diff --git a/include/polarssl/arc4.h b/include/polarssl/arc4.h
index aa8feaaf7a..9333265d38 100644
--- a/include/polarssl/arc4.h
+++ b/include/polarssl/arc4.h
@@ -55,7 +55,7 @@ arc4_context;
  *
  * \param ctx      ARC4 context to be initialized
  * \param key      the secret key
- * \param keylen   length of the key
+ * \param keylen   length of the key, in bytes
  */
 void arc4_setup( arc4_context *ctx, const unsigned char *key, unsigned int keylen );
 
diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c
index 79daaf9877..f09823ac74 100644
--- a/library/cipher_wrap.c
+++ b/library/cipher_wrap.c
@@ -786,7 +786,11 @@ static int arc4_crypt_stream_wrap( void *ctx, size_t length,
 static int arc4_setkey_wrap( void *ctx, const unsigned char *key,
                              unsigned int key_length )
 {
-    arc4_setup( (arc4_context *) ctx, key, key_length );
+    /* we get key_length in bits, arc4 expects it in bytes */
+    if( key_length % 8 != 0)
+        return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
+
+    arc4_setup( (arc4_context *) ctx, key, key_length / 8 );
     return( 0 );
 }