diff --git a/src/internal.c b/src/internal.c
index 00dae569d..e1dd193d8 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -8576,7 +8576,7 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
 static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
 {
 #ifdef HAVE_TRUNCATED_HMAC
-    word32 minLength = ssl->truncated_hmac ? TRUNCATED_HMAC_SZ
+    word32 minLength = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
                                            : ssl->specs.hash_size;
 #else
     word32 minLength = ssl->specs.hash_size; /* covers stream */
@@ -9041,7 +9041,7 @@ static INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz,
     word32 pad     = 0;
     word32 padByte = 0;
 #ifdef HAVE_TRUNCATED_HMAC
-    word32 digestSz = ssl->truncated_hmac ? TRUNCATED_HMAC_SZ
+    word32 digestSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
                                           : ssl->specs.hash_size;
 #else
     word32 digestSz = ssl->specs.hash_size;
@@ -9819,13 +9819,8 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes)
 int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
                  int inSz, int type, int hashOutput, int sizeOnly)
 {
-#ifdef HAVE_TRUNCATED_HMAC
-    word32 digestSz = min(ssl->specs.hash_size,
-                ssl->truncated_hmac ? TRUNCATED_HMAC_SZ : ssl->specs.hash_size);
-#else
-    word32 digestSz = ssl->specs.hash_size;
-#endif
-    word32 sz = RECORD_HEADER_SZ + inSz + digestSz;
+    word32 digestSz;
+    word32 sz = RECORD_HEADER_SZ + inSz;
     word32 pad  = 0, i;
     word32 idx  = RECORD_HEADER_SZ;
     word32 ivSz = 0;      /* TLSv1.1  IV */
@@ -9849,6 +9844,12 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
         return BAD_FUNC_ARG;
     }
 
+    digestSz = ssl->specs.hash_size;
+#ifdef HAVE_TRUNCATED_HMAC
+    if (ssl->truncated_hmac)
+        digestSz = min(TRUNCATED_HMAC_SZ, digestSz);
+#endif
+    sz += digestSz;
 
 #ifdef WOLFSSL_DTLS
     if (ssl->options.dtls) {
diff --git a/src/tls.c b/src/tls.c
index 9a32e55a7..df9ed15d7 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -930,7 +930,8 @@ static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz,
     alpn->negotiated = 0;
     alpn->options = 0;
 
-    alpn->protocol_name = XMALLOC(protocol_nameSz + 1, heap, DYNAMIC_TYPE_TLSX);
+    alpn->protocol_name = (char*)XMALLOC(protocol_nameSz + 1,
+                                         heap, DYNAMIC_TYPE_TLSX);
     if (alpn->protocol_name == NULL) {
         WOLFSSL_MSG("Memory failure");
         XFREE(alpn, heap, DYNAMIC_TYPE_TLSX);
@@ -1241,7 +1242,7 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
     }
 
     *data = alpn->protocol_name;
-    *dataSz = (word16)XSTRLEN(*data);
+    *dataSz = (word16)XSTRLEN((char*)*data);
 
     return SSL_SUCCESS;
 }
@@ -1282,8 +1283,8 @@ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size, void* heap)
 
         switch (sni->type) {
             case WOLFSSL_SNI_HOST_NAME:
-                sni->data.host_name = XMALLOC(size+1, heap, DYNAMIC_TYPE_TLSX);
-
+                sni->data.host_name = (char*)XMALLOC(size + 1, heap,
+                                                     DYNAMIC_TYPE_TLSX);
                 if (sni->data.host_name) {
                     XSTRNCPY(sni->data.host_name, (const char*)data, size);
                     sni->data.host_name[size] = 0;
@@ -1398,7 +1399,7 @@ static SNI* TLSX_SNI_Find(SNI *list, byte type)
 static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
 {
     TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
-    SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
+    SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
 
     if (sni)
         sni->status = status;
@@ -1408,7 +1409,7 @@ static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
 byte TLSX_SNI_Status(TLSX* extensions, byte type)
 {
     TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
-    SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
+    SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
 
     if (sni)
         return sni->status;
@@ -1535,8 +1536,8 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl,  byte isRequest)
     #ifndef NO_WOLFSSL_SERVER
         TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
         TLSX* ssl_ext = TLSX_Find(ssl->extensions,      TLSX_SERVER_NAME);
-        SNI* ctx_sni = ctx_ext ? ctx_ext->data : NULL;
-        SNI* ssl_sni = ssl_ext ? ssl_ext->data : NULL;
+        SNI* ctx_sni = ctx_ext ? (SNI*)ctx_ext->data : NULL;
+        SNI* ssl_sni = ssl_ext ? (SNI*)ssl_ext->data : NULL;
         SNI* sni = NULL;
 
         for (; ctx_sni; ctx_sni = ctx_sni->next) {
@@ -1620,13 +1621,13 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size,
 word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
 {
     TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
-    SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
+    SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
 
     if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) {
         switch (sni->type) {
             case WOLFSSL_SNI_HOST_NAME:
                 *data = sni->data.host_name;
-                return XSTRLEN(*data);
+                return XSTRLEN((char*)*data);
         }
     }
 
@@ -1637,7 +1638,7 @@ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
 void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
 {
     TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
-    SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
+    SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
 
     if (sni)
         sni->options = options;
@@ -1870,7 +1871,7 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap)
     if (mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl)
         return BAD_FUNC_ARG;
 
-    if ((data = XMALLOC(ENUM_LEN, heap, DYNAMIC_TYPE_TLSX)) == NULL)
+    if ((data = (byte*)XMALLOC(ENUM_LEN, heap, DYNAMIC_TYPE_TLSX)) == NULL)
         return MEMORY_E;
 
     data[0] = mfl;
@@ -2831,7 +2832,10 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
     if (!extension)
         return 1; /* no suite restriction */
 
-    for (curve = extension->data; curve && !(sig && key); curve = curve->next) {
+    for (curve = (EllipticCurve*)extension->data;
+         curve && !(sig && key);
+         curve = curve->next) {
+
         /* find supported curve */
         switch (curve->name) {
     #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
@@ -3982,7 +3986,7 @@ void TLSX_FreeAll(TLSX* list, void* heap)
                 break;
 
             case TLSX_SUPPORTED_GROUPS:
-                EC_FREE_ALL(extension->data, heap);
+                EC_FREE_ALL((EllipticCurve*)extension->data, heap);
                 break;
 
             case TLSX_STATUS_REQUEST:
@@ -4047,7 +4051,7 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
             case TLSX_SERVER_NAME:
                 /* SNI only sends the name on the request. */
                 if (isRequest)
-                    length += SNI_GET_SIZE(extension->data);
+                    length += SNI_GET_SIZE((SNI*)extension->data);
                 break;
 
             case TLSX_MAX_FRAGMENT_LENGTH:
@@ -4059,7 +4063,7 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
                 break;
 
             case TLSX_SUPPORTED_GROUPS:
-                length += EC_GET_SIZE(extension->data);
+                length += EC_GET_SIZE((EllipticCurve*)extension->data);
                 break;
 
             case TLSX_STATUS_REQUEST:
@@ -4083,7 +4087,7 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
                 break;
 
             case TLSX_APPLICATION_LAYER_PROTOCOL:
-                length += ALPN_GET_SIZE(extension->data);
+                length += ALPN_GET_SIZE((ALPN*)extension->data);
                 break;
 
         }
@@ -4124,11 +4128,11 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
         switch (extension->type) {
             case TLSX_SERVER_NAME:
                 if (isRequest)
-                    offset += SNI_WRITE(extension->data, output + offset);
+                    offset += SNI_WRITE((SNI*)extension->data, output + offset);
                 break;
 
             case TLSX_MAX_FRAGMENT_LENGTH:
-                offset += MFL_WRITE(extension->data, output + offset);
+                offset += MFL_WRITE((byte*)extension->data, output + offset);
                 break;
 
             case TLSX_TRUNCATED_HMAC:
@@ -4136,7 +4140,8 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
                 break;
 
             case TLSX_SUPPORTED_GROUPS:
-                offset += EC_WRITE(extension->data, output + offset);
+                offset += EC_WRITE((EllipticCurve*)extension->data,
+                                    output + offset);
                 break;
 
             case TLSX_STATUS_REQUEST:
@@ -4168,7 +4173,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
                 break;
 
             case TLSX_APPLICATION_LAYER_PROTOCOL:
-                offset += ALPN_WRITE(extension->data, output + offset);
+                offset += ALPN_WRITE((ALPN*)extension->data, output + offset);
                 break;
         }
 
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index 19aeb2de0..c7337610e 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -1878,7 +1878,8 @@ int wc_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
 
 
 #ifndef WC_NO_CACHE_RESISTANT
-#if defined(TFM_TIMING_RESISTANT) && defined(USE_FAST_MATH)
+#if defined(TFM_TIMING_RESISTANT) && defined(USE_FAST_MATH) && \
+    !defined(__cplusplus)
     /* let's use the one we already have */
     extern const wolfssl_word wc_off_on_addr[2];
 #else