diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 11a7226f0..8e00c26ed 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -28314,7 +28314,12 @@ int wc_EncodeNameCanonical(EncodedName* name, const char* nameStr,
 int ParseKeyUsageStr(const char* value, word16* keyUsage, void* heap)
 {
     int ret = 0;
-    char *token, *str, *ptr;
+#ifdef WOLFSSL_NO_MALLOC
+    char str[1024];
+#else
+    char *str;
+#endif
+    char *token, *ptr;
     word32 len = 0;
     word16 usage = 0;
 
@@ -28324,10 +28329,15 @@ int ParseKeyUsageStr(const char* value, word16* keyUsage, void* heap)
 
     /* duplicate string (including terminator) */
     len = (word32)XSTRLEN(value);
+#ifdef WOLFSSL_NO_MALLOC
+    if (len >= sizeof(str))
+        return MEMORY_E;
+#else
     str = (char*)XMALLOC(len + 1, heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (str == NULL) {
         return MEMORY_E;
     }
+#endif
     XMEMCPY(str, value, len + 1);
 
     /* parse value, and set corresponding Key Usage value */
@@ -32302,7 +32312,11 @@ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
                                  dilithium_key* dilithiumKey,
                                  sphincs_key *sphincsKey, int kid_type)
 {
+#ifdef WOLFSSL_NO_MALLOC
+    byte buf[MAX_PUBLIC_KEY_SZ];
+#else
     byte *buf;
+#endif
     int   bufferSz, ret;
 
     if (cert == NULL ||
@@ -32312,10 +32326,12 @@ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
         (kid_type != SKID_TYPE && kid_type != AKID_TYPE))
         return BAD_FUNC_ARG;
 
+#ifndef WOLFSSL_NO_MALLOC
     buf = (byte *)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap,
                                                        DYNAMIC_TYPE_TMP_BUFFER);
     if (buf == NULL)
         return MEMORY_E;
+#endif
 
     /* Public Key */
     bufferSz = -1;
@@ -33322,7 +33338,12 @@ int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz)
 int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap)
 {
     word32 idx = 0, nb_val;
-    char *token, *str, *ptr;
+#ifdef WOLFSSL_NO_MALLOC
+    char str[1024];
+#else
+    char *str;
+#endif
+    char *token, *ptr;
     word32 len;
 
     (void)heap;
@@ -33332,9 +33353,14 @@ int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap)
 
     /* duplicate string (including terminator) */
     len = (word32)XSTRLEN(in);
+#ifdef WOLFSSL_NO_MALLOC
+    if (len >= sizeof(str))
+        return MEMORY_E;
+#else
     str = (char *)XMALLOC(len+1, heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (str == NULL)
         return MEMORY_E;
+#endif
     XMEMCPY(str, in, len+1);
 
     nb_val = 0;
diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c
index c830d7a91..df902e116 100644
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@@ -2979,7 +2979,11 @@ int wc_DhGenerateParams(WC_RNG *rng, int modSz, DhKey *dh)
             primeCheckCount = 0;
     int     primeCheck = MP_NO,
             ret = 0;
+#ifdef WOLFSSL_NO_MALLOC
+    unsigned char buf[4096 / WOLFSSL_BIT_SIZE];
+#else
     unsigned char *buf = NULL;
+#endif
 
 #if !defined(WOLFSSL_SMALL_STACK) || defined(WOLFSSL_NO_MALLOC)
     XMEMSET(tmp, 0, sizeof(tmp));
@@ -3029,11 +3033,16 @@ int wc_DhGenerateParams(WC_RNG *rng, int modSz, DhKey *dh)
     if (ret == 0) {
         bufSz = (word32)modSz - groupSz;
 
+#ifdef WOLFSSL_NO_MALLOC
+        if (bufSz > sizeof(buf))
+            ret = MEMORY_E;
+#else
         /* allocate ram */
         buf = (unsigned char *)XMALLOC(bufSz,
                                        dh->heap, DYNAMIC_TYPE_TMP_BUFFER);
         if (buf == NULL)
             ret = MEMORY_E;
+#endif
     }
 
     /* make a random string that will be multiplied against q */
@@ -3167,7 +3176,10 @@ int wc_DhGenerateParams(WC_RNG *rng, int modSz, DhKey *dh)
 
     RESTORE_VECTOR_REGISTERS();
 
-    if (buf != NULL) {
+#ifndef WOLFSSL_NO_MALLOC
+    if (buf != NULL)
+#endif
+    {
         ForceZero(buf, bufSz);
         if (dh != NULL) {
             XFREE(buf, dh->heap, DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index ee4ea34af..aedca835c 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -12441,6 +12441,9 @@ static const struct {
 /* find a hole and free as required, return -1 if no hole found */
 static int find_hole(void)
 {
+#ifdef WOLFSSL_NO_MALLOC
+   return -1;
+#else
    int      x, y, z;
    for (z = -1, y = INT_MAX, x = 0; x < FP_ENTRIES; x++) {
        if (fp_cache[x].lru_count < y && fp_cache[x].lock == 0) {
@@ -12469,6 +12472,7 @@ static int find_hole(void)
       fp_cache[z].lru_count = 0;
    }
    return z;
+#endif /* !WOLFSSL_NO_MALLOC */
 }
 
 /* determine if a base is already in the cache and if so, where */
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 66e81cbe3..ff8a4ffc3 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -2652,7 +2652,7 @@ static wc_test_ret_t _SaveDerAndPem(const byte* der, int derSz,
     #ifndef WOLFSSL_NO_MALLOC
         byte* pem;
     #else
-        byte pem[1024];
+        byte pem[2048];
     #endif
         int pemSz;
 
@@ -2668,7 +2668,7 @@ static wc_test_ret_t _SaveDerAndPem(const byte* der, int derSz,
         }
     #else
         if (pemSz > (int)sizeof(pem))
-            return BAD_FUNC_ARG;
+            return WC_TEST_RET_ENC_EC(BAD_FUNC_ARG);
     #endif
         /* Convert to PEM */
         pemSz = wc_DerToPem(der, (word32)derSz, pem, (word32)pemSz, pemType);
@@ -18163,7 +18163,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t memory_test(void)
             #ifdef WOLFSSL_CERT_GEN
             static const char* rsaCaCertFile = CERT_ROOT "ca-cert.pem";
             #endif
-            #if defined(WOLFSSL_ALT_NAMES) || defined(HAVE_PKCS7)
+            #if (defined(WOLFSSL_ALT_NAMES) && !defined(WOLFSSL_NO_MALLOC)) || \
+                defined(HAVE_PKCS7)
             static const char* rsaCaCertDerFile = CERT_ROOT "ca-cert.der";
             #endif
             #ifdef HAVE_PKCS7
@@ -18208,7 +18209,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t memory_test(void)
             #ifndef NO_RSA
                 static const char* eccKeyPubFileDer = CERT_ROOT "ecc-keyPub.der";
             #endif
-            #ifndef NO_ASN_TIME
+            #if !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_MALLOC)
                 static const char* eccCaKeyFile  = CERT_ROOT "ca-ecc-key.der";
                 static const char* eccCaCertFile = CERT_ROOT "ca-ecc-cert.pem";
                 #ifdef ENABLE_ECC384_CERT_GEN_TEST
@@ -18264,7 +18265,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t memory_test(void)
 #ifndef NO_WRITE_TEMP_FILES
 #ifdef HAVE_ECC
     #ifndef NO_ECC_SECP
-        #if defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME)
+        #if defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME) && \
+            !defined(WOLFSSL_NO_MALLOC)
         static const char* certEccPemFile = CERT_WRITE_TEMP_DIR "certecc.pem";
         static const char* certEccDerFile = CERT_WRITE_TEMP_DIR "certecc.der";
         #endif
@@ -18286,7 +18288,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t memory_test(void)
 #endif /* HAVE_ECC */
 
 #ifndef NO_RSA
-    #if defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME)
+    #if defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME) && \
+        !defined(WOLFSSL_NO_MALLOC)
         static const char* otherCertDerFile = CERT_WRITE_TEMP_DIR "othercert.der";
         static const char* certDerFile = CERT_WRITE_TEMP_DIR "cert.der";
         static const char* otherCertPemFile = CERT_WRITE_TEMP_DIR "othercert.pem";
@@ -20482,7 +20485,7 @@ exit_rsa_even_mod:
 }
 #endif /* WOLFSSL_HAVE_SP_RSA */
 
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME)
+#if defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_MALLOC)
 static wc_test_ret_t rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng, byte* tmp)
 {
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
@@ -21969,7 +21972,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
         goto exit_rsa;
 #endif
 
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME)
+#if defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME) && \
+    !defined(WOLFSSL_NO_MALLOC)
     /* Make Cert / Sign example for RSA cert and RSA CA */
     ret = rsa_certgen_test(key, keypub, &rng, tmp);
     if (ret != 0)
@@ -32575,7 +32579,8 @@ static int test_sm2_verify(void)
 #endif /* WOLFSSL_SM2 */
 
 
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_ECC_SECP) && !defined(NO_ASN_TIME)
+#if defined(WOLFSSL_CERT_GEN) && !defined(NO_ECC_SECP) && \
+    !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_MALLOC)
 
 /* Make Cert / Sign example for ECC cert and ECC CA */
 static wc_test_ret_t ecc_test_cert_gen(WC_RNG* rng)
@@ -33612,7 +33617,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ecc_test(void)
 #elif defined(HAVE_ECC_KEY_IMPORT)
     (void)ecc_test_make_pub; /* for compiler warning */
 #endif
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_ECC_SECP) && !defined(NO_ASN_TIME)
+#if defined(WOLFSSL_CERT_GEN) && !defined(NO_ECC_SECP) && \
+    !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_MALLOC)
     ret = ecc_test_cert_gen(&rng);
     if (ret != 0) {
         printf("ecc_test_cert_gen failed!\n");
@@ -33647,6 +33653,8 @@ done:
 #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_AES_CBC) && \
     (defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_256))
 
+#if !defined(WOLFSSL_NO_MALLOC)
+
 #if ((! defined(HAVE_FIPS)) || FIPS_VERSION_GE(5,3))
 /* maximum encrypted message:
  * msgSz (14) + pad (2) + pubKeySz(1+66*2) + ivSz(16) + digestSz(32) = 197 */
@@ -33765,6 +33773,8 @@ static wc_test_ret_t ecc_ctx_kdf_salt_test(WC_RNG* rng, ecc_key* a, ecc_key* b)
 }
 #endif /* !HAVE_FIPS || FIPS_VERSION_GE(5,3) */
 
+#endif /* !WOLFSSL_NO_MALLOC */
+
 /* ecc_encrypt_e2e_test() uses wc_ecc_ctx_set_algo(), which was added in
  * wolfFIPS 5.3.
  * ecc_encrypt_kat() is used only by ecc_encrypt_e2e_test().
@@ -34007,6 +34017,7 @@ static wc_test_ret_t ecc_encrypt_kat(WC_RNG *rng)
 }
 #endif
 
+#ifndef WOLFSSL_NO_MALLOC
 static wc_test_ret_t ecc_encrypt_e2e_test(WC_RNG* rng, ecc_key* userA, ecc_key* userB,
     byte encAlgo, byte kdfAlgo, byte macAlgo)
 {
@@ -34275,6 +34286,7 @@ done:
 
     return ret;
 }
+#endif
 
 #endif /* !HAVE_FIPS || FIPS_VERSION_GE(5,3) */
 
@@ -34350,7 +34362,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ecc_encrypt_test(void)
 
 #if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))
 
-#if !defined(NO_AES) && defined(HAVE_AES_CBC)
+#if !defined(NO_AES) && defined(HAVE_AES_CBC) && !defined(WOLFSSL_NO_MALLOC)
 #ifdef WOLFSSL_AES_128
     if (ret == 0) {
         ret = ecc_encrypt_e2e_test(&rng, userA, userB, ecAES_128_CBC,
@@ -34386,7 +34398,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ecc_encrypt_test(void)
     }
 #endif
 #endif
-#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER)
+#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && !defined(WOLFSSL_NO_MALLOC)
 #ifdef WOLFSSL_AES_128
     if (ret == 0) {
         ret = ecc_encrypt_e2e_test(&rng, userA, userB, ecAES_128_CTR,
@@ -34406,7 +34418,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ecc_encrypt_test(void)
     }
 #endif
 #endif /* !NO_AES && WOLFSSL_AES_COUNTER */
-#if !defined(NO_AES) && defined(HAVE_AES_CBC)
+#if !defined(NO_AES) && defined(HAVE_AES_CBC) && !defined(WOLFSSL_NO_MALLOC)
     if (ret == 0) {
         ret = ecc_ctx_kdf_salt_test(&rng, userA, userB);
     }
@@ -37865,15 +37877,20 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed448_test(void)
 
         /* test api for import/exporting keys */
         {
-            byte   *exportPKey = NULL;
-            byte   *exportSKey = NULL;
             word32 exportPSz = ED448_KEY_SIZE;
             word32 exportSSz = ED448_KEY_SIZE;
+#ifdef WOLFSSL_NO_MALLOC
+            byte   exportPKey[exportPSz];
+            byte   exportSKey[exportSSz];
+#else
+            byte   *exportPKey = NULL;
+            byte   *exportSKey = NULL;
 
             exportPKey = (byte *)XMALLOC(exportPSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             exportSKey = (byte *)XMALLOC(exportSSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             if ((exportPKey == NULL) || (exportSKey == NULL))
                 ERROR_OUT(WC_TEST_RET_ENC_NC, out);
+#endif
 
             ret = 0;
 
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 6735d02a6..305ad1974 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -511,7 +511,7 @@ typedef struct w64wrapper {
         #ifdef WOLFSSL_XFREE_NO_NULLNESS_CHECK
             #define XFREE(p, h, t)       m2mb_os_free(xp)
         #else
-            #define XFREE(p, h, t)       {void* xp = (p); if (xp) m2mb_os_free(xp);}
+            #define XFREE(p, h, t)       do { void* xp = (p); if (xp) m2mb_os_free(xp); } while (0)
         #endif
         #define XREALLOC(p, n, h, t) m2mb_os_realloc((p), (n))
 
@@ -527,11 +527,11 @@ typedef struct w64wrapper {
                     return NULL;
                 };
                 #define XMALLOC(s, h, t)     ((void)(h), (void)(t), malloc_check((s)))
-                #define XFREE(p, h, t)       (void)(h); (void)(t)
+                #define XFREE(p, h, t)       do { (void)(h); (void)(t); } while (0)
                 #define XREALLOC(p, n, h, t) ((void)(h), (void)(t), NULL)
             #else
                 #define XMALLOC(s, h, t)     ((void)(s), (void)(h), (void)(t), NULL)
-                #define XFREE(p, h, t)       (void)(p); (void)(h); (void)(t)
+                #define XFREE(p, h, t)       do { (void)(p); (void)(h); (void)(t); } while(0)
                 #define XREALLOC(p, n, h, t) ((void)(p), (void)(n), (void)(h), (void)(t), NULL)
             #endif
         #else
@@ -539,9 +539,9 @@ typedef struct w64wrapper {
             #include <stdlib.h>
             #define XMALLOC(s, h, t)     ((void)(h), (void)(t), malloc((size_t)(s)))
             #ifdef WOLFSSL_XFREE_NO_NULLNESS_CHECK
-                #define XFREE(p, h, t)       ((void)(h), (void)(t), free(p))
+                #define XFREE(p, h, t)       do { (void)(h); (void)(t); free(p); } while (0)
             #else
-                #define XFREE(p, h, t)       {void* xp = (p); (void)(h); if (xp) free(xp);}
+                #define XFREE(p, h, t)       do { void* xp = (p); (void)(h); if (xp) free(xp); } while (0)
             #endif
             #define XREALLOC(p, n, h, t) \
                 ((void)(h), (void)(t), realloc((p), (size_t)(n)))
@@ -565,7 +565,7 @@ typedef struct w64wrapper {
                 #ifdef WOLFSSL_XFREE_NO_NULLNESS_CHECK
                     #define XFREE(p, h, t)       wolfSSL_Free(xp, h, t, __func__, __LINE__)
                 #else
-                    #define XFREE(p, h, t)       {void* xp = (p); if (xp) wolfSSL_Free(xp, h, t, __func__, __LINE__);}
+                    #define XFREE(p, h, t)       do { void* xp = (p); if (xp) wolfSSL_Free(xp, h, t, __func__, __LINE__); } while (0)
                 #endif
                 #define XREALLOC(p, n, h, t) wolfSSL_Realloc((p), (n), (h), (t), __func__, __LINE__)
             #else
@@ -573,7 +573,7 @@ typedef struct w64wrapper {
                 #ifdef WOLFSSL_XFREE_NO_NULLNESS_CHECK
                     #define XFREE(p, h, t)       wolfSSL_Free(xp, h, t)
                 #else
-                    #define XFREE(p, h, t)       {void* xp = (p); if (xp) wolfSSL_Free(xp, h, t);}
+                    #define XFREE(p, h, t)       do { void* xp = (p); if (xp) wolfSSL_Free(xp, h, t); } while (0)
                 #endif
                 #define XREALLOC(p, n, h, t) wolfSSL_Realloc((p), (n), (h), (t))
             #endif /* WOLFSSL_DEBUG_MEMORY */
@@ -585,17 +585,17 @@ typedef struct w64wrapper {
             #ifdef WOLFSSL_DEBUG_MEMORY
                 #define XMALLOC(s, h, t)     ((void)(h), (void)(t), wolfSSL_Malloc((s), __func__, __LINE__))
                 #ifdef WOLFSSL_XFREE_NO_NULLNESS_CHECK
-                    #define XFREE(p, h, t)       ((void)(h), (void)(t), wolfSSL_Free(xp, __func__, __LINE__))
+                    #define XFREE(p, h, t)       do { (void)(h); (void)(t); wolfSSL_Free(xp, __func__, __LINE__); } while (0)
                 #else
-                    #define XFREE(p, h, t)       {void* xp = (p); (void)(h); (void)(t); if (xp) wolfSSL_Free(xp, __func__, __LINE__);}
+                    #define XFREE(p, h, t)       do { void* xp = (p); (void)(h); (void)(t); if (xp) wolfSSL_Free(xp, __func__, __LINE__); } while (0)
                 #endif
                 #define XREALLOC(p, n, h, t) ((void)(h), (void)(t), wolfSSL_Realloc((p), (n), __func__, __LINE__))
             #else
                 #define XMALLOC(s, h, t)     ((void)(h), (void)(t), wolfSSL_Malloc((s)))
                 #ifdef WOLFSSL_XFREE_NO_NULLNESS_CHECK
-                    #define XFREE(p, h, t)       ((void)(h), (void)(t), wolfSSL_Free(p))
+                    #define XFREE(p, h, t)       do { (void)(h); (void)(t); wolfSSL_Free(p); } while (0)
                 #else
-                    #define XFREE(p, h, t)       {void* xp = (p); (void)(h); (void)(t); if (xp) wolfSSL_Free(xp);}
+                    #define XFREE(p, h, t)       do { void* xp = (p); (void)(h); (void)(t); if (xp) wolfSSL_Free(xp); } while (0)
                 #endif
                 #define XREALLOC(p, n, h, t) ((void)(h), (void)(t), wolfSSL_Realloc((p), (n)))
             #endif /* WOLFSSL_DEBUG_MEMORY */