From 9433fcb820355051189c63fc3b88f616be792801 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Fri, 20 Jul 2018 09:42:01 +1000
Subject: [PATCH] Allow SHA384 to be compiled in without SHA512

---
 configure.ac               | 29 ++++++++++-
 src/ssl.c                  | 12 ++---
 tests/api.c                |  6 +--
 wolfcrypt/src/hash.c       | 82 +++++++++++++++----------------
 wolfcrypt/src/hmac.c       | 14 +++---
 wolfcrypt/src/rsa.c        |  2 +-
 wolfcrypt/src/sha512.c     | 99 ++++++++++++++++++++++++--------------
 wolfssl/internal.h         |  3 ++
 wolfssl/wolfcrypt/hash.h   | 18 ++++---
 wolfssl/wolfcrypt/hmac.h   |  2 +-
 wolfssl/wolfcrypt/sha512.h | 26 +++++++---
 11 files changed, 182 insertions(+), 111 deletions(-)

diff --git a/configure.ac b/configure.ac
index 05cbf55f9..8a340f977 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1079,15 +1079,41 @@ fi
 if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_FORTRESS" = "yes"
 then
     ENABLED_SHA512="yes"
+    ENABLED_SHA384="yes"
 fi
 
 if test "$ENABLED_SHA512" = "yes" && test "$ENABLED_32BIT" = "no"
 then
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512"
 fi
 
 AM_CONDITIONAL([BUILD_SHA512], [test "x$ENABLED_SHA512" = "xyes"])
 
+# SHA384
+AC_ARG_ENABLE([sha384],
+    [AS_HELP_STRING([--enable-sha384],[Enable wolfSSL SHA-384 support (default: enabled)])],
+    [ ENABLED_SHA384=$enableval ],
+    [ ENABLED_SHA384=yes ]
+    )
+
+# options that don't require sha512
+if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
+then
+    ENABLED_SHA384=no
+fi
+
+# options that require sha384
+if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_FORTRESS" = "yes"
+then
+    ENABLED_SHA384="yes"
+fi
+if test "$ENABLED_SHA384" = "yes" && test "$ENABLED_32BIT" = "no"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA384"
+fi
+
+AM_CONDITIONAL([BUILD_SHA512], [test "x$ENABLED_SHA384" = "xyes"])
+
 
 # SESSION CERTS
 AC_ARG_ENABLE([sessioncerts],
@@ -4389,6 +4415,7 @@ echo "   * MD5:                        $ENABLED_MD5"
 echo "   * RIPEMD:                     $ENABLED_RIPEMD"
 echo "   * SHA:                        $ENABLED_SHA"
 echo "   * SHA-224:                    $ENABLED_SHA224"
+echo "   * SHA-384:                    $ENABLED_SHA384"
 echo "   * SHA-512:                    $ENABLED_SHA512"
 echo "   * SHA3:                       $ENABLED_SHA3"
 echo "   * BLAKE2:                     $ENABLED_BLAKE2"
diff --git a/src/ssl.c b/src/ssl.c
index 889e16ff6..ea4a0c43e 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -88,7 +88,7 @@
     #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL)
         #include <wolfssl/openssl/ocsp.h>
     #endif /* WITH_STUNNEL */
-    #ifdef WOLFSSL_SHA512
+    #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
         #include <wolfssl/wolfcrypt/sha512.h>
     #endif
     #if defined(WOLFCRYPT_HAVE_SRP) && !defined(NO_SHA256) \
@@ -13706,13 +13706,13 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
             mdlen = WC_SHA256_DIGEST_SIZE;
         } else
 #endif
-#ifdef WOLFSSL_SHA512
 #ifdef WOLFSSL_SHA384
         if (XSTRNCMP(evp_md, "SHA384", 6) == 0) {
             type = WC_SHA384;
             mdlen = WC_SHA384_DIGEST_SIZE;
         } else
 #endif
+#ifdef WOLFSSL_SHA512
         if (XSTRNCMP(evp_md, "SHA512", 6) == 0) {
             type = WC_SHA512;
             mdlen = WC_SHA512_DIGEST_SIZE;
@@ -24830,13 +24830,13 @@ int wolfSSL_HMAC_CTX_copy(WOLFSSL_HMAC_CTX* des, WOLFSSL_HMAC_CTX* src)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             XMEMCPY(&des->hmac.hash.sha384, &src->hmac.hash.sha384,
                     sizeof(wc_Sha384));
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             XMEMCPY(&des->hmac.hash.sha512, &src->hmac.hash.sha512,
                     sizeof(wc_Sha512));
@@ -24911,12 +24911,12 @@ static int _HMAC_Init(Hmac* hmac, int type, void* heap)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             ret = wc_InitSha384(&hmac->hash.sha384);
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             ret = wc_InitSha512(&hmac->hash.sha512);
             break;
@@ -29721,7 +29721,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
     }
 #endif /* ! NO_SHA256 */
 
-#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_SHA512)
+#ifdef WOLFSSL_SHA384
      /* One shot SHA384 hash of message.
       *
       * d  message to hash
@@ -29766,7 +29766,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
              return (unsigned char*)dig;
          }
      }
-#endif /* defined(WOLFSSL_SHA384) && defined(WOLFSSL_SHA512)  */
+#endif /* WOLFSSL_SHA384  */
 
 
 #if defined(WOLFSSL_SHA512)
diff --git a/tests/api.c b/tests/api.c
index dab68c0ba..2fa3fb479 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -17662,7 +17662,7 @@ static void test_wolfSSL_HMAC(void)
     AssertNotNull(HMAC(EVP_sha224(), key, (int)sizeof(key), NULL, 0, hash, &len));
     AssertIntEQ(len, (int)WC_SHA224_DIGEST_SIZE);
 #endif
-#if defined(OPENSSL_EXTRA) && (defined(WOLFSSL_SHA384) && defined(WOLFSSL_SHA512))
+#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA384)
     len = 0;
     AssertNotNull(HMAC(EVP_sha384(), key, (int)sizeof(key), NULL, 0, hash, &len));
     AssertIntEQ(len, (int)WC_SHA384_DIGEST_SIZE);
@@ -18414,7 +18414,6 @@ static void test_wolfSSL_HMAC_CTX(void)
 
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
     AssertIntEQ((digestSz = test_HMAC_CTX_helper(EVP_sha384(), digest)), 48);
     AssertIntEQ(XMEMCMP("\x9E\xCB\x07\x0C\x11\x76\x3F\x23\xC3\x25\x0E\xC4\xB7"
@@ -18423,6 +18422,7 @@ static void test_wolfSSL_HMAC_CTX(void)
                           "\xCD\xFB\xC2\xCC\x9F\x2B\xC5\x41\xAB",
                           digest, digestSz), 0);
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
     AssertIntEQ((digestSz = test_HMAC_CTX_helper(EVP_sha512(), digest)), 64);
     AssertIntEQ(XMEMCMP("\xD4\x21\x0C\x8B\x60\x6F\xF4\xBF\x07\x2F\x26\xCC\xAD"
                           "\xBC\x06\x0B\x34\x78\x8B\x4F\xD6\xC0\x42\xF1\x33\x10"
@@ -18518,7 +18518,7 @@ static void test_wolfSSL_SHA(void)
     }
     #endif
 
-    #if defined(WOLFSSL_SHA384) && defined(WOLFSSL_SHA512)
+    #if defined(WOLFSSL_SHA384)
     {
         const unsigned char in[] = "abc";
         unsigned char expected[] = "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50"
diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c
index 4ac728d5b..ec6c09cf2 100644
--- a/wolfcrypt/src/hash.c
+++ b/wolfcrypt/src/hash.c
@@ -92,12 +92,12 @@ enum wc_HashType wc_HashTypeConvert(int hashType)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             eHashType = WC_HASH_TYPE_SHA384;
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             eHashType = WC_HASH_TYPE_SHA512;
             break;
@@ -343,7 +343,7 @@ int wc_HashGetBlockSize(enum wc_HashType hash_type)
         #endif
             break;
         case WC_HASH_TYPE_SHA384:
-        #if defined(WOLFSSL_SHA512) && defined(WOLFSSL_SHA384)
+        #ifdef WOLFSSL_SHA384
             block_size = WC_SHA384_BLOCK_SIZE;
         #endif
             break;
@@ -431,7 +431,7 @@ int wc_Hash(enum wc_HashType hash_type, const byte* data,
 #endif
             break;
         case WC_HASH_TYPE_SHA384:
-#if defined(WOLFSSL_SHA512) && defined(WOLFSSL_SHA384)
+#ifdef WOLFSSL_SHA384
             ret = wc_Sha384Hash(data, data_len, hash);
 #endif
             break;
@@ -822,42 +822,42 @@ int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type, byte* out)
 
         return ret;
     }
-
-    #if defined(WOLFSSL_SHA384)
-        int wc_Sha384Hash(const byte* data, word32 len, byte* hash)
-        {
-            int ret = 0;
-        #ifdef WOLFSSL_SMALL_STACK
-            wc_Sha384* sha384;
-        #else
-            wc_Sha384 sha384[1];
-        #endif
-
-        #ifdef WOLFSSL_SMALL_STACK
-            sha384 = (wc_Sha384*)XMALLOC(sizeof(wc_Sha384), NULL,
-                DYNAMIC_TYPE_TMP_BUFFER);
-            if (sha384 == NULL)
-                return MEMORY_E;
-        #endif
-
-            if ((ret = wc_InitSha384(sha384)) != 0) {
-                WOLFSSL_MSG("InitSha384 failed");
-            }
-            else {
-                if ((ret = wc_Sha384Update(sha384, data, len)) != 0) {
-                    WOLFSSL_MSG("Sha384Update failed");
-                }
-                else if ((ret = wc_Sha384Final(sha384, hash)) != 0) {
-                    WOLFSSL_MSG("Sha384Final failed");
-                }
-                wc_Sha384Free(sha384);
-            }
-
-        #ifdef WOLFSSL_SMALL_STACK
-            XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        #endif
-
-            return ret;
-        }
-    #endif /* WOLFSSL_SHA384 */
 #endif /* WOLFSSL_SHA512 */
+
+#if defined(WOLFSSL_SHA384)
+    int wc_Sha384Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha384* sha384;
+    #else
+        wc_Sha384 sha384[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha384 = (wc_Sha384*)XMALLOC(sizeof(wc_Sha384), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha384 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha384(sha384)) != 0) {
+            WOLFSSL_MSG("InitSha384 failed");
+        }
+        else {
+            if ((ret = wc_Sha384Update(sha384, data, len)) != 0) {
+                WOLFSSL_MSG("Sha384Update failed");
+            }
+            else if ((ret = wc_Sha384Final(sha384, hash)) != 0) {
+                WOLFSSL_MSG("Sha384Final failed");
+            }
+            wc_Sha384Free(sha384);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* WOLFSSL_SHA384 */
diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c
index b60d92717..9f2d24bee 100644
--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@@ -157,12 +157,12 @@ int wc_HmacSizeByType(int type)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             ret = WC_SHA384_DIGEST_SIZE;
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             ret = WC_SHA512_DIGEST_SIZE;
             break;
@@ -230,12 +230,12 @@ int _InitHmac(Hmac* hmac, int type, void* heap)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             ret = wc_InitSha384(&hmac->hash.sha384);
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             ret = wc_InitSha512(&hmac->hash.sha512);
             break;
@@ -397,7 +397,6 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             hmac_block_size = WC_SHA384_BLOCK_SIZE;
@@ -418,6 +417,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
             }
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             hmac_block_size = WC_SHA512_BLOCK_SIZE;
             if (length <= WC_SHA512_BLOCK_SIZE) {
@@ -604,13 +604,13 @@ static int HmacKeyInnerHash(Hmac* hmac)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->ipad,
                                                              WC_SHA384_BLOCK_SIZE);
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->ipad,
                                                              WC_SHA512_BLOCK_SIZE);
@@ -706,12 +706,12 @@ int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             ret = wc_Sha384Update(&hmac->hash.sha384, msg, length);
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             ret = wc_Sha512Update(&hmac->hash.sha512, msg, length);
             break;
@@ -850,7 +850,6 @@ int wc_HmacFinal(Hmac* hmac, byte* hash)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             ret = wc_Sha384Final(&hmac->hash.sha384, (byte*)hmac->innerHash);
@@ -867,6 +866,7 @@ int wc_HmacFinal(Hmac* hmac, byte* hash)
             ret = wc_Sha384Final(&hmac->hash.sha384, hash);
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             ret = wc_Sha512Final(&hmac->hash.sha512, (byte*)hmac->innerHash);
             if (ret != 0)
@@ -1027,12 +1027,12 @@ void wc_HmacFree(Hmac* hmac)
             break;
     #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_SHA384:
             wc_Sha384Free(&hmac->hash.sha384);
             break;
     #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
         case WC_SHA512:
             wc_Sha512Free(&hmac->hash.sha512);
             break;
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index e8d945a88..684ca1747 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -619,12 +619,12 @@ static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
             ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap);
             break;
     #endif
-    #ifdef WOLFSSL_SHA512
     #ifdef WOLFSSL_SHA384
         case WC_MGF1SHA384:
             ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap);
             break;
     #endif
+    #ifdef WOLFSSL_SHA512
         case WC_MGF1SHA512:
             ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap);
             break;
diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c
index fb5db0aec..c229f418a 100644
--- a/wolfcrypt/src/sha512.c
+++ b/wolfcrypt/src/sha512.c
@@ -26,7 +26,7 @@
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#ifdef WOLFSSL_SHA512
+#if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
 
 #if defined(HAVE_FIPS) && \
 	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
@@ -53,44 +53,47 @@
 #if defined(HAVE_FIPS) && \
     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 
-    int wc_InitSha512(wc_Sha512* sha)
-    {
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
+    #ifdef WOLFSSL_SHA512
 
-        return InitSha512_fips(sha);
-    }
-    int wc_InitSha512_ex(wc_Sha512* sha, void* heap, int devId)
-    {
-        (void)heap;
-        (void)devId;
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return InitSha512_fips(sha);
-    }
-    int wc_Sha512Update(wc_Sha512* sha, const byte* data, word32 len)
-    {
-        if (sha == NULL || (data == NULL && len > 0)) {
-            return BAD_FUNC_ARG;
-        }
+        int wc_InitSha512(wc_Sha512* sha)
+        {
+            if (sha == NULL) {
+                return BAD_FUNC_ARG;
+            }
 
-        return Sha512Update_fips(sha, data, len);
-    }
-    int wc_Sha512Final(wc_Sha512* sha, byte* out)
-    {
-        if (sha == NULL || out == NULL) {
-            return BAD_FUNC_ARG;
+            return InitSha512_fips(sha);
         }
+        int wc_InitSha512_ex(wc_Sha512* sha, void* heap, int devId)
+        {
+            (void)heap;
+            (void)devId;
+            if (sha == NULL) {
+                return BAD_FUNC_ARG;
+            }
+            return InitSha512_fips(sha);
+        }
+        int wc_Sha512Update(wc_Sha512* sha, const byte* data, word32 len)
+        {
+            if (sha == NULL || (data == NULL && len > 0)) {
+                return BAD_FUNC_ARG;
+            }
 
-        return Sha512Final_fips(sha, out);
-    }
-    void wc_Sha512Free(wc_Sha512* sha)
-    {
-        (void)sha;
-        /* Not supported in FIPS */
-    }
+            return Sha512Update_fips(sha, data, len);
+        }
+        int wc_Sha512Final(wc_Sha512* sha, byte* out)
+        {
+            if (sha == NULL || out == NULL) {
+                return BAD_FUNC_ARG;
+            }
+
+            return Sha512Final_fips(sha, out);
+        }
+        void wc_Sha512Free(wc_Sha512* sha)
+        {
+            (void)sha;
+            /* Not supported in FIPS */
+        }
+    #endif
 
     #if defined(WOLFSSL_SHA384) || defined(HAVE_AESGCM)
         int wc_InitSha384(wc_Sha384* sha)
@@ -186,6 +189,8 @@
     /* functions defined in wolfcrypt/src/port/caam/caam_sha.c */
 #else
 
+#ifdef WOLFSSL_SHA512
+
 static int InitSha512(wc_Sha512* sha512)
 {
     if (sha512 == NULL)
@@ -207,10 +212,13 @@ static int InitSha512(wc_Sha512* sha512)
     return 0;
 }
 
+#endif /* WOLFSSL_SHA512 */
 
 /* Hardware Acceleration */
 #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
 
+#ifdef WOLFSSL_SHA512
+
     /*****
     Intel AVX1/AVX2 Macro Control Structure
 
@@ -358,9 +366,13 @@ static int InitSha512(wc_Sha512* sha512)
         return ret;
     }
 
+#endif /* WOLFSSL_SHA512 */
+
 #else
     #define Transform_Sha512(sha512) _Transform_Sha512(sha512)
 
+    #ifdef WOLFSSL_SHA512
+
     int wc_InitSha512_ex(wc_Sha512* sha512, void* heap, int devId)
     {
         int ret = 0;
@@ -388,6 +400,8 @@ static int InitSha512(wc_Sha512* sha512)
         return ret;
     }
 
+    #endif /* WOLFSSL_SHA512 */
+
 #endif /* Hardware Acceleration */
 
 static const word64 K512[80] = {
@@ -640,6 +654,8 @@ static WC_INLINE int Sha512Update(wc_Sha512* sha512, const byte* data, word32 le
     return ret;
 }
 
+#ifdef WOLFSSL_SHA512
+
 int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
 {
     if (sha512 == NULL || (data == NULL && len > 0)) {
@@ -656,6 +672,9 @@ int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
 
     return Sha512Update(sha512, data, len);
 }
+
+#endif /* WOLFSSL_SHA512 */
+
 #endif /* WOLFSSL_IMX6_CAAM */
 
 static WC_INLINE int Sha512Final(wc_Sha512* sha512)
@@ -725,6 +744,8 @@ static WC_INLINE int Sha512Final(wc_Sha512* sha512)
     return 0;
 }
 
+#ifdef WOLFSSL_SHA512
+
 int wc_Sha512FinalRaw(wc_Sha512* sha512, byte* hash)
 {
 #ifdef LITTLE_ENDIAN_ORDER
@@ -2595,6 +2616,7 @@ static int Transform_Sha512_AVX2_RORX_Len(wc_Sha512* sha512, word32 len)
 #endif /* HAVE_INTEL_RORX */
 #endif /* HAVE_INTEL_AVX2 */
 
+#endif /* WOLFSSL_SHA512 */
 
 
 /* -------------------------------------------------------------------------- */
@@ -2763,6 +2785,7 @@ void wc_Sha384Free(wc_Sha384* sha384)
 
 #endif /* HAVE_FIPS */
 
+#ifdef WOLFSSL_SHA512
 
 int wc_Sha512GetHash(wc_Sha512* sha512, byte* hash)
 {
@@ -2799,7 +2822,10 @@ int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst)
     return ret;
 }
 
+#endif /* WOLFSSL_SHA512 */
+
 #ifdef WOLFSSL_SHA384
+
 int wc_Sha384GetHash(wc_Sha384* sha384, byte* hash)
 {
     int ret;
@@ -2833,6 +2859,7 @@ int wc_Sha384Copy(wc_Sha384* src, wc_Sha384* dst)
 
     return ret;
 }
+
 #endif /* WOLFSSL_SHA384 */
 
-#endif /* WOLFSSL_SHA512 */
+#endif /* WOLFSSL_SHA512 || WOLFSSL_SHA384 */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 606c455c2..5660065bf 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -84,6 +84,9 @@
 #ifdef HAVE_OCSP
     #include <wolfssl/ocsp.h>
 #endif
+#ifdef WOLFSSL_SHA384
+    #include <wolfssl/wolfcrypt/sha512.h>
+#endif
 #ifdef WOLFSSL_SHA512
     #include <wolfssl/wolfcrypt/sha512.h>
 #endif
diff --git a/wolfssl/wolfcrypt/hash.h b/wolfssl/wolfcrypt/hash.h
index fef7dc725..698fa51e3 100644
--- a/wolfssl/wolfcrypt/hash.h
+++ b/wolfssl/wolfcrypt/hash.h
@@ -146,22 +146,24 @@ WOLFSSL_API int wc_Md5Hash(const byte* data, word32 len, byte* hash);
 WOLFSSL_API int wc_ShaHash(const byte*, word32, byte*);
 #endif
 
+#ifdef WOLFSSL_SHA224
+#include <wolfssl/wolfcrypt/sha256.h>
+WOLFSSL_API int wc_Sha224Hash(const byte*, word32, byte*);
+#endif /* defined(WOLFSSL_SHA224) */
+
 #ifndef NO_SHA256
 #include <wolfssl/wolfcrypt/sha256.h>
 WOLFSSL_API int wc_Sha256Hash(const byte*, word32, byte*);
-
-    #if defined(WOLFSSL_SHA224)
-        WOLFSSL_API int wc_Sha224Hash(const byte*, word32, byte*);
-    #endif /* defined(WOLFSSL_SHA224) */
 #endif
 
+#ifdef WOLFSSL_SHA384
+#include <wolfssl/wolfcrypt/sha512.h>
+WOLFSSL_API int wc_Sha384Hash(const byte*, word32, byte*);
+#endif /* defined(WOLFSSL_SHA384) */
+
 #ifdef WOLFSSL_SHA512
 #include <wolfssl/wolfcrypt/sha512.h>
 WOLFSSL_API int wc_Sha512Hash(const byte*, word32, byte*);
-
-    #if defined(WOLFSSL_SHA384)
-        WOLFSSL_API int wc_Sha384Hash(const byte*, word32, byte*);
-    #endif /* defined(WOLFSSL_SHA384) */
 #endif /* WOLFSSL_SHA512 */
 
 #ifdef __cplusplus
diff --git a/wolfssl/wolfcrypt/hmac.h b/wolfssl/wolfcrypt/hmac.h
index bf1910ca3..8a725397c 100644
--- a/wolfssl/wolfcrypt/hmac.h
+++ b/wolfssl/wolfcrypt/hmac.h
@@ -119,10 +119,10 @@ typedef union {
 #ifndef NO_SHA256
     wc_Sha256 sha256;
 #endif
-#ifdef WOLFSSL_SHA512
 #ifdef WOLFSSL_SHA384
     wc_Sha384 sha384;
 #endif
+#ifdef WOLFSSL_SHA512
     wc_Sha512 sha512;
 #endif
 #ifdef HAVE_BLAKE2
diff --git a/wolfssl/wolfcrypt/sha512.h b/wolfssl/wolfcrypt/sha512.h
index 0cebf9da0..af32e38b8 100644
--- a/wolfssl/wolfcrypt/sha512.h
+++ b/wolfssl/wolfcrypt/sha512.h
@@ -29,7 +29,7 @@
 
 #include <wolfssl/wolfcrypt/types.h>
 
-#ifdef WOLFSSL_SHA512
+#if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
 
 #if defined(HAVE_FIPS) && \
     defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
@@ -38,11 +38,13 @@
 
 #if defined(HAVE_FIPS) && \
 	(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
-    #define wc_Sha512             Sha512
-    #define WC_SHA512             SHA512
-    #define WC_SHA512_BLOCK_SIZE  SHA512_BLOCK_SIZE
-    #define WC_SHA512_DIGEST_SIZE SHA512_DIGEST_SIZE
-    #define WC_SHA512_PAD_SIZE    SHA512_PAD_SIZE
+    #ifdef WOLFSSL_SHA512
+        #define wc_Sha512             Sha512
+        #define WC_SHA512             SHA512
+        #define WC_SHA512_BLOCK_SIZE  SHA512_BLOCK_SIZE
+        #define WC_SHA512_DIGEST_SIZE SHA512_DIGEST_SIZE
+        #define WC_SHA512_PAD_SIZE    SHA512_PAD_SIZE
+    #endif /* WOLFSSL_SHA512 */
     #ifdef WOLFSSL_SHA384
         #define wc_Sha384             Sha384
         #define WC_SHA384             SHA384
@@ -79,6 +81,8 @@
     #define SHA512_NOINLINE
 #endif
 
+#ifdef WOLFSSL_SHA512
+
 #if !defined(NO_OLD_SHA_NAMES)
     #define SHA512             WC_SHA512
 #endif
@@ -90,9 +94,13 @@
     #define SHA512_PAD_SIZE    WC_SHA512_PAD_SIZE
 #endif
 
+#endif /* WOLFSSL_SHA512 */
+
 /* in bytes */
 enum {
+#ifdef WOLFSSL_SHA512
     WC_SHA512              =   WC_HASH_TYPE_SHA512,
+#endif
     WC_SHA512_BLOCK_SIZE   = 128,
     WC_SHA512_DIGEST_SIZE  =  64,
     WC_SHA512_PAD_SIZE     = 112
@@ -124,6 +132,8 @@ typedef struct wc_Sha512 {
 
 #endif /* HAVE_FIPS */
 
+#ifdef WOLFSSL_SHA512
+
 WOLFSSL_API int wc_InitSha512(wc_Sha512*);
 WOLFSSL_API int wc_InitSha512_ex(wc_Sha512*, void*, int);
 WOLFSSL_API int wc_Sha512Update(wc_Sha512*, const byte*, word32);
@@ -134,6 +144,8 @@ WOLFSSL_API void wc_Sha512Free(wc_Sha512*);
 WOLFSSL_API int wc_Sha512GetHash(wc_Sha512*, byte*);
 WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst);
 
+#endif /* WOLFSSL_SHA512 */
+
 #if defined(WOLFSSL_SHA384)
 
 /* avoid redefinition of structs */
@@ -179,6 +191,6 @@ WOLFSSL_API int wc_Sha384Copy(wc_Sha384* src, wc_Sha384* dst);
     } /* extern "C" */
 #endif
 
-#endif /* WOLFSSL_SHA512 */
+#endif /* WOLFSSL_SHA512 || WOLFSSL_SHA384 */
 #endif /* WOLF_CRYPT_SHA512_H */