From 0d212d805546d53d77fc4ca78dbd23f7e13934d0 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Thu, 21 Dec 2023 09:41:29 -0800
Subject: [PATCH] Further cleanup for `Hashes.sha` when not required. Gate all
 TLS SHA-1 on either old TLS or `WOLFSSL_ALLOW_TLS_SHA1`.

---
 src/internal.c     | 5 +++--
 wolfssl/internal.h | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index df21a6bfb..61bffd7bc 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4644,7 +4644,8 @@ static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
 static void SetDigest(WOLFSSL* ssl, int hashAlgo)
 {
     switch (hashAlgo) {
-    #ifndef NO_SHA
+    #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
+                              defined(WOLFSSL_ALLOW_TLS_SHA1))
         case sha_mac:
             ssl->options.dontFreeDigest = 1;
             ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha;
@@ -22028,7 +22029,7 @@ static int BuildMD5_CertVerify(const WOLFSSL* ssl, byte* digest)
 #endif /* !NO_MD5 && !NO_OLD_TLS */
 
 #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
-                              defined(WOLFSSL_ALLOW_TLS_SHA1))
+                          defined(WOLFSSL_ALLOW_TLS_SHA1))
 static int BuildSHA_CertVerify(const WOLFSSL* ssl, byte* digest)
 {
     int ret;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 658a90a4d..6da5b895a 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -4176,7 +4176,8 @@ typedef struct Hashes {
     #if !defined(NO_MD5) && !defined(NO_OLD_TLS)
         byte md5[WC_MD5_DIGEST_SIZE];
     #endif
-    #if !defined(NO_SHA)
+    #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
+                              defined(WOLFSSL_ALLOW_TLS_SHA1))
         byte sha[WC_SHA_DIGEST_SIZE];
     #endif
     #ifndef NO_SHA256