From 051509ec79f882839c776465138bd52798bd3b3b Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 12 May 2026 13:54:38 -0600
Subject: [PATCH 1/2] fix for tropic port AES key length used

---
 wolfcrypt/src/port/tropicsquare/tropic01.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c
index 0ba5dbd3f66..16efc60da70 100644
--- a/wolfcrypt/src/port/tropicsquare/tropic01.c
+++ b/wolfcrypt/src/port/tropicsquare/tropic01.c
@@ -307,10 +307,13 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
 #if !defined(NO_AES)
     #ifdef HAVE_AESGCM
             if (info->cipher.type == WC_CIPHER_AES_GCM) {
+                word32 keyLen = info->cipher.enc
+                    ? info->cipher.aesgcm_enc.aes->keylen
+                    : info->cipher.aesgcm_dec.aes->keylen;
                 ret = Tropic01_GetKeyAES(
                         lt_key,
                         TROPIC01_AES_KEY_RMEM_SLOT,
-                        TROPIC01_AES_MAX_KEY_SIZE);
+                        keyLen);
                 if (ret != 0) {
                     WOLFSSL_MSG_EX(
                             "TROPIC01: CryptoCB: Failed to get AES key,ret=%d",
@@ -332,7 +335,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
                 }
                 if (info->cipher.enc) {
                     ret = wc_AesSetKey(info->cipher.aesgcm_enc.aes, lt_key,
-                                WC_AES_BLOCK_SIZE, lt_iv, AES_ENCRYPTION);
+                                keyLen, lt_iv, AES_ENCRYPTION);
                     ForceZero(lt_key, sizeof(lt_key));
                     ForceZero(lt_iv, sizeof(lt_iv));
                     if (ret != 0) {
@@ -360,7 +363,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
                 }
                 else {
                     ret = wc_AesSetKey(info->cipher.aesgcm_dec.aes, lt_key,
-                                WC_AES_BLOCK_SIZE, lt_iv, AES_DECRYPTION);
+                                keyLen, lt_iv, AES_DECRYPTION);
                     ForceZero(lt_key, sizeof(lt_key));
                     ForceZero(lt_iv, sizeof(lt_iv));
                     if (ret != 0) {
@@ -390,10 +393,11 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
 #endif /* HAVE_AESGCM */
     #ifdef HAVE_AES_CBC
         if (info->cipher.type == WC_CIPHER_AES_CBC) {
+            word32 keyLen = info->cipher.aescbc.aes->keylen;
             ret = Tropic01_GetKeyAES(
                         lt_key,
                         TROPIC01_AES_KEY_RMEM_SLOT,
-                        TROPIC01_AES_MAX_KEY_SIZE);
+                        keyLen);
             if (ret != 0) {
                 WOLFSSL_MSG_EX(
                     "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", ret);
@@ -413,7 +417,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
             }
             if (info->cipher.enc) {
                 ret = wc_AesSetKey(info->cipher.aescbc.aes, lt_key,
-                                WC_AES_BLOCK_SIZE, lt_iv, AES_ENCRYPTION);
+                                keyLen, lt_iv, AES_ENCRYPTION);
                 ForceZero(lt_key, sizeof(lt_key));
                 ForceZero(lt_iv, sizeof(lt_iv));
                 if (ret != 0) {
@@ -436,7 +440,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
             else {
 
                 ret = wc_AesSetKey(info->cipher.aescbc.aes, lt_key,
-                                WC_AES_BLOCK_SIZE, lt_iv, AES_DECRYPTION);
+                                keyLen, lt_iv, AES_DECRYPTION);
                 ForceZero(lt_key, sizeof(lt_key));
                 ForceZero(lt_iv, sizeof(lt_iv));
                 if (ret != 0) {

From 11b1d8da7a445aab480e8f35653c8d41156abfcb Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 12 May 2026 14:23:59 -0600
Subject: [PATCH 2/2] add sanity check on AES key length

---
 wolfcrypt/src/port/tropicsquare/tropic01.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c
index 16efc60da70..4b36ef8f0fb 100644
--- a/wolfcrypt/src/port/tropicsquare/tropic01.c
+++ b/wolfcrypt/src/port/tropicsquare/tropic01.c
@@ -310,6 +310,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
                 word32 keyLen = info->cipher.enc
                     ? info->cipher.aesgcm_enc.aes->keylen
                     : info->cipher.aesgcm_dec.aes->keylen;
+                if (keyLen != AES_128_KEY_SIZE &&
+                    keyLen != AES_192_KEY_SIZE &&
+                    keyLen != AES_256_KEY_SIZE) {
+                    WOLFSSL_MSG_EX(
+                        "TROPIC01: CryptoCB: invalid AES key length %u",
+                        keyLen);
+                    return BAD_FUNC_ARG;
+                }
                 ret = Tropic01_GetKeyAES(
                         lt_key,
                         TROPIC01_AES_KEY_RMEM_SLOT,
@@ -394,6 +402,13 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
     #ifdef HAVE_AES_CBC
         if (info->cipher.type == WC_CIPHER_AES_CBC) {
             word32 keyLen = info->cipher.aescbc.aes->keylen;
+            if (keyLen != AES_128_KEY_SIZE &&
+                keyLen != AES_192_KEY_SIZE &&
+                keyLen != AES_256_KEY_SIZE) {
+                WOLFSSL_MSG_EX(
+                    "TROPIC01: CryptoCB: invalid AES key length %u", keyLen);
+                return BAD_FUNC_ARG;
+            }
             ret = Tropic01_GetKeyAES(
                         lt_key,
                         TROPIC01_AES_KEY_RMEM_SLOT,