Further cleanup for Hashes.sha when not required. Gate all TLS SHA-1 on either old TLS or WOLFSSL_ALLOW_TLS_SHA1.

2023-12-21 09:41:29 -08:00
parent 41d4f4a972
commit 0d212d8055
2 changed files with 5 additions and 3 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -4644,7 +4644,8 @@ static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
 static void SetDigest(WOLFSSL* ssl, int hashAlgo)
 {
    switch (hashAlgo) {
-    #ifndef NO_SHA
+    #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
+                              defined(WOLFSSL_ALLOW_TLS_SHA1))
        case sha_mac:
            ssl->options.dontFreeDigest = 1;
            ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha;
@ -22028,7 +22029,7 @@ static int BuildMD5_CertVerify(const WOLFSSL* ssl, byte* digest)
 #endif /* !NO_MD5 && !NO_OLD_TLS */

 #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
-                              defined(WOLFSSL_ALLOW_TLS_SHA1))
+                          defined(WOLFSSL_ALLOW_TLS_SHA1))
 static int BuildSHA_CertVerify(const WOLFSSL* ssl, byte* digest)
 {
    int ret;
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -4176,7 +4176,8 @@ typedef struct Hashes {
    #if !defined(NO_MD5) && !defined(NO_OLD_TLS)
        byte md5[WC_MD5_DIGEST_SIZE];
    #endif
-    #if !defined(NO_SHA)
+    #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
+                              defined(WOLFSSL_ALLOW_TLS_SHA1))
        byte sha[WC_SHA_DIGEST_SIZE];
    #endif
    #ifndef NO_SHA256