diff --git a/Makefile.am b/Makefile.am index 105850283..0cd988d08 100644 --- a/Makefile.am +++ b/Makefile.am @@ -26,7 +26,10 @@ SUBDIRS_OPT = DIST_SUBDIRS_OPT = # allow supplementary or override flags to be passed at make time: +AM_CPPFLAGS += $(EXTRA_CPPFLAGS) AM_CFLAGS += $(EXTRA_CFLAGS) +AM_CCASFLAGS += $(EXTRA_CCASFLAGS) +AM_LDFLAGS += $(EXTRA_LDFLAGS) #includes additional rules from aminclude.am @INC_AMINCLUDE@ @@ -201,13 +204,15 @@ include scripts/include.am if BUILD_LINUXKM # rather than setting $SUBDIRS here directly, we set an auxiliary variable. - # autotools see the SUBDIRS assignment here even if BUILD_LINUXKM is false, + # autotools sees the SUBDIRS assignment here even if BUILD_LINUXKM is false, # at least for purposes of recursing for "make distdir", which we don't want to happen. SUBDIRS_OPT += linuxkm DIST_SUBDIRS_OPT += linuxkm - export KERNEL_ROOT KERNEL_ARCH KERNEL_EXTRA_CFLAGS AM_CPPFLAGS CPPFLAGS \ - AM_CFLAGS CFLAGS AM_CCASFLAGS CCASFLAGS \ + export KERNEL_ROOT KERNEL_ARCH KERNEL_EXTRA_CFLAGS \ + EXTRA_CFLAGS EXTRA_CPPFLAGS EXTRA_CCASFLAGS EXTRA_LDFLAGS \ + AM_CPPFLAGS CPPFLAGS AM_CFLAGS CFLAGS \ + AM_CCASFLAGS CCASFLAGS \ src_libwolfssl_la_OBJECTS ENABLED_CRYPT_TESTS ENABLED_LINUXKM_PIE ENABLED_ASM \ CFLAGS_FPU_DISABLE CFLAGS_FPU_ENABLE CFLAGS_SIMD_DISABLE CFLAGS_SIMD_ENABLE \ CFLAGS_AUTO_VECTORIZE_DISABLE CFLAGS_AUTO_VECTORIZE_ENABLE \ diff --git a/configure.ac b/configure.ac index 963a81fb9..ebd79df6b 100644 --- a/configure.ac +++ b/configure.ac 
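Review bot: The new `AM_CPPFLAGS += $(EXTRA_CPPFLAGS)`, `AM_CCASFLAGS += $(EXTRA_CCASFLAGS)` and `AM_LDFLAGS += $(EXTRA_LDFLAGS)` lines append values that configure has already folded into the substituted `AM_*` variables (see the configure.ac hunk at -8508, which runs just before `AC_SUBST`). Because `AC_ARG_VAR` also substitutes each `EXTRA_*` variable into the Makefile, a value given at configure time ends up on every command line twice. That is harmless for most `-D`/`-W` flags but not for order-sensitive or non-idempotent ones such as `-include` or linker inputs. If the duplication is accepted, say so next to the existing comment, e.g. `# values given to configure are already part of AM_*; these lines add make-time overrides and may repeat them`.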
@@ -35,7 +35,10 @@ AC_CONFIG_HEADERS([config.h:config.in]) LT_PREREQ([2.4.2]) LT_INIT([disable-static win32-dll]) -AC_ARG_VAR(EXTRA_CFLAGS, [Extra CFLAGS to add to autoconf-computed arg list. Can also supply directly to make.]) +AC_ARG_VAR(EXTRA_CPPFLAGS, [Extra CPPFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.]) +AC_ARG_VAR(EXTRA_CFLAGS, [Extra CFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.]) +AC_ARG_VAR(EXTRA_CCASFLAGS, [Extra CCASFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.]) +AC_ARG_VAR(EXTRA_LDFLAGS, [Extra LDFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.]) WOLFSSL_CONFIG_ARGS=$ac_configure_args AC_SUBST([WOLFSSL_CONFIG_ARGS]) @@ -65,7 +68,7 @@ AC_SUBST([WOLFSSL_LIBRARY_VERSION]) gl_VISIBILITY AS_IF([ test -n "$CFLAG_VISIBILITY" ], [ - AM_CFLAGS="$AM_CPPFLAGS $CFLAG_VISIBILITY" + AM_CFLAGS="$AM_CFLAGS $CFLAG_VISIBILITY" ]) @@ -981,7 +984,6 @@ AC_ARG_WITH([liboqs], [AS_HELP_STRING([--with-liboqs=PATH],[Path to liboqs install (default /usr/local) EXPERIMENTAL!])], [ AC_MSG_CHECKING([for liboqs]) - CPPFLAGS="$CPPFLAGS -DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS" LIBS="$LIBS -loqs" AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ OQS_init(); ]])], [ liboqs_linked=yes ],[ liboqs_linked=no ]) @@ -994,8 +996,8 @@ AC_ARG_WITH([liboqs], tryliboqsdir="/usr/local" fi + CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS -I$tryliboqsdir/include" LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$tryliboqsdir/lib" - CPPFLAGS="$CPPFLAGS -I$tryliboqsdir/include" AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ OQS_init(); ]])], [ liboqs_linked=yes ],[ liboqs_linked=no ]) @@ -1004,6 +1006,7 @@ AC_ARG_WITH([liboqs], If it's already installed, specify its path using --with-liboqs=/dir/]) fi AC_MSG_RESULT([yes]) + AM_CPPFLAGS="$CPPFLAGS" AM_LDFLAGS="$AM_LDFLAGS -L$tryliboqsdir/lib" else AC_MSG_RESULT([yes]) 
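Review bot: The new `CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS -I$tryliboqsdir/include"` in the liboqs fallback probe discards whatever the user passed in `CPPFLAGS`, while the `LDFLAGS` line next to it still keeps `$LDFLAGS`. `CPPFLAGS` is not restored after the probe, and on success `AM_CPPFLAGS="$CPPFLAGS"` leaves both variables holding the same list, so the later `for option in $CPPFLAGS $AM_CPPFLAGS ...` loop that writes options.h sees every define twice. Saving the caller's value before the probe (`save_CPPFLAGS="$CPPFLAGS"`), restoring it afterwards (`CPPFLAGS="$save_CPPFLAGS"`), and appending only the new `-D`/`-I` items to `AM_CPPFLAGS` would avoid both effects. The `--with-wnr` and `--with-cavium` hunks follow the same pattern.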
@@ -4840,7 +4843,6 @@ AC_ARG_WITH([wnr], [AS_HELP_STRING([--with-wnr=PATH],[Path to Whitewood netRandom install (default /usr/local)])], [ AC_MSG_CHECKING([for Whitewood netRandom]) - CPPFLAGS="$CPPFLAGS -DHAVE_WNR" LIBS="$LIBS -lwnr" AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ wnr_setup(0, 0); ]])], [ wnr_linked=yes ],[ wnr_linked=no ]) @@ -4853,8 +4855,8 @@ AC_ARG_WITH([wnr], trywnrdir="/usr/local" fi + CPPFLAGS="$AM_CPPFLAGS -DHAVE_WNR -I$trywnrdir/include" LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$trywnrdir/lib" - CPPFLAGS="$CPPFLAGS -I$trywnrdir/include" AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ wnr_setup(0, 0); ]])], [ wnr_linked=yes ],[ wnr_linked=no ]) @@ -4863,6 +4865,7 @@ AC_ARG_WITH([wnr], If it's already installed, specify its path using --with-wnr=/dir/]) fi AC_MSG_RESULT([yes]) + AM_CPPFLAGS="$CPPFLAGS" AM_LDFLAGS="$AM_LDFLAGS -L$trywnrdir/lib" else AC_MSG_RESULT([yes]) @@ -6423,7 +6426,6 @@ AC_ARG_WITH([cavium], [ --with-cavium=PATH PATH to cavium/software dir ], [ AC_MSG_CHECKING([for cavium]) - CPPFLAGS="$CPPFLAGS -DHAVE_CAVIUM" LIB_ADD="-lrt $LIB_ADD" if test "x$withval" = "xyes" ; then @@ -6433,8 +6435,8 @@ AC_ARG_WITH([cavium], trycaviumdir=$withval fi + CPPFLAGS="$AM_CPPFLAGS -DHAVE_CAVIUM -I$trycaviumdir/include" LDFLAGS="$AM_LDFLAGS $trycaviumdir/api/cavium_common.o" - CPPFLAGS="$CPPFLAGS -I$trycaviumdir/include" AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include "cavium_common.h"]], [[ CspShutdown(CAVIUM_DEV_ID); ]])],[ cavium_linked=yes ],[ cavium_linked=no ]) @@ -6442,7 +6444,8 @@ AC_ARG_WITH([cavium], AC_MSG_ERROR([cavium isn't found. If it's already installed, specify its path using --with-cavium=/dir/]) else - AM_CFLAGS="$AM_CFLAGS -DHAVE_CAVIUM" + AM_CPPFLAGS="$CPPFLAGS" + AM_LDFLAGS="$LDFLAGS" fi AC_MSG_RESULT([yes]) enable_shared=no 
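Review bot: With `CPPFLAGS="$CPPFLAGS -DHAVE_WNR"` removed from the top of the `--with-wnr` block, `-DHAVE_WNR` is now added only inside the fallback branch that retries with `-L$trywnrdir/lib`. When the first `AC_LINK_IFELSE` already succeeds, nothing in the visible lines defines it, so unless code after this hunk adds the define, the build would silently leave out the netRandom entropy source the user asked for. The `else` branch continues outside the hunk, so this needs confirming against the full file; the same question applies to `-DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS` in the `--with-liboqs` block. If the define is indeed missing on that path, `AM_CPPFLAGS="$AM_CPPFLAGS -DHAVE_WNR"` after the `fi` restores it for both branches.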
@@ -8508,6 +8511,10 @@ then AM_CFLAGS="$AM_CFLAGS -include ${output_objdir}/.build_params" fi +AM_CPPFLAGS="$AM_CPPFLAGS $EXTRA_CPPFLAGS" +AM_CFLAGS="$AM_CFLAGS $EXTRA_CFLAGS" +AM_CCASFLAGS="$AM_CCASFLAGS $EXTRA_CCASFLAGS" +AM_LDFLAGS="$AM_LDFLAGS $EXTRA_LDFLAGS" CREATE_HEX_VERSION AC_SUBST([AM_CPPFLAGS]) @@ -8564,9 +8571,11 @@ fi if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" then - echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ac_configure_args\"" > ${output_objdir}/.build_params && - echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> ${output_objdir}/.build_params || + echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ac_configure_args\"" > "${output_objdir}/.build_params" && + echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> "${output_objdir}/.build_params" || AC_MSG_ERROR([Couldn't create ${output_objdir}/.build_params.]) +else + rm -f "${output_objdir}/.build_params" fi # generate user options header @@ -8579,7 +8588,7 @@ rm -f $OPTION_FILE echo "/* wolfssl options.h" > $OPTION_FILE echo " * generated from configure options" >> $OPTION_FILE echo " *" >> $OPTION_FILE -echo " * Copyright (C) 2006-2022 wolfSSL Inc." >> $OPTION_FILE +echo " * Copyright (C) 2006-2023 wolfSSL Inc." >> $OPTION_FILE echo " *" >> $OPTION_FILE echo " * This file is part of wolfSSL. (formerly known as CyaSSL)" >> $OPTION_FILE echo " *" >> $OPTION_FILE 
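Review bot: The two `echo "#define ... \"...\""` lines that write `.build_params` paste `$ac_configure_args` and the flag variables into C string literals without escaping, and after this commit `AM_CPPFLAGS`/`AM_CFLAGS` also carry the user's `EXTRA_*` values. A flag containing a double quote or backslash (for example a `-DNAME="value"` style define) ends the literal early, so the generated header either fails to compile or defines something other than what was configured. The commit quotes the redirect target but not the content; escaping before writing closes that gap, e.g. `cfg_esc=$(printf '%s' "$ac_configure_args" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')` and the same for the flags string.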
@@ -8595,11 +8604,12 @@ echo "extern \"C\" {" >> $OPTION_FILE echo "#endif" >> $OPTION_FILE echo "" >> $OPTION_FILE -for option in $CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS $EXTRA_CFLAGS; do - defonly=`echo $option | sed 's/^-D//'` - if test "$defonly" != "$option" - then - noequalsign=`echo $defonly | sed 's/=/ /'` +for option in $CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS; do + opt_type=$(echo $option | colrm 3) + case "$opt_type" in + -D) + RHS_only=$(echo $option | sed 's/^-D//') + noequalsign=$(echo $RHS_only | sed 's/=/ /') if test "$noequalsign" = "NDEBUG" || test "$noequalsign" = "DEBUG" then if test "$verbose" = "yes"; then @@ -8615,7 +8625,7 @@ for option in $CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS $EXTRA_CFLAGS; do echo "#ifndef WOLFSSL_OPTIONS_IGNORE_SYS" >> $OPTION_FILE fi - noarg=`echo $defonly | sed 's/=.*//'` + noarg=$(echo "$RHS_only" | sed 's/=.*//') echo "#undef $noarg" >> $OPTION_FILE echo "#define $noequalsign" >> $OPTION_FILE @@ -8625,11 +8635,18 @@ for option in $CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS $EXTRA_CFLAGS; do fi echo "" >> $OPTION_FILE - else + ;; + -U) + RHS_only=$(echo $option | sed 's/^-U//') + echo "#undef $RHS_only" >> $OPTION_FILE + echo "" >> $OPTION_FILE + ;; + *) if test "$verbose" = "yes"; then - AC_MSG_NOTICE([option w/o begin -D is $option, not saving to $OPTION_FILE]) + AC_MSG_NOTICE([option "$option" is not a preprocessor directive -- not saving to $OPTION_FILE]) fi - fi + ;; + esac done echo "" >> $OPTION_FILE @@ -8678,6 +8695,7 @@ echo " * C++ Compiler: $CXX" echo " * C++ Flags: $CXXFLAGS" echo " * CPP Flags: $CPPFLAGS" echo " * CCAS Flags: $CCASFLAGS" +echo " * LD Flags: $LDFLAGS" echo " * LIB Flags: $LIB" echo " * Library Suffix: $LIBSUFFIX" diff --git a/linuxkm/module_exports.c.template b/linuxkm/module_exports.c.template index 87edee82e..5d697e52e 100644 --- a/linuxkm/module_exports.c.template +++ b/linuxkm/module_exports.c.template 
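Review bot: `opt_type=$(echo $option | colrm 3)` makes options.h generation depend on `colrm`, which is not a POSIX utility and is missing from some minimal build environments. If the command is absent, `opt_type` is empty, every flag falls into the `*)` arm, and options.h is written without any `#define` lines and without an error; applications compiled against that header would then disagree with the library about its configuration. The shell can classify the flag directly with `case "$option" in` and the arms `-D*)` and `-U*)`, which also removes the unquoted `echo $option`. The loop body is only partly visible across these hunks.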
@@ -88,6 +88,9 @@ #ifdef HAVE_ECC #include #endif +#ifdef HAVE_HPKE + #include +#endif #ifdef HAVE_CURVE25519 #include #endif diff --git a/tests/api.c b/tests/api.c index 8bc987158..120f00b11 100644 --- a/tests/api.c +++ b/tests/api.c @@ -50957,7 +50957,11 @@ static int test_tls13_apis(void) #endif #endif #ifndef OPENSSL_EXTRA +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + AssertIntEQ(wolfSSL_CTX_set_max_early_data(serverCtx, 32), WOLFSSL_SUCCESS); +#else AssertIntEQ(wolfSSL_CTX_set_max_early_data(serverCtx, 32), 0); +#endif AssertIntEQ(wolfSSL_CTX_get_max_early_data(serverCtx), 32); #else AssertIntEQ(SSL_CTX_set_max_early_data(serverCtx, 32), 1); @@ -50974,7 +50978,11 @@ static int test_tls13_apis(void) #endif #ifndef NO_WOLFSSL_CLIENT #ifndef OPENSSL_EXTRA +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + AssertIntEQ(wolfSSL_set_max_early_data(clientSsl, 17), WOLFSSL_SUCCESS); +#else AssertIntEQ(wolfSSL_set_max_early_data(clientSsl, 17), 0); +#endif AssertIntEQ(wolfSSL_get_max_early_data(clientSsl), 17); #else AssertIntEQ(SSL_set_max_early_data(clientSsl, 17), WOLFSSL_SUCCESS); @@ -50992,7 +51000,11 @@ static int test_tls13_apis(void) #endif #endif #ifndef OPENSSL_EXTRA +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + AssertIntEQ(wolfSSL_set_max_early_data(serverSsl, 16), WOLFSSL_SUCCESS); +#else AssertIntEQ(wolfSSL_set_max_early_data(serverSsl, 16), 0); +#endif AssertIntEQ(wolfSSL_get_max_early_data(serverSsl), 16); #else AssertIntEQ(SSL_set_max_early_data(serverSsl, 16), 1); diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c index 604f9fb0b..b9e3c3b2c 100644 --- a/wolfcrypt/src/hpke.c +++ b/wolfcrypt/src/hpke.c 
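Review bot: The same `#ifdef WOLFSSL_ERROR_CODE_OPENSSL` / `#else` / `#endif` wrapper is pasted around three `set_max_early_data` assertions in test_tls13_apis, each nested inside an existing `#ifndef OPENSSL_EXTRA` block, which makes the expected return value hard to follow. Defining the expected value once near the top of the function (a local macro that is `WOLFSSL_SUCCESS` under `WOLFSSL_ERROR_CODE_OPENSSL` and `0` otherwise; the name is the author's choice) would leave a single `AssertIntEQ(..., <expected>)` at each site. A one-line comment such as `/* return convention of the native set_max_early_data calls depends on WOLFSSL_ERROR_CODE_OPENSSL */` would document why the two values differ. The function body starts and ends outside these hunks.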
@@ -942,14 +942,19 @@ int wc_HpkeSealBase(Hpke* hpke, void* ephemeralKey, void* receiverKey, } #endif + PRIVATE_KEY_UNLOCK(); + /* setup the context and pubKey */ ret = wc_HpkeSetupBaseSender(hpke, context, ephemeralKey, receiverKey, info, infoSz); /* run seal using the context */ - if (ret == 0) + if (ret == 0) { ret = wc_HpkeContextSealBase(hpke, context, aad, aadSz, plaintext, ptSz, ciphertext); + } + + PRIVATE_KEY_LOCK(); #ifdef WOLFSSL_SMALL_STACK XFREE(context, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER); @@ -1174,6 +1179,8 @@ int wc_HpkeOpenBase(Hpke* hpke, void* receiverKey, const byte* pubKey, } #endif + PRIVATE_KEY_UNLOCK(); + /* setup receiver */ ret = wc_HpkeSetupBaseReceiver(hpke, context, receiverKey, pubKey, pubKeySz, info, infoSz); @@ -1184,6 +1191,8 @@ int wc_HpkeOpenBase(Hpke* hpke, void* receiverKey, const byte* pubKey, ctSz, plaintext); } + PRIVATE_KEY_LOCK(); + #ifdef WOLFSSL_SMALL_STACK XFREE(context, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif diff --git a/wolfcrypt/src/port/af_alg/afalg_aes.c b/wolfcrypt/src/port/af_alg/afalg_aes.c index 699e37057..918c40f0e 100644 --- a/wolfcrypt/src/port/af_alg/afalg_aes.c +++ b/wolfcrypt/src/port/af_alg/afalg_aes.c @@ -156,8 +156,14 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, return BAD_FUNC_ARG; } +#ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS + if (sz % AES_BLOCK_SIZE) { + return BAD_LENGTH_E; + } +#endif + if (aes->rdFd == WC_SOCK_NOTSET) { - if ((ret = wc_AesSetup(aes, WC_TYPE_SYMKEY, WC_NAME_AESCBC, + if ((ret = wc_AesSetup(aes, WC_TYPE_SYMKEY, WC_NAME_AESCBC, AES_IV_SIZE, 0)) != 0) { WOLFSSL_MSG("Error with first time setup of AF_ALG socket"); return ret; 
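Review bot: `PRIVATE_KEY_UNLOCK()` and `PRIVATE_KEY_LOCK()` are added in wc_HpkeSealBase and wc_HpkeOpenBase without a comment saying which call needs private-key access, and the unlocked window covers both the setup call and the seal/open call. If only the setup step needs it (presumably the key agreement inside wc_HpkeSetupBaseSender / wc_HpkeSetupBaseReceiver, which is not visible here), the `PRIVATE_KEY_LOCK()` can move up to directly after that call so the window stays as small as possible. Either way, add a comment at the unlock, e.g. `/* setup derives the shared secret from the private key; re-lock as soon as it returns */`. Both function bodies start and end outside the hunks.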
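Review bot: The length check added ahead of the AF_ALG setup in the CBC encrypt path of afalg_aes.c is compiled only under `WOLFSSL_AES_CBC_LENGTH_CHECKS`, so in a default build an `sz` that is not a multiple of `AES_BLOCK_SIZE` still reaches the socket calls. The decrypt-side hunk in the same file always rejects such input, returning `BAD_FUNC_ARG` when the macro is off. Unless the kernel interface is known to fail cleanly on a partial block, use the decrypt structure here as well: an unconditional `if (sz % AES_BLOCK_SIZE)` whose body returns `BAD_LENGTH_E` under the macro and `BAD_FUNC_ARG` otherwise. The enclosing function starts outside the hunk (the hunk header still names wc_AesSetKey).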
@@ -205,11 +211,18 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, struct iovec iov; int ret; - if (aes == NULL || out == NULL || in == NULL - || sz % AES_BLOCK_SIZE != 0) { + if (aes == NULL || out == NULL || in == NULL) { return BAD_FUNC_ARG; } + if (sz % AES_BLOCK_SIZE) { +#ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS + return BAD_LENGTH_E; +#else + return BAD_FUNC_ARG; +#endif + } + if (aes->rdFd == WC_SOCK_NOTSET) { if ((ret = wc_AesSetup(aes, WC_TYPE_SYMKEY, WC_NAME_AESCBC, AES_IV_SIZE, 0)) != 0) { @@ -534,6 +547,9 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, return BAD_FUNC_ARG; } + if (ivSz > WC_SYSTEM_AESGCM_IV) + ivSz = WC_SYSTEM_AESGCM_IV; + if (ivSz != WC_SYSTEM_AESGCM_IV) { WOLFSSL_MSG("IV size not supported on system"); return BAD_FUNC_ARG; @@ -636,8 +652,9 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, initalCounter[AES_BLOCK_SIZE - 1] = 1; GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz); ret = wc_AesEncryptDirect(aes, scratch, initalCounter); - if (ret < 0) + if (ret < 0) { return ret; + } xorbuf(authTag, scratch, authTagSz); } #else @@ -724,6 +741,9 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, return BAD_FUNC_ARG; } + if (ivSz > WC_SYSTEM_AESGCM_IV) + ivSz = WC_SYSTEM_AESGCM_IV; + if (ivSz != WC_SYSTEM_AESGCM_IV) { WOLFSSL_MSG("IV size not supported on system"); return BAD_FUNC_ARG; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 7a258b5b5..69b3ebd56 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c 
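Review bot: The added `if (ivSz > WC_SYSTEM_AESGCM_IV) ivSz = WC_SYSTEM_AESGCM_IV;` in wc_AesGcmEncrypt silently truncates an over-long IV instead of rejecting it, and it makes the following `ivSz != WC_SYSTEM_AESGCM_IV` check fire only for short IVs. GCM derives the initial counter differently for IVs of other lengths, so truncated input will not interoperate with other implementations. Two distinct IVs that share the same leading bytes also collapse to one nonce under the same key, and nonce reuse breaks both confidentiality and authentication in GCM. Drop the clamp and let the existing check return `BAD_FUNC_ARG`; if truncation is really intended it needs a comment explaining why it is safe, plus braces like the other branches this commit touches. The same two lines are added in the wc_AesGcmDecrypt hunk.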
@@ -22582,14 +22582,28 @@ static int hpke_test_single(Hpke* hpke) byte plaintext[MAX_HPKE_LABEL_SZ]; void* receiverKey = NULL; void* ephemeralKey = NULL; +#ifdef WOLFSSL_SMALL_STACK + uint8_t *pubKey = NULL; /* public key */ + word16 pubKeySz = (word16)HPKE_Npk_MAX; +#else uint8_t pubKey[HPKE_Npk_MAX]; /* public key */ word16 pubKeySz = (word16)sizeof(pubKey); +#endif rngRet = ret = wc_InitRng(rng); if (ret != 0) return ret; +#ifdef WOLFSSL_SMALL_STACK + if (ret == 0) { + pubKey = (uint8_t *)XMALLOC(pubKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER); + if (pubKey == NULL) + ret = MEMORY_E; + } +#endif + /* generate the keys */ if (ret == 0) ret = wc_HpkeGenerateKeyPair(hpke, &ephemeralKey, rng); @@ -22598,24 +22612,26 @@ static int hpke_test_single(Hpke* hpke) ret = wc_HpkeGenerateKeyPair(hpke, &receiverKey, rng); /* seal */ - if (ret == 0) + if (ret == 0) { ret = wc_HpkeSealBase(hpke, ephemeralKey, receiverKey, (byte*)info_text, (word32)XSTRLEN(info_text), (byte*)aad_text, (word32)XSTRLEN(aad_text), (byte*)start_text, (word32)XSTRLEN(start_text), ciphertext); + } /* export ephemeral key */ if (ret == 0) ret = wc_HpkeSerializePublicKey(hpke, ephemeralKey, pubKey, &pubKeySz); /* open with exported ephemeral key */ - if (ret == 0) + if (ret == 0) { ret = wc_HpkeOpenBase(hpke, receiverKey, pubKey, pubKeySz, (byte*)info_text, (word32)XSTRLEN(info_text), (byte*)aad_text, (word32)XSTRLEN(aad_text), ciphertext, (word32)XSTRLEN(start_text), plaintext); + } if (ret == 0) ret = XMEMCMP(plaintext, start_text, XSTRLEN(start_text)); @@ -22626,6 +22642,11 @@ static int hpke_test_single(Hpke* hpke) if (receiverKey != NULL) wc_HpkeFreeKey(hpke, hpke->kem, receiverKey, hpke->heap); +#ifdef WOLFSSL_SMALL_STACK + if (pubKey != NULL) + XFREE(pubKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif + if (rngRet == 0) wc_FreeRng(rng);