diff --git a/src/internal.c b/src/internal.c
index 92aeb861e..ce90accaf 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -25686,7 +25686,7 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
 }
 
 /* process input data */
-int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
+int ReceiveData(WOLFSSL* ssl, byte* output, size_t sz, int peek)
 {
     int size;
     int error = ssl->error;
@@ -25842,7 +25842,7 @@ startScr:
 #endif
     }
 
-    size = (int)min((word32)sz, ssl->buffers.clearOutputBuffer.length);
+    size = (int)min_size_t(sz, (size_t)ssl->buffers.clearOutputBuffer.length);
 
     XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size);
 
diff --git a/src/ssl.c b/src/ssl.c
index 822fa4ce6..c37be0a9b 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -3110,13 +3110,13 @@ int wolfSSL_write_ex(WOLFSSL* ssl, const void* data, int sz, size_t* wr)
 }
 
 
-static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, int sz, int peek)
+static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, size_t sz, int peek)
 {
     int ret;
 
     WOLFSSL_ENTER("wolfSSL_read_internal");
 
-    if (ssl == NULL || data == NULL || sz < 0)
+    if (ssl == NULL || data == NULL)
         return BAD_FUNC_ARG;
 
 #ifdef WOLFSSL_QUIC
@@ -3194,7 +3194,10 @@ int wolfSSL_peek(WOLFSSL* ssl, void* data, int sz)
 {
     WOLFSSL_ENTER("wolfSSL_peek");
 
-    return wolfSSL_read_internal(ssl, data, sz, TRUE);
+    if (sz < 0)
+        return BAD_FUNC_ARG;
+
+    return wolfSSL_read_internal(ssl, data, (size_t)sz, TRUE);
 }
 
 
@@ -3203,6 +3206,9 @@ int wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
 {
     WOLFSSL_ENTER("wolfSSL_read");
 
+    if (sz < 0)
+        return BAD_FUNC_ARG;
+
     #ifdef OPENSSL_EXTRA
     if (ssl == NULL) {
         return BAD_FUNC_ARG;
@@ -3212,16 +3218,26 @@ int wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
         ssl->cbmode = WOLFSSL_CB_READ;
     }
     #endif
-    return wolfSSL_read_internal(ssl, data, sz, FALSE);
+    return wolfSSL_read_internal(ssl, data, (size_t)sz, FALSE);
 }
 
 
 /* returns 0 on failure and on no read */
-int wolfSSL_read_ex(WOLFSSL* ssl, void* data, int sz, size_t* rd)
+int wolfSSL_read_ex(WOLFSSL* ssl, void* data, size_t sz, size_t* rd)
 {
-   int ret;
+    int ret;
+
+    #ifdef OPENSSL_EXTRA
+    if (ssl == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    if (ssl->CBIS != NULL) {
+        ssl->CBIS(ssl, WOLFSSL_CB_READ, WOLFSSL_SUCCESS);
+        ssl->cbmode = WOLFSSL_CB_READ;
+    }
+    #endif
+    ret = wolfSSL_read_internal(ssl, data, sz, FALSE);
 
-    ret = wolfSSL_read(ssl, data, sz);
     if (ret > 0 && rd != NULL) {
         *rd = (size_t)ret;
     }
@@ -3238,10 +3254,10 @@ int wolfSSL_mcast_read(WOLFSSL* ssl, word16* id, void* data, int sz)
 
     WOLFSSL_ENTER("wolfSSL_mcast_read");
 
-    if (ssl == NULL)
+    if ((ssl == NULL) || (sz < 0))
         return BAD_FUNC_ARG;
 
-    ret = wolfSSL_read_internal(ssl, data, sz, FALSE);
+    ret = wolfSSL_read_internal(ssl, data, (size_t)sz, FALSE);
     if (ssl->options.dtls && ssl->options.haveMcast && id != NULL)
         *id = ssl->keys.curPeerId;
     return ret;
diff --git a/src/tls13.c b/src/tls13.c
index 0b651ab70..0f868a859 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -14887,7 +14887,7 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
             return WOLFSSL_FATAL_ERROR;
     }
     if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) {
-        ret = ReceiveData(ssl, (byte*)data, sz, FALSE);
+        ret = ReceiveData(ssl, (byte*)data, (size_t)sz, FALSE);
         if (ret > 0)
             *outSz = ret;
         if (ssl->error == WC_NO_ERR_TRACE(ZERO_RETURN)) {
diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c
index b9f85832e..0cfb38c45 100644
--- a/wolfcrypt/src/misc.c
+++ b/wolfcrypt/src/misc.c
@@ -519,6 +519,11 @@ WC_MISC_STATIC WC_INLINE int ConstantCompare(const byte* a, const byte* b,
     }
 #endif /* !WOLFSSL_HAVE_MIN */
 
+    WC_MISC_STATIC WC_INLINE size_t min_size_t(size_t a, size_t b)
+    {
+        return a > b ? b : a;
+    }
+
 #ifndef WOLFSSL_HAVE_MAX
     #define WOLFSSL_HAVE_MAX
     #if defined(HAVE_FIPS) && !defined(max) /* so ifdef check passes */
@@ -530,6 +535,11 @@ WC_MISC_STATIC WC_INLINE int ConstantCompare(const byte* a, const byte* b,
     }
 #endif /* !WOLFSSL_HAVE_MAX */
 
+    WC_MISC_STATIC WC_INLINE size_t max_size_t_(size_t a, size_t b)
+    {
+        return a > b ? a : b;
+    }
+
 #ifndef WOLFSSL_NO_INT_ENCODE
 /* converts a 32 bit integer to 24 bit */
 WC_MISC_STATIC WC_INLINE void c32to24(word32 in, word24 out)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 156d5390b..fefe594c7 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -6521,7 +6521,7 @@ WOLFSSL_LOCAL int SendHelloRequest(WOLFSSL* ssl);
 WOLFSSL_LOCAL int SendCertificateStatus(WOLFSSL* ssl);
 WOLFSSL_LOCAL int SendServerKeyExchange(WOLFSSL* ssl);
 WOLFSSL_LOCAL int SendBuffered(WOLFSSL* ssl);
-WOLFSSL_LOCAL int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek);
+WOLFSSL_LOCAL int ReceiveData(WOLFSSL* ssl, byte* output, size_t sz, int peek);
 WOLFSSL_LOCAL int SendFinished(WOLFSSL* ssl);
 WOLFSSL_LOCAL int RetrySendAlert(WOLFSSL* ssl);
 WOLFSSL_LOCAL int SendAlert(WOLFSSL* ssl, int severity, int type);
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 4ccce54a2..cb7bbb24a 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1368,7 +1368,7 @@ WOLFSSL_ABI WOLFSSL_API int  wolfSSL_write(
 WOLFSSL_API int wolfSSL_write_ex(WOLFSSL* ssl, const void* data, int sz,
     size_t* wr);
 WOLFSSL_ABI WOLFSSL_API int  wolfSSL_read(WOLFSSL* ssl, void* data, int sz);
-WOLFSSL_API int wolfSSL_read_ex(WOLFSSL* ssl, void* data, int sz, size_t* rd);
+WOLFSSL_API int wolfSSL_read_ex(WOLFSSL* ssl, void* data, size_t sz, size_t* rd);
 WOLFSSL_API int  wolfSSL_peek(WOLFSSL* ssl, void* data, int sz);
 WOLFSSL_ABI WOLFSSL_API int  wolfSSL_accept(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_inject(WOLFSSL* ssl, const void* data, int sz);
diff --git a/wolfssl/wolfcrypt/misc.h b/wolfssl/wolfcrypt/misc.h
index 6af03be09..9f195c688 100644
--- a/wolfssl/wolfcrypt/misc.h
+++ b/wolfssl/wolfcrypt/misc.h
@@ -107,6 +107,7 @@ void   ByteReverseWords64(word64* out, const word64* in, word32 byteCount);
     #endif
     WOLFSSL_LOCAL word32 min(word32 a, word32 b);
 #endif
+WOLFSSL_LOCAL size_t min_size_t(size_t a, size_t b);
 
 #ifndef WOLFSSL_HAVE_MAX
     #if defined(HAVE_FIPS) && !defined(max) /* so ifdef check passes */
@@ -114,6 +115,7 @@ void   ByteReverseWords64(word64* out, const word64* in, word32 byteCount);
     #endif
     WOLFSSL_LOCAL word32 max(word32 a, word32 b);
 #endif /* WOLFSSL_HAVE_MAX */
+WOLFSSL_LOCAL size_t max_size_t(size_t a, size_t b);
 
 
 void c32to24(word32 in, word24 out);