diff --git a/ctaocrypt/src/aes.c b/ctaocrypt/src/aes.c
index 3a7ac6d0b..84a82f6cf 100644
--- a/ctaocrypt/src/aes.c
+++ b/ctaocrypt/src/aes.c
@@ -1702,10 +1702,32 @@ int AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
             printf("aes->rounds = %d\n", aes->rounds);
             printf("sz = %d\n", sz);
         #endif
+
+        /* check alignment, decrypt doesn't need alignment */
+        if ((word)in % 16) {
+        #ifndef NO_CYASSL_ALLOC_ALIGN
+            byte* tmp = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            if (tmp == NULL) return MEMORY_E;
+
+            XMEMCPY(tmp, in, sz);
+            AES_CBC_encrypt(tmp, tmp, (byte*)aes->reg, sz, (byte*)aes->key,
+                        aes->rounds);
+            /* store iv for next call */
+            XMEMCPY(aes->reg, tmp + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+
+            XMEMCPY(out, tmp, sz);
+            XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            return 0;
+        #else
+            return BAD_ALIGN_E;
+        #endif
+        }
+
         AES_CBC_encrypt(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
                         aes->rounds);
         /* store iv for next call */
         XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+
         return 0;
     }
 #endif
diff --git a/ctaocrypt/src/error.c b/ctaocrypt/src/error.c
index b1041659e..1df102213 100644
--- a/ctaocrypt/src/error.c
+++ b/ctaocrypt/src/error.c
@@ -297,6 +297,10 @@ void CTaoCryptErrorString(int error, char* buffer)
         XSTRNCPY(buffer, "DeCompress error", max);
         break;
 
+    case BAD_ALIGN_E:
+        XSTRNCPY(buffer, "Bad alignment error, no alloc help", max);
+        break;
+
     default:
         XSTRNCPY(buffer, "unknown error number", max);
 
diff --git a/cyassl/ctaocrypt/error.h b/cyassl/ctaocrypt/error.h
index 265019822..14a08af95 100644
--- a/cyassl/ctaocrypt/error.h
+++ b/cyassl/ctaocrypt/error.h
@@ -108,6 +108,8 @@ enum {
     DECOMPRESS_INIT_E  = -185,  /* DeCompress init error */
     DECOMPRESS_E       = -186,  /* DeCompress error */
 
+    BAD_ALIGN_E        = -187,  /* Bad alignment for operation, no alloc */
+
     MIN_CODE_E         = -200   /* errors -101 - -199 */
 };
 
diff --git a/src/internal.c b/src/internal.c
index d4de841ea..3ec7f16ad 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3424,20 +3424,6 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
 
         #ifdef BUILD_AES
             case aes:
-            #ifdef CYASSL_AESNI
-                if ((word)input % 16) {
-                    int ret;
-                    byte* tmp = (byte*)XMALLOC(sz, ssl->heap,
-                                               DYNAMIC_TYPE_TMP_BUFFER);
-                    if (tmp == NULL) return MEMORY_E;
-                    XMEMCPY(tmp, input, sz);
-                    ret = AesCbcEncrypt(ssl->encrypt.aes, tmp, tmp, sz);
-                    XMEMCPY(out, tmp, sz);
-                    XFREE(tmp, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
-                    return ret;
-                    break;
-                }
-            #endif
                 return AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
                 break;
         #endif