wolfSSL · Frauschi · Jan 9, 2026
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -78,7 +78,8 @@ jobs:
             -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
             -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
             -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
-            -DWOLFSSL_X963KDF:BOOL=yes \
+            -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
+            -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
             -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
             ..
         cmake --build .
@@ -89,9 +90,6 @@ jobs:
         cd ..
         rm -rf build
 
-        # Kyber Cmake broken
-        # -DWOLFSSL_KYBER:BOOL=yes
-
 # build "lean-tls" wolfssl
     - name: Build wolfssl with lean-tls
       working-directory: ./wolfssl
@@ -107,3 +105,22 @@ jobs:
         # clean up
         cd ..
         rm -rf build
+
+# CMake build with user_settings.h
+    - name: Build wolfssl with user_settings.h
+      working-directory: ./wolfssl
+      run: |
+        mkdir build
+        cp examples/configs/user_settings_all.h ./build/user_settings.h
+        cd build
+        cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
+            -DWOLFSSL_USER_SETTINGS=ON -DWOLFSSL_USER_SETTINGS_ASM=ON -DWOLFSSL_EXAMPLES=ON -DWOLFSSL_CRYPT_TESTS=ON \
+            -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -I ." \
+            ..
+        cmake --build .
+        ctest -j $(nproc)
+        cmake --install .
+
+        # clean up
+        cd ..
+        rm -rf build
diff --git a/.github/workflows/pq-all.yml b/.github/workflows/pq-all.yml
@@ -19,9 +19,14 @@ jobs:
         config: [
           # Add new configs here
           '--enable-intelasm --enable-sp-asm --enable-mlkem=yes,kyber,ml-kem CPPFLAGS="-DWOLFSSL_ML_KEM_USE_OLD_IDS"',
-          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
-          '--enable-smallstack --enable-smallstackcache --enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
-          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++'
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-smallstack --enable-smallstackcache --enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_BLIND_PRIVATE_KEY"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_BLIND_PRIVATE_KEY"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ"',
+          '--disable-intelasm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"',
+          '--disable-intelasm --enable-smallstack --enable-smallstackcache --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -711,11 +711,18 @@ if (WOLFSSL_EXPERIMENTAL)
         set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
 
         message(STATUS "Automatically set related requirements for Dilithium:")
-        set_wolfssl_definitions("HAVE_DILITHIUM"       RESUlT)
-        set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"       RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESUlT)
+        add_definitions("-DHAVE_DILITHIUM")
+        add_definitions("-DWOLFSSL_WC_DILITHIUM")
+        add_definitions("-DWOLFSSL_SHA3")
+        add_definitions("-DWOLFSSL_SHAKE128")
+        add_definitions("-DWOLFSSL_SHAKE256")
+
+        message(STATUS "Automatically set related requirements for Dilithium:")
+        set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
+        set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
         message(STATUS "Looking for WOLFSSL_DILITHIUM - found")
     else()
         message(STATUS "Looking for WOLFSSL_DILITHIUM - not found")
@@ -1063,6 +1070,41 @@ if(WOLFSSL_ECC)
     endif()
 endif()
 
+# ECCSI
+add_option("WOLFSSL_ECCSI"
+    "Enable ECCSI (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_ECCSI)
+    if (NOT WOLFSSL_ECC)
+        message(FATAL_ERROR "cannot enable ECCSI without enabling ECC.")
+    endif()
+
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_ECCSI -DWOLFSSL_PUBLIC_MP")
+endif()
+
+# SAKKE
+add_option("WOLFSSL_SAKKE"
+    "Enable SAKKE (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_SAKKE)
+    if (NOT WOLFSSL_ECC)
+        message(FATAL_ERROR "cannot enable SAKKE without enabling ECC.")
+    endif()
+
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_SAKKE")
+endif()
+
+# SipHash
+add_option("WOLFSSL_SIPHASH"
+    "Enable SipHash (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_SIPHASH)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SIPHASH")
+endif()
+
 # TODO: - Compressed key
 #       - FP ECC, fixed point cache ECC
 #       - ECC encrypt
@@ -1898,6 +1940,7 @@ add_option("WOLFSSL_PKCS11"
     "no" "yes;no")
 
 if(WOLFSSL_PKCS11 AND NOT WIN32)
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_PKCS11 -DHAVE_WOLF_BIGINT")
     list(APPEND WOLFSSL_LINK_LIBS ${CMAKE_DL_LIBS})
 endif()
 

diff --git a/cmake/functions.cmake b/cmake/functions.cmake
@@ -108,6 +108,15 @@ function(generate_build_flags)
     if(WOLFSSL_ECC OR WOLFSSL_USER_SETTINGS)
         set(BUILD_ECC "yes" PARENT_SCOPE)
     endif()
+    if(WOLFSSL_ECCSI OR WOLFSSL_USER_SETTINGS)
+        set(BUILD_ECCSI "yes" PARENT_SCOPE)
+    endif()
+    if(WOLFSSL_SAKKE OR WOLFSSL_USER_SETTINGS)
+        set(BUILD_SAKKE "yes" PARENT_SCOPE)
+    endif()
+    if(WOLFSSL_SIPHASH OR WOLFSSL_USER_SETTINGS)
+        set(BUILD_SIPHASH "yes" PARENT_SCOPE)
+    endif()
     if(WOLFSSL_ED25519 OR WOLFSSL_USER_SETTINGS)
         set(BUILD_ED25519 "yes" PARENT_SCOPE)
     endif()
@@ -914,6 +923,18 @@ function(generate_lib_src_list LIB_SOURCES)
             list(APPEND LIB_SOURCES wolfcrypt/src/ecc.c)
         endif()
 
+        if(BUILD_ECCSI)
+            list(APPEND LIB_SOURCES wolfcrypt/src/eccsi.c)
+        endif()
+
+        if(BUILD_SAKKE)
+            list(APPEND LIB_SOURCES wolfcrypt/src/sakke.c)
+        endif()
+
+        if(BUILD_SIPHASH)
+            list(APPEND LIB_SOURCES wolfcrypt/src/siphash.c)
+        endif()
+
         if(BUILD_CURVE25519)
             list(APPEND LIB_SOURCES wolfcrypt/src/curve25519.c)
             if(BUILD_ARMASM)
@@ -942,21 +963,17 @@ function(generate_lib_src_list LIB_SOURCES)
         endif()
 
         if(BUILD_FEMATH)
-            if(BUILD_CURVE25519_SMALL)
                 list(APPEND LIB_SOURCES wolfcrypt/src/fe_low_mem.c)
-            else()
+
                 if(BUILD_INTELASM)
                     list(APPEND LIB_SOURCES wolfcrypt/src/fe_x25519_asm.S)
                 else()
                     list(APPEND LIB_SOURCES wolfcrypt/src/fe_operations.c)
                 endif()
-            endif()
         endif()
 
         if(BUILD_GEMATH)
-            if(BUILD_ED25519_SMALL)
                 list(APPEND LIB_SOURCES wolfcrypt/src/ge_low_mem.c)
-            else()
                 list(APPEND LIB_SOURCES wolfcrypt/src/ge_operations.c)
 
                 if(NOT BUILD_FEMATH)
@@ -966,7 +983,6 @@ function(generate_lib_src_list LIB_SOURCES)
                         list(APPEND LIB_SOURCES wolfcrypt/src/fe_operations.c)
                     endif()
                 endif()
-            endif()
         endif()
 
         if(BUILD_CURVE448)

diff --git a/examples/configs/user_settings_all.h b/examples/configs/user_settings_all.h
@@ -216,8 +216,9 @@ extern "C" {
 #define HAVE_HASHDRBG
 #define HAVE_CURVE25519
 #define HAVE_ED25519
+#define ED25519_SMALL
 #define WOLFSSL_ED25519_STREAMING_VERIFY
-#define CURVED25519_SMALL
+#define CURVE25519_SMALL
 #define HAVE_ED448
 #define WOLFSSL_ED448_STREAMING_VERIFY
 #define HAVE_CURVE448

diff --git a/src/internal.c b/src/internal.c
@@ -7124,6 +7124,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
         if (ret != 0) {
             return ret;
         }
+        ret = WOLFSSL_SUCCESS;
     }
 #endif
     ssl->buffers.keyType  = ctx->privateKeyType;

diff --git a/src/ssl.c b/src/ssl.c
@@ -7519,11 +7519,19 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
 #ifdef WOLFSSL_DUAL_ALG_CERTS
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
     privateKey = wolfssl_priv_der_unblind(ctx->privateKey, ctx->privateKeyMask);
-    altPrivateKey = wolfssl_priv_der_unblind(ctx->altPrivateKey,
-                                             ctx->altPrivateKeyMask);
-    if ((privateKey == NULL) || (altPrivateKey == NULL)) {
+    if (privateKey == NULL) {
         res = WOLFSSL_FAILURE;
     }
+    if (ctx->altPrivateKey != NULL) {
+        altPrivateKey = wolfssl_priv_der_unblind(ctx->altPrivateKey,
+                                                 ctx->altPrivateKeyMask);
+        if (altPrivateKey == NULL) {
+            res = WOLFSSL_FAILURE;
+        }
+    }
+    else {
+        altPrivateKey = NULL;
+    }
 #else
     privateKey = ctx->privateKey;
     altPrivateKey = ctx->altPrivateKey;
@@ -8866,47 +8874,69 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl)
 {
     int res = WOLFSSL_SUCCESS;
 
+#ifdef WOLFSSL_BLIND_PRIVATE_KEY
+    DerBuffer *privateKey;
+#ifdef WOLFSSL_DUAL_ALG_CERTS
+    DerBuffer *altPrivateKey;
+#endif
+#else
+    const DerBuffer *privateKey;
+#ifdef WOLFSSL_DUAL_ALG_CERTS
+    const DerBuffer *altPrivateKey;
+#endif
+#endif
+
     if (ssl == NULL) {
         return WOLFSSL_FAILURE;
     }
 #ifdef WOLFSSL_DUAL_ALG_CERTS
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
-    wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
-    wolfssl_priv_der_unblind(ssl->buffers.altKey, ssl->buffers.altKeyMask);
-#endif
-    res = check_cert_key(ssl->buffers.certificate, ssl->buffers.key,
-        ssl->buffers.altKey, ssl->heap, ssl->buffers.keyDevId,
-        ssl->buffers.keyLabel, ssl->buffers.keyId, ssl->buffers.altKeyDevId,
-        ssl->buffers.altKeyLabel, ssl->buffers.altKeyId);
-#ifdef WOLFSSL_BLIND_PRIVATE_KEY
-    if (res == WOLFSSL_SUCCESS) {
-        int ret;
-        ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
-            (DerBuffer**)&ssl->buffers.keyMask);
-        if (ret == 0) {
-            ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
-                (DerBuffer**)&ssl->buffers.altKeyMask);
-        }
-        if (ret != 0) {
+    privateKey = wolfssl_priv_der_unblind(ssl->buffers.key,
+                                          ssl->buffers.keyMask);
+    if (privateKey == NULL) {
+        res = WOLFSSL_FAILURE;
+    }
+    if (ssl->buffers.altKey != NULL) {
+        altPrivateKey = wolfssl_priv_der_unblind(ssl->buffers.altKey,
+                                                 ssl->buffers.altKeyMask);
+        if (altPrivateKey == NULL) {
             res = WOLFSSL_FAILURE;
         }
     }
-#endif
+    else {
+        altPrivateKey = NULL;
+    }
 #else
+    privateKey = ssl->buffers.key;
+    altPrivateKey = ssl->buffers.altKey;
+#endif
+    if (res == WOLFSSL_SUCCESS) {
+        res = check_cert_key(ssl->buffers.certificate, privateKey,
+            altPrivateKey, ssl->heap, ssl->buffers.keyDevId,
+            ssl->buffers.keyLabel, ssl->buffers.keyId, ssl->buffers.altKeyDevId,
+            ssl->buffers.altKeyLabel, ssl->buffers.altKeyId);
+    }
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
-    wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
+    wolfssl_priv_der_unblind_free(privateKey);
+    wolfssl_priv_der_unblind_free(altPrivateKey);
 #endif
-    res = check_cert_key(ssl->buffers.certificate, ssl->buffers.key, NULL,
-        ssl->heap, ssl->buffers.keyDevId, ssl->buffers.keyLabel,
-        ssl->buffers.keyId, INVALID_DEVID, 0, 0);
+#else
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
+    privateKey = wolfssl_priv_der_unblind(ssl->buffers.key,
+                                          ssl->buffers.keyMask);
+    if (privateKey == NULL) {
+        res = WOLFSSL_FAILURE;
+    }
+#else
+    privateKey = ssl->buffers.key;
+#endif
     if (res == WOLFSSL_SUCCESS) {
-        int ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
-            (DerBuffer**)&ssl->buffers.keyMask);
-        if (ret != 0) {
-            res = WOLFSSL_FAILURE;
-        }
+        res = check_cert_key(ssl->buffers.certificate, privateKey, NULL,
+            ssl->heap, ssl->buffers.keyDevId, ssl->buffers.keyLabel,
+            ssl->buffers.keyId, INVALID_DEVID, 0, 0);
     }
+#ifdef WOLFSSL_BLIND_PRIVATE_KEY
+    wolfssl_priv_der_unblind_free(privateKey);
 #endif
 #endif
 
@@ -20988,14 +21018,15 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
     ssl->buffers.altKey   = ctx->altPrivateKey;
 #else
     if (ctx->altPrivateKey != NULL) {
-        ret = AllocCopyDer(&ssl->buffers.altkey, ctx->altPrivateKey->buffer,
+        ret = AllocCopyDer(&ssl->buffers.altKey, ctx->altPrivateKey->buffer,
             ctx->altPrivateKey->length, ctx->altPrivateKey->type,
             ctx->altPrivateKey->heap);
         if (ret != 0) {
             return NULL;
         }
         /* Blind the private key for the SSL with new random mask. */
-        wolfssl_priv_der_unblind(ssl->buffers.altKey, ctx->altPrivateKeyMask);
+        wolfssl_priv_der_blind_toggle(ssl->buffers.altKey,
+                                      ctx->altPrivateKeyMask);
         ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
             &ssl->buffers.altKeyMask);
         if (ret != 0) {

diff --git a/wolfcrypt/src/dilithium.c b/wolfcrypt/src/dilithium.c
@@ -8788,9 +8788,9 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
                 const byte* s2pt = s2p;
             #endif
                 sword32* cs2 = ct0;
+                byte idx = 0;
                 w0t = w0;
                 w1t = w1;
-                byte idx = 0;
 
                 for (r = 0; valid && (r < params->k); r++) {
             #ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC

diff --git a/wolfcrypt/src/wc_lms_impl.c b/wolfcrypt/src/wc_lms_impl.c
@@ -3185,9 +3185,14 @@ int wc_hss_reload_key(LmsState* state, const byte* priv_raw,
     (void)pub_root;
 
     /* Defend against undefined shifts; LmsParams* params = state->params */
-    if ((state->params->cacheBits >= 32U) || (state->params->height >= 32U)) {
+    if (state->params->height >= 32U) {
         return BAD_FUNC_ARG;
     }
+#ifndef WOLFSSL_WC_LMS_SMALL
+    if (state->params->cacheBits >= 32U) {
+        return BAD_FUNC_ARG;
+    }
+#endif
 
     wc_hss_priv_data_load(state->params, priv_key, priv_data);
 #ifndef WOLFSSL_WC_LMS_SMALL