context for each key */
-                if (wc_InitRsaKey_ex(&rsaKey[i], HEAP_HINT,
+                if (wc_InitRsaKey_ex(rsaKey[i], HEAP_HINT,
                         useDeviceID ? devId : INVALID_DEVID) < 0) {
-                    goto exit_bench_rsa_key;
+                    goto exit;
                 }
 
             #ifdef WC_RSA_BLINDING
-                ret = wc_RsaSetRNG(&rsaKey[i], &gRng);
+                ret = wc_RsaSetRNG(rsaKey[i], &gRng);
                 if (ret != 0)
-                    goto exit_bench_rsa_key;
+                    goto exit;
             #endif
             }
 
             /* create the RSA key */
-            ret = wc_MakeRsaKey(&rsaKey[i], (int)rsaKeySz, exp, &gRng);
+            ret = wc_MakeRsaKey(rsaKey[i], (int)rsaKeySz, exp, &gRng);
             if (ret == WC_PENDING_E) {
                 isPending[i] = 1;
                 pending      = 1;
             }
             else if (ret != 0) {
                 printf("wc_MakeRsaKey failed! %d\n", ret);
-                goto exit_bench_rsa_key;
+                goto exit;
             }
         } /* for i */
     } while (pending > 0);
 
     bench_rsa_helper(useDeviceID, rsaKey, rsaKeySz);
-exit_bench_rsa_key:
+exit:
 
     /* cleanup */
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_FreeRsaKey(&rsaKey[i]);
+    if (WC_ARRAY_OK(rsaKey)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_FreeRsaKey(rsaKey[i]);
+        }
+        WC_FREE_ARRAY(rsaKey, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(rsaKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
 }
 #endif /* WOLFSSL_KEY_GEN */
 #endif /* !NO_RSA */
@@ -8820,11 +8875,8 @@ void bench_dh(int useDeviceID)
     int    count = 0, times, pending = 0;
     const byte* tmp = NULL;
     double start = 0.0F;
-#ifdef WOLFSSL_SMALL_STACK
-    DhKey *dhKey = NULL;
-#else
-    DhKey  dhKey[BENCH_MAX_PENDING];
-#endif
+    WC_DECLARE_ARRAY(dhKey, DhKey, BENCH_MAX_PENDING,
+                     sizeof(DhKey), HEAP_HINT);
     int    dhKeySz = BENCH_DH_KEY_SIZE * 8; /* used in printf */
     const char**desc = bench_desc_words[lng_index];
 #ifndef NO_ASN
@@ -8856,28 +8908,22 @@ void bench_dh(int useDeviceID)
     WC_DECLARE_VAR(priv2, byte,
                      BENCH_DH_PRIV_SIZE, HEAP_HINT);
 
-    WC_INIT_ARRAY(pub, byte,
+    /* old scan-build misfires -Wmaybe-uninitialized on these. */
+    XMEMSET(pub, 0, sizeof(pub));
+    XMEMSET(agree, 0, sizeof(agree));
+    XMEMSET(priv, 0, sizeof(priv));
+
+    WC_CALLOC_ARRAY(dhKey, DhKey, BENCH_MAX_PENDING,
+                     sizeof(DhKey), HEAP_HINT);
+    WC_ALLOC_ARRAY(pub, byte,
                   BENCH_MAX_PENDING, BENCH_DH_KEY_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(agree, byte,
+    WC_ALLOC_ARRAY(agree, byte,
                   BENCH_MAX_PENDING, BENCH_DH_KEY_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(priv, byte,
+    WC_ALLOC_ARRAY(priv, byte,
                   BENCH_MAX_PENDING, BENCH_DH_PRIV_SIZE, HEAP_HINT);
 
-#ifdef WOLFSSL_SMALL_STACK
-    dhKey = (DhKey *)XMALLOC(sizeof(DhKey) * BENCH_MAX_PENDING, HEAP_HINT,
-                             DYNAMIC_TYPE_TMP_BUFFER);
-    if (! dhKey) {
-        ret = MEMORY_E;
-        goto exit;
-    }
-#endif
-
-#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
-    if (pub[0] == NULL || pub2 == NULL || agree[0] == NULL || priv[0] == NULL || priv2 == NULL) {
-        ret = MEMORY_E;
-        goto exit;
-    }
-#endif
+    WC_ALLOC_VAR(pub2, byte, BENCH_DH_KEY_SIZE, HEAP_HINT);
+    WC_ALLOC_VAR(priv2, byte, BENCH_DH_PRIV_SIZE, HEAP_HINT);
 
     (void)tmp;
 
@@ -8936,18 +8982,10 @@ void bench_dh(int useDeviceID)
     }
 #endif
 
-    /* clear for done cleanup */
-    XMEMSET(dhKey, 0, sizeof(DhKey) * BENCH_MAX_PENDING);
-#if 0
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        XMEMSET(dhKey[i], 0, sizeof(DhKey));
-    }
-#endif
-
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
         /* setup an async context for each key */
-        ret = wc_InitDhKey_ex(&dhKey[i], HEAP_HINT,
+        ret = wc_InitDhKey_ex(dhKey[i], HEAP_HINT,
                         useDeviceID ? devId : INVALID_DEVID);
         if (ret != 0)
             goto exit;
@@ -8955,22 +8993,22 @@ void bench_dh(int useDeviceID)
         /* setup key */
         if (!use_ffdhe) {
     #ifdef NO_ASN
-            ret = wc_DhSetKey(&dhKey[i], dh_p,
+            ret = wc_DhSetKey(dhKey[i], dh_p,
                               sizeof(dh_p), dh_g, sizeof(dh_g));
     #else
             idx = 0;
-            ret = wc_DhKeyDecode(tmp, &idx, &dhKey[i], (word32)bytes);
+            ret = wc_DhKeyDecode(tmp, &idx, dhKey[i], (word32)bytes);
     #endif
         }
     #if defined(HAVE_FFDHE_2048) || defined(HAVE_FFDHE_3072)
     #ifdef HAVE_PUBLIC_FFDHE
         else if (params != NULL) {
-            ret = wc_DhSetKey(&dhKey[i], params->p, params->p_len,
+            ret = wc_DhSetKey(dhKey[i], params->p, params->p_len,
                               params->g, params->g_len);
         }
     #else
         else if (paramName != 0) {
-            ret = wc_DhSetNamedKey(&dhKey[i], paramName);
+            ret = wc_DhSetNamedKey(dhKey[i], paramName);
         }
     #endif
     #endif
@@ -8990,15 +9028,15 @@ void bench_dh(int useDeviceID)
             bench_async_poll(&pending);
 
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&dhKey[i]),
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(dhKey[i]),
                                       0, &times, genTimes, &pending)) {
                     privSz[i] = BENCH_DH_PRIV_SIZE;
                     pubSz[i] = BENCH_DH_KEY_SIZE;
-                    ret = wc_DhGenerateKeyPair(&dhKey[i], &gRng,
+                    ret = wc_DhGenerateKeyPair(dhKey[i], &gRng,
                                                priv[i], &privSz[i],
                                                pub[i], &pubSz[i]);
                     if (!bench_async_handle(&ret,
-                                            BENCH_ASYNC_GET_DEV(&dhKey[i]),
+                                            BENCH_ASYNC_GET_DEV(dhKey[i]),
                                             0, &times, &pending)) {
                         goto exit_dh_gen;
                     }
@@ -9029,11 +9067,11 @@ void bench_dh(int useDeviceID)
 
     /* Generate key to use as other public */
     PRIVATE_KEY_UNLOCK();
-    ret = wc_DhGenerateKeyPair(&dhKey[0], &gRng,
+    ret = wc_DhGenerateKeyPair(dhKey[0], &gRng,
                                priv2, &privSz2, pub2, &pubSz2);
     PRIVATE_KEY_LOCK();
 #ifdef WOLFSSL_ASYNC_CRYPT
-    ret = wc_AsyncWait(ret, &dhKey[0].asyncDev, WC_ASYNC_FLAG_NONE);
+    ret = wc_AsyncWait(ret, &dhKey[0]->asyncDev, WC_ASYNC_FLAG_NONE);
 #endif
 
     /* Key Agree */
@@ -9045,12 +9083,12 @@ void bench_dh(int useDeviceID)
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&dhKey[i]),
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(dhKey[i]),
                                       0, &times, agreeTimes, &pending)) {
-                    ret = wc_DhAgree(&dhKey[i], agree[i], &agreeSz[i], priv[i],
+                    ret = wc_DhAgree(dhKey[i], agree[i], &agreeSz[i], priv[i],
                                      privSz[i], pub2, pubSz2);
                     if (!bench_async_handle(&ret,
-                        BENCH_ASYNC_GET_DEV(&dhKey[i]), 0, &times, &pending)) {
+                        BENCH_ASYNC_GET_DEV(dhKey[i]), 0, &times, &pending)) {
                         goto exit;
                     }
                 }
@@ -9074,19 +9112,12 @@ void bench_dh(int useDeviceID)
 #endif
 
     /* cleanup */
-#ifdef WOLFSSL_SMALL_STACK
-    if (dhKey) {
+    if (WC_ARRAY_OK(dhKey)) {
         for (i = 0; i < BENCH_MAX_PENDING; i++) {
-            wc_FreeDhKey(&dhKey[i]);
+            wc_FreeDhKey(dhKey[i]);
         }
-        XFREE(dhKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    }
-#else
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_FreeDhKey(&dhKey[i]);
+        WC_FREE_ARRAY(dhKey, BENCH_MAX_PENDING, HEAP_HINT);
     }
-#endif
-
     WC_FREE_ARRAY(pub, BENCH_MAX_PENDING, HEAP_HINT);
     WC_FREE_VAR(pub2, HEAP_HINT);
     WC_FREE_ARRAY(priv, BENCH_MAX_PENDING, HEAP_HINT);
@@ -10174,34 +10205,22 @@ void bench_ecc_curve(int curveId)
 
 void bench_eccMakeKey(int useDeviceID, int curveId)
 {
-    int ret = 0, i, times, count, pending = 0;
+    int ret = 0, i, times, count = 0, pending = 0;
     int deviceID;
-    int keySize;
-#ifdef WOLFSSL_SMALL_STACK
-    ecc_key *genKey;
-#else
-    ecc_key genKey[BENCH_MAX_PENDING];
-#endif
+    int keySize = 0;
+    WC_DECLARE_ARRAY(genKey, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
     char name[BENCH_ECC_NAME_SZ];
-    double start;
+    double start = 0;
     const char**desc = bench_desc_words[lng_index];
     DECLARE_MULTI_VALUE_STATS_VARS()
 
-#ifdef WOLFSSL_SMALL_STACK
-    genKey = (ecc_key *)XMALLOC(sizeof(*genKey) * BENCH_MAX_PENDING,
-                                HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (genKey == NULL) {
-        printf("bench_eccMakeKey malloc failed\n");
-        return;
-    }
-#endif
+    WC_CALLOC_ARRAY(genKey, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
 
     deviceID = useDeviceID ? devId : INVALID_DEVID;
     keySize = wc_ecc_get_curve_size_from_id(curveId);
 
-    /* clear for done cleanup */
-    XMEMSET(genKey, 0, sizeof(*genKey) * BENCH_MAX_PENDING);
-
     /* ECC Make Key */
     bench_stats_start(&count, &start);
     do {
@@ -10211,19 +10230,19 @@ void bench_eccMakeKey(int useDeviceID, int curveId)
 
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
                 if (bench_async_check(&ret,
-                                      BENCH_ASYNC_GET_DEV(&genKey[i]), 0,
+                                      BENCH_ASYNC_GET_DEV(genKey[i]), 0,
                                       &times, agreeTimes, &pending)) {
 
-                    wc_ecc_free(&genKey[i]);
-                    ret = wc_ecc_init_ex(&genKey[i], HEAP_HINT, deviceID);
+                    wc_ecc_free(genKey[i]);
+                    ret = wc_ecc_init_ex(genKey[i], HEAP_HINT, deviceID);
                     if (ret < 0) {
                         goto exit;
                     }
 
-                    ret = wc_ecc_make_key_ex(&gRng, keySize, &genKey[i],
+                    ret = wc_ecc_make_key_ex(&gRng, keySize, genKey[i],
                             curveId);
                     if (!bench_async_handle(&ret,
-                                BENCH_ASYNC_GET_DEV(&genKey[i]), 0, &times,
+                                BENCH_ASYNC_GET_DEV(genKey[i]), 0, &times,
                                 &pending)) {
                         goto exit;
                     }
@@ -10248,13 +10267,12 @@ void bench_eccMakeKey(int useDeviceID, int curveId)
 #endif
 
     /* cleanup */
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_ecc_free(&genKey[i]);
+    if (WC_ARRAY_OK(genKey)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_ecc_free(genKey[i]);
+        }
+        WC_FREE_ARRAY(genKey, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(genKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
 }
 
 
@@ -10264,22 +10282,16 @@ void bench_ecc(int useDeviceID, int curveId)
     int deviceID;
     int  keySize;
     char name[BENCH_ECC_NAME_SZ];
-#ifdef WOLFSSL_SMALL_STACK
-    ecc_key *genKey;
-#else
-    ecc_key genKey[BENCH_MAX_PENDING];
-#endif
+    WC_DECLARE_ARRAY(genKey, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
 #ifdef HAVE_ECC_DHE
-#ifdef WOLFSSL_SMALL_STACK
-    ecc_key *genKey2;
-#else
-    ecc_key genKey2[BENCH_MAX_PENDING];
-#endif
+    WC_DECLARE_ARRAY(genKey2, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
 #endif
 
 #if !defined(NO_ASN) && defined(HAVE_ECC_SIGN)
     #ifdef HAVE_ECC_VERIFY
-        int    verify[BENCH_MAX_PENDING];
+        int verify[BENCH_MAX_PENDING];
     #endif
 #endif
 
@@ -10300,61 +10312,48 @@ void bench_ecc(int useDeviceID, int curveId)
                      BENCH_MAX_PENDING, MAX_ECC_BYTES, HEAP_HINT);
 #endif
 
-#ifdef WOLFSSL_SMALL_STACK
-    genKey = (ecc_key *)XMALLOC(sizeof(*genKey) * BENCH_MAX_PENDING,
-                                HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (genKey == NULL) {
-        printf("bench_eccMakeKey malloc failed\n");
-        return;
-    }
-#ifdef HAVE_ECC_DHE
-    genKey2 = (ecc_key *)XMALLOC(sizeof(*genKey2) * BENCH_MAX_PENDING,
-                                 HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (genKey2 == NULL) {
-        XFREE(genKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        printf("bench_eccMakeKey malloc failed\n");
-        return;
-    }
-#endif
-#endif
+    /* old scan-build misfires -Wmaybe-uninitialized on these. */
+    XMEMSET(sig, 0, sizeof(sig));
+    XMEMSET(digest, 0, sizeof(digest));
+    XMEMSET(shared, 0, sizeof(shared));
+
+    WC_CALLOC_ARRAY(genKey, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
 
 #ifdef HAVE_ECC_DHE
-    WC_INIT_ARRAY(shared, byte,
+    WC_CALLOC_ARRAY(genKey2, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
+    WC_ALLOC_ARRAY(shared, byte,
                   BENCH_MAX_PENDING, MAX_ECC_BYTES, HEAP_HINT);
 #endif
 
 #if !defined(NO_ASN) && defined(HAVE_ECC_SIGN)
-    WC_INIT_ARRAY(sig, byte, BENCH_MAX_PENDING, ECC_MAX_SIG_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING, MAX_ECC_BYTES, HEAP_HINT);
+    WC_ALLOC_ARRAY(sig, byte, BENCH_MAX_PENDING, ECC_MAX_SIG_SIZE, HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING, MAX_ECC_BYTES, HEAP_HINT);
 #endif
     deviceID = useDeviceID ? devId : INVALID_DEVID;
 
-    /* clear for done cleanup */
-    XMEMSET(genKey, 0, sizeof(*genKey) * BENCH_MAX_PENDING);
-#ifdef HAVE_ECC_DHE
-    XMEMSET(genKey2, 0, sizeof(*genKey2) * BENCH_MAX_PENDING);
-#endif
     keySize = wc_ecc_get_curve_size_from_id(curveId);
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
         /* setup an context for each key */
-        if ((ret = wc_ecc_init_ex(&genKey[i], HEAP_HINT, deviceID)) < 0) {
+        if ((ret = wc_ecc_init_ex(genKey[i], HEAP_HINT, deviceID)) < 0) {
             goto exit;
         }
-        ret = wc_ecc_make_key_ex(&gRng, keySize, &genKey[i], curveId);
+        ret = wc_ecc_make_key_ex(&gRng, keySize, genKey[i], curveId);
     #ifdef WOLFSSL_ASYNC_CRYPT
-        ret = wc_AsyncWait(ret, &genKey[i].asyncDev, WC_ASYNC_FLAG_NONE);
+        ret = wc_AsyncWait(ret, &genKey[i]->asyncDev, WC_ASYNC_FLAG_NONE);
     #endif
         if (ret < 0) {
             goto exit;
         }
 
     #ifdef HAVE_ECC_DHE
-        if ((ret = wc_ecc_init_ex(&genKey2[i], HEAP_HINT, deviceID)) < 0) {
+        if ((ret = wc_ecc_init_ex(genKey2[i], HEAP_HINT, deviceID)) < 0) {
             goto exit;
         }
-        if ((ret = wc_ecc_make_key_ex(&gRng, keySize, &genKey2[i],
+        if ((ret = wc_ecc_make_key_ex(&gRng, keySize, genKey2[i],
                     curveId)) > 0) {
             goto exit;
         }
@@ -10366,7 +10365,7 @@ void bench_ecc(int useDeviceID, int curveId)
     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
     !defined(HAVE_SELFTEST)
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        (void)wc_ecc_set_rng(&genKey[i], &gRng);
+        (void)wc_ecc_set_rng(genKey[i], &gRng);
     }
 #endif
 
@@ -10379,13 +10378,13 @@ void bench_ecc(int useDeviceID, int curveId)
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(genKey[i]), 1,
                                       &times, agreeTimes, &pending)) {
                     x[i] = (word32)keySize;
-                    ret = wc_ecc_shared_secret(&genKey[i], &genKey2[i],
+                    ret = wc_ecc_shared_secret(genKey[i], genKey2[i],
                             shared[i], &x[i]);
                     if (!bench_async_handle(&ret,
-                                BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times,
+                                BENCH_ASYNC_GET_DEV(genKey[i]), 1, &times,
                                 &pending)) {
                         goto exit_ecdhe;
                     }
@@ -10436,18 +10435,18 @@ void bench_ecc(int useDeviceID, int curveId)
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(genKey[i]), 1,
                                       &times, agreeTimes, &pending)) {
 
-                    if (genKey[i].state == 0) {
+                    if (genKey[i]->state == 0) {
                         x[i] = ECC_MAX_SIG_SIZE;
                     }
 
                     ret = wc_ecc_sign_hash(digest[i], (word32)keySize, sig[i],
-                                           &x[i], GLOBAL_RNG, &genKey[i]);
+                                           &x[i], GLOBAL_RNG, genKey[i]);
 
                     if (!bench_async_handle(&ret,
-                                BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times,
+                                BENCH_ASYNC_GET_DEV(genKey[i]), 1, &times,
                                 &pending)) {
                         goto exit_ecdsa_sign;
                     }
@@ -10488,18 +10487,18 @@ void bench_ecc(int useDeviceID, int curveId)
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(genKey[i]), 1,
                                       &times, agreeTimes, &pending)) {
-                    if (genKey[i].state == 0) {
+                    if (genKey[i]->state == 0) {
                         verify[i] = 0;
                     }
 
                     ret = wc_ecc_verify_hash(sig[i], x[i], digest[i],
                                              (word32)keySize, &verify[i],
-                                             &genKey[i]);
+                                             genKey[i]);
 
                     if (!bench_async_handle(&ret,
-                                            BENCH_ASYNC_GET_DEV(&genKey[i]),
+                                            BENCH_ASYNC_GET_DEV(genKey[i]),
                                                                 1, &times,
                                                                 &pending)) {
                         goto exit_ecdsa_verify;
@@ -10530,19 +10529,18 @@ void bench_ecc(int useDeviceID, int curveId)
 exit:
 
     /* cleanup */
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_ecc_free(&genKey[i]);
-    #ifdef HAVE_ECC_DHE
-        wc_ecc_free(&genKey2[i]);
-    #endif
+    if (WC_ARRAY_OK(genKey)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++)
+            wc_ecc_free(genKey[i]);
+        WC_FREE_ARRAY(genKey, BENCH_MAX_PENDING, HEAP_HINT);
     }
-
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(genKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     #ifdef HAVE_ECC_DHE
-    XFREE(genKey2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (WC_ARRAY_OK(genKey2)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++)
+            wc_ecc_free(genKey2[i]);
+        WC_FREE_ARRAY(genKey2, BENCH_MAX_PENDING, HEAP_HINT);
+    }
     #endif
-#endif
 
 #ifdef HAVE_ECC_DHE
     WC_FREE_ARRAY(shared, BENCH_MAX_PENDING, HEAP_HINT);
@@ -10732,7 +10730,8 @@ static void bench_sm2_MakeKey(int useDeviceID)
     int ret = 0, i, times, count, pending = 0;
     int deviceID;
     int keySize;
-    ecc_key genKey[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(genKey, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
     char name[BENCH_ECC_NAME_SZ];
     double start;
     const char**desc = bench_desc_words[lng_index];
@@ -10741,8 +10740,8 @@ static void bench_sm2_MakeKey(int useDeviceID)
     deviceID = useDeviceID ? devId : INVALID_DEVID;
     keySize = wc_ecc_get_curve_size_from_id(ECC_SM2P256V1);
 
-    /* clear for done cleanup */
-    XMEMSET(&genKey, 0, sizeof(genKey));
+    WC_CALLOC_ARRAY(genKey, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
 
     /* ECC Make Key */
     bench_stats_start(&count, &start);
@@ -10752,19 +10751,19 @@ static void bench_sm2_MakeKey(int useDeviceID)
             bench_async_poll(&pending);
 
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 0,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(genKey[i]), 0,
                             &times, agreeTimes, &pending)) {
 
-                    wc_ecc_free(&genKey[i]);
-                    ret = wc_ecc_init_ex(&genKey[i], HEAP_HINT, deviceID);
+                    wc_ecc_free(genKey[i]);
+                    ret = wc_ecc_init_ex(genKey[i], HEAP_HINT, deviceID);
                     if (ret < 0) {
                         goto exit;
                     }
 
-                    ret = wc_ecc_sm2_make_key(&gRng, &genKey[i],
+                    ret = wc_ecc_sm2_make_key(&gRng, genKey[i],
                         WC_ECC_FLAG_NONE);
                     if (!bench_async_handle(&ret,
-                                BENCH_ASYNC_GET_DEV(&genKey[i]), 0, &times,
+                                BENCH_ASYNC_GET_DEV(genKey[i]), 0, &times,
                                 &pending)) {
                         goto exit;
                     }
@@ -10789,8 +10788,11 @@ static void bench_sm2_MakeKey(int useDeviceID)
 #endif
 
     /* cleanup */
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_ecc_free(&genKey[i]);
+    if (WC_ARRAY_OK(genKey)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            wc_ecc_free(genKey[i]);
+        }
+        WC_FREE_ARRAY(genKey, BENCH_MAX_PENDING, HEAP_HINT);
     }
 }
 
@@ -10801,13 +10803,16 @@ void bench_sm2(int useDeviceID)
     int deviceID;
     int  keySize;
     char name[BENCH_ECC_NAME_SZ];
-    ecc_key genKey[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(genKey, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
 #ifdef HAVE_ECC_DHE
-    ecc_key genKey2[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(genKey2, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
 #endif
 #if !defined(NO_ASN) && defined(HAVE_ECC_SIGN)
 #ifdef HAVE_ECC_VERIFY
-    int    verify[BENCH_MAX_PENDING];
+    WC_DECLARE_ARRAY(verify, int, BENCH_MAX_PENDING,
+                     sizeof(int), HEAP_HINT);
 #endif
 #endif
     word32 x[BENCH_MAX_PENDING];
@@ -10824,20 +10829,21 @@ void bench_sm2(int useDeviceID)
 #endif
 
 #ifdef HAVE_ECC_DHE
-    WC_INIT_ARRAY(shared, byte, BENCH_MAX_PENDING, MAX_ECC_BYTES, HEAP_HINT);
+    WC_ALLOC_ARRAY(shared, byte, BENCH_MAX_PENDING, MAX_ECC_BYTES, HEAP_HINT);
 #endif
 #if !defined(NO_ASN) && defined(HAVE_ECC_SIGN)
-    WC_INIT_ARRAY(sig, byte, BENCH_MAX_PENDING, ECC_MAX_SIG_SIZE, HEAP_HINT);
-    WC_INIT_ARRAY(digest, byte, BENCH_MAX_PENDING, MAX_ECC_BYTES, HEAP_HINT);
+    WC_ALLOC_ARRAY(sig, byte, BENCH_MAX_PENDING, ECC_MAX_SIG_SIZE, HEAP_HINT);
+    WC_ALLOC_ARRAY(digest, byte, BENCH_MAX_PENDING, MAX_ECC_BYTES, HEAP_HINT);
 #endif
     deviceID = useDeviceID ? devId : INVALID_DEVID;
 
     bench_sm2_MakeKey(useDeviceID);
 
-    /* clear for done cleanup */
-    XMEMSET(&genKey, 0, sizeof(genKey));
+    WC_CALLOC_ARRAY(genKey, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
 #ifdef HAVE_ECC_DHE
-    XMEMSET(&genKey2, 0, sizeof(genKey2));
+    WC_CALLOC_ARRAY(genKey2, ecc_key, BENCH_MAX_PENDING,
+                     sizeof(ecc_key), HEAP_HINT);
 #endif
 
     keySize = wc_ecc_get_curve_size_from_id(ECC_SM2P256V1);
@@ -10845,22 +10851,22 @@ void bench_sm2(int useDeviceID)
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
         /* setup an context for each key */
-        if ((ret = wc_ecc_init_ex(&genKey[i], HEAP_HINT, deviceID)) < 0) {
+        if ((ret = wc_ecc_init_ex(genKey[i], HEAP_HINT, deviceID)) < 0) {
             goto exit;
         }
-        ret = wc_ecc_sm2_make_key(&gRng, &genKey[i], WC_ECC_FLAG_NONE);
+        ret = wc_ecc_sm2_make_key(&gRng, genKey[i], WC_ECC_FLAG_NONE);
     #ifdef WOLFSSL_ASYNC_CRYPT
-        ret = wc_AsyncWait(ret, &genKey[i].asyncDev, WC_ASYNC_FLAG_NONE);
+        ret = wc_AsyncWait(ret, genKey[i].asyncDev, WC_ASYNC_FLAG_NONE);
     #endif
         if (ret < 0) {
             goto exit;
         }
 
     #ifdef HAVE_ECC_DHE
-        if ((ret = wc_ecc_init_ex(&genKey2[i], HEAP_HINT, deviceID)) < 0) {
+        if ((ret = wc_ecc_init_ex(genKey2[i], HEAP_HINT, deviceID)) < 0) {
             goto exit;
         }
-        if ((ret = wc_ecc_sm2_make_key(&gRng, &genKey2[i],
+        if ((ret = wc_ecc_sm2_make_key(&gRng, genKey2[i],
                 WC_ECC_FLAG_NONE)) > 0) {
             goto exit;
         }
@@ -10872,7 +10878,7 @@ void bench_sm2(int useDeviceID)
     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
     !defined(HAVE_SELFTEST)
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        (void)wc_ecc_set_rng(&genKey[i], &gRng);
+        (void)wc_ecc_set_rng(genKey[i], &gRng);
     }
 #endif
 
@@ -10885,13 +10891,13 @@ void bench_sm2(int useDeviceID)
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(genKey[i]), 1,
                             &times, agreeTimes, &pending)) {
                     x[i] = (word32)keySize;
-                    ret = wc_ecc_sm2_shared_secret(&genKey[i], &genKey2[i],
+                    ret = wc_ecc_sm2_shared_secret(genKey[i], genKey2[i],
                             shared[i], &x[i]);
                     if (!bench_async_handle(&ret,
-                                BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times,
+                                BENCH_ASYNC_GET_DEV(genKey[i]), 1, &times,
                                 &pending)) {
                         goto exit_ecdhe;
                     }
@@ -10941,14 +10947,14 @@ void bench_sm2(int useDeviceID)
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(genKey[i]), 1,
                             &times, agreeTimes, &pending)) {
                     if (genKey[i].state == 0)
                         x[i] = ECC_MAX_SIG_SIZE;
                     ret = wc_ecc_sm2_sign_hash(digest[i], (word32)keySize,
-                            sig[i], &x[i], &gRng, &genKey[i]);
+                            sig[i], x[i], &gRng, genKey[i]);
                     if (!bench_async_handle(&ret,
-                                BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times,
+                                BENCH_ASYNC_GET_DEV(genKey[i]), 1, &times,
                                 &pending)) {
                         goto exit_ecdsa_sign;
                     }
@@ -10987,14 +10993,14 @@ void bench_sm2(int useDeviceID)
 
             /* while free pending slots in queue, submit ops */
             for (i = 0; i < BENCH_MAX_PENDING; i++) {
-                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1,
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(genKey[i]), 1,
                             &times, agreeTimes, &pending)) {
                     if (genKey[i].state == 0)
                         verify[i] = 0;
                     ret = wc_ecc_sm2_verify_hash(sig[i], x[i], digest[i],
-                                       (word32)keySize, &verify[i], &genKey[i]);
+                                       (word32)keySize, verify[i], genKey[i]);
                     if (!bench_async_handle(&ret,
-                                BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times,
+                                BENCH_ASYNC_GET_DEV(genKey[i]), 1, &times,
                                 &pending)) {
                         goto exit_ecdsa_verify;
                     }
@@ -11025,12 +11031,18 @@ void bench_sm2(int useDeviceID)
 exit:
 
     /* cleanup */
-    for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        wc_ecc_free(&genKey[i]);
+    if (WC_ARRAY_OK(genKey)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++)
+            wc_ecc_free(genKey[i]);
+        WC_FREE_ARRAY(genKey, BENCH_MAX_PENDING, HEAP_HINT);
+    }
     #ifdef HAVE_ECC_DHE
-        wc_ecc_free(&genKey2[i]);
-    #endif
+    if (WC_ARRAY_OK(genKey2)) {
+        for (i = 0; i < BENCH_MAX_PENDING; i++)
+            wc_ecc_free(genKey2[i]);
+        WC_FREE_ARRAY(genKey2, BENCH_MAX_PENDING, HEAP_HINT);
     }
+    #endif
 
 #ifdef HAVE_ECC_DHE
     WC_FREE_ARRAY(shared, BENCH_MAX_PENDING, HEAP_HINT);
@@ -11040,6 +11052,7 @@ void bench_sm2(int useDeviceID)
     WC_FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 #endif
 
+
     (void)useDeviceID;
     (void)pending;
     (void)x;
@@ -11399,11 +11412,10 @@ void bench_ed448KeyGen(void)
 #endif
 }
 
-
 void bench_ed448KeySign(void)
 {
     int    ret;
-    ed448_key genKey;
+    WC_DECLARE_VAR(genKey, ed448_key, 1, HEAP_HINT);
 #ifdef HAVE_ED448_SIGN
     double start;
     int    i, count;
@@ -11414,12 +11426,14 @@ void bench_ed448KeySign(void)
     DECLARE_MULTI_VALUE_STATS_VARS()
 #endif
 
-    wc_ed448_init(&genKey);
+    WC_ALLOC_VAR(genKey, ed448_key, 1, HEAP_HINT);
 
-    ret = wc_ed448_make_key(&gRng, ED448_KEY_SIZE, &genKey);
+    wc_ed448_init(genKey);
+
+    ret = wc_ed448_make_key(&gRng, ED448_KEY_SIZE, genKey);
     if (ret != 0) {
         printf("ed448_make_key failed\n");
-        return;
+        goto exit;
     }
 
 #ifdef HAVE_ED448_SIGN
@@ -11431,11 +11445,11 @@ void bench_ed448KeySign(void)
     do {
         for (i = 0; i < agreeTimes; i++) {
             x = sizeof(sig);
-            ret = wc_ed448_sign_msg(msg, sizeof(msg), sig, &x, &genKey,
+            ret = wc_ed448_sign_msg(msg, sizeof(msg), sig, &x, genKey,
                                     NULL, 0);
             if (ret != 0) {
                 printf("ed448_sign_msg failed\n");
-                goto exit_ed_sign;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -11446,7 +11460,6 @@ void bench_ed448KeySign(void)
 #endif
        );
 
-exit_ed_sign:
     bench_stats_asym_finish("ED", 448, desc[4], 0, count, start, ret);
 #ifdef MULTI_VALUE_STATISTICS
     bench_multi_value_stats(max, min, sum, squareSum, runs);
@@ -11460,10 +11473,10 @@ void bench_ed448KeySign(void)
         for (i = 0; i < agreeTimes; i++) {
             int verify = 0;
             ret = wc_ed448_verify_msg(sig, x, msg, sizeof(msg), &verify,
-                                      &genKey, NULL, 0);
+                                      genKey, NULL, 0);
             if (ret != 0 || verify != 1) {
                 printf("ed448_verify_msg failed\n");
-                goto exit_ed_verify;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -11474,7 +11487,6 @@ void bench_ed448KeySign(void)
 #endif
        );
 
-exit_ed_verify:
     bench_stats_asym_finish("ED", 448, desc[5], 0, count, start, ret);
 #ifdef MULTI_VALUE_STATISTICS
     bench_multi_value_stats(max, min, sum, squareSum, runs);
@@ -11482,7 +11494,10 @@ void bench_ed448KeySign(void)
 #endif /* HAVE_ED448_VERIFY */
 #endif /* HAVE_ED448_SIGN */
 
-    wc_ed448_free(&genKey);
+exit:
+
+    wc_ed448_free(genKey);
+    WC_FREE_VAR(genKey, HEAP_HINT);
 }
 #endif /* HAVE_ED448 */
 
@@ -11490,24 +11505,26 @@ void bench_ed448KeySign(void)
 #ifdef WOLFCRYPT_ECCSI_KMS
 void bench_eccsiKeyGen(void)
 {
-    EccsiKey genKey;
+    WC_DECLARE_VAR(genKey, EccsiKey, 1, HEAP_HINT);
     double start;
     int    i, count;
     const char**desc = bench_desc_words[lng_index];
     int    ret;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
+    WC_ALLOC_VAR(genKey, EccsiKey, 1, HEAP_HINT);
+
     /* Key Gen */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID);
-            ret = wc_MakeEccsiKey(&genKey, &gRng);
+            wc_InitEccsiKey(genKey, NULL, INVALID_DEVID);
+            ret = wc_MakeEccsiKey(genKey, &gRng);
+            wc_FreeEccsiKey(genKey);
             if (ret != 0) {
                 printf("wc_MakeEccsiKey failed: %d\n", ret);
-                break;
+                goto exit;
             }
-            wc_FreeEccsiKey(&genKey);
             RECORD_MULTI_VALUE_STATS();
         }
         count += i;
@@ -11521,34 +11538,41 @@ void bench_eccsiKeyGen(void)
 #ifdef MULTI_VALUE_STATISTICS
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
+
+exit:
+
+    WC_FREE_VAR(genKey, HEAP_HINT);
 }
 
 void bench_eccsiPairGen(void)
 {
-    EccsiKey genKey;
+    WC_DECLARE_VAR(genKey, EccsiKey, 1, HEAP_HINT);
     double start;
     int    i, count;
     const char**desc = bench_desc_words[lng_index];
-    mp_int ssk;
+    WC_DECLARE_VAR(ssk, mp_int, 1, HEAP_HINT);
     ecc_point* pvt;
     static const byte id[] = { 0x01, 0x23, 0x34, 0x45 };
     int ret;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
-    (void)mp_init(&ssk);
+    WC_ALLOC_VAR(genKey, EccsiKey, 1, HEAP_HINT);
+    WC_ALLOC_VAR(ssk, mp_int, 1, HEAP_HINT);
+
+    (void)mp_init(ssk);
     pvt = wc_ecc_new_point();
-    wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID);
-    (void)wc_MakeEccsiKey(&genKey, &gRng);
+    wc_InitEccsiKey(genKey, NULL, INVALID_DEVID);
+    (void)wc_MakeEccsiKey(genKey, &gRng);
 
     /* RSK Gen */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            ret = wc_MakeEccsiPair(&genKey, &gRng, WC_HASH_TYPE_SHA256, id,
-                                   sizeof(id), &ssk, pvt);
+            ret = wc_MakeEccsiPair(genKey, &gRng, WC_HASH_TYPE_SHA256, id,
+                                   sizeof(id), ssk, pvt);
             if (ret != 0) {
                 printf("wc_MakeEccsiPair failed: %d\n", ret);
-                break;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -11564,43 +11588,51 @@ void bench_eccsiPairGen(void)
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
 
-    wc_FreeEccsiKey(&genKey);
+    wc_FreeEccsiKey(genKey);
     wc_ecc_del_point(pvt);
-    mp_free(&ssk);
+    mp_free(ssk);
+
+exit:
+
+    WC_FREE_VAR(genKey, HEAP_HINT);
+    WC_FREE_VAR(ssk, HEAP_HINT);
 }
 #endif
 
 #ifdef WOLFCRYPT_ECCSI_CLIENT
 void bench_eccsiValidate(void)
 {
-    EccsiKey genKey;
+    WC_DECLARE_VAR(genKey, EccsiKey, 1, HEAP_HINT);
     double start;
     int    i, count;
     const char**desc = bench_desc_words[lng_index];
-    mp_int ssk;
+    WC_DECLARE_VAR(ssk, mp_int, 1, HEAP_HINT);
     ecc_point* pvt;
     static const byte id[] = { 0x01, 0x23, 0x34, 0x45 };
     int valid;
     int ret;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
-    (void)mp_init(&ssk);
+    WC_ALLOC_VAR(genKey, EccsiKey, 1, HEAP_HINT);
+    WC_ALLOC_VAR(ssk, mp_int, 1, HEAP_HINT);
+
+    (void)mp_init(ssk);
     pvt = wc_ecc_new_point();
-    wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID);
-    (void)wc_MakeEccsiKey(&genKey, &gRng);
-    (void)wc_MakeEccsiPair(&genKey, &gRng, WC_HASH_TYPE_SHA256, id, sizeof(id),
-                           &ssk, pvt);
+    wc_InitEccsiKey(genKey, NULL, INVALID_DEVID);
+    (void)wc_MakeEccsiKey(genKey, &gRng);
+    (void)wc_MakeEccsiPair(genKey, &gRng, WC_HASH_TYPE_SHA256, id, sizeof(id),
+                           ssk, pvt);
 
     /* Validation of RSK */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            ret = wc_ValidateEccsiPair(&genKey, WC_HASH_TYPE_SHA256, id,
-                                       sizeof(id), &ssk, pvt, &valid);
+            ret = wc_ValidateEccsiPair(genKey, WC_HASH_TYPE_SHA256, id,
+                                       sizeof(id), ssk, pvt, &valid);
             if (ret != 0 || !valid) {
                 printf("wc_ValidateEccsiPair failed: %d (valid=%d))\n", ret,
                        valid);
-                break;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -11616,18 +11648,23 @@ void bench_eccsiValidate(void)
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
 
-    wc_FreeEccsiKey(&genKey);
+    wc_FreeEccsiKey(genKey);
     wc_ecc_del_point(pvt);
-    mp_free(&ssk);
+    mp_free(ssk);
+
+exit:
+
+    WC_FREE_VAR(genKey, HEAP_HINT);
+    WC_FREE_VAR(ssk, HEAP_HINT);
 }
 
 void bench_eccsi(void)
 {
-    EccsiKey genKey;
+    WC_DECLARE_VAR(genKey, EccsiKey, 1, HEAP_HINT);
     double start;
     int    i, count;
     const char**desc = bench_desc_words[lng_index];
-    mp_int ssk;
+    WC_DECLARE_VAR(ssk, mp_int, 1, HEAP_HINT);
     ecc_point* pvt;
     static const byte id[] = { 0x01, 0x23, 0x34, 0x45 };
     static const byte msg[] = { 0x01, 0x23, 0x34, 0x45 };
@@ -11639,22 +11676,25 @@ void bench_eccsi(void)
     int verified;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
-    (void)mp_init(&ssk);
+    WC_ALLOC_VAR(genKey, EccsiKey, 1, HEAP_HINT);
+    WC_ALLOC_VAR(ssk, mp_int, 1, HEAP_HINT);
+
+    (void)mp_init(ssk);
     pvt = wc_ecc_new_point();
-    (void)wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID);
-    (void)wc_MakeEccsiKey(&genKey, &gRng);
-    (void)wc_MakeEccsiPair(&genKey, &gRng, WC_HASH_TYPE_SHA256, id, sizeof(id),
-                           &ssk, pvt);
-    (void)wc_HashEccsiId(&genKey, WC_HASH_TYPE_SHA256, id, sizeof(id), pvt,
+    (void)wc_InitEccsiKey(genKey, NULL, INVALID_DEVID);
+    (void)wc_MakeEccsiKey(genKey, &gRng);
+    (void)wc_MakeEccsiPair(genKey, &gRng, WC_HASH_TYPE_SHA256, id, sizeof(id),
+                           ssk, pvt);
+    (void)wc_HashEccsiId(genKey, WC_HASH_TYPE_SHA256, id, sizeof(id), pvt,
                          hash, &hashSz);
-    (void)wc_SetEccsiHash(&genKey, hash, hashSz);
-    (void)wc_SetEccsiPair(&genKey, &ssk, pvt);
+    (void)wc_SetEccsiHash(genKey, hash, hashSz);
+    (void)wc_SetEccsiPair(genKey, ssk, pvt);
 
     /* Encapsulate */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            ret = wc_SignEccsiHash(&genKey, &gRng, WC_HASH_TYPE_SHA256, msg,
+            ret = wc_SignEccsiHash(genKey, &gRng, WC_HASH_TYPE_SHA256, msg,
                                    sizeof(msg), sig, &sigSz);
             if (ret != 0) {
                 printf("wc_SignEccsiHash failed: %d\n", ret);
@@ -11680,13 +11720,13 @@ void bench_eccsi(void)
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            ret = wc_VerifyEccsiHash(&genKey, WC_HASH_TYPE_SHA256, msg,
+            ret = wc_VerifyEccsiHash(genKey, WC_HASH_TYPE_SHA256, msg,
                                      sizeof(msg), sig, sigSz, &verified);
 
             if (ret != 0 || !verified) {
                 printf("wc_VerifyEccsiHash failed: %d (verified: %d)\n", ret,
                        verified);
-                break;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -11702,8 +11742,13 @@ void bench_eccsi(void)
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
 
-    wc_FreeEccsiKey(&genKey);
+    wc_FreeEccsiKey(genKey);
     wc_ecc_del_point(pvt);
+
+exit:
+
+    WC_FREE_VAR(genKey, HEAP_HINT);
+    WC_FREE_VAR(ssk, HEAP_HINT);
 }
 #endif /* WOLFCRYPT_ECCSI_CLIENT */
 #endif /* WOLFCRYPT_HAVE_ECCSI */
@@ -11712,24 +11757,26 @@ void bench_eccsi(void)
 #ifdef WOLFCRYPT_SAKKE_KMS
 void bench_sakkeKeyGen(void)
 {
-    SakkeKey genKey;
+    WC_DECLARE_VAR(genKey, SakkeKey, 1, HEAP_HINT);
     double start;
     int    i, count;
     const char**desc = bench_desc_words[lng_index];
     int    ret;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
+    WC_ALLOC_VAR(genKey, SakkeKey, 1, HEAP_HINT);
+
     /* Key Gen */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            wc_InitSakkeKey_ex(&genKey, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
-            ret = wc_MakeSakkeKey(&genKey, &gRng);
+            wc_InitSakkeKey_ex(genKey, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
+            ret = wc_MakeSakkeKey(genKey, &gRng);
             if (ret != 0) {
                 printf("wc_MakeSakkeKey failed: %d\n", ret);
-                break;
+                goto exit;
             }
-            wc_FreeSakkeKey(&genKey);
+            wc_FreeSakkeKey(genKey);
             RECORD_MULTI_VALUE_STATS();
         }
         count += i;
@@ -11743,11 +11790,15 @@ void bench_sakkeKeyGen(void)
 #ifdef MULTI_VALUE_STATISTICS
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
+
+exit:
+
+    WC_FREE_VAR(genKey, HEAP_HINT);
 }
 
 void bench_sakkeRskGen(void)
 {
-    SakkeKey genKey;
+    WC_DECLARE_VAR(genKey, SakkeKey, 1, HEAP_HINT);
     double start;
     int    i, count;
     const char**desc = bench_desc_words[lng_index];
@@ -11756,18 +11807,20 @@ void bench_sakkeRskGen(void)
     int ret;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
+    WC_ALLOC_VAR(genKey, SakkeKey, 1, HEAP_HINT);
+
     rsk = wc_ecc_new_point();
-    wc_InitSakkeKey_ex(&genKey, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
-    (void)wc_MakeSakkeKey(&genKey, &gRng);
+    wc_InitSakkeKey_ex(genKey, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
+    (void)wc_MakeSakkeKey(genKey, &gRng);
 
     /* RSK Gen */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            ret = wc_MakeSakkeRsk(&genKey, id, sizeof(id), rsk);
+            ret = wc_MakeSakkeRsk(genKey, id, sizeof(id), rsk);
             if (ret != 0) {
                 printf("wc_MakeSakkeRsk failed: %d\n", ret);
-                break;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -11783,15 +11836,19 @@ void bench_sakkeRskGen(void)
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
 
-    wc_FreeSakkeKey(&genKey);
+    wc_FreeSakkeKey(genKey);
     wc_ecc_del_point(rsk);
+
+exit:
+
+    WC_FREE_VAR(genKey, HEAP_HINT);
 }
 #endif
 
 #ifdef WOLFCRYPT_SAKKE_CLIENT
 void bench_sakkeValidate(void)
 {
-    SakkeKey genKey;
+    WC_DECLARE_VAR(genKey, SakkeKey, 1, HEAP_HINT);
     double start;
     int    i, count;
     const char**desc = bench_desc_words[lng_index];
@@ -11801,21 +11858,23 @@ void bench_sakkeValidate(void)
     int ret;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
+    WC_ALLOC_VAR(genKey, SakkeKey, 1, HEAP_HINT);
+
     rsk = wc_ecc_new_point();
-    (void)wc_InitSakkeKey_ex(&genKey, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
-    (void)wc_MakeSakkeKey(&genKey, &gRng);
-    (void)wc_MakeSakkeRsk(&genKey, id, sizeof(id), rsk);
-    (void)wc_ValidateSakkeRsk(&genKey, id, sizeof(id), rsk, &valid);
+    (void)wc_InitSakkeKey_ex(genKey, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
+    (void)wc_MakeSakkeKey(genKey, &gRng);
+    (void)wc_MakeSakkeRsk(genKey, id, sizeof(id), rsk);
+    (void)wc_ValidateSakkeRsk(genKey, id, sizeof(id), rsk, &valid);
 
     /* Validation of RSK */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            ret = wc_ValidateSakkeRsk(&genKey, id, sizeof(id), rsk, &valid);
+            ret = wc_ValidateSakkeRsk(genKey, id, sizeof(id), rsk, &valid);
             if (ret != 0 || !valid) {
                 printf("wc_ValidateSakkeRsk failed: %d (valid=%d))\n", ret,
                        valid);
-                break;
+                goto exit;
             }
             RECORD_MULTI_VALUE_STATS();
         }
@@ -11831,13 +11890,17 @@ void bench_sakkeValidate(void)
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
 
-    wc_FreeSakkeKey(&genKey);
+    wc_FreeSakkeKey(genKey);
     wc_ecc_del_point(rsk);
+
+exit:
+
+    WC_FREE_VAR(genKey, HEAP_HINT);
 }
 
 void bench_sakke(void)
 {
-    SakkeKey genKey;
+    WC_DECLARE_VAR(genKey, SakkeKey, 1, HEAP_HINT);
     double start;
     int    i, count;
     const char**desc = bench_desc_words[lng_index];
@@ -11855,20 +11918,22 @@ void bench_sakke(void)
     word32 iTableLen = 0;
     DECLARE_MULTI_VALUE_STATS_VARS()
 
+    WC_ALLOC_VAR(genKey, SakkeKey, 1, HEAP_HINT);
+
     XMEMCPY(ssv, ssv_init, sizeof ssv);
 
     rsk = wc_ecc_new_point();
-    (void)wc_InitSakkeKey_ex(&genKey, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
-    (void)wc_MakeSakkeKey(&genKey, &gRng);
-    (void)wc_MakeSakkeRsk(&genKey, id, sizeof(id), rsk);
-    (void)wc_SetSakkeRsk(&genKey, rsk, NULL, 0);
-    (void)wc_SetSakkeIdentity(&genKey, id, sizeof(id));
+    (void)wc_InitSakkeKey_ex(genKey, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
+    (void)wc_MakeSakkeKey(genKey, &gRng);
+    (void)wc_MakeSakkeRsk(genKey, id, sizeof(id), rsk);
+    (void)wc_SetSakkeRsk(genKey, rsk, NULL, 0);
+    (void)wc_SetSakkeIdentity(genKey, id, sizeof(id));
 
     /* Encapsulate */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            ret = wc_MakeSakkeEncapsulatedSSV(&genKey,
+            ret = wc_MakeSakkeEncapsulatedSSV(genKey,
                                               WC_HASH_TYPE_SHA256,
                                               ssv, sizeof(ssv), auth, &authSz);
             if (ret != 0) {
@@ -11897,7 +11962,7 @@ void bench_sakke(void)
     do {
         for (i = 0; i < genTimes; i++) {
             XMEMCPY(derSSV, ssv, sizeof(ssv));
-            ret = wc_DeriveSakkeSSV(&genKey, WC_HASH_TYPE_SHA256, derSSV,
+            ret = wc_DeriveSakkeSSV(genKey, WC_HASH_TYPE_SHA256, derSSV,
                                     sizeof(derSSV), auth, authSz);
             if (ret != 0) {
                 printf("wc_DeriveSakkeSSV failed: %d\n", ret);
@@ -11920,19 +11985,21 @@ void bench_sakke(void)
 #endif
 
     /* Calculate Point I and generate table. */
-    (void)wc_MakeSakkePointI(&genKey, id, sizeof(id));
+    (void)wc_MakeSakkePointI(genKey, id, sizeof(id));
     iTableLen = 0;
-    (void)wc_GenerateSakkePointITable(&genKey, NULL, &iTableLen);
+    (void)wc_GenerateSakkePointITable(genKey, NULL, &iTableLen);
     if (iTableLen != 0) {
         iTable = (byte*)XMALLOC(iTableLen, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        (void)wc_GenerateSakkePointITable(&genKey, iTable, &iTableLen);
+        if (iTable == NULL)
+            WC_ALLOC_DO_ON_FAILURE();
+        (void)wc_GenerateSakkePointITable(genKey, iTable, &iTableLen);
     }
 
     /* Encapsulate with Point I table */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
-            ret = wc_MakeSakkeEncapsulatedSSV(&genKey,
+            ret = wc_MakeSakkeEncapsulatedSSV(genKey,
                                               WC_HASH_TYPE_SHA256, ssv,
                                               sizeof(ssv), auth, &authSz);
             if (ret != 0) {
@@ -11956,14 +12023,14 @@ void bench_sakke(void)
 
     RESET_MULTI_VALUE_STATS_VARS();
 
-    (void)wc_SetSakkeRsk(&genKey, rsk, table, len);
+    (void)wc_SetSakkeRsk(genKey, rsk, table, len);
 
     /* Derive with Point I table */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
             XMEMCPY(derSSV, ssv, sizeof(ssv));
-            ret = wc_DeriveSakkeSSV(&genKey, WC_HASH_TYPE_SHA256, derSSV,
+            ret = wc_DeriveSakkeSSV(genKey, WC_HASH_TYPE_SHA256, derSSV,
                                     sizeof(derSSV), auth, authSz);
             if (ret != 0) {
                 printf("wc_DeriveSakkeSSV failed: %d\n", ret);
@@ -11988,19 +12055,21 @@ void bench_sakke(void)
     RESET_MULTI_VALUE_STATS_VARS();
 
     len = 0;
-    (void)wc_GenerateSakkeRskTable(&genKey, rsk, NULL, &len);
+    (void)wc_GenerateSakkeRskTable(genKey, rsk, NULL, &len);
     if (len > 0) {
         table = (byte*)XMALLOC(len, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        (void)wc_GenerateSakkeRskTable(&genKey, rsk, table, &len);
+        if (table == NULL)
+            WC_ALLOC_DO_ON_FAILURE();
+        (void)wc_GenerateSakkeRskTable(genKey, rsk, table, &len);
     }
-    (void)wc_SetSakkeRsk(&genKey, rsk, table, len);
+    (void)wc_SetSakkeRsk(genKey, rsk, table, len);
 
     /* Derive with Point I table and RSK table */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
             XMEMCPY(derSSV, ssv, sizeof(ssv));
-            ret = wc_DeriveSakkeSSV(&genKey, WC_HASH_TYPE_SHA256, derSSV,
+            ret = wc_DeriveSakkeSSV(genKey, WC_HASH_TYPE_SHA256, derSSV,
                                     sizeof(derSSV), auth, authSz);
             if (ret != 0) {
                 printf("wc_DeriveSakkeSSV failed: %d\n", ret);
@@ -12024,13 +12093,13 @@ void bench_sakke(void)
 
     RESET_MULTI_VALUE_STATS_VARS();
 
-    wc_ClearSakkePointITable(&genKey);
+    wc_ClearSakkePointITable(genKey);
     /* Derive with RSK table */
     bench_stats_start(&count, &start);
     do {
         for (i = 0; i < genTimes; i++) {
             XMEMCPY(derSSV, ssv, sizeof(ssv));
-            ret = wc_DeriveSakkeSSV(&genKey, WC_HASH_TYPE_SHA256, derSSV,
+            ret = wc_DeriveSakkeSSV(genKey, WC_HASH_TYPE_SHA256, derSSV,
                                     sizeof(derSSV), auth, authSz);
             if (ret != 0) {
                 printf("wc_DeriveSakkeSSV failed: %d\n", ret);
@@ -12052,8 +12121,18 @@ void bench_sakke(void)
     bench_multi_value_stats(max, min, sum, squareSum, runs);
 #endif
 
-    wc_FreeSakkeKey(&genKey);
+    wc_FreeSakkeKey(genKey);
     wc_ecc_del_point(rsk);
+
+exit:
+
+    if (iTable)
+        XFREE(iTable, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+
+    if (table)
+        XFREE(table, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+
+    WC_FREE_VAR(genKey, HEAP_HINT);
 }
 #endif /* WOLFCRYPT_SAKKE_CLIENT */
 #endif /* WOLFCRYPT_HAVE_SAKKE */
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index ad17786c00..099dc059ba 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -23610,6 +23610,28 @@ void FreeSignerTable(Signer** table, int rows, void* heap)
     }
 }
 
+void FreeSignerTableType(Signer** table, int rows, byte type, void* heap)
+{
+    int i;
+
+    for (i = 0; i < rows; i++) {
+        Signer* signer = table[i];
+        Signer** next = &table[i];
+
+        while (signer) {
+            if (signer->type == type) {
+                *next = signer->next;
+                FreeSigner(signer, heap);
+                signer = *next;
+            }
+            else {
+                next = &signer->next;
+                signer = signer->next;
+            }
+        }
+    }
+}
+
 #ifdef WOLFSSL_TRUST_PEER_CERT
 /* Free an individual trusted peer cert.
  *
@@ -34937,7 +34959,7 @@ static const ASNItem singleResponseASN[] = {
                                                           /* revocationTime */
 /* CS_REVOKED_TIME       */         { 2, ASN_GENERALIZED_TIME, 0, 0, 0 },
                                                           /* revocationReason  [0] EXPLICIT CRLReason OPTIONAL */
-/* CS_REVOKED_REASON     */         { 2, ASN_CONTEXT_SPECIFIC | 0, 0, 1, 1 },
+/* CS_REVOKED_REASON     */         { 2, ASN_CONTEXT_SPECIFIC | 0, 1, 1, 1 },
                                                               /* crlReason */
 /* CS_REVOKED_REASON_VAL */             { 3, ASN_ENUMERATED, 0, 0, 0 },
                                                       /* unknown           [2] IMPLICIT UnknownInfo ::= NULL */
@@ -35934,13 +35956,11 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
     if (ret == 0) {
         word32 dataIdx = 0;
         /* Decode the response data. */
-        if (DecodeResponseData(
+        ret = DecodeResponseData(
                 GetASNItem_Addr(dataASN[OCSPBASICRESPASN_IDX_TBS_SEQ], source),
                 &dataIdx, resp,
                 GetASNItem_Length(dataASN[OCSPBASICRESPASN_IDX_TBS_SEQ], source)
-                ) < 0) {
-            ret = ASN_PARSE_E;
-        }
+                );
     }
 #ifdef WC_RSA_PSS
     if (ret == 0 && (dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS].tag != 0)) {
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index 9d3ed5ccff..649ed6d808 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -245,11 +245,17 @@ ECC Curve Sizes:
     #define HAVE_ECC_MAKE_PUB
 #endif
 
+
+/* macro guard for ecc_check_pubkey_order functionality */
 #if !defined(WOLFSSL_SP_MATH) && \
     !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \
     !defined(WOLFSSL_SE050) && !defined(WOLFSSL_STM32_PKA) && \
-    !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    (!defined(WOLF_CRYPTO_CB_ONLY_ECC) || defined(WOLFSSL_IMXRT1170_CAAM) || \
+      defined(WOLFSSL_QNX_CAAM))
+
+    /* CAAM builds use public key validation as a means to check if an
+     * imported private key is an encrypted black key or not */
     #undef  HAVE_ECC_CHECK_PUBKEY_ORDER
     #define HAVE_ECC_CHECK_PUBKEY_ORDER
 #endif
@@ -1842,7 +1848,9 @@ static void alt_fp_init(mp_int* a)
 
 
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
-    !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    !defined(WOLFSSL_CRYPTOCELL) && \
+    (!defined(WOLF_CRYPTO_CB_ONLY_ECC) || defined(WOLFSSL_QNX_CAAM) || \
+      defined(WOLFSSL_IMXRT1170_CAAM))
 
 #if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_PUBLIC_ECC_ADD_DBL)
 static int _ecc_projective_dbl_point(ecc_point *P, ecc_point *R, mp_int* a,
@@ -3971,7 +3979,7 @@ int wc_ecc_mulmod(const mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
     return wc_ecc_mulmod_ex(k, G, R, a, modulus, map, NULL);
 }
 
-#endif /* !WOLFSSL_ATECC508A */
+#endif
 
 /**
  * Allocate a new ECC point (if one not provided)
@@ -5139,7 +5147,9 @@ int wc_ecc_point_is_on_curve(ecc_point *p, int curve_idx)
 #endif /* USE_ECC_B_PARAM */
 
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
-    !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    !defined(WOLFSSL_CRYPTOCELL) && \
+    (!defined(WOLF_CRYPTO_CB_ONLY_ECC) || defined(WOLFSSL_QNX_CAAM) || \
+      defined(WOLFSSL_IMXRT1170_CAAM))
 /* return 1 if point is at infinity, 0 if not, < 0 on error */
 int wc_ecc_point_is_at_infinity(ecc_point* p)
 {
@@ -5150,7 +5160,7 @@ int wc_ecc_point_is_at_infinity(ecc_point* p)
 
     return 0;
 }
-#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_CRYPTOCELL */
+#endif
 
 /* generate random and ensure its greater than 0 and less than order */
 int wc_ecc_gen_k(WC_RNG* rng, int size, mp_int* k, mp_int* order)
@@ -7769,7 +7779,9 @@ int wc_ecc_free(ecc_key* key)
 
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SP_MATH) && \
-    !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    (!defined(WOLF_CRYPTO_CB_ONLY_ECC) || defined(WOLFSSL_QNX_CAAM) || \
+      defined(WOLFSSL_IMXRT1170_CAAM))
+
 /* Handles add failure cases:
  *
  * Before add:
@@ -7883,8 +7895,11 @@ int ecc_projective_dbl_point_safe(ecc_point *P, ecc_point *R, mp_int* a,
 
     return err;
 }
-#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A
-          && !WOLFSSL_CRYPTOCELL && !WOLFSSL_SP_MATH */
+#endif /* !(WOLFSSL_ATECC508A) && !(WOLFSSL_ATECC608A) && \
+          !(WOLFSSL_CRYPTOCELL) && !(WOLFSSL_SP_MATH) && \
+          (!(WOLF_CRYPTO_CB_ONLY_ECC) || (WOLFSSL_QNX_CAAM) || \
+            (WOLFSSL_IMXRT1170_CAAM))
+        */
 
 #if !defined(WOLFSSL_SP_MATH) && !defined(WOLFSSL_ATECC508A) && \
     !defined(WOLFSSL_ATECC608A) && !defined(WOLFSSL_CRYPTOCELL) && \
@@ -9608,7 +9623,9 @@ int wc_ecc_export_x963_ex(ecc_key* key, byte* out, word32* outLen,
 
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SE050) && \
-    !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLFSSL_STM32_PKA)
+    !defined(WOLFSSL_STM32_PKA) && \
+    (!defined(WOLF_CRYPTO_CB_ONLY_ECC) || defined(WOLFSSL_QNX_CAAM) || \
+      defined(WOLFSSL_IMXRT1170_CAAM))
 
 /* is ecc point on curve described by dp ? */
 static int _ecc_is_point(ecc_point* ecp, mp_int* a, mp_int* b, mp_int* prime)
@@ -10107,7 +10124,11 @@ static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
 }
 #endif /* !WOLFSSL_SP_MATH */
 
-#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_CRYPTOCELL*/
+#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A &&
+          !WOLFSSL_CRYPTOCELL && !WOLFSSL_SE050 && !WOLFSSL_STM32_PKA &&
+          (!WOLF_CRYPTO_CB_ONLY_ECC || WOLFSSL_QNX_CAAM ||
+            WOLFSSL_IMXRT1170_CAAM)
+       */
 
 #ifdef OPENSSL_EXTRA
 int wc_ecc_get_generator(ecc_point* ecp, int curve_idx)
@@ -10147,11 +10168,7 @@ int wc_ecc_get_generator(ecc_point* ecp, int curve_idx)
 static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
 {
     int err = MP_OKAY;
-#ifndef WOLFSSL_SP_MATH
-#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
-    !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \
-    !defined(WOLFSSL_SE050) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \
-    !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLFSSL_STM32_PKA)
+#ifdef HAVE_ECC_CHECK_PUBKEY_ORDER
     mp_int* b = NULL;
     #ifdef USE_ECC_B_PARAM
         DECLARE_CURVE_SPECS(4);
@@ -10161,9 +10178,7 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
         #endif
         DECLARE_CURVE_SPECS(3);
     #endif /* USE_ECC_B_PARAM */
-#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A &&
-          !WOLFSSL_CRYPTOCELL && !WOLFSSL_SILABS_SE_ACCEL && !WOLFSSL_SE050 */
-#endif /* !WOLFSSL_SP_MATH */
+#endif /* HAVE_ECC_CHECK_PUBKEY_ORDER */
 
     ASSERT_SAVED_VECTOR_REGISTERS();
 
@@ -10208,7 +10223,7 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
     /* consider key check success on HW crypto
      * ex: ATECC508/608A, CryptoCell and Silabs
      *
-     * consider key check success on Crypt Cb
+     * consider key check success on most Crypt Cb only builds
      */
     err = MP_OKAY;
 
diff --git a/wolfcrypt/src/ed25519.c b/wolfcrypt/src/ed25519.c
index 373edb9190..f59b672901 100644
--- a/wolfcrypt/src/ed25519.c
+++ b/wolfcrypt/src/ed25519.c
@@ -22,6 +22,12 @@
 
  /* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */
 
+
+/* Possible Ed25519 enable options:
+ *   WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN                               Default: OFF
+ *     Check that the private key didn't change during the signing operations.
+ */
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -305,6 +311,9 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
     ALIGN16 byte nonce[WC_SHA512_DIGEST_SIZE];
     ALIGN16 byte hram[WC_SHA512_DIGEST_SIZE];
     ALIGN16 byte az[ED25519_PRV_KEY_SIZE];
+#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
+    byte orig_k[ED25519_KEY_SIZE];
+#endif
 
     /* sanity check on arguments */
     if (in == NULL || out == NULL || outLen == NULL || key == NULL ||
@@ -332,6 +341,10 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
     }
     *outLen = ED25519_SIG_SIZE;
 
+#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
+    XMEMCPY(orig_k, key->k, ED25519_KEY_SIZE);
+#endif
+
     /* step 1: create nonce to use where nonce is r in
        r = H(h_b, ... ,h_2b-1,M) */
     ret = ed25519_hash(key, key->k, ED25519_KEY_SIZE, az);
@@ -442,6 +455,18 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
     sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
 #endif
 #endif /* WOLFSSL_SE050 */
+
+#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
+    {
+        int  i;
+        byte c = 0;
+        for (i = 0; i < ED25519_KEY_SIZE; i++) {
+            c |= key->k[i] ^ orig_k[i];
+        }
+        ret = ctMaskGT(c, 0) & SIG_VERIFY_E;
+    }
+#endif
+
     return ret;
 }
 
diff --git a/wolfcrypt/src/ed448.c b/wolfcrypt/src/ed448.c
index 8eb83372d0..e93c212886 100644
--- a/wolfcrypt/src/ed448.c
+++ b/wolfcrypt/src/ed448.c
@@ -25,6 +25,11 @@
  * Reworked for curve448 by Sean Parkinson.
  */
 
+/* Possible Ed448 enable options:
+ *   WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN                               Default: OFF
+ *     Check that the private key didn't change during the signing operations.
+ */
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -198,7 +203,10 @@ int wc_ed448_make_public(ed448_key* key, unsigned char* pubKey, word32 pubKeySz)
         az[55] |= 0x80;
         az[56]  = 0x00;
 
-        ge448_scalarmult_base(&A, az);
+        ret = ge448_scalarmult_base(&A, az);
+    }
+
+    if (ret == 0) {
         ge448_to_bytes(pubKey, &A);
 
         key->pubKeySet = 1;
@@ -279,6 +287,9 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
     byte     hram[ED448_SIG_SIZE];
     byte     az[ED448_PRV_KEY_SIZE];
     int      ret = 0;
+#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
+    byte     orig_k[ED448_KEY_SIZE];
+#endif
 
     /* sanity check on arguments */
     if ((in == NULL) || (out == NULL) || (outLen == NULL) || (key == NULL) ||
@@ -298,6 +309,10 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
     if (ret == 0) {
         *outLen = ED448_SIG_SIZE;
 
+#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
+        XMEMCPY(orig_k, key->k, ED448_KEY_SIZE);
+#endif
+
         /* step 1: create nonce to use where nonce is r in
            r = H(h_b, ... ,h_2b-1,M) */
         ret = ed448_hash(key, key->k, ED448_KEY_SIZE, az, sizeof(az));
@@ -353,13 +368,15 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
 
         /* step 2: computing R = rB where rB is the scalar multiplication of
            r and B */
-        ge448_scalarmult_base(&R,nonce);
-        ge448_to_bytes(out,&R);
+        ret = ge448_scalarmult_base(&R,nonce);
 
         /* step 3: hash R + public key + message getting H(R,A,M) then
            creating S = (r + H(R,A,M)a) mod l */
+        if (ret == 0) {
+            ge448_to_bytes(out,&R);
 
-        ret = ed448_hash_update(key, sha, ed448Ctx, ED448CTX_SIZE);
+            ret = ed448_hash_update(key, sha, ed448Ctx, ED448CTX_SIZE);
+        }
         if (ret == 0) {
             ret = ed448_hash_update(key, sha, &type, sizeof(type));
         }
@@ -391,6 +408,17 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
         sc448_muladd(out + (ED448_SIG_SIZE/2), hram, az, nonce);
     }
 
+#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
+    if (ret == 0) {
+        int  i;
+        byte c = 0;
+        for (i = 0; i < ED448_KEY_SIZE; i++) {
+            c |= key->k[i] ^ orig_k[i];
+        }
+        ret = ctMaskGT(c, 0) & SIG_VERIFY_E;
+    }
+#endif
+
     return ret;
 }
 
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index c0488430a6..a365ff6821 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -2497,9 +2497,9 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
 #endif
                 return WOLFSSL_FAILURE;
             }
-            if (wc_ecc_shared_secret_ssh((ecc_key*)ctx->pkey->ecc->internal,
-                                         (ecc_point*)ctx->peerKey->ecc->pub_key->internal,
-                                         key, &len32) != MP_OKAY) {
+            if (wc_ecc_shared_secret((ecc_key*)ctx->pkey->ecc->internal,
+                    (ecc_key*)ctx->peerKey->ecc->internal, key, &len32)
+                    != MP_OKAY) {
                 WOLFSSL_MSG("wc_ecc_shared_secret failed");
 #if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
     && (!defined(HAVE_FIPS) || \
diff --git a/wolfcrypt/src/ge_448.c b/wolfcrypt/src/ge_448.c
index 7065b9af17..5ce8ea75d7 100644
--- a/wolfcrypt/src/ge_448.c
+++ b/wolfcrypt/src/ge_448.c
@@ -342,9 +342,10 @@ static void ge448_scalarmult(ge448_p2* h, const ge448_p2* p, const byte* a)
  * r  [in]  Point to hold result.
  * a  [in]  Scalar to multiply by.
  */
-void ge448_scalarmult_base(ge448_p2* h, const byte* a)
+int ge448_scalarmult_base(ge448_p2* h, const byte* a)
 {
     ge448_scalarmult(h, &ed448_base, a);
+    return 0;
 }
 
 /* Perform a scalar multplication of the base point and public point.
@@ -10563,12 +10564,28 @@ static void ge448_select(ge448_precomp* r, int pos, byte b)
  * r  [in]  Point to hold result.
  * a  [in]  Scalar to multiply by.
  */
-void ge448_scalarmult_base(ge448_p2* r, const byte* a)
+int ge448_scalarmult_base(ge448_p2* r, const byte* a)
 {
     byte          carry;
-    ge448_precomp t;
-    int           i;
+#ifdef WOLFSSL_SMALL_STACK
+    ge448_precomp *t = NULL;
+    byte          *e = NULL;
+#else
+    ge448_precomp t[1];
     byte          e[113];
+#endif
+    int           i;
+
+#ifdef WOLFSSL_SMALL_STACK
+    t = (ge448_precomp *)XMALLOC(sizeof(*t), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (t == NULL)
+        return MEMORY_E;
+    e = (byte *)XMALLOC(113, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (e == NULL) {
+        XFREE(t, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
+#endif
 
     carry = 0;
     for (i = 0; i < 56; ++i) {
@@ -10586,13 +10603,13 @@ void ge448_scalarmult_base(ge448_p2* r, const byte* a)
     /* each e[i] is between -8 and 8 */
 
     /* Odd indeces first - sum based on even index so multiply by 16 */
-    ge448_select(&t, 0, e[1]);
-    fe448_copy(r->X, t.x);
-    fe448_copy(r->Y, t.y);
+    ge448_select(t, 0, e[1]);
+    fe448_copy(r->X, t->x);
+    fe448_copy(r->Y, t->y);
     fe448_1(r->Z);
     for (i = 3; i < 112; i += 2) {
-        ge448_select(&t, i / 2, e[i]);
-        ge448_madd(r, r, &t);
+        ge448_select(t, i / 2, e[i]);
+        ge448_madd(r, r, t);
     }
 
     ge448_dbl(r, r);
@@ -10602,9 +10619,16 @@ void ge448_scalarmult_base(ge448_p2* r, const byte* a)
 
     /* Add even indeces */
     for (i = 0; i <= 112; i += 2) {
-        ge448_select(&t, i / 2, e[i]);
-        ge448_madd(r, r, &t);
+        ge448_select(t, i / 2, e[i]);
+        ge448_madd(r, r, t);
     }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(t, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return 0;
 }
 
 /* Create to a sliding window for the scalar multiplicaton.
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index 91577d3d32..e743208721 100644
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -1770,6 +1770,26 @@ WC_RNG* wc_rng_new(byte* nonce, word32 nonceSz, void* heap)
 }
 
 
+int wc_rng_new_ex(WC_RNG **rng, byte* nonce, word32 nonceSz,
+                  void* heap, int devId)
+{
+    int ret;
+
+    *rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), heap, DYNAMIC_TYPE_RNG);
+    if (*rng == NULL) {
+        return MEMORY_E;
+    }
+
+    ret = _InitRng(*rng, nonce, nonceSz, heap, devId);
+    if (ret != 0) {
+        XFREE(*rng, heap, DYNAMIC_TYPE_RNG);
+        *rng = NULL;
+    }
+
+    return ret;
+}
+
+
 WOLFSSL_ABI
 void wc_rng_free(WC_RNG* rng)
 {
@@ -3434,6 +3454,73 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         return 0;
     }
 
+#elif defined(ARDUINO)
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int ret = 0;
+        word32 rand;
+        while (sz > 0) {
+            word32 len = sizeof(rand);
+            if (sz < len)
+                len = sz;
+        /* Get an Arduino framework random number */
+        #if defined(__arm__)
+            /* See: https://github.com/avrxml/asf/tree/master/sam/utils/cmsis/sam3x/include */
+            #if defined(__SAM3A4C__)
+                #ifndef TRNG
+                    #define TRNG (0x400BC000U)
+                #endif
+            #elif defined(__SAM3A8C__)
+                #ifndef TRNG
+                    #define TRNG (0x400BC000U)
+                #endif
+            #elif defined(__SAM3X4C__)
+                #ifndef TRNG
+                    #define TRNG (0x400BC000U)
+                #endif
+            #elif defined(__SAM3X4E__)
+                #ifndef TRNG
+                    #define TRNG (0x400BC000U)
+                #endif
+            #elif defined(__SAM3X8C__)
+                #ifndef TRNG
+                    #define TRNG (0x400BC000U)
+                #endif
+            #elif defined(__SAM3X8E__)
+                /* This is the Arduino Due */
+                #ifndef TRNG
+                    #define TRNG (0x400BC000U)
+                #endif
+            #elif  defined(__SAM3A8H__)
+                #ifndef TRNG
+                    #define TRNG (0x400BC000U)
+                #endif
+            #else
+                #ifndef TRNG
+                    #error "Unknown TRNG for this device"
+                #endif
+            #endif
+
+            srand(analogRead(0));
+            rand = trng_read_output_data(TRNG);
+        #elif defined(__STM32__)
+            /* TODO: confirm this is proper random number on Arduino STM32 */
+            #warning "Not yet tested on STM32 targets"
+            rand = random();
+        #else
+            /* TODO: Pull requests appreciated for new targets */
+            #warning "Not yet tested on this target"
+            rand = random();
+        #endif
+            XMEMCPY(output, &rand, len);
+            output += len;
+            sz -= len;
+        }
+
+        return ret;
+    }
+
 #elif defined(WOLFSSL_ESPIDF)
 
     /* Espressif */
@@ -3655,7 +3742,14 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
                 output[i] = (byte)rand();
             return 0;
         }
+#elif defined(WOLFSSL_MAXQ108X) || defined(WOLFSSL_MAXQ1065)
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        (void)os;
 
+        return maxq10xx_random(output, sz);
+    }
 #elif defined(WOLFSSL_GETRANDOM)
 
     /* getrandom() was added to the Linux kernel in version 3.17.
@@ -3703,6 +3797,28 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 
 #elif defined(NO_DEV_RANDOM)
 
+    /* Allow bare-metal targets to use cryptoCb as seed provider */
+    #if defined(WOLF_CRYPTO_CB)
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int ret = WC_HW_E;
+
+        #ifndef WOLF_CRYPTO_CB_FIND
+        if (os->devId != INVALID_DEVID)
+        #endif
+        {
+            ret = wc_CryptoCb_RandomSeed(os, output, sz);
+            if (ret == CRYPTOCB_UNAVAILABLE) {
+                ret = WC_HW_E;
+            }
+        }
+
+        return ret;
+    }
+
+    #else /* defined(WOLF_CRYPTO_CB)*/
+
     #error "you need to write an os specific wc_GenerateSeed() here"
 
     /*
@@ -3712,6 +3828,8 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
     }
     */
 
+   #endif  /* !defined(WOLF_CRYPTO_CB) */
+
 #else
 
     /* may block */
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index 42c46b0b9b..4299fd2f86 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -3082,7 +3082,7 @@ int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig,
 #ifndef WOLF_CRYPTO_CB_ONLY_RSA
 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(TEST_UNPAD_CONSTANT_TIME) &&     !defined(NO_RSA_BOUNDS_CHECK)
 /* Check that 1 < in < n-1. (Requirement of 800-56B.) */
-static int RsaFunctionCheckIn(const byte* in, word32 inLen, RsaKey* key,
+int RsaFunctionCheckIn(const byte* in, word32 inLen, RsaKey* key,
     int checkSmallCt)
 {
     int ret = 0;
diff --git a/wolfcrypt/src/sakke.c b/wolfcrypt/src/sakke.c
index 8e5342c808..eb0f932f1d 100644
--- a/wolfcrypt/src/sakke.c
+++ b/wolfcrypt/src/sakke.c
@@ -6522,7 +6522,6 @@ int wc_GenerateSakkePointITable(SakkeKey* key, byte* table, word32* len)
         key->i.table = table;
         key->i.tableLen = *len;
     }
-    (void)table;
 #endif
 
     return err;
diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c
index 65d92ffa10..ae69f53c26 100644
--- a/wolfcrypt/src/tfm.c
+++ b/wolfcrypt/src/tfm.c
@@ -4589,10 +4589,11 @@ void fp_clear(fp_int *a)
 
 void fp_forcezero (mp_int * a)
 {
+    int size;
+
     if (a == NULL)
       return;
 
-    int size;
     a->used = 0;
     a->sign = FP_ZPOS;
 #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 7ae553ddc7..82c01dab14 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -11888,6 +11888,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes192_test(void)
 #else
     Aes enc[1];
 #endif
+    int enc_inited = 0;
     byte cipher[AES_BLOCK_SIZE];
 #ifdef HAVE_AES_DECRYPT
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
@@ -11895,6 +11896,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes192_test(void)
 #else
     Aes dec[1];
 #endif
+    int dec_inited = 0;
     byte plain[AES_BLOCK_SIZE];
 #endif
 #endif /* HAVE_AES_CBC */
@@ -11915,12 +11917,12 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes192_test(void)
         0x71,0x78,0x18,0x3a,0x9f,0xa0,0x71,0xe8
     };
 
-    WOLFSSL_SMALL_STACK_STATIC byte key[] = {
+    WOLFSSL_SMALL_STACK_STATIC const byte key[] = {
         0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
         0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
         0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
     };
-    WOLFSSL_SMALL_STACK_STATIC byte iv[]  = {
+    WOLFSSL_SMALL_STACK_STATIC const byte iv[]  = {
         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
         0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F
     };
@@ -11937,11 +11939,13 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes192_test(void)
     ret = wc_AesInit(enc, HEAP_HINT, devId);
     if (ret != 0)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
+    enc_inited = 1;
 #ifdef HAVE_AES_DECRYPT
     ret = wc_AesInit(dec, HEAP_HINT, devId);
     if (ret != 0)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
 #endif
+    dec_inited = 1;
 
     ret = wc_AesSetKey(enc, key, (int) sizeof(key), iv, AES_ENCRYPTION);
     if (ret != 0)
@@ -11975,19 +11979,25 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes192_test(void)
     }
 #endif
 
-    wc_AesFree(enc);
-#ifdef HAVE_AES_DECRYPT
-    wc_AesFree(dec);
-#endif
-
   out:
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
-    if (enc)
+    if (enc) {
+        if (enc_inited)
+            wc_AesFree(enc);
         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
+    }
 #ifdef HAVE_AES_DECRYPT
-    if (dec)
+    if (dec) {
+        if (dec_inited)
+            wc_AesFree(dec);
         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
+    }
 #endif
+#else /* !WOLFSSL_SMALL_STACK || WOLFSSL_NO_MALLOC */
+    if (enc_inited)
+        wc_AesFree(enc);
+    if (dec_inited)
+        wc_AesFree(dec);
 #endif
 #endif /* HAVE_AES_CBC */
 
@@ -12004,6 +12014,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes256_test(void)
 #else
     Aes enc[1];
 #endif
+    int enc_inited = 0;
     byte cipher[AES_BLOCK_SIZE];
 #ifdef HAVE_AES_DECRYPT
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
@@ -12011,6 +12022,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes256_test(void)
 #else
     Aes dec[1];
 #endif
+    int dec_inited = 0;
     byte plain[AES_BLOCK_SIZE];
 #endif
 #endif /* HAVE_AES_CBC */
@@ -12034,7 +12046,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes256_test(void)
                 (byte*)guser_PKCbInfo.wrapped_key_aes256;
     int keySz = (256/8);
 #else
-    WOLFSSL_SMALL_STACK_STATIC byte key[] = {
+    WOLFSSL_SMALL_STACK_STATIC const byte key[] = {
         0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
         0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
         0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
@@ -12042,7 +12054,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes256_test(void)
     };
     int keySz = (int)sizeof(key);
 #endif
-    WOLFSSL_SMALL_STACK_STATIC byte iv[]  = {
+    WOLFSSL_SMALL_STACK_STATIC const byte iv[]  = {
         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
         0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F
     };
@@ -12059,11 +12071,13 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes256_test(void)
     ret = wc_AesInit(enc, HEAP_HINT, devId);
     if (ret != 0)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
+    enc_inited = 1;
 #ifdef HAVE_AES_DECRYPT
     ret = wc_AesInit(dec, HEAP_HINT, devId);
     if (ret != 0)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
 #endif
+    dec_inited = 1;
 
     ret = wc_AesSetKey(enc, key, keySz, iv, AES_ENCRYPTION);
     if (ret != 0)
@@ -12173,21 +12187,28 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes256_test(void)
         ERROR_OUT(WC_TEST_RET_ENC_NC, out);
 #endif
 
-    wc_AesFree(enc);
-#ifdef HAVE_AES_DECRYPT
-    wc_AesFree(dec);
-#endif
-
-#endif
+#endif /* DEBUG_VECTOR_REGISTER_ACCESS && WC_AES_C_DYNAMIC_FALLBACK */
 
   out:
+
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
-    if (enc)
+    if (enc) {
+        if (enc_inited)
+            wc_AesFree(enc);
         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
+    }
 #ifdef HAVE_AES_DECRYPT
-    if (dec)
+    if (dec) {
+        if (dec_inited)
+            wc_AesFree(dec);
         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
+    }
 #endif
+#else /* !WOLFSSL_SMALL_STACK || WOLFSSL_NO_MALLOC */
+    if (enc_inited)
+        wc_AesFree(enc);
+    if (dec_inited)
+        wc_AesFree(dec);
 #endif
 #endif /* HAVE_AES_CBC */
 
@@ -12326,7 +12347,7 @@ static wc_test_ret_t aesgcm_default_test_helper(byte* key, int keySz, byte* iv,
             wc_AesFree(dec);
         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
     }
-#else
+#else /* !WOLFSSL_SMALL_STACK || WOLFSSL_NO_MALLOC */
     if (enc_inited)
         wc_AesFree(enc);
     if (dec_inited)
@@ -15260,14 +15281,30 @@ static wc_test_ret_t random_rng_test(void)
 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && !defined(WOLFSSL_NO_MALLOC)
     {
         byte nonce[8] = { 0 };
-        /* Test dynamic RNG. */
+
+        /* Test dynamic RNG */
         rng = wc_rng_new(nonce, (word32)sizeof(nonce), HEAP_HINT);
         if (rng == NULL)
             return WC_TEST_RET_ENC_ERRNO;
 
         ret = _rng_test(rng, WC_TEST_RET_ENC_NC);
+        wc_rng_free(rng);
+        rng = NULL;
 
+        if (ret != 0)
+            return ret;
+
+        /* Test dynamic RNG using extended API */
+        ret = wc_rng_new_ex(&rng, nonce, (word32)sizeof(nonce),
+                            HEAP_HINT, devId);
+        if (ret != 0)
+            return WC_TEST_RET_ENC_EC(ret);
+
+        ret = _rng_test(rng, WC_TEST_RET_ENC_NC);
         wc_rng_free(rng);
+
+        if (ret != 0)
+            return ret;
     }
 #endif
 
@@ -15734,7 +15771,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t memory_test(void)
             #ifdef WOLFSSL_CERT_GEN
             static const char* rsaCaCertFile = CERT_ROOT "ca-cert.pem";
             #endif
-            #if defined(WOLFSSL_ALT_NAMES) || defined(HAVE_PKCS7)
+            #if (defined(WOLFSSL_ALT_NAMES) || defined(HAVE_PKCS7)) \
+                && !defined(NO_ASN_TIME)
             static const char* rsaCaCertDerFile = CERT_ROOT "ca-cert.der";
             #endif
             #ifdef HAVE_PKCS7
@@ -15956,16 +15994,16 @@ static void initDefaultName(void)
 
 #if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) && \
     !defined(NO_FILESYSTEM)
-static byte minSerial[] = { 0x02, 0x01, 0x01 };
-static byte minName[] = { 0x30, 0x00 };
-static byte nameBad[] = {
+static const byte minSerial[] = { 0x02, 0x01, 0x01 };
+static const byte minName[] = { 0x30, 0x00 };
+static const byte nameBad[] = {
     0x30, 0x08,
           0x31, 0x06,
                 0x30, 0x04,
                       0x06, 0x02,
                             0x55, 0x04,
 };
-static byte minDates[] = {
+static const byte minDates[] = {
     0x30, 0x1e,
           0x17, 0x0d,
                 0x31, 0x38, 0x30, 0x34, 0x31, 0x33, 0x31, 0x35,
@@ -15974,7 +16012,7 @@ static byte minDates[] = {
                 0x32, 0x31, 0x30, 0x31, 0x30, 0x37, 0x31, 0x35,
                 0x32, 0x33, 0x31, 0x30, 0x5a
 };
-static byte minPubKey[] = {
+static const byte minPubKey[] = {
     0x30, 0x1c,
           0x30, 0x0d,
                 0x06, 0x09,
@@ -15988,14 +16026,14 @@ static byte minPubKey[] = {
                             0x02, 0x03,
                                   0x01, 0x00, 0x01
 };
-static byte minSigAlg[] = {
+static const byte minSigAlg[] = {
     0x30, 0x0d,
           0x06, 0x09,
                 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
                 0x0b,
           0x05, 0x00
 };
-static byte minSig[] = {
+static const byte minSig[] = {
     0x03, 0x01,
           0x00
 };
@@ -16007,7 +16045,7 @@ static int add_seq(byte* certData, int offset, byte* data, byte length)
     certData[offset++] = length;
     return offset + length;
 }
-static int add_data(byte* certData, int offset, byte* data, byte length)
+static int add_data(byte* certData, int offset, const byte* data, byte length)
 {
     XMEMCPY(certData + offset, data, length);
     return offset + length;
@@ -17238,6 +17276,10 @@ static wc_test_ret_t rsa_pss_test(WC_RNG* rng, RsaKey* key)
     WC_DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
     WC_DECLARE_VAR(sig, byte, RSA_TEST_BYTES, HEAP_HINT);
 
+    WC_ALLOC_VAR(in, byte, RSA_TEST_BYTES, HEAP_HINT);
+    WC_ALLOC_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
+    WC_ALLOC_VAR(sig, byte, RSA_TEST_BYTES, HEAP_HINT);
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
     if (in == NULL || out == NULL || sig == NULL)
         ERROR_OUT(MEMORY_E, exit_rsa_pss);
@@ -17558,6 +17600,10 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_no_pad_test(void)
     WC_DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
     WC_DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
 
+    WC_ALLOC_VAR(key, RsaKey, 1, HEAP_HINT);
+    WC_ALLOC_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
+    WC_ALLOC_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
     if (key == NULL || out == NULL || plain == NULL)
         ERROR_OUT(MEMORY_E, exit_rsa_nopadding);
@@ -17788,6 +17834,12 @@ static wc_test_ret_t rsa_even_mod_test(WC_RNG* rng, RsaKey* key)
 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
     WC_DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
 #endif
+
+    WC_ALLOC_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    WC_ALLOC_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
+#endif
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
     if (out == NULL
     #ifndef WOLFSSL_RSA_PUBLIC_ONLY
@@ -18074,8 +18126,7 @@ static wc_test_ret_t rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng,
     if (ret < 0) {
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_rsa);
     }
-
-#ifdef WOLFSSL_ALT_NAMES
+#if defined(WOLFSSL_ALT_NAMES) || defined(HAVE_PKCS7)
         /* Get CA Cert for testing */
     #ifdef USE_CERT_BUFFERS_1024
         XMEMCPY(tmp, ca_cert_der_1024, sizeof_ca_cert_der_1024);
@@ -18094,6 +18145,7 @@ static wc_test_ret_t rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng,
             ERROR_OUT(WC_TEST_RET_ENC_ERRNO, exit_rsa);
     #endif /* USE_CERT_BUFFERS */
 
+    #if  defined(WOLFSSL_ALT_NAMES)
     #if !defined(NO_FILESYSTEM) && !defined(USE_CERT_BUFFERS_1024) && \
         !defined(USE_CERT_BUFFERS_2048) && !defined(NO_ASN)
         ret = wc_SetAltNames(myCert, rsaCaCertFile);
@@ -18115,7 +18167,8 @@ static wc_test_ret_t rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng,
         if (ret < 0)
             ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_rsa);
     #endif
-#endif /* WOLFSSL_ALT_NAMES */
+    #endif /* WOLFSSL_ALT_NAMES */
+#endif /* WOLFSSL_ALT_NAMES || HAVE_PKCS7 */
 
     /* Get CA Key */
 #ifdef USE_CERT_BUFFERS_1024
@@ -18604,6 +18657,10 @@ static wc_test_ret_t rsa_oaep_padding_test(RsaKey* key, WC_RNG* rng)
     WC_DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
     WC_DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
 
+    WC_ALLOC_VAR(in, byte, TEST_STRING_SZ, HEAP_HINT);
+    WC_ALLOC_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
+    WC_ALLOC_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
     if (in == NULL || out == NULL || plain == NULL)
         ERROR_OUT(MEMORY_E, exit_rsa);
@@ -18964,6 +19021,10 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
     WC_DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
     WC_DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
 
+    WC_ALLOC_VAR(in, byte, TEST_STRING_SZ, HEAP_HINT);
+    WC_ALLOC_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
+    WC_ALLOC_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
     if (in == NULL || out == NULL || plain == NULL)
         ERROR_OUT(MEMORY_E, exit_rsa);
@@ -19169,7 +19230,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
 
 #elif defined(WOLFSSL_PUBLIC_MP)
     {
-        static byte signature_2048[] = {
+        static const byte signature_2048[] = {
             0x07, 0x6f, 0xc9, 0x85, 0x73, 0x9e, 0x21, 0x79,
             0x47, 0xf1, 0xa3, 0xd7, 0xf4, 0x27, 0x29, 0xbe,
             0x99, 0x5d, 0xac, 0xb2, 0x10, 0x3f, 0x95, 0xda,
@@ -25943,6 +26004,13 @@ static wc_test_ret_t ecc_test_vector_item(const eccVector* vector)
     WC_DECLARE_VAR(s, byte, MAX_ECC_BYTES, HEAP_HINT);
 #endif
 
+    WC_ALLOC_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
+#if !defined(NO_ASN) && !defined(HAVE_SELFTEST)
+    WC_ALLOC_VAR(sigRaw, byte, ECC_SIG_SIZE, HEAP_HINT);
+    WC_ALLOC_VAR(r, byte, MAX_ECC_BYTES, HEAP_HINT);
+    WC_ALLOC_VAR(s, byte, MAX_ECC_BYTES, HEAP_HINT);
+#endif
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
     if (sig == NULL)
         ERROR_OUT(MEMORY_E, done);
@@ -27331,6 +27399,21 @@ static wc_test_ret_t ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerif
     int     curveSize;
 #endif
 
+#if defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) && \
+    !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
+    WC_ALLOC_VAR(sharedA, byte, ECC_SHARED_SIZE, HEAP_HINT);
+    WC_ALLOC_VAR(sharedB, byte, ECC_SHARED_SIZE, HEAP_HINT);
+#endif
+#ifdef HAVE_ECC_KEY_EXPORT
+    WC_ALLOC_VAR(exportBuf, byte, ECC_KEY_EXPORT_BUF_SIZE, HEAP_HINT);
+#endif
+#if !defined(ECC_TIMING_RESISTANT) || (defined(ECC_TIMING_RESISTANT) && \
+    !defined(WC_NO_RNG) && !defined(WOLFSSL_KCAPI_ECC)) && \
+    defined(HAVE_ECC_SIGN)
+    WC_ALLOC_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
+    WC_ALLOC_VAR(digest, byte, ECC_DIGEST_SIZE, HEAP_HINT);
+#endif
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
 #if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \
     !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
@@ -28289,7 +28372,9 @@ static wc_test_ret_t ecc_mulmod_test(ecc_key* key1)
 #endif
 
 #if defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) && \
-    !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLFSSL_ATECC508A) && \
+    !defined(WOLFSSL_ATECC608A) && !defined(PLUTON_CRYPTO_ECC) && \
+    !defined(WOLFSSL_CRYPTOCELL)
 static wc_test_ret_t ecc_ssh_test(ecc_key* key, WC_RNG* rng)
 {
     wc_test_ret_t ret;
@@ -28981,6 +29066,18 @@ static int ecc_sm2_test_curve(WC_RNG* rng, int testVerifyCount)
     int     curveSize;
 #endif
 
+#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG)
+    WC_ALLOC_VAR(sharedA, byte, ECC_SHARED_SIZE, HEAP_HINT);
+    WC_ALLOC_VAR(sharedB, byte, ECC_SHARED_SIZE, HEAP_HINT);
+#endif
+#ifdef HAVE_ECC_KEY_EXPORT
+    WC_ALLOC_VAR(exportBuf, byte, ECC_KEY_EXPORT_BUF_SIZE, HEAP_HINT);
+#endif
+#ifdef HAVE_ECC_SIGN
+    WC_ALLOC_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
+    WC_ALLOC_VAR(digest, byte, ECC_DIGEST_SIZE, HEAP_HINT);
+#endif
+
 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
 #if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG)
     if (sharedA == NULL || sharedB == NULL)
@@ -32659,7 +32756,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed25519_test(void)
                                    sizeof(msg4)
     };
 #ifndef NO_ASN
-    static byte privateEd25519[] = {
+    static const byte privateEd25519[] = {
         0x30,0x2e,0x02,0x01,0x00,0x30,0x05,0x06,
         0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
         0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
@@ -32667,7 +32764,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed25519_test(void)
         0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
         0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
     };
-    static byte badPrivateEd25519[] = {
+    static const byte badPrivateEd25519[] = {
         0x30,0x52,0x02,0x01,0x00,0x30,0x05,0x06,
         0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
         0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
@@ -32681,7 +32778,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed25519_test(void)
         0xf7,0x07,0x51,0x1a,
         0x00  /* add additional bytes to make the pubkey bigger  */
     };
-    static byte publicEd25519[] = {
+    static const byte publicEd25519[] = {
         0x30,0x2a,0x30,0x05,0x06,0x03,0x2b,0x65,
         0x70,0x03,0x21,0x00,0xd7,0x5a,0x98,0x01,
         0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
@@ -32691,7 +32788,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed25519_test(void)
     };
 
     /* size has been altered to catch if sanity check is done */
-    static byte badPublicEd25519[] = {
+    static const byte badPublicEd25519[] = {
         0x30,0x2a,0x30,0x05,0x06,0x03,0x2b,0x65,
         0x70,0x03,0x21,0x00,0xd7,0x5a,0x98,0x01,
         0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
@@ -32700,7 +32797,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed25519_test(void)
         0xf7,0x07,0x51,0x1a,
         0x00 /* add an additional byte to make the pubkey appear bigger */
     };
-    static byte privPubEd25519[] = {
+    static const byte privPubEd25519[] = {
         0x30,0x50,0x02,0x01,0x00,0x30,0x05,0x06,
         0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
         0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
@@ -36786,7 +36883,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t xmss_test(void)
  *   https://github.com/XMSS/xmss-reference
  * */
 
-static byte xmss_pub[XMSS_SHA256_PUBLEN] =
+static const byte xmss_pub[XMSS_SHA256_PUBLEN] =
 {
     0x00,0x00,0x00,0x01,0xA5,0x41,0x31,0x96,
     0x0A,0xF9,0xF3,0xB2,0x4B,0x2E,0x5B,0x3E,
@@ -36799,7 +36896,7 @@ static byte xmss_pub[XMSS_SHA256_PUBLEN] =
     0xC9,0xB7,0x39,0x4E
 };
 
-static byte xmss_msg[32] =
+static /* not const */ byte xmss_msg[32] =
 {
     0x07,0x9F,0x80,0x86,0xDB,0x76,0x27,0xDF,
     0xED,0x5B,0x2A,0x81,0x60,0x60,0x7D,0xB4,
@@ -36809,7 +36906,7 @@ static byte xmss_msg[32] =
 
 /* This was actually the 5th signature produced from
  * xmss_fast test in xmss-reference. */
-static byte xmss_sig[2500] =
+static /* not const */ byte xmss_sig[2500] =
 {
     0x00,0x00,0x00,0x05,0xF0,0x15,0x34,0xBA,
     0x92,0x03,0x6A,0xB9,0xA5,0x23,0x86,0x11,
@@ -37387,7 +37484,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t lms_test(void)
  * */
 
 /* "wolfSSL LMS example message!" without null terminator. */
-static byte lms_msg[28] =
+static const byte lms_msg[28] =
 {
     0x77,0x6F,0x6C,0x66,0x53,0x53,0x4C,0x20,
     0x4C,0x4D,0x53,0x20,0x65,0x78,0x61,0x6D,
@@ -37395,7 +37492,7 @@ static byte lms_msg[28] =
     0x61,0x67,0x65,0x21
 };
 
-static byte lms_L1H10W8_pub[HSS_MAX_PUBLIC_KEY_LEN] =
+static const byte lms_L1H10W8_pub[HSS_MAX_PUBLIC_KEY_LEN] =
 {
     0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x06,
     0x00,0x00,0x00,0x04,0xA1,0x26,0x76,0xF8,
@@ -37409,7 +37506,7 @@ static byte lms_L1H10W8_pub[HSS_MAX_PUBLIC_KEY_LEN] =
 
 #define LMS_L1H10W8_SIGLEN (1456)
 
-static byte lms_L1H10W8_sig[LMS_L1H10W8_SIGLEN] =
+static const byte lms_L1H10W8_sig[LMS_L1H10W8_SIGLEN] =
 {
     0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
     0x00,0x00,0x00,0x04,0x18,0x70,0x09,0x2E,
@@ -39419,12 +39516,12 @@ static wc_test_ret_t sakke_kat_encapsulate_test(SakkeKey* key)
         0x37, 0x30, 0x30, 0x39, 0x30, 0x30, 0x31, 0x32,
         0x33, 0x00
     };
-    static word32 idSz = sizeof(id);
+    static const word32 idSz = sizeof(id);
     byte ssv[] = {
         0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,
         0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0
     };
-    static word16 ssvSz = sizeof(ssv);
+    static const word16 ssvSz = sizeof(ssv);
     static const byte expAuth[] = {
         0x04,
         0x44, 0xE8, 0xAD, 0x44, 0xAB, 0x85, 0x92, 0xA6,
@@ -43124,8 +43221,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs7encrypted_test(void)
     /* Attribute example from RFC 4134, Section 7.2
      * OID = 1.2.5555
      * OCTET STRING = 'This is a test General ASN Attribute, number 1.' */
-    static byte genAttrOid[] = { 0x06, 0x03, 0x2a, 0xab, 0x33 };
-    static byte genAttr[] = { 0x04, 47,
+    static const byte genAttrOid[] = { 0x06, 0x03, 0x2a, 0xab, 0x33 };
+    static const byte genAttr[] = { 0x04, 47,
                               0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
                               0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x47,
                               0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c, 0x20, 0x41,
@@ -43133,8 +43230,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs7encrypted_test(void)
                               0x62, 0x75, 0x74, 0x65, 0x2c, 0x20, 0x6e, 0x75,
                               0x6d, 0x62, 0x65, 0x72, 0x20, 0x31, 0x2e };
 
-    static byte genAttrOid2[] = { 0x06, 0x03, 0x2a, 0xab, 0x34 };
-    static byte genAttr2[] = { 0x04, 47,
+    static const byte genAttrOid2[] = { 0x06, 0x03, 0x2a, 0xab, 0x34 };
+    static const byte genAttr2[] = { 0x04, 47,
                               0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
                               0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x47,
                               0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c, 0x20, 0x41,
@@ -43467,12 +43564,12 @@ typedef struct {
     word32       signedAttribsSz;
     const char*  outFileName;
     int          contentOID;
-    byte*        contentType;
+    const byte*  contentType;
     word32       contentTypeSz;
     int          sidType;
     int          encryptOID;   /* for single-shot encrypt alg OID */
     int          encCompFlag;  /* for single-shot. 1 = enc, 2 = comp, 3 = both*/
-    byte*        encryptKey;   /* for single-shot, encryptedData */
+    const byte*  encryptKey;   /* for single-shot, encryptedData */
     word32       encryptKeySz; /* for single-shot, encryptedData */
     PKCS7Attrib* unprotectedAttribs;   /* for single-shot, encryptedData */
     word32       unprotectedAttribsSz; /* for single-shot, encryptedData */
@@ -43506,24 +43603,24 @@ static wc_test_ret_t pkcs7signed_run_vectors(
         0x72,0x6c,0x64
     };
 
-    static byte transIdOid[] =
+    static const byte transIdOid[] =
                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
                  0x09, 0x07 };
-    static byte messageTypeOid[] =
+    static const byte messageTypeOid[] =
                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
                  0x09, 0x02 };
-    static byte senderNonceOid[] =
+    static const byte senderNonceOid[] =
                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
                  0x09, 0x05 };
 #ifndef NO_SHA
-    static byte transId[(WC_SHA_DIGEST_SIZE + 1) * 2 + 1];
+    byte transId[(WC_SHA_DIGEST_SIZE + 1) * 2 + 1];
 #else
-    static byte transId[(WC_SHA256_DIGEST_SIZE + 1) * 2 + 1];
+    byte transId[(WC_SHA256_DIGEST_SIZE + 1) * 2 + 1];
 #endif
-    static byte messageType[] = { 0x13, 2, '1', '9' };
-    static byte senderNonce[PKCS7_NONCE_SZ + 2];
+    static const byte messageType[] = { 0x13, 2, '1', '9' };
+    byte senderNonce[PKCS7_NONCE_SZ + 2];
 
-    static PKCS7Attrib attribs[] =
+    PKCS7Attrib attribs[] =
     {
         { transIdOid, sizeof(transIdOid), transId,
                                sizeof(transId) - 1 }, /* take off the null */
@@ -43534,13 +43631,13 @@ static wc_test_ret_t pkcs7signed_run_vectors(
     };
 
     /* for testing custom contentType, FirmwarePkgData */
-    static byte customContentType[] = { 0x06, 0x0B, 0x2A, 0x86,
+    static const byte customContentType[] = { 0x06, 0x0B, 0x2A, 0x86,
                                         0x48, 0x86, 0xF7, 0x0D,
                                         0x01, 0x09, 0x10, 0x01, 0x10 };
 
     #define MAX_TESTVECTORS_LEN 20
     #define ADD_PKCS7SIGNEDVECTOR(...) {                                       \
-            pkcs7SignedVector _this_vector = { __VA_ARGS__ };                  \
+            const pkcs7SignedVector _this_vector = { __VA_ARGS__ };            \
             if (testSz == MAX_TESTVECTORS_LEN) {                               \
                 ret = WC_TEST_RET_ENC_NC;                                      \
                 goto out;                                                      \
@@ -43797,7 +43894,8 @@ static wc_test_ret_t pkcs7signed_run_vectors(
         /* optional custom contentType, default is DATA,
            overrides contentOID if set */
         if (testVectors[i].contentType != NULL) {
-            ret = wc_PKCS7_SetContentType(pkcs7, testVectors[i].contentType,
+            ret = wc_PKCS7_SetContentType(pkcs7,
+                                          (byte *)testVectors[i].contentType,
                                           testVectors[i].contentTypeSz);
             if (ret != 0)
                 ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
@@ -43919,7 +44017,7 @@ static wc_test_ret_t pkcs7signed_run_vectors(
         #else
             byte buf[(WC_SHA256_DIGEST_SIZE + 1) * 2 + 1];
         #endif
-            byte* oidPt = transIdOid + 2;  /* skip object id tag and size */
+            const byte* oidPt = transIdOid + 2;  /* skip object id tag and size */
             int oidSz = (int)sizeof(transIdOid) - 2;
             int bufSz = 0;
 
@@ -44025,7 +44123,7 @@ static wc_test_ret_t pkcs7signed_run_SingleShotVectors(
 
 #if !defined(NO_PKCS7_ENCRYPTED_DATA) && \
      defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256)
-    static byte aes256Key[] = {
+    static const byte aes256Key[] = {
         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
@@ -44033,10 +44131,10 @@ static wc_test_ret_t pkcs7signed_run_SingleShotVectors(
     };
 #endif
 
-    static byte messageTypeOid[] =
+    static const byte messageTypeOid[] =
                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
                  0x09, 0x02 };
-    static byte messageType[] = { 0x13, 2, '1', '9' };
+    static const byte messageType[] = { 0x13, 2, '1', '9' };
 
     PKCS7Attrib attribs[] =
     {
@@ -44326,7 +44424,7 @@ static wc_test_ret_t pkcs7signed_run_SingleShotVectors(
 
             /* encode Signed Encrypted FirmwarePkgData */
             encodedSz = wc_PKCS7_EncodeSignedEncryptedFPD(pkcs7,
-                    testVectors[i].encryptKey, testVectors[i].encryptKeySz,
+                    (byte *)testVectors[i].encryptKey, testVectors[i].encryptKeySz,
                     testVectors[i].privateKey, testVectors[i].privateKeySz,
                     testVectors[i].encryptOID, testVectors[i].signOID,
                     testVectors[i].hashOID, (byte*)testVectors[i].content,
@@ -44429,7 +44527,7 @@ static wc_test_ret_t pkcs7signed_run_SingleShotVectors(
         else if (testVectors[i].encCompFlag == 1) {
 
             /* decrypt inner encryptedData */
-            pkcs7->encryptionKey = testVectors[i].encryptKey;
+            pkcs7->encryptionKey = (byte *)testVectors[i].encryptKey;
             pkcs7->encryptionKeySz = testVectors[i].encryptKeySz;
 
             ret = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content,
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index ca3f80d833..8b65d0a29a 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2519,6 +2519,7 @@ struct CRL_Entry {
 };
 
 
+#ifdef HAVE_CRL_MONITOR
 typedef struct CRL_Monitor CRL_Monitor;
 
 /* CRL directory monitor */
@@ -2544,6 +2545,7 @@ typedef HANDLE wolfSSL_CRL_mfd_t; /* monitor fd, INVALID_HANDLE_VALUE if
                                    * no init yet */
 #define WOLFSSL_CRL_MFD_INIT_VAL (INVALID_HANDLE_VALUE)
 #endif
+#endif
 
 /* wolfSSL CRL controller */
 struct WOLFSSL_CRL {
@@ -2554,8 +2556,8 @@ struct WOLFSSL_CRL {
     CbCrlIO               crlIOCb;
 #endif
     wolfSSL_RwLock        crlLock;       /* CRL list lock */
-    CRL_Monitor           monitors[WOLFSSL_CRL_MONITORS_LEN];
 #ifdef HAVE_CRL_MONITOR
+    CRL_Monitor           monitors[WOLFSSL_CRL_MONITORS_LEN];
     COND_TYPE             cond;          /* condition to signal setup */
     THREAD_TYPE           tid;           /* monitoring thread */
     wolfSSL_CRL_mfd_t     mfd;
@@ -4812,6 +4814,8 @@ struct Options {
     byte            cipherSuite;            /* second byte, actual suite */
     byte            hashAlgo;               /* selected hash algorithm */
     byte            sigAlgo;                /* selected sig algorithm */
+    byte            peerHashAlgo;           /* peer's chosen hash algo */
+    byte            peerSigAlgo;            /* peer's chosen sig algo */
     byte            serverState;
     byte            clientState;
     byte            handShakeState;
diff --git a/wolfssl/openssl/crypto.h b/wolfssl/openssl/crypto.h
index f57626f333..a51fc7b082 100644
--- a/wolfssl/openssl/crypto.h
+++ b/wolfssl/openssl/crypto.h
@@ -96,13 +96,8 @@ WOLFSSL_API int wolfSSL_OPENSSL_init_crypto(word64 opts, const OPENSSL_INIT_SETT
 #define SSLeay_version wolfSSLeay_version
 #define SSLeay wolfSSLeay
 #define OpenSSL_version_num wolfSSL_OpenSSL_version_num
+#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
 
-#if defined(WOLFSSL_QT) || defined(WOLFSSL_HITCH)
-    #define SSLEAY_VERSION 0x10001000L
-#else
-    #define SSLEAY_VERSION 0x0090600fL
-#endif
-#define SSLEAY_VERSION_NUMBER SSLEAY_VERSION
 #define CRYPTO_lock wc_LockMutex_ex
 
 /* this function was used to set the default malloc, free, and realloc */
diff --git a/wolfssl/openssl/opensslv.h b/wolfssl/openssl/opensslv.h
index c426ef4311..57404c928d 100644
--- a/wolfssl/openssl/opensslv.h
+++ b/wolfssl/openssl/opensslv.h
@@ -57,6 +57,10 @@
 #define OPENSSL_VERSION_TEXT             "wolfSSL " LIBWOLFSSL_VERSION_STRING
 #define OPENSSL_VERSION                  0
 
+#ifndef OPENSSL_IS_WOLFSSL
+#define OPENSSL_IS_WOLFSSL
+#endif
+
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 
 #endif /* header */
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 77874c7701..5cd96e26f5 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -340,6 +340,9 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_CTX_set1_sigalgs_list       wolfSSL_CTX_set1_sigalgs_list
 #define SSL_set1_sigalgs_list           wolfSSL_set1_sigalgs_list
 #define SSL_get_signature_nid           wolfSSL_get_signature_nid
+#define SSL_get_signature_type_nid      wolfSSL_get_signature_type_nid
+#define SSL_get_peer_signature_nid      wolfSSL_get_peer_signature_nid
+#define SSL_get_peer_signature_type_nid wolfSSL_get_peer_signature_type_nid
 
 #define SSL_CTX_set1_groups             wolfSSL_CTX_set1_groups
 #define SSL_set1_groups                 wolfSSL_set1_groups
diff --git a/wolfssl/quic.h b/wolfssl/quic.h
index c1462cbae8..8e173a0fd4 100644
--- a/wolfssl/quic.h
+++ b/wolfssl/quic.h
@@ -32,6 +32,8 @@
 
 #ifdef WOLFSSL_QUIC
 
+#include <stdint.h>
+
 /* QUIC operates on three encryption levels which determine
  * which keys/algos are used for de-/encryption. These are
  * kept separately for incoming and outgoing data and.
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 4e86b0da4b..edcff46f67 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1132,6 +1132,10 @@ WOLFSSL_API int wolfSSL_CTX_up_ref(WOLFSSL_CTX* ctx);
 #ifdef OPENSSL_EXTRA
 WOLFSSL_API int wolfSSL_CTX_set_ecdh_auto(WOLFSSL_CTX* ctx, int onoff);
 WOLFSSL_API int wolfSSL_get_signature_nid(WOLFSSL* ssl, int* nid);
+WOLFSSL_API int wolfSSL_get_signature_type_nid(const WOLFSSL* ssl, int* nid);
+WOLFSSL_API int wolfSSL_get_peer_signature_nid(WOLFSSL* ssl, int* nid);
+WOLFSSL_API int wolfSSL_get_peer_signature_type_nid(const WOLFSSL* ssl,
+        int* nid);
 WOLFSSL_API int  wolfSSL_CTX_set1_sigalgs_list(WOLFSSL_CTX* ctx,
                                                const char* list);
 WOLFSSL_API int  wolfSSL_set1_sigalgs_list(WOLFSSL* ssl, const char* list);
@@ -1200,8 +1204,8 @@ WOLFSSL_API int  wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups,
 WOLFSSL_API int  wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count);
 
 #ifdef HAVE_ECC
-WOLFSSL_API int  wolfSSL_CTX_set1_groups_list(WOLFSSL_CTX *ctx, char *list);
-WOLFSSL_API int  wolfSSL_set1_groups_list(WOLFSSL *ssl, char *list);
+WOLFSSL_API int  wolfSSL_CTX_set1_groups_list(WOLFSSL_CTX *ctx, const char *list);
+WOLFSSL_API int  wolfSSL_set1_groups_list(WOLFSSL *ssl, const char *list);
 #endif
 #endif
 
@@ -3040,23 +3044,26 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* key, unsigned int len,
         #ifdef __PPU
             #include <sys/types.h>
             #include <sys/socket.h>
-        #elif !defined(WOLFSSL_MDK_ARM) && !defined(WOLFSSL_IAR_ARM) && \
+        #elif defined(ARDUINO)
+            /* TODO board specific */
+        #elif !defined(WOLFSSL_MDK_ARM) && !defined(WOLFSSL_IAR_ARM)    && \
               !defined(WOLFSSL_PICOTCP) && !defined(WOLFSSL_ROWLEY_ARM) && \
-              !defined(WOLFSSL_EMBOS) && !defined(WOLFSSL_FROSTED) && \
-              !defined(WOLFSSL_CHIBIOS) && !defined(WOLFSSL_CONTIKI) && \
-              !defined(WOLFSSL_ZEPHYR) && !defined(NETOS)
+              !defined(WOLFSSL_EMBOS)   && !defined(WOLFSSL_FROSTED)    && \
+              !defined(WOLFSSL_CHIBIOS) && !defined(WOLFSSL_CONTIKI)    && \
+              !defined(WOLFSSL_ZEPHYR)  && !defined(NETOS)
             #include <sys/uio.h>
         #endif
         /* allow writev style writing */
         WOLFSSL_API int wolfSSL_writev(WOLFSSL* ssl, const struct iovec* iov,
                                      int iovcnt);
-    #endif
-#endif
+    #endif /* !NO_WRITEV */
+#endif /* !_WIN32 */
 
 
 #ifndef NO_CERTS
     /* SSL_CTX versions */
     WOLFSSL_API int wolfSSL_CTX_UnloadCAs(WOLFSSL_CTX* ctx);
+    WOLFSSL_API int wolfSSL_CTX_UnloadIntermediateCerts(WOLFSSL_CTX* ctx);
 #ifdef WOLFSSL_TRUST_PEER_CERT
     WOLFSSL_API int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX* ctx);
 #ifdef WOLFSSL_LOCAL_X509_STORE
@@ -3611,6 +3618,8 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
         const unsigned char* buff, long sz, int format);
 
     WOLFSSL_API int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm);
+    WOLFSSL_API int wolfSSL_CertManagerUnloadIntermediateCerts(
+        WOLFSSL_CERT_MANAGER* cm);
 #ifdef WOLFSSL_TRUST_PEER_CERT
     WOLFSSL_API int wolfSSL_CertManagerUnload_trust_peers(
         WOLFSSL_CERT_MANAGER* cm);
diff --git a/wolfssl/test.h b/wolfssl/test.h
index e9c7e6f638..52ec4921a4 100644
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -175,6 +175,8 @@
         int h_length;        /* length of address */
         char** h_addr_list;  /* list of addresses from the name server */
     };
+#elif defined(ARDUINO)
+    /* TODO, define board-specific */
 #else
     #include <string.h>
     #include <sys/types.h>
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 395981407e..ee669ac0a8 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -2022,6 +2022,7 @@ struct Signer {
     byte *sapkiDer;
     int sapkiLen;
 #endif /* WOLFSSL_DUAL_ALG_CERTS */
+    byte type;
 
     Signer* next;
 };
@@ -2167,6 +2168,8 @@ WOLFSSL_LOCAL const byte* OidFromId(word32 id, word32 type, word32* oidSz);
 WOLFSSL_LOCAL Signer* MakeSigner(void* heap);
 WOLFSSL_LOCAL void    FreeSigner(Signer* signer, void* heap);
 WOLFSSL_LOCAL void    FreeSignerTable(Signer** table, int rows, void* heap);
+WOLFSSL_LOCAL void    FreeSignerTableType(Signer** table, int rows, byte type,
+                                          void* heap);
 #ifdef WOLFSSL_TRUST_PEER_CERT
 WOLFSSL_LOCAL void    FreeTrustedPeer(TrustedPeerCert* tp, void* heap);
 WOLFSSL_LOCAL void    FreeTrustedPeerTable(TrustedPeerCert** table, int rows,
diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h
index 5f67d2d657..2d7ee320e1 100644
--- a/wolfssl/wolfcrypt/ecc.h
+++ b/wolfssl/wolfcrypt/ecc.h
@@ -659,10 +659,8 @@ WOLFSSL_LOCAL
 int wc_ecc_shared_secret_gen_sync(ecc_key* private_key,
     ecc_point* point, byte* out, word32* outlen);
 
-#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
-    defined(PLUTON_CRYPTO_ECC) || defined(WOLFSSL_CRYPTOCELL)
-#define wc_ecc_shared_secret_ssh wc_ecc_shared_secret
-#else
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
+    !defined(PLUTON_CRYPTO_ECC) && !defined(WOLFSSL_CRYPTOCELL)
 #define wc_ecc_shared_secret_ssh wc_ecc_shared_secret_ex /* For backwards compat */
 #endif
 
diff --git a/wolfssl/wolfcrypt/ed448.h b/wolfssl/wolfcrypt/ed448.h
index b45671d760..48011fce61 100644
--- a/wolfssl/wolfcrypt/ed448.h
+++ b/wolfssl/wolfcrypt/ed448.h
@@ -80,7 +80,7 @@ enum {
 /* An ED448 Key */
 struct ed448_key {
     byte    p[ED448_PUB_KEY_SIZE]; /* compressed public key */
-    byte    k[ED448_PRV_KEY_SIZE]; /* private key : 56 secret -- 56 public */
+    byte    k[ED448_PRV_KEY_SIZE]; /* private key : 57 secret -- 57 public */
 #ifdef FREESCALE_LTC_ECC
     /* uncompressed point coordinates */
     byte pointX[ED448_KEY_SIZE]; /* recovered X coordinate */
diff --git a/wolfssl/wolfcrypt/ge_448.h b/wolfssl/wolfcrypt/ge_448.h
index 760ef2f5af..38ac71a2fe 100644
--- a/wolfssl/wolfcrypt/ge_448.h
+++ b/wolfssl/wolfcrypt/ge_448.h
@@ -64,7 +64,7 @@ WOLFSSL_LOCAL int  ge448_from_bytes_negate_vartime(ge448_p2 *r, const byte *b);
 
 WOLFSSL_LOCAL int  ge448_double_scalarmult_vartime(ge448_p2 *r, const byte *a,
                                     const ge448_p2 *A, const byte *b);
-WOLFSSL_LOCAL void ge448_scalarmult_base(ge448_p2* h, const byte* a);
+WOLFSSL_LOCAL int  ge448_scalarmult_base(ge448_p2* h, const byte* a);
 WOLFSSL_LOCAL void sc448_reduce(byte* b);
 WOLFSSL_LOCAL void sc448_muladd(byte* r, const byte* a, const byte* b, const byte* d);
 WOLFSSL_LOCAL void ge448_to_bytes(byte *s, const ge448_p2 *h);
diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
index 8cd599bdd7..d4ab8e338b 100644
--- a/wolfssl/wolfcrypt/random.h
+++ b/wolfssl/wolfcrypt/random.h
@@ -205,7 +205,10 @@ WOLFSSL_API int wc_GenerateSeed(OS_Seed* os, byte* seed, word32 sz);
 #endif /* HAVE_WNR */
 
 
-WOLFSSL_ABI WOLFSSL_API WC_RNG* wc_rng_new(byte* nonce, word32 nonceSz, void* heap);
+WOLFSSL_ABI WOLFSSL_API WC_RNG* wc_rng_new(byte* nonce, word32 nonceSz,
+                                           void* heap);
+WOLFSSL_API int wc_rng_new_ex(WC_RNG **rng, byte* nonce, word32 nonceSz,
+                              void* heap, int devId);
 WOLFSSL_ABI WOLFSSL_API void wc_rng_free(WC_RNG* rng);
 
 
diff --git a/wolfssl/wolfcrypt/rsa.h b/wolfssl/wolfcrypt/rsa.h
index b2c008b0ea..3daa02c57f 100644
--- a/wolfssl/wolfcrypt/rsa.h
+++ b/wolfssl/wolfcrypt/rsa.h
@@ -444,6 +444,8 @@ WOLFSSL_LOCAL int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** ou
                                    int bits, void* heap);
 
 WOLFSSL_LOCAL int wc_hash2mgf(enum wc_HashType hType);
+WOLFSSL_LOCAL int RsaFunctionCheckIn(const byte* in, word32 inLen, RsaKey* key,
+    int checkSmallCt);
 
 #ifdef __cplusplus
     } /* extern "C" */
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 02bd06c27e..3072906a83 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -265,6 +265,32 @@
 /* Uncomment next line if using MAXQ108x */
 /* #define WOLFSSL_MAXQ108X */
 
+#if defined(ARDUINO)
+    /* we don't have the luxury of compiler options, so manually define */
+    #if defined(__arm__)
+        #undef  WOLFSSL_ARDUINO
+        #define WOLFSSL_ARDUINO
+    /* ESP32? */
+    #endif
+
+    #undef FREERTOS
+    #ifndef WOLFSSL_USER_SETTINGS
+        #define WOLFSSL_USER_SETTINGS
+    #endif /* WOLFSSL_USER_SETTINGS */
+
+    /* board-specific */
+    #if defined(__AVR__)
+        #define WOLFSSL_NO_SOCK
+        #define NO_WRITEV
+    #elif defined(__arm__)
+        #define WOLFSSL_NO_SOCK
+        #define NO_WRITEV
+    #elif defined(ESP32) || defined(ESP8266)
+        /* assume sockets available */
+    #else
+        #define WOLFSSL_NO_SOCK
+    #endif
+#endif
 
 #ifdef WOLFSSL_USER_SETTINGS
     #include "user_settings.h"
@@ -353,50 +379,6 @@
 #define HAVE_OID_DECODING
 #endif /* WOLFSSL_DUAL_ALG_CERTS */
 
-/* ---------------------------------------------------------------------------
- * OpenSSL compat layer
- * ---------------------------------------------------------------------------
- */
-#if defined(OPENSSL_EXTRA) && !defined(OPENSSL_COEXIST)
-#undef  WOLFSSL_ALWAYS_VERIFY_CB
-#define WOLFSSL_ALWAYS_VERIFY_CB
-
-#undef WOLFSSL_VERIFY_CB_ALL_CERTS
-#define WOLFSSL_VERIFY_CB_ALL_CERTS
-
-#undef WOLFSSL_EXTRA_ALERTS
-#define WOLFSSL_EXTRA_ALERTS
-
-#undef HAVE_EXT_CACHE
-#define HAVE_EXT_CACHE
-
-#undef WOLFSSL_FORCE_CACHE_ON_TICKET
-#define WOLFSSL_FORCE_CACHE_ON_TICKET
-
-#undef WOLFSSL_AKID_NAME
-#define WOLFSSL_AKID_NAME
-
-#undef HAVE_CTS
-#define HAVE_CTS
-
-#undef WOLFSSL_SESSION_ID_CTX
-#define WOLFSSL_SESSION_ID_CTX
-#endif /* OPENSSL_EXTRA && !OPENSSL_COEXIST */
-
-/* ---------------------------------------------------------------------------
- * Special small OpenSSL compat layer for certs
- * ---------------------------------------------------------------------------
- */
-#ifdef OPENSSL_EXTRA_X509_SMALL
-#undef WOLFSSL_EKU_OID
-#define WOLFSSL_EKU_OID
-
-#undef WOLFSSL_MULTI_ATTRIB
-#define WOLFSSL_MULTI_ATTRIB
-
-#undef WOLFSSL_NO_OPENSSL_RAND_CB
-#define WOLFSSL_NO_OPENSSL_RAND_CB
-#endif /* OPENSSL_EXTRA_X509_SMALL */
 
 #if defined(_WIN32) && !defined(_M_X64) && \
     defined(HAVE_AESGCM) && defined(WOLFSSL_AESNI)
@@ -424,6 +406,33 @@
     #include <nx_api.h>
 #endif
 
+#if defined(ARDUINO)
+    #if defined(ESP32)
+        #ifndef NO_ARDUINO_DEFAULT
+            #define SIZEOF_LONG_LONG 8
+            #ifdef FREERTOS
+                #undef FREERTOS
+            #endif
+
+            #define WOLFSSL_LWIP
+            #define NO_WRITEV
+            #define NO_WOLFSSL_DIR
+            #define WOLFSSL_NO_CURRDIR
+
+            #define TFM_TIMING_RESISTANT
+            #define ECC_TIMING_RESISTANT
+            #define WC_RSA_BLINDING
+            #define WC_NO_CACHE_RESISTANT
+        #endif /* !NO_ARDUINO_DEFAULT */
+    #elif defined(__arm__)
+            #define NO_WRITEV
+            #define NO_WOLFSSL_DIR
+            #define WOLFSSL_NO_CURRDIR
+    #elif defined(OTHERBOARD)
+        /* TODO: define other Arduino boards here */
+    #endif
+#endif
+
 #if defined(WOLFSSL_ESPIDF)
     #define SIZEOF_LONG_LONG 8
     #ifndef NO_ESPIDF_DEFAULT
@@ -754,11 +763,20 @@
 
 
 #ifdef WOLFSSL_ARDUINO
+    /* Define WOLFSSL_USER_IO here to avoid check in internal.c */
+    #define WOLFSSL_USER_IO
+
     #define NO_WRITEV
     #define NO_WOLFSSL_DIR
     #define SINGLE_THREADED
     #define NO_DEV_RANDOM
-    #ifndef INTEL_GALILEO /* Galileo has time.h compatibility */
+    #if defined(INTEL_GALILEO) || defined(ESP32)
+        /* boards with has time.h compatibility */
+    #elif defined(__arm__)
+        /* TODO is time really missing from Arduino Due? */
+        /* This is a brute-force solution to make it work: */
+        #define NO_ASN_TIME
+    #else
         #define TIME_OVERRIDES
         #ifndef XTIME
             #error "Must define XTIME externally see porting guide"
@@ -2105,9 +2123,17 @@ extern void uITRON4_free(void *p) ;
     #include "RTOS.h"
     #if !defined(XMALLOC_USER) && !defined(NO_WOLFSSL_MEMORY) && \
         !defined(WOLFSSL_STATIC_MEMORY)
-        #define XMALLOC(s, h, type)  ((void)(h), (void)(type), OS_HEAP_malloc((s)))
-        #define XFREE(p, h, type)    ((void)(h), (void)(type), OS_HEAP_free((p)))
-        #define XREALLOC(p, n, h, t) ((void)(h), (void)(t), OS_HEAP_realloc(((p), (n)))
+        /* Per the user manual of embOS https://www.segger.com/downloads/embos/UM01001
+         * this API has changed with V5. */
+        #if (OS_VERSION >= 50000U)
+            #define XMALLOC(s, h, type)  ((void)(h), (void)(type), OS_HEAP_malloc((s)))
+            #define XFREE(p, h, type)    ((void)(h), (void)(type), OS_HEAP_free((p)))
+            #define XREALLOC(p, n, h, t) ((void)(h), (void)(t), OS_HEAP_realloc((p), (n)))
+        #else
+            #define XMALLOC(s, h, type)  ((void)(h), (void)(type), OS_malloc((s)))
+            #define XFREE(p, h, type)    ((void)(h), (void)(type), OS_free((p)))
+            #define XREALLOC(p, n, h, t) ((void)(h), (void)(t), OS_realloc((p), (n)))
+        #endif
     #endif
 #endif
 
@@ -2836,6 +2862,51 @@ extern void uITRON4_free(void *p) ;
     #define OPENSSL_EXTRA
 #endif
 
+/* ---------------------------------------------------------------------------
+ * OpenSSL compat layer
+ * ---------------------------------------------------------------------------
+ */
+#if defined(OPENSSL_EXTRA) && !defined(OPENSSL_COEXIST)
+    #undef  WOLFSSL_ALWAYS_VERIFY_CB
+    #define WOLFSSL_ALWAYS_VERIFY_CB
+
+    #undef WOLFSSL_VERIFY_CB_ALL_CERTS
+    #define WOLFSSL_VERIFY_CB_ALL_CERTS
+
+    #undef WOLFSSL_EXTRA_ALERTS
+    #define WOLFSSL_EXTRA_ALERTS
+
+    #undef HAVE_EXT_CACHE
+    #define HAVE_EXT_CACHE
+
+    #undef WOLFSSL_FORCE_CACHE_ON_TICKET
+    #define WOLFSSL_FORCE_CACHE_ON_TICKET
+
+    #undef WOLFSSL_AKID_NAME
+    #define WOLFSSL_AKID_NAME
+
+    #undef HAVE_CTS
+    #define HAVE_CTS
+
+    #undef WOLFSSL_SESSION_ID_CTX
+    #define WOLFSSL_SESSION_ID_CTX
+#endif /* OPENSSL_EXTRA && !OPENSSL_COEXIST */
+
+/* ---------------------------------------------------------------------------
+ * Special small OpenSSL compat layer for certs
+ * ---------------------------------------------------------------------------
+ */
+#ifdef OPENSSL_EXTRA_X509_SMALL
+    #undef WOLFSSL_EKU_OID
+    #define WOLFSSL_EKU_OID
+
+    #undef WOLFSSL_MULTI_ATTRIB
+    #define WOLFSSL_MULTI_ATTRIB
+
+    #undef WOLFSSL_NO_OPENSSL_RAND_CB
+    #define WOLFSSL_NO_OPENSSL_RAND_CB
+#endif /* OPENSSL_EXTRA_X509_SMALL */
+
 #ifdef HAVE_SNI
     #define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
 #endif
@@ -3342,6 +3413,11 @@ extern void uITRON4_free(void *p) ;
     /* Ciphersuite check done in internal.h */
 #endif
 
+/* Some final sanity checks */
+#if defined(WOLFSSL_ESPIDF) && defined(ARDUINO)
+    #error "Found both ESPIDF and ARDUINO. Pick one."
+#endif
+
 
 #ifdef __cplusplus
     }   /* extern "C" */
diff --git a/wolfssl/wolfcrypt/tfm.h b/wolfssl/wolfcrypt/tfm.h
index dc6d55a1c1..91849f11bf 100644
--- a/wolfssl/wolfcrypt/tfm.h
+++ b/wolfssl/wolfcrypt/tfm.h
@@ -364,7 +364,7 @@ while (0)
 /* Initialize an mp_int. */
 #define INIT_MP_INT_SIZE(name, bits) \
     mp_init(name)
-/* Type to cast to when using size marcos. */
+/* Type to cast to when using size macros. */
 #define MP_INT_SIZE     mp_int
 
 
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 80dfe07678..8c754ddf6c 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -558,6 +558,10 @@ typedef struct w64wrapper {
                 #endif
                 #define XREALLOC(p, n, h, t) wolfSSL_Realloc((p), (n), (h), (t))
             #endif /* WOLFSSL_DEBUG_MEMORY */
+        #elif  defined(WOLFSSL_EMBOS) && !defined(XMALLOC_USER) \
+                && !defined(NO_WOLFSSL_MEMORY) \
+                && !defined(WOLFSSL_STATIC_MEMORY)
+            /* settings.h solve this case already. Avoid redefinition. */
         #elif (!defined(FREERTOS) && !defined(FREERTOS_TCP)) || defined(WOLFSSL_TRACK_MEMORY)
             #ifdef WOLFSSL_DEBUG_MEMORY
                 #define XMALLOC(s, h, t)     ((void)(h), (void)(t), wolfSSL_Malloc((s), __func__, __LINE__))
@@ -580,71 +584,94 @@ typedef struct w64wrapper {
     #endif
 
     /* declare/free variable handling for async and smallstack */
+    #ifndef WC_ALLOC_DO_ON_FAILURE
+        #define WC_ALLOC_DO_ON_FAILURE() WC_DO_NOTHING
+    #endif
+
+    #define WC_DECLARE_HEAP_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
+        VAR_TYPE* VAR_NAME[VAR_ITEMS]; \
+        int idx##VAR_NAME = 0, inner_idx_##VAR_NAME
+    #define WC_HEAP_ARRAY_ARG(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE) \
+        VAR_TYPE* VAR_NAME[VAR_ITEMS]
+    #define WC_ALLOC_HEAP_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
+        for (idx##VAR_NAME=0; idx##VAR_NAME<(VAR_ITEMS); idx##VAR_NAME++) { \
+            (VAR_NAME)[idx##VAR_NAME] = (VAR_TYPE*)XMALLOC(VAR_SIZE, (HEAP), DYNAMIC_TYPE_TMP_BUFFER); \
+            if ((VAR_NAME)[idx##VAR_NAME] == NULL) { \
+                for (inner_idx_##VAR_NAME = 0; inner_idx_##VAR_NAME < idx##VAR_NAME; inner_idx_##VAR_NAME++) { \
+                    XFREE((VAR_NAME)[inner_idx_##VAR_NAME], (HEAP), DYNAMIC_TYPE_TMP_BUFFER); \
+                    (VAR_NAME)[inner_idx_##VAR_NAME] = NULL; \
+                } \
+                for (inner_idx_##VAR_NAME = idx##VAR_NAME + 1; inner_idx_##VAR_NAME < (VAR_ITEMS); inner_idx_##VAR_NAME++) { \
+                    (VAR_NAME)[inner_idx_##VAR_NAME] = NULL; \
+                } \
+                idx##VAR_NAME = 0; \
+                WC_ALLOC_DO_ON_FAILURE(); \
+                break; \
+            } \
+        }
+    #define WC_CALLOC_HEAP_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
+            do { \
+                WC_ALLOC_HEAP_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP); \
+                if (idx##VAR_NAME != 0) { \
+                    for (idx##VAR_NAME=0; idx##VAR_NAME<(VAR_ITEMS); idx##VAR_NAME++) { \
+                        XMEMSET((VAR_NAME)[idx##VAR_NAME], 0, VAR_SIZE); \
+                    } \
+                } \
+            } while (0)
+    #define WC_HEAP_ARRAY_OK(VAR_NAME) (idx##VAR_NAME != 0)
+    #define WC_FREE_HEAP_ARRAY(VAR_NAME, VAR_ITEMS, HEAP)               \
+        if (WC_HEAP_ARRAY_OK(VAR_NAME)) {                               \
+            for (idx##VAR_NAME=0; idx##VAR_NAME<(VAR_ITEMS); idx##VAR_NAME++) { \
+                XFREE((VAR_NAME)[idx##VAR_NAME], (HEAP), DYNAMIC_TYPE_TMP_BUFFER); \
+            }                                                           \
+            idx##VAR_NAME = 0;                                          \
+        }
+
     #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_SMALL_STACK)
         #define WC_DECLARE_VAR_IS_HEAP_ALLOC
         #define WC_DECLARE_VAR(VAR_NAME, VAR_TYPE, VAR_SIZE, HEAP) \
-            VAR_TYPE* VAR_NAME = (VAR_TYPE*)XMALLOC(sizeof(VAR_TYPE) * (VAR_SIZE), (HEAP), DYNAMIC_TYPE_WOLF_BIGINT)
-        #define WC_DECLARE_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
-            VAR_TYPE* VAR_NAME[VAR_ITEMS]; \
-            int idx##VAR_NAME, inner_idx_##VAR_NAME
-        #define WC_INIT_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
-            for (idx##VAR_NAME=0; idx##VAR_NAME<(VAR_ITEMS); idx##VAR_NAME++) { \
-                (VAR_NAME)[idx##VAR_NAME] = (VAR_TYPE*)XMALLOC(VAR_SIZE, (HEAP), DYNAMIC_TYPE_WOLF_BIGINT); \
-                if ((VAR_NAME)[idx##VAR_NAME] == NULL) { \
-                    for (inner_idx_##VAR_NAME = 0; inner_idx_##VAR_NAME < idx##VAR_NAME; inner_idx_##VAR_NAME++) { \
-                        XFREE((VAR_NAME)[inner_idx_##VAR_NAME], (HEAP), DYNAMIC_TYPE_WOLF_BIGINT); \
-                        (VAR_NAME)[inner_idx_##VAR_NAME] = NULL; \
-                    } \
-                    for (inner_idx_##VAR_NAME = idx##VAR_NAME + 1; inner_idx_##VAR_NAME < (VAR_ITEMS); inner_idx_##VAR_NAME++) { \
-                        (VAR_NAME)[inner_idx_##VAR_NAME] = NULL; \
-                    } \
-                    break; \
-                } \
-            }
+            VAR_TYPE* VAR_NAME = NULL
+        #define WC_ALLOC_VAR(VAR_NAME, VAR_TYPE, VAR_SIZE, HEAP)        \
+            do {                                                        \
+                (VAR_NAME) = (VAR_TYPE*)XMALLOC(sizeof(VAR_TYPE) * (VAR_SIZE), (HEAP), DYNAMIC_TYPE_WOLF_BIGINT); \
+                if ((VAR_NAME) == NULL) {                               \
+                    WC_ALLOC_DO_ON_FAILURE();                           \
+                }                                                       \
+            } while (0)
+        #define WC_CALLOC_VAR(VAR_NAME, VAR_TYPE, VAR_SIZE, HEAP)        \
+            do { \
+                WC_ALLOC_VAR(VAR_NAME, VAR_TYPE, VAR_SIZE, HEAP); \
+                XMEMSET(VAR_NAME, 0, sizeof(VAR_TYPE) * (VAR_SIZE)); \
+            } while (0)
         #define WC_FREE_VAR(VAR_NAME, HEAP) \
             XFREE(VAR_NAME, (HEAP), DYNAMIC_TYPE_WOLF_BIGINT)
+        #define WC_DECLARE_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
+            WC_DECLARE_HEAP_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP)
+        #define WC_ARRAY_ARG(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE) \
+            WC_HEAP_ARRAY_ARG(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE)
+        #define WC_ALLOC_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
+            WC_ALLOC_HEAP_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP)
+        #define WC_CALLOC_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
+            WC_CALLOC_HEAP_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP)
+        #define WC_ARRAY_OK(VAR_NAME) WC_HEAP_ARRAY_OK(VAR_NAME)
         #define WC_FREE_ARRAY(VAR_NAME, VAR_ITEMS, HEAP) \
-            for (idx##VAR_NAME=0; idx##VAR_NAME<(VAR_ITEMS); idx##VAR_NAME++) { \
-                XFREE((VAR_NAME)[idx##VAR_NAME], (HEAP), DYNAMIC_TYPE_WOLF_BIGINT); \
-            }
-
-        #define WC_DECLARE_ARRAY_DYNAMIC_DEC(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
-            WC_DECLARE_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP)
-        #define WC_DECLARE_ARRAY_DYNAMIC_EXE(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
-            WC_INIT_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP)
-        #define WC_FREE_ARRAY_DYNAMIC(VAR_NAME, VAR_ITEMS, HEAP) \
-            WC_FREE_ARRAY(VAR_NAME, VAR_ITEMS, HEAP)
+            WC_FREE_HEAP_ARRAY(VAR_NAME, VAR_ITEMS, HEAP)
     #else
         #undef WC_DECLARE_VAR_IS_HEAP_ALLOC
         #define WC_DECLARE_VAR(VAR_NAME, VAR_TYPE, VAR_SIZE, HEAP) \
             VAR_TYPE VAR_NAME[VAR_SIZE]
-        #define WC_DECLARE_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
-            VAR_TYPE VAR_NAME[VAR_ITEMS][VAR_SIZE]
-        #define WC_INIT_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) WC_DO_NOTHING
+        #define WC_ALLOC_VAR(VAR_NAME, VAR_TYPE, VAR_SIZE, HEAP) WC_DO_NOTHING
+        #define WC_CALLOC_VAR(VAR_NAME, VAR_TYPE, VAR_SIZE, HEAP)        \
+            XMEMSET(VAR_NAME, 0, sizeof(var))
         #define WC_FREE_VAR(VAR_NAME, HEAP) WC_DO_NOTHING /* nothing to free, its stack */
+        #define WC_DECLARE_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
+            VAR_TYPE VAR_NAME[VAR_ITEMS][(VAR_SIZE) / sizeof(VAR_TYPE)] /* // NOLINT(bugprone-sizeof-expression) */
+        #define WC_ARRAY_ARG(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE) \
+            VAR_TYPE VAR_NAME[VAR_ITEMS][(VAR_SIZE) / sizeof(VAR_TYPE)] /* // NOLINT(bugprone-sizeof-expression) */
+        #define WC_ALLOC_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) WC_DO_NOTHING
+        #define WC_CALLOC_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) XMEMSET(VAR_NAME, 0, sizeof(VAR_NAME))
+        #define WC_ARRAY_OK(VAR_NAME) 1
         #define WC_FREE_ARRAY(VAR_NAME, VAR_ITEMS, HEAP) WC_DO_NOTHING /* nothing to free, its stack */
-
-        #define WC_DECLARE_ARRAY_DYNAMIC_DEC(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
-            VAR_TYPE* VAR_NAME[VAR_ITEMS]; \
-            int idx##VAR_NAME, inner_idx_##VAR_NAME
-        #define WC_DECLARE_ARRAY_DYNAMIC_EXE(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
-            for (idx##VAR_NAME=0; idx##VAR_NAME<(VAR_ITEMS); idx##VAR_NAME++) { \
-                (VAR_NAME)[idx##VAR_NAME] = (VAR_TYPE*)XMALLOC(VAR_SIZE, (HEAP), DYNAMIC_TYPE_TMP_BUFFER); \
-                if ((VAR_NAME)[idx##VAR_NAME] == NULL) { \
-                    for (inner_idx_##VAR_NAME = 0; inner_idx_##VAR_NAME < idx##VAR_NAME; inner_idx_##VAR_NAME++) { \
-                        XFREE((VAR_NAME)[inner_idx_##VAR_NAME], HEAP, DYNAMIC_TYPE_TMP_BUFFER); \
-                        (VAR_NAME)[inner_idx_##VAR_NAME] = NULL; \
-                    } \
-                    for (inner_idx_##VAR_NAME = idx##VAR_NAME + 1; inner_idx_##VAR_NAME < (VAR_ITEMS); inner_idx_##VAR_NAME++) { \
-                        (VAR_NAME)[inner_idx_##VAR_NAME] = NULL; \
-                    } \
-                    break; \
-                } \
-            }
-        #define WC_FREE_ARRAY_DYNAMIC(VAR_NAME, VAR_ITEMS, HEAP) \
-            for (idx##VAR_NAME=0; idx##VAR_NAME<(VAR_ITEMS); idx##VAR_NAME++) { \
-                XFREE((VAR_NAME)[idx##VAR_NAME], (HEAP), DYNAMIC_TYPE_TMP_BUFFER); \
-            }
     #endif
 
     #if defined(HAVE_FIPS) || defined(HAVE_SELFTEST)
@@ -653,9 +680,9 @@ typedef struct w64wrapper {
         #define DECLARE_ARRAY               WC_DECLARE_ARRAY
         #define FREE_VAR                    WC_FREE_VAR
         #define FREE_ARRAY                  WC_FREE_ARRAY
-        #define DECLARE_ARRAY_DYNAMIC_DEC   WC_DECLARE_ARRAY_DYNAMIC_DEC
-        #define DECLARE_ARRAY_DYNAMIC_EXE   WC_DECLARE_ARRAY_DYNAMIC_EXE
-        #define FREE_ARRAY_DYNAMIC          WC_FREE_ARRAY_DYNAMIC
+        #define DECLARE_ARRAY_DYNAMIC_DEC   WC_DECLARE_HEAP_ARRAY
+        #define DECLARE_ARRAY_DYNAMIC_EXE   WC_ALLOC_HEAP_ARRAY
+        #define FREE_ARRAY_DYNAMIC          WC_FREE_HEAP_ARRAY
     #endif /* HAVE_FIPS */
 
     #if !defined(USE_WOLF_STRTOK) && \
@@ -884,8 +911,12 @@ typedef struct w64wrapper {
 
     #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)
         #ifndef XGETENV
-            #include <stdlib.h>
-            #define XGETENV getenv
+            #ifdef NO_GETENV
+                #define XGETENV(x) (NULL)
+            #else
+                #include <stdlib.h>
+                #define XGETENV getenv
+            #endif
         #endif
     #endif /* !NO_FILESYSTEM && !NO_STDIO_FILESYSTEM */
 
@@ -900,7 +931,11 @@ typedef struct w64wrapper {
         #endif
         #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
         #define XISALNUM(c)     isalnum((c))
-        #define XISASCII(c)     isascii((c))
+        #ifdef NO_STDLIB_ISASCII
+            #define XISASCII(c) (((c) >= 0 && (c) <= 127) ? 1 : 0)
+        #else
+            #define XISASCII(c) isascii((c))
+        #endif
         #define XISSPACE(c)     isspace((c))
         #endif
         /* needed by wolfSSL_check_domain_name() */
diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h
index 3335ebf2d2..c4ded9c143 100644
--- a/wolfssl/wolfcrypt/wc_port.h
+++ b/wolfssl/wolfcrypt/wc_port.h
@@ -698,49 +698,59 @@ WOLFSSL_ABI WOLFSSL_API int wolfCrypt_Cleanup(void);
 
     #if !defined(NO_WOLFSSL_DIR)\
         && !defined(WOLFSSL_NUCLEUS) && !defined(WOLFSSL_NUCLEUS_1_2)
-    #if defined(USE_WINDOWS_API)
-        #include <sys/stat.h>
-        #ifndef XSTAT
-        #define XSTAT       _stat
-        #endif
-        #define XS_ISREG(s) (s & _S_IFREG)
-        #define SEPARATOR_CHAR ';'
+        #if defined(USE_WINDOWS_API)
+            #include <sys/stat.h>
+            #ifndef XSTAT
+                #define XSTAT       _stat
+            #endif
+            #define XS_ISREG(s) (s & _S_IFREG)
+            #define SEPARATOR_CHAR ';'
 
-    #elif defined(INTIME_RTOS)
-        #include <sys/stat.h>
-        #ifndef XSTAT
-        #define XSTAT _stat64
-        #endif
-        #define XS_ISREG(s) S_ISREG(s)
-        #define SEPARATOR_CHAR ';'
-        #define XWRITE      write
-        #define XREAD       read
-        #define XCLOSE      close
+        #elif defined(ARDUINO)
+            #ifndef XSTAT
+                #define XSTAT       _stat
+            #endif
+            #define XS_ISREG(s) (s & _S_IFREG)
+            #define SEPARATOR_CHAR ';'
 
-    #elif defined(WOLFSSL_TELIT_M2MB)
-        #ifndef XSTAT
-        #define XSTAT       m2mb_fs_stat
-        #endif
-        #define XS_ISREG(s) (s & M2MB_S_IFREG)
-        #define SEPARATOR_CHAR ':'
-    #else
-        #include <dirent.h>
-        #include <unistd.h>
-        #include <sys/stat.h>
-        #define XWRITE      write
-        #define XREAD       read
-        #define XCLOSE      close
-        #ifndef XSTAT
-        #define XSTAT       stat
+        #elif defined(INTIME_RTOS)
+            #include <sys/stat.h>
+            #ifndef XSTAT
+            #define XSTAT _stat64
+            #endif
+            #define XS_ISREG(s) S_ISREG(s)
+            #define SEPARATOR_CHAR ';'
+            #define XWRITE      write
+            #define XREAD       read
+            #define XCLOSE      close
+
+        #elif defined(WOLFSSL_TELIT_M2MB)
+            #ifndef XSTAT
+            #define XSTAT       m2mb_fs_stat
+            #endif
+            #define XS_ISREG(s) (s & M2MB_S_IFREG)
+            #define SEPARATOR_CHAR ':'
+
+        #else
+            #ifndef NO_WOLFSSL_DIR
+                #include <dirent.h>
+            #endif
+            #include <unistd.h>
+            #include <sys/stat.h>
+            #define XWRITE      write
+            #define XREAD       read
+            #define XCLOSE      close
+            #ifndef XSTAT
+            #define XSTAT       stat
+            #endif
+            #define XS_ISREG(s) S_ISREG(s)
+            #define SEPARATOR_CHAR ':'
         #endif
-        #define XS_ISREG(s) S_ISREG(s)
-        #define SEPARATOR_CHAR ':'
-    #endif
 
-    #ifndef XSTAT_TYPE
-        #define XSTAT_TYPE struct XSTAT
-    #endif
-    #endif
+        #ifndef XSTAT_TYPE
+            #define XSTAT_TYPE struct XSTAT
+        #endif
+    #endif /* !NO_WOLFSSL_DIR !WOLFSSL_NUCLEUS !WOLFSSL_NUCLEUS_1_2 */
 #endif
 
     #ifndef MAX_FILENAME_SZ
@@ -777,6 +787,8 @@ WOLFSSL_ABI WOLFSSL_API int wolfCrypt_Cleanup(void);
         #define IntimeFindNext(data)  (0 == _findnext64(data))
         #define IntimeFindClose(data) (0 == _findclose64(data))
         #define IntimeFilename(ctx)   ctx->FindFileData.f_filename
+    #elif defined(ARDUINO)
+        /* TODO: board specific features */
     #else
         struct dirent* entry;
         DIR*   dir;
diff --git a/wolfssl/wolfio.h b/wolfssl/wolfio.h
index 9a8b511381..7336f8a5c1 100644
--- a/wolfssl/wolfio.h
+++ b/wolfssl/wolfio.h
@@ -66,6 +66,8 @@
             #include <errno.h>
             #define LWIP_PROVIDE_ERRNO 1
         #endif
+    #elif defined(ARDUINO)
+        /* TODO Add specific boards */
     #elif defined(FREESCALE_MQX)
         #include <posix.h>
         #include <rtcs.h>
@@ -161,11 +163,15 @@
             #include <sys/socket.h>
             #include <arpa/inet.h>
             #include <netinet/in.h>
-            #include <netdb.h>
+            #ifdef HAVE_NETDB_H
+                #include <netdb.h>
+            #endif
             #ifdef __PPU
                 #include <netex/errno.h>
             #else
-                #include <sys/ioctl.h>
+                #ifdef HAVE_SYS_IOCTL_H
+                    #include <sys/ioctl.h>
+                #endif
             #endif
         #endif
     #endif
@@ -318,6 +324,12 @@
     #include <network.h>
     #define SEND_FUNCTION net_send
     #define RECV_FUNCTION net_recv
+#elif defined(WOLFSSL_ESPIDF)
+    #define SEND_FUNCTION send
+    #define RECV_FUNCTION recv
+    #if !defined(HAVE_SOCKADDR) && !defined(WOLFSSL_NO_SOCK)
+        #define HAVE_SOCKADDR
+    #endif
 #elif defined(WOLFSSL_LWIP) && !defined(WOLFSSL_APACHE_MYNEWT)
     #define SEND_FUNCTION lwip_send
     #define RECV_FUNCTION lwip_recv