diff --git a/wolfcrypt/src/port/kcapi/kcapi_aes.c b/wolfcrypt/src/port/kcapi/kcapi_aes.c
index e29099304..5eb89602d 100644
--- a/wolfcrypt/src/port/kcapi/kcapi_aes.c
+++ b/wolfcrypt/src/port/kcapi/kcapi_aes.c
@@ -234,8 +234,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 {
     int     ret = 0;
     byte*   data = NULL;
-    word32  dataSz = authInSz + sz + authTagSz;
-    ssize_t rc;
+    word32  dataSz;
+    int     inbuflen, outbuflen;
     size_t  pageSz = (size_t)sysconf(_SC_PAGESIZE);
 
     /* argument checks */
@@ -255,16 +255,22 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     }
 
     if (ret == 0) {
-        ret = posix_memalign((void*)&data, pageSz, dataSz);
-        if (ret < 0) {
-            ret = MEMORY_E;
+        ret = kcapi_aead_init(&aes->handle, WC_NAME_AESGCM, 0);
+        if (ret != 0) {
+            WOLFSSL_MSG("Error with first time setup of kcapi");
         }
     }
 
     if (ret == 0) {
-        ret = kcapi_aead_init(&aes->handle, WC_NAME_AESGCM, 0);
-        if (ret != 0) {
-            WOLFSSL_MSG("Error with first time setup of kcapi");
+        inbuflen  = (int)kcapi_aead_inbuflen_enc( aes->handle, sz, authInSz,
+            authTagSz);
+        outbuflen = (int)kcapi_aead_outbuflen_enc(aes->handle, sz, authInSz,
+            authTagSz);
+        dataSz = (inbuflen > outbuflen) ? inbuflen : outbuflen;
+
+        ret = posix_memalign((void*)&data, pageSz, dataSz);
+        if (ret < 0) {
+            ret = MEMORY_E;
         }
     }
 
@@ -287,16 +293,18 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         XMEMCPY(data, authIn, authInSz);
         XMEMCPY(data + authInSz, in, sz);
 
-        rc = kcapi_aead_encrypt(aes->handle, data, dataSz, iv, data, dataSz,
-                                                        KCAPI_ACCESS_HEURISTIC);
-        if (rc < 0) {
+        ret = (int)kcapi_aead_encrypt(aes->handle, data, inbuflen, iv, data,
+            outbuflen, KCAPI_ACCESS_HEURISTIC);
+        if (ret < 0) {
             WOLFSSL_MSG("GcmEncrypt failed");
-            ret = (int)rc;
         }
-        else if ((word32)rc != dataSz) {
+        else if (ret != outbuflen) {
             WOLFSSL_MSG("GcmEncrypt produced wrong output length");
             ret = BAD_FUNC_ARG;
         }
+        else {
+            ret = 0; /* success */
+        }
     }
 
     if (ret == 0) {
@@ -327,9 +335,8 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 {
     int     ret = 0;
     byte*   data = NULL;
-    word32  dataSz = authInSz + sz + authTagSz;
-    word32  outSz = authInSz + sz;
-    ssize_t rc;
+    word32  dataSz;
+    int     inbuflen, outbuflen;
     size_t  pageSz = (size_t)sysconf(_SC_PAGESIZE);
 
     /* argument checks */
@@ -350,16 +357,22 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     }
 
     if (ret == 0) {
-        ret = posix_memalign((void*)&data, pageSz, dataSz);
-        if (ret < 0) {
-            ret = MEMORY_E;
+        ret = kcapi_aead_init(&aes->handle, WC_NAME_AESGCM, 0);
+        if (ret != 0) {
+            WOLFSSL_MSG("Error with first time setup of kcapi");
         }
     }
 
     if (ret == 0) {
-        ret = kcapi_aead_init(&aes->handle, WC_NAME_AESGCM, 0);
-        if (ret != 0) {
-            WOLFSSL_MSG("Error with first time setup of kcapi");
+        inbuflen  = (int)kcapi_aead_inbuflen_dec( aes->handle, sz, authInSz,
+            authTagSz);
+        outbuflen = (int)kcapi_aead_outbuflen_dec(aes->handle, sz, authInSz,
+            authTagSz);
+        dataSz = (inbuflen > outbuflen) ? inbuflen : outbuflen;
+
+        ret = posix_memalign((void*)&data, pageSz, dataSz);
+        if (ret < 0) {
+            ret = MEMORY_E;
         }
     }
 
@@ -380,19 +393,20 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         XMEMCPY(data + authInSz, in, sz);
         XMEMCPY(data + authInSz + sz, authTag, authTagSz);
 
-        rc = kcapi_aead_decrypt(aes->handle, data, dataSz, iv, data, outSz,
-                                                        KCAPI_ACCESS_HEURISTIC);
-        if (rc < 0) {
+        ret = (int)kcapi_aead_decrypt(aes->handle, data, inbuflen, iv, data,
+            outbuflen, KCAPI_ACCESS_HEURISTIC);
+        if (ret < 0) {
             WOLFSSL_MSG("GcmDecrypt failed");
-            if (rc == -EBADMSG)
+            if (ret == -EBADMSG)
                 ret = AES_GCM_AUTH_E;
-            else
-                ret = (int)rc;
         }
-        else if ((word32)rc != outSz) {
+        else if (ret != outbuflen) {
             WOLFSSL_MSG("GcmDecrypt produced wrong output length");
             ret = BAD_FUNC_ARG;
         }
+        else {
+            ret = 0; /* success */
+        }
     }
 
     if (ret == 0) {
diff --git a/wolfcrypt/src/port/kcapi/kcapi_dh.c b/wolfcrypt/src/port/kcapi/kcapi_dh.c
index f62f13848..72c65ead5 100644
--- a/wolfcrypt/src/port/kcapi/kcapi_dh.c
+++ b/wolfcrypt/src/port/kcapi/kcapi_dh.c
@@ -26,7 +26,7 @@
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#if defined(WOLFSSL_KCAPI_DH)
+#if defined(WOLFSSL_KCAPI_DH) && !defined(NO_DH)
 
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
@@ -232,4 +232,4 @@ int KcapiDh_SharedSecret(DhKey* private_key, const byte* pub, word32 pubSz,
     return ret;
 }
 
-#endif /* WOLFSSL_KCAPI_DH */
+#endif /* WOLFSSL_KCAPI_DH && !NO_DH */
diff --git a/wolfcrypt/src/port/kcapi/kcapi_ecc.c b/wolfcrypt/src/port/kcapi/kcapi_ecc.c
index 54c483495..d4b9cc74d 100644
--- a/wolfcrypt/src/port/kcapi/kcapi_ecc.c
+++ b/wolfcrypt/src/port/kcapi/kcapi_ecc.c
@@ -26,7 +26,7 @@
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#if defined(WOLFSSL_KCAPI_ECC)
+#if defined(WOLFSSL_KCAPI_ECC) && defined(HAVE_ECC)
 
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
@@ -367,4 +367,4 @@ int KcapiEcc_Verify(ecc_key* key, const byte* hash, word32 hashLen, byte* sig,
 }
 #endif
 
-#endif /* WOLFSSL_KCAPI_ECC */
+#endif /* WOLFSSL_KCAPI_ECC && HAVE_ECC */
diff --git a/wolfcrypt/src/port/kcapi/kcapi_hash.c b/wolfcrypt/src/port/kcapi/kcapi_hash.c
index 47976e543..a14957b40 100644
--- a/wolfcrypt/src/port/kcapi/kcapi_hash.c
+++ b/wolfcrypt/src/port/kcapi/kcapi_hash.c
@@ -642,4 +642,3 @@ int wc_Sha512_256Copy(wc_Sha512* src, wc_Sha512* dst)
 #endif /* WOLFSSL_SHA512 */
 
 #endif /* WOLFSSL_KCAPI_HASH */
-
diff --git a/wolfcrypt/src/port/kcapi/kcapi_hmac.c b/wolfcrypt/src/port/kcapi/kcapi_hmac.c
index 41d06da0f..525001536 100644
--- a/wolfcrypt/src/port/kcapi/kcapi_hmac.c
+++ b/wolfcrypt/src/port/kcapi/kcapi_hmac.c
@@ -26,7 +26,7 @@
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#if defined(WOLFSSL_KCAPI_HMAC)
+#if defined(WOLFSSL_KCAPI_HMAC) && !defined(NO_HMAC)
 
 #define FIPS_NO_WRAPPERS
 
@@ -334,5 +334,4 @@ int wc_HmacFinal(Hmac* hmac, byte* hash)
     return ret;
 }
 
-#endif /* WOLFSSL_KCAPI_HMAC */
-
+#endif /* WOLFSSL_KCAPI_HMAC && !NO_HMAC */
diff --git a/wolfcrypt/src/port/kcapi/kcapi_rsa.c b/wolfcrypt/src/port/kcapi/kcapi_rsa.c
index 828c4c1c8..f11ee2fb7 100644
--- a/wolfcrypt/src/port/kcapi/kcapi_rsa.c
+++ b/wolfcrypt/src/port/kcapi/kcapi_rsa.c
@@ -26,7 +26,7 @@
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#if defined(WOLFSSL_KCAPI_RSA)
+#if defined(WOLFSSL_KCAPI_RSA) && !defined(NO_RSA)
 
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
@@ -356,5 +356,4 @@ int KcapiRsa_Encrypt(RsaKey* key, const byte* in, word32 inLen, byte* out,
     return ret;
 }
 
-#endif /* WOLFSSL_KCAPI_RSA */
-
+#endif /* WOLFSSL_KCAPI_RSA && !NO_RSA */