diff --git a/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c b/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c
index c3a9a1b4fb..64e8246288 100644
--- a/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c
+++ b/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -7,10 +7,12 @@
 #include "esp_tls_crypto.h"
 #include "esp_log.h"
 #include "esp_err.h"
-static const char *TAG = "esp_crypto";
+#include "sdkconfig.h"
+__attribute__((unused)) static const char *TAG = "esp_crypto";
 #ifdef CONFIG_ESP_TLS_USING_MBEDTLS
 #include "mbedtls/sha1.h"
 #include "mbedtls/base64.h"
+#include "mbedtls/error.h"
 #define _esp_crypto_sha1 esp_crypto_sha1_mbedtls
 #define _esp_crypto_base64_encode esp_crypto_bas64_encode_mbedtls
 #elif  CONFIG_ESP_TLS_USING_WOLFSSL
@@ -25,11 +27,34 @@ static int esp_crypto_sha1_mbedtls( const unsigned char *input,
                                     size_t ilen,
                                     unsigned char output[20])
 {
-    int ret = mbedtls_sha1(input, ilen, output);
+#if CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_sha1_context ctx;
+
+    mbedtls_sha1_init(&ctx);
+
+    if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+        goto exit;
+    }
+
+    if ((ret = mbedtls_sha1_update(&ctx, input, ilen)) != 0) {
+        goto exit;
+    }
+
+    if ((ret = mbedtls_sha1_finish(&ctx, output)) != 0) {
+        goto exit;
+    }
+
+exit:
+    mbedtls_sha1_free(&ctx);
     if (ret != 0) {
         ESP_LOGE(TAG, "Error in calculating sha1 sum , Returned 0x%02X", ret);
     }
     return ret;
+#else
+    ESP_LOGE(TAG, "Please enable CONFIG_MBEDTLS_SHA1_C or CONFIG_MBEDTLS_HARDWARE_SHA to support SHA1 operations");
+    return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+#endif /*  CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA*/
 }
 
 static int esp_crypto_bas64_encode_mbedtls( unsigned char *dst, size_t dlen,
diff --git a/components/esp_http_server/src/httpd_ws.c b/components/esp_http_server/src/httpd_ws.c
index 01e16b62b6..bcf32cf9e6 100644
--- a/components/esp_http_server/src/httpd_ws.c
+++ b/components/esp_http_server/src/httpd_ws.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -13,10 +13,12 @@
 #include <esp_err.h>
 #include <mbedtls/sha1.h>
 #include <mbedtls/base64.h>
+#include <mbedtls/error.h>
 
 #include <esp_http_server.h>
 #include "esp_httpd_priv.h"
 #include "freertos/event_groups.h"
+#include "sdkconfig.h"
 
 #ifdef CONFIG_HTTPD_WS_SUPPORT
 
@@ -51,23 +53,23 @@ static const char *TAG="httpd_ws";
  */
 static const char ws_magic_uuid[] = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
 
-/* Checks if any subprotocols from the comma seperated list matches the supported one
+/* Checks if any subprotocols from the comma separated list matches the supported one
  *
  * Returns true if the response should contain a protocol field
 */
 
 /**
- * @brief Checks if any subprotocols from the comma seperated list matches the supported one
+ * @brief Checks if any subprotocols from the comma separated list matches the supported one
  *
  * @param supported_subprotocol[in] The subprotocol supported by the URI
- * @param subprotocol[in],  [in]: A comma seperate list of subprotocols requested
+ * @param subprotocol[in],  [in]: A comma separate list of subprotocols requested
  * @param buf_len Length of the buffer
  * @return true: found a matching subprotocol
  * @return false
  */
 static bool httpd_ws_get_response_subprotocol(const char *supported_subprotocol, char *subprotocol, size_t buf_len)
 {
-    /* Request didnt contain any subprotocols */
+    /* Request didn't contain any subprotocols */
     if (strnlen(subprotocol, buf_len) == 0) {
         return false;
     }
@@ -77,7 +79,7 @@ static bool httpd_ws_get_response_subprotocol(const char *supported_subprotocol,
         return false;
     }
 
-    /* Get first subprotocol from comma seperated list */
+    /* Get first subprotocol from comma separated list */
     char *rest = NULL;
     char *s = strtok_r(subprotocol, ", ", &rest);
     do {
@@ -143,7 +145,34 @@ esp_err_t httpd_ws_respond_server_handshake(httpd_req_t *req, const char *suppor
 
     /* Generate SHA-1 first and then encode to Base64 */
     size_t key_len = strlen(server_raw_text);
-    mbedtls_sha1((uint8_t *)server_raw_text, key_len, server_key_hash);
+
+#if CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_sha1_context ctx;
+    mbedtls_sha1_init(&ctx);
+
+    if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+        goto sha_end;
+    }
+
+    if ((ret = mbedtls_sha1_update(&ctx, (uint8_t *)server_raw_text, key_len)) != 0) {
+        goto sha_end;
+    }
+
+    if ((ret = mbedtls_sha1_finish(&ctx, server_key_hash)) != 0) {
+        goto sha_end;
+    }
+
+sha_end:
+    mbedtls_sha1_free(&ctx);
+    if (ret != 0) {
+        ESP_LOGE(TAG, "Error in calculating SHA1 sum , returned 0x%02X", ret);
+        return ESP_FAIL;
+    }
+#else
+    ESP_LOGE(TAG, "Please enable CONFIG_MBEDTLS_SHA1_C or CONFIG_MBEDTLS_HARDWARE_SHA to support SHA1 operations");
+    return ESP_FAIL;
+#endif /* CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA */
 
     size_t encoded_len = 0;
     mbedtls_base64_encode((uint8_t *)server_key_encoded, sizeof(server_key_encoded), &encoded_len,
@@ -153,7 +182,7 @@ esp_err_t httpd_ws_respond_server_handshake(httpd_req_t *req, const char *suppor
 
     char subprotocol[50] = { '\0' };
     if (httpd_req_get_hdr_value_str(req, "Sec-WebSocket-Protocol", subprotocol, sizeof(subprotocol) - 1) == ESP_ERR_HTTPD_RESULT_TRUNC) {
-        ESP_LOGW(TAG, "Sec-WebSocket-Protocol length exceeded buffer size of %"NEWLIB_NANO_COMPAT_FORMAT", was trunctated", NEWLIB_NANO_COMPAT_CAST(sizeof(subprotocol)));
+        ESP_LOGW(TAG, "Sec-WebSocket-Protocol length exceeded buffer size of %"NEWLIB_NANO_COMPAT_FORMAT", was truncated", NEWLIB_NANO_COMPAT_CAST(sizeof(subprotocol)));
     }
 
 
diff --git a/components/mbedtls/port/mbedtls_rom/mbedtls_rom_osi.h b/components/mbedtls/port/mbedtls_rom/mbedtls_rom_osi.h
index b612adfa55..689cdf730f 100644
--- a/components/mbedtls/port/mbedtls_rom/mbedtls_rom_osi.h
+++ b/components/mbedtls/port/mbedtls_rom/mbedtls_rom_osi.h
@@ -38,6 +38,7 @@
 #include "mbedtls/ssl.h"
 #include "mbedtls/x509_crt.h"
 #include "mbedtls/x509.h"
+#include "soc/soc_caps.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -676,9 +677,7 @@ STRUCT_OFFSET_CHECK(mbedtls_sha1_context, first_block, 92);
 STRUCT_OFFSET_CHECK(mbedtls_sha1_context, mode, 96);
 STRUCT_OFFSET_CHECK(mbedtls_sha1_context, sha_state, 100);
 STRUCT_SIZE_CHECK(mbedtls_sha1_context, 104);
-#if (!defined(MBEDTLS_SHA1_C)) || \
-    (!defined(MBEDTLS_SHA1_ALT)) || \
-    (defined(MBEDTLS_SHA1_PROCESS_ALT))
+#if !(defined(MBEDTLS_SHA1_C) || (defined(MBEDTLS_SHA1_ALT) && SOC_SHA_SUPPORT_SHA1))
 #error "MBEDTLS_SHA1_C"
 #endif
 
@@ -690,11 +689,8 @@ STRUCT_OFFSET_CHECK(mbedtls_sha256_context, first_block, 104);
 STRUCT_OFFSET_CHECK(mbedtls_sha256_context, mode, 108);
 STRUCT_OFFSET_CHECK(mbedtls_sha256_context, sha_state, 112);
 STRUCT_SIZE_CHECK(mbedtls_sha256_context, 116);
-#if (!defined(MBEDTLS_SHA256_C)) || \
-    (!defined(MBEDTLS_SHA256_ALT)) || \
-    (defined(MBEDTLS_SHA256_PROCESS_ALT)) || \
-    (defined(MBEDTLS_SHA256_SMALLER))
-#error "!MBEDTLS_SHA256_C"
+#if !(defined(MBEDTLS_SHA256_C) || (defined(MBEDTLS_SHA256_ALT) && SOC_SHA_SUPPORT_SHA256))
+#error "MBEDTLS_SHA256_C"
 #endif
 
 /* sha512.c */
@@ -703,10 +699,8 @@ STRUCT_OFFSET_CHECK(mbedtls_sha512_context, MBEDTLS_PRIVATE(state), 16);
 STRUCT_OFFSET_CHECK(mbedtls_sha512_context, MBEDTLS_PRIVATE(buffer), 80);
 STRUCT_OFFSET_CHECK(mbedtls_sha512_context, MBEDTLS_PRIVATE(is384), 208);
 STRUCT_SIZE_CHECK(mbedtls_sha512_context, 216);
-#if (!defined(MBEDTLS_SHA512_C)) || \
-    (defined(MBEDTLS_SHA512_ALT)) || \
-    (defined(MBEDTLS_SHA512_PROCESS_ALT))
-#error "MBEDTLS_SHA256_C"
+#if !(defined(MBEDTLS_SHA512_C) || (defined(MBEDTLS_SHA512_ALT) && SOC_SHA_SUPPORT_SHA512))
+#error "MBEDTLS_SHA512_C"
 #endif
 
 /* aes.c */
diff --git a/components/wpa_supplicant/CMakeLists.txt b/components/wpa_supplicant/CMakeLists.txt
index 9a5f9a3bf3..11421167d1 100644
--- a/components/wpa_supplicant/CMakeLists.txt
+++ b/components/wpa_supplicant/CMakeLists.txt
@@ -114,7 +114,6 @@ endif()
 
 if(CONFIG_ESP_WIFI_MBEDTLS_CRYPTO)
     set(crypto_src
-    "esp_supplicant/src/crypto/fastpbkdf2.c"
     "esp_supplicant/src/crypto/crypto_mbedtls.c"
     "esp_supplicant/src/crypto/crypto_mbedtls-bignum.c"
     "esp_supplicant/src/crypto/crypto_mbedtls-rsa.c"
@@ -127,7 +126,14 @@ if(CONFIG_ESP_WIFI_MBEDTLS_CRYPTO)
     if(NOT CONFIG_MBEDTLS_DES_C)
         set(crypto_src ${crypto_src} "src/crypto/des-internal.c")
     endif()
-    if(NOT CONFIG_MBEDTLS_SHA1_C)
+    if(NOT CONFIG_MBEDTLS_SHA1_C AND NOT CONFIG_MBEDTLS_HARDWARE_SHA)
+        set(crypto_src ${crypto_src} "src/crypto/sha1-pbkdf2.c"
+                       ${crypto_src} "src/crypto/sha1.c"
+                       ${crypto_src} "src/crypto/sha1-internal.c")
+    else()
+        set(crypto_src ${crypto_src} "esp_supplicant/src/crypto/fastpbkdf2.c")
+    endif()
+    if(NOT CONFIG_MBEDTLS_SHA1_C AND CONFIG_MBEDTLS_HARDWARE_SHA)
         set(crypto_src ${crypto_src} "src/crypto/sha1.c")
     endif()
     # Enabling this only for WiFi is probably not a good idea since MbedTLS
@@ -264,9 +270,12 @@ target_compile_definitions(${COMPONENT_LIB} PRIVATE
     CONFIG_IEEE80211W
     CONFIG_SHA256
     CONFIG_NO_RADIUS
-    CONFIG_FAST_PBKDF2
     )
 
+if(CONFIG_MBEDTLS_SHA1_C OR CONFIG_MBEDTLS_HARDWARE_SHA)
+    target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_FAST_PBKDF2)
+endif()
+
 if(CONFIG_ESP_WIFI_ENABLE_WPA3_SAE)
     target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_WPA3_SAE)
 endif()
@@ -318,7 +327,8 @@ if(NOT CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT)
 endif()
 if(CONFIG_ESP_WIFI_MBEDTLS_CRYPTO)
     target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_CRYPTO_MBEDTLS)
-else()
+endif()
+if(NOT CONFIG_MBEDTLS_SHA1_C AND NOT CONFIG_MBEDTLS_HARDWARE_SHA)
     target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_CRYPTO_INTERNAL)
 endif()
 if(CONFIG_ESP_WIFI_WPS_SOFTAP_REGISTRAR)
diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c
index 5fe89410fa..73addce23b 100644
--- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c
@@ -7,6 +7,7 @@
 #include "esp_system.h"
 #endif
 
+#include <errno.h>
 #include "utils/includes.h"
 #include "utils/common.h"
 #include "crypto.h"
@@ -104,6 +105,7 @@ int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
     return digest_vector(MBEDTLS_MD_SHA512, num_elem, addr, len, mac);
 }
 
+#if CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA
 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
 #if defined(MBEDTLS_SHA1_C)
@@ -129,6 +131,7 @@ exit:
     return -ENOTSUP;
 #endif
 }
+#endif
 
 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
@@ -772,6 +775,7 @@ cleanup:
     return ret;
 }
 
+#if defined(CONFIG_MBEDTLS_SHA1_C) || defined(CONFIG_MBEDTLS_HARDWARE_SHA)
 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
                 int iterations, u8 *buf, size_t buflen)
 {
@@ -799,6 +803,7 @@ cleanup:
     return ret;
 #endif
 }
+#endif /* defined(CONFIG_MBEDTLS_SHA1_C) || defined(CONFIG_MBEDTLS_HARDWARE_SHA) */
 
 #ifdef MBEDTLS_DES_C
 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
diff --git a/components/wpa_supplicant/test_apps/README.md b/components/wpa_supplicant/test_apps/README.md
index e5c31559f2..0d1a0dc44a 100644
--- a/components/wpa_supplicant/test_apps/README.md
+++ b/components/wpa_supplicant/test_apps/README.md
@@ -1,5 +1,5 @@
-| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-C61 | ESP32-S2 | ESP32-S3 |
-| ----------------- | ----- | -------- | -------- | -------- | -------- | --------- | -------- | -------- |
+| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-C61 | ESP32-S2 | ESP32-S3 |
+| ----------------- | ----- | -------- | -------- | -------- | --------- | -------- | -------- |
 
 # wpa_supplicant unit test
 
diff --git a/components/wpa_supplicant/test_apps/main/test_fast_pbkdf2.c b/components/wpa_supplicant/test_apps/main/test_fast_pbkdf2.c
index 14a2f45333..0bedd60ab4 100644
--- a/components/wpa_supplicant/test_apps/main/test_fast_pbkdf2.c
+++ b/components/wpa_supplicant/test_apps/main/test_fast_pbkdf2.c
@@ -22,6 +22,7 @@ void fastpbkdf2_hmac_sha1(const uint8_t *pw, size_t npw,
 
 int64_t esp_timer_get_time(void);
 
+#if defined(CONFIG_MBEDTLS_SHA1_C) || defined(CONFIG_MBEDTLS_HARDWARE_SHA)
 TEST_CASE("Test pbkdf2", "[crypto-pbkdf2]")
 {
     set_leak_threshold(130);
@@ -105,3 +106,4 @@ TEST_CASE("Test pbkdf2", "[crypto-pbkdf2]")
     ESP_LOGI("Timing", "Average time for fast_pbkdf2_sha1: %lld microseconds", avg_time_fast);
     ESP_LOGI("Timing", "Average time for mbedtls_pkcs5_pbkdf2_hmac_ext: %lld microseconds", avg_time_mbedtls);
 }
+#endif