diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index 61f67b7121..285881b7ca 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -639,6 +639,9 @@ WC_DILITHIUM_FIXED_ARRAY
 WC_DISABLE_RADIX_ZERO_PAD
 WC_FLAG_DONT_USE_AESNI
 WC_FORCE_LINUXKM_FORTIFY_SOURCE
+WC_HASH_CUSTOM_MAX_BLOCK_SIZE
+WC_HASH_CUSTOM_MAX_DIGEST_SIZE
+WC_HASH_CUSTOM_MIN_DIGEST_SIZE
 WC_NO_ASYNC_SLEEP
 WC_NO_RNG_SIMPLE
 WC_NO_STATIC_ASSERT
@@ -651,9 +654,6 @@ WC_RSA_NONBLOCK
 WC_RSA_NONBLOCK_TIME
 WC_RSA_NO_FERMAT_CHECK
 WC_RWLOCK_OPS_INLINE
-WC_SHA384
-WC_SHA384_DIGEST_SIZE
-WC_SHA512
 WC_SKIP_INCLUDED_C_FILES
 WC_SSIZE_TYPE
 WC_STRICT_SIG
diff --git a/src/internal.c b/src/internal.c
index 067b7a6c08..51328afa5a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -157,6 +157,7 @@
 #include <wolfssl/error-ssl.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/dh.h>
+#include <wolfssl/wolfcrypt/hash.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
@@ -5720,6 +5721,12 @@ int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* out,
     }
 #endif
 
+    /* Check hash length */
+    if ((outSz > WC_MAX_DIGEST_SIZE) ||
+        (outSz < WC_MIN_DIGEST_SIZE)) {
+        return BAD_LENGTH_E;
+    }
+
     (void)ssl;
     (void)keyBufInfo;
 
diff --git a/src/pk_ec.c b/src/pk_ec.c
index 2a44ca55de..14e8c78a75 100644
--- a/src/pk_ec.c
+++ b/src/pk_ec.c
@@ -5264,6 +5264,14 @@ int wolfSSL_ECDSA_do_verify(const unsigned char *dgst, int dLen,
         ret = WOLFSSL_FATAL_ERROR;
     }
 
+    /* Check hash length */
+    if ((ret == 1) &&
+        ((dLen > WC_MAX_DIGEST_SIZE) ||
+         (dLen < WC_MIN_DIGEST_SIZE))) {
+        WOLFSSL_MSG("wolfSSL_ECDSA_do_verify Bad digest size");
+        ret = WOLFSSL_FATAL_ERROR;
+    }
+
     /* Ensure internal EC key is set from external. */
     if ((ret == 1) && (key->inSet == 0)) {
         WOLFSSL_MSG("No EC key internal set, do it");
@@ -5388,6 +5396,14 @@ int wolfSSL_ECDSA_verify(int type, const unsigned char *digest, int digestSz,
         ret = 0;
     }
 
+    /* Check hash length */
+    if ((ret == 1) &&
+        ((digestSz > WC_MAX_DIGEST_SIZE) ||
+         (digestSz < WC_MIN_DIGEST_SIZE))) {
+        WOLFSSL_MSG("wolfSSL_ECDSA_verify Bad digest size");
+        ret = 0;
+    }
+
     /* Verify signature using digest and key. */
     if ((ret == 1) && (wc_ecc_verify_hash(sig, (word32)sigSz, digest,
             (word32)digestSz, &verify, (ecc_key*)key->internal) != 0)) {
diff --git a/tests/api.c b/tests/api.c
index 8f561b0648..b9a9d87193 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -12284,9 +12284,9 @@ static int test_wc_CheckCertSigPubKey(void)
     ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer, 0,
         RSAk), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
-    /* Wrong aglo. */
+    /* Wrong algo. */
     ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer,
-        keyDerSz, ECDSAk), WC_NO_ERR_TRACE(ASN_PARSE_E));
+        keyDerSz, ECDSAk), WC_NO_ERR_TRACE(ASN_SIG_OID_E));
 
     wc_FreeDecodedCert(&decoded);
     if (cert_der != NULL)
diff --git a/tests/api/api.h b/tests/api/api.h
index 7e57bb1436..d618de0cad 100644
--- a/tests/api/api.h
+++ b/tests/api/api.h
@@ -37,10 +37,32 @@
     #define HEAP_HINT NULL
 #endif
 
+#include <wolfssl/wolfcrypt/hash.h>
 
-#define TEST_STRING    "Everyone gets Friday off."
-#define TEST_STRING_SZ 25
-
+#if defined(WC_FIPS_186_5_PLUS)
+    #define TEST_STRING "WC_FIPS_186_5_PLUS test test"
+    #define TEST_STRING_SZ 28
+#elif defined(WC_FIPS_186_4_PLUS) || defined(HAVE_SELFTEST)
+    #define TEST_STRING "WC_FIPS_186_4_PLUS test.."
+    #define TEST_STRING_SZ 25
+#elif WC_MIN_DIGEST_SIZE <= 25
+    #define TEST_STRING "Everyone gets Friday off."
+    #define TEST_STRING_SZ 25
+#elif WC_MIN_DIGEST_SIZE <= 28
+    #define TEST_STRING "Everyone works the weekends."
+    #define TEST_STRING_SZ 28
+#elif WC_MIN_DIGEST_SIZE <= 32
+    #define TEST_STRING "Everyone works through the night"
+    #define TEST_STRING_SZ 32
+#elif WC_MIN_DIGEST_SIZE <= 48
+    #define TEST_STRING "Everyone gets to summer in Tuscany with Chianti."
+    #define TEST_STRING_SZ 48
+#elif WC_MIN_DIGEST_SIZE <= 64
+    #define TEST_STRING "Everyone works from Christmas Eve, clear through New Year's Day."
+    #define TEST_STRING_SZ 64
+#else
+    #error WC_MIN_DIGEST_SIZE value not supported by unit test.
+#endif
 
 #ifndef ONEK_BUF
     #define ONEK_BUF 1024
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 315d594663..fea4498637 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -16109,6 +16109,118 @@ static int DecodeDsaAsn1Sig(const byte* sig, word32 sigSz, byte* sigCpy,
 }
 #endif
 
+/* The certificate's signatureAlgorithm (sigOID) must match the issuer's
+ * key type (keyOID). sigOID picks the pre-hash; keyOID picks the
+ * verifier. They need to agree or the verifier gets the wrong input. */
+static int SigOidMatchesKeyOid(word32 sigOID, word32 keyOID)
+{
+    switch (keyOID) {
+    #ifndef NO_RSA
+        case RSAk:
+            switch (sigOID) {
+                case CTC_MD2wRSA:
+                case CTC_MD5wRSA:
+                case CTC_SHAwRSA:
+                case CTC_SHA224wRSA:
+                case CTC_SHA256wRSA:
+                case CTC_SHA384wRSA:
+                case CTC_SHA512wRSA:
+                case CTC_SHA3_224wRSA:
+                case CTC_SHA3_256wRSA:
+                case CTC_SHA3_384wRSA:
+                case CTC_SHA3_512wRSA:
+                case CTC_RSASSAPSS:
+                    return 1;
+            }
+            return 0;
+        #ifdef WC_RSA_PSS
+        case RSAPSSk:
+            return (sigOID == CTC_RSASSAPSS);
+        #endif
+    #endif
+    #if !defined(NO_DSA) && !defined(HAVE_SELFTEST)
+        case DSAk:
+            switch (sigOID) {
+                case CTC_SHAwDSA:
+                case CTC_SHA256wDSA:
+                    return 1;
+            }
+            return 0;
+    #endif
+    #if defined(HAVE_ECC) && defined(HAVE_ECC_VERIFY)
+        case ECDSAk:
+        #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+        case SM2k:
+        #endif
+            switch (sigOID) {
+                case CTC_SHAwECDSA:
+                case CTC_SHA224wECDSA:
+                case CTC_SHA256wECDSA:
+                case CTC_SHA384wECDSA:
+                case CTC_SHA512wECDSA:
+                case CTC_SHA3_224wECDSA:
+                case CTC_SHA3_256wECDSA:
+                case CTC_SHA3_384wECDSA:
+                case CTC_SHA3_512wECDSA:
+            #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+                case CTC_SM3wSM2:
+            #endif
+                    return 1;
+            }
+            return 0;
+    #endif
+    #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
+        case ED25519k:
+            return (sigOID == CTC_ED25519);
+    #endif
+    #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
+        case ED448k:
+            return (sigOID == CTC_ED448);
+    #endif
+    #if defined(HAVE_FALCON)
+        case FALCON_LEVEL1k:
+            return (sigOID == CTC_FALCON_LEVEL1);
+        case FALCON_LEVEL5k:
+            return (sigOID == CTC_FALCON_LEVEL5);
+    #endif
+    #if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \
+        !defined(WOLFSSL_DILITHIUM_NO_ASN1)
+        #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
+        case DILITHIUM_LEVEL2k:
+            return (sigOID == CTC_DILITHIUM_LEVEL2);
+        case DILITHIUM_LEVEL3k:
+            return (sigOID == CTC_DILITHIUM_LEVEL3);
+        case DILITHIUM_LEVEL5k:
+            return (sigOID == CTC_DILITHIUM_LEVEL5);
+        #endif
+        case ML_DSA_LEVEL2k:
+            return (sigOID == CTC_ML_DSA_LEVEL2);
+        case ML_DSA_LEVEL3k:
+            return (sigOID == CTC_ML_DSA_LEVEL3);
+        case ML_DSA_LEVEL5k:
+            return (sigOID == CTC_ML_DSA_LEVEL5);
+    #endif
+    #if defined(HAVE_SPHINCS)
+        case SPHINCS_FAST_LEVEL1k:
+            return (sigOID == CTC_SPHINCS_FAST_LEVEL1);
+        case SPHINCS_FAST_LEVEL3k:
+            return (sigOID == CTC_SPHINCS_FAST_LEVEL3);
+        case SPHINCS_FAST_LEVEL5k:
+            return (sigOID == CTC_SPHINCS_FAST_LEVEL5);
+        case SPHINCS_SMALL_LEVEL1k:
+            return (sigOID == CTC_SPHINCS_SMALL_LEVEL1);
+        case SPHINCS_SMALL_LEVEL3k:
+            return (sigOID == CTC_SPHINCS_SMALL_LEVEL3);
+        case SPHINCS_SMALL_LEVEL5k:
+            return (sigOID == CTC_SPHINCS_SMALL_LEVEL5);
+    #endif
+    }
+
+    /* Default to reject unknown key types */
+    (void)sigOID;
+    return 0;
+}
+
 /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */
 int ConfirmSignature(SignatureCtx* sigCtx,
     const byte* buf, word32 bufSz,
@@ -16177,6 +16289,11 @@ int ConfirmSignature(SignatureCtx* sigCtx,
 
         case SIG_STATE_HASH:
         {
+            if (!SigOidMatchesKeyOid(sigOID, keyOID)) {
+                WOLFSSL_MSG("sigOID incompatible with issuer keyOID");
+                ERROR_OUT(ASN_SIG_OID_E, exit_cs);
+            }
+
         #if !defined(NO_RSA) && defined(WC_RSA_PSS)
             if (sigOID == RSAPSSk) {
                 word32 fakeSigOID = 0;
diff --git a/wolfcrypt/src/dilithium.c b/wolfcrypt/src/dilithium.c
index fc66b43065..8e1ea8e638 100644
--- a/wolfcrypt/src/dilithium.c
+++ b/wolfcrypt/src/dilithium.c
@@ -9273,8 +9273,9 @@ static int dilithium_sign_ctx_hash_with_seed(dilithium_key* key,
     byte oidMsgHash[DILITHIUM_HASH_OID_LEN + WC_MAX_DIGEST_SIZE];
     word32 oidMsgHashLen = 0;
 
-    if ((ret == 0) && (hashLen > WC_MAX_DIGEST_SIZE)) {
-        ret = BUFFER_E;
+    /* Check that the input hash length is valid. */
+    if ((int)hashLen != wc_HashGetDigestSize((enum wc_HashType)hashAlg)) {
+        ret = BAD_LENGTH_E;
     }
 
     if (ret == 0) {
@@ -9944,6 +9945,12 @@ static int dilithium_verify_ctx_hash(dilithium_key* key, const byte* ctx,
     if (key == NULL) {
         ret = BAD_FUNC_ARG;
     }
+    /* Check that the input hash length is valid. */
+    if ((ret == 0) &&
+        ((int)hashLen != wc_HashGetDigestSize((enum wc_HashType)hashAlg)))
+    {
+        ret = BAD_LENGTH_E;
+    }
 
     if (ret == 0) {
         /* Step 6: Hash public key. */
diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c
index df05effbdc..14a9aca106 100644
--- a/wolfcrypt/src/dsa.c
+++ b/wolfcrypt/src/dsa.c
@@ -27,6 +27,7 @@
 #include <wolfssl/wolfcrypt/wolfmath.h>
 #include <wolfssl/wolfcrypt/sha.h>
 #include <wolfssl/wolfcrypt/dsa.h>
+#include <wolfssl/wolfcrypt/hash.h>
 
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
@@ -689,6 +690,12 @@ int wc_DsaSign_ex(const byte* digest, word32 digestSz, byte* out, DsaKey* key,
     if (digest == NULL || out == NULL || key == NULL || rng == NULL)
         return BAD_FUNC_ARG;
 
+    if ((digestSz > WC_MAX_DIGEST_SIZE) ||
+        (digestSz < WC_MIN_DIGEST_SIZE))
+    {
+        return BAD_LENGTH_E;
+    }
+
     SAVE_VECTOR_REGISTERS(return _svr_ret;);
 
     do {
@@ -1022,6 +1029,16 @@ int wc_DsaVerify_ex(const byte* digest, word32 digestSz, const byte* sig,
     if (digest == NULL || sig == NULL || key == NULL || answer == NULL)
         return BAD_FUNC_ARG;
 
+    /* Note the min allowed digestSz here is WC_SHA_DIGEST_SIZE, not
+     * WC_MIN_DIGEST_SIZE, to allow verify-only legacy DSA operations, as
+     * expressly allowed under FIPS 186-5, FIPS 140-3, and SP 800-131A.
+     */
+    if ((digestSz > WC_MAX_DIGEST_SIZE) ||
+        (digestSz < WC_SHA_DIGEST_SIZE))
+    {
+        return BAD_LENGTH_E;
+    }
+
     do {
 #ifdef WOLFSSL_SMALL_STACK
         w = (mp_int *)XMALLOC(sizeof *w, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index f879392939..6300abd436 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -213,6 +213,7 @@ ECC Curve Sizes:
 
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/asn.h>
+#include <wolfssl/wolfcrypt/hash.h>
 
 #ifdef WOLFSSL_HAVE_SP_ECC
 #include <wolfssl/wolfcrypt/sp.h>
@@ -223,10 +224,6 @@ ECC Curve Sizes:
     #include <wolfssl/wolfcrypt/aes.h>
 #endif
 
-#ifdef HAVE_X963_KDF
-    #include <wolfssl/wolfcrypt/hash.h>
-#endif
-
 #ifdef WOLF_CRYPTO_CB
     #include <wolfssl/wolfcrypt/cryptocb.h>
 #endif
@@ -6778,7 +6775,9 @@ int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen,
     if (in == NULL || out == NULL || outlen == NULL || key == NULL) {
         return ECC_BAD_ARG_E;
     }
-    if (inlen > WC_MAX_DIGEST_SIZE) {
+    if ((inlen > WC_MAX_DIGEST_SIZE) ||
+        (inlen < WC_MIN_DIGEST_SIZE))
+    {
         return BAD_LENGTH_E;
     }
 
@@ -7299,6 +7298,11 @@ int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, WC_RNG* rng,
    if (in == NULL || r == NULL || s == NULL || key == NULL || rng == NULL) {
        return ECC_BAD_ARG_E;
    }
+   if ((inlen > WC_MAX_DIGEST_SIZE) ||
+       (inlen < WC_MIN_DIGEST_SIZE))
+   {
+       return BAD_LENGTH_E;
+   }
 
    /* is this a private key? */
    if (key->type != ECC_PRIVATEKEY && key->type != ECC_PRIVATEKEY_ONLY) {
@@ -8576,7 +8580,10 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash,
     if (sig == NULL || hash == NULL || res == NULL || key == NULL) {
         return ECC_BAD_ARG_E;
     }
-    if (hashlen > WC_MAX_DIGEST_SIZE) {
+
+    /* Check hash length */
+    if ((hashlen > WC_MAX_DIGEST_SIZE) ||
+        (hashlen < WC_MIN_DIGEST_SIZE)) {
         return BAD_LENGTH_E;
     }
 
@@ -9284,6 +9291,12 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
    if (r == NULL || s == NULL || hash == NULL || res == NULL || key == NULL)
        return ECC_BAD_ARG_E;
 
+    /* Check hash length */
+    if ((hashlen > WC_MAX_DIGEST_SIZE) ||
+        (hashlen < WC_MIN_DIGEST_SIZE)) {
+        return BAD_LENGTH_E;
+    }
+
    /* default to invalid signature */
    *res = 0;
 
diff --git a/wolfcrypt/src/ed25519.c b/wolfcrypt/src/ed25519.c
index 425531575b..bf5cf590d0 100644
--- a/wolfcrypt/src/ed25519.c
+++ b/wolfcrypt/src/ed25519.c
@@ -389,6 +389,12 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
         return BAD_FUNC_ARG;
     }
 
+    if ((type == Ed25519ph) &&
+        (inLen != WC_SHA512_DIGEST_SIZE))
+    {
+        return BAD_LENGTH_E;
+    }
+
 #ifdef WOLF_CRYPTO_CB
     if (key->devId != INVALID_DEVID) {
         ret = wc_CryptoCb_Ed25519Sign(in, inLen, out, outLen, key, type,
@@ -897,6 +903,12 @@ int wc_ed25519_verify_msg_ex(const byte* sig, word32 sigLen, const byte* msg,
                                          (context == NULL && contextLen != 0))
         return BAD_FUNC_ARG;
 
+    if ((type == Ed25519ph) &&
+        (msgLen != WC_SHA512_DIGEST_SIZE))
+    {
+        return BAD_LENGTH_E;
+    }
+
 #ifdef WOLF_CRYPTO_CB
     if (key->devId != INVALID_DEVID) {
         ret = wc_CryptoCb_Ed25519Verify(sig, sigLen, msg, msgLen, res, key,
diff --git a/wolfcrypt/src/ed448.c b/wolfcrypt/src/ed448.c
index 37674cad51..8e43778750 100644
--- a/wolfcrypt/src/ed448.c
+++ b/wolfcrypt/src/ed448.c
@@ -371,6 +371,11 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
         ret = BAD_FUNC_ARG;
     }
 
+    if ((ret == 0) && (type == Ed448ph) && (inLen != ED448_PREHASH_SIZE))
+    {
+        ret = BAD_LENGTH_E;
+    }
+
     /* check and set up out length */
     if ((ret == 0) && (*outLen < ED448_SIG_SIZE)) {
         *outLen = ED448_SIG_SIZE;
@@ -796,6 +801,12 @@ int wc_ed448_verify_msg_ex(const byte* sig, word32 sigLen, const byte* msg,
     if (key == NULL)
         return BAD_FUNC_ARG;
 
+    if ((type == Ed448ph) &&
+        (msgLen != ED448_PREHASH_SIZE))
+    {
+        return BAD_LENGTH_E;
+    }
+
 #ifdef WOLFSSL_ED448_PERSISTENT_SHA
     sha = &key->sha;
 #else
diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c
index 4b649c3f3c..d839cdb434 100644
--- a/wolfcrypt/src/hash.c
+++ b/wolfcrypt/src/hash.c
@@ -476,6 +476,12 @@ int wc_HashGetDigestSize(enum wc_HashType hash_type)
         #endif
             break;
         case WC_HASH_TYPE_BLAKE2B:
+        #if defined(HAVE_BLAKE2B)
+            dig_size = BLAKE2B_OUTBYTES;
+        #else
+            dig_size = HASH_TYPE_E;
+        #endif
+            break;
         case WC_HASH_TYPE_BLAKE2S:
         #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
             dig_size = BLAKE2S_OUTBYTES;
@@ -626,6 +632,12 @@ int wc_HashGetBlockSize(enum wc_HashType hash_type)
         #endif
             break;
         case WC_HASH_TYPE_BLAKE2B:
+        #if defined(HAVE_BLAKE2B)
+            block_size = BLAKE2B_BLOCKBYTES;
+        #else
+            block_size = HASH_TYPE_E;
+        #endif
+            break;
         case WC_HASH_TYPE_BLAKE2S:
         #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
             block_size = BLAKE2S_BLOCKBYTES;
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 9efec15ec7..62a2b80337 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -4565,6 +4565,12 @@ static int wc_PKCS7_EcdsaVerify(wc_PKCS7* pkcs7, byte* sig, int sigSz,
     if (pkcs7 == NULL || sig == NULL)
         return BAD_FUNC_ARG;
 
+    /* Check hash length */
+    if ((hashSz > WC_MAX_DIGEST_SIZE) ||
+        (hashSz < WC_MIN_DIGEST_SIZE)) {
+        return BAD_LENGTH_E;
+    }
+
 #ifdef WOLFSSL_SMALL_STACK
     digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap,
                             DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c
index fffbaf16c3..b26620e5da 100644
--- a/wolfcrypt/src/signature.c
+++ b/wolfcrypt/src/signature.c
@@ -163,6 +163,35 @@ int wc_SignatureVerifyHash(
         WOLFSSL_MSG("wc_SignatureVerify: Invalid hash type/len");
         return ret;
     }
+
+#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    /* For WC_SIGNATURE_TYPE_RSA_W_ENC, we need to extract the actual size of
+     * the ASN.1-encoded hash.
+     */
+    if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
+        int hash_dec_len;
+        word32 idx = 0;
+        if (GetSequence(hash_data, &idx, &hash_dec_len, hash_len) < 0)
+            return ASN_PARSE_E;
+        /* skip the AlgorithmIdentifier */
+        if (GetSequence(hash_data, &idx, &hash_dec_len, hash_len) < 0)
+            return ASN_PARSE_E;
+        idx += (word32)hash_dec_len;
+        /* now sitting at the OCTET STRING containing the digest */
+        if (GetOctetString(hash_data, &idx, &hash_dec_len, hash_len) < 0)
+            return ASN_PARSE_E;
+        if (hash_dec_len != ret)
+            return BAD_LENGTH_E;
+    }
+    else
+#endif
+    {
+        if (hash_len != (word32)ret) {
+            WOLFSSL_MSG("wc_SignatureVerify: Invalid hash size");
+            return BAD_LENGTH_E;
+        }
+    }
+
     ret = 0;
 
     /* Verify signature using hash */
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 755aa94358..17016740aa 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -27130,14 +27130,16 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t dh_test(void)
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t dsa_test(void)
 {
     wc_test_ret_t ret = 0;
-    int answer;
     word32 bytes;
     word32 idx = 0;
     WC_RNG rng;
     int rng_inited = 0;
     wc_Sha sha;
     byte   hash[WC_SHA_DIGEST_SIZE];
+#ifndef WC_FIPS_186_5_PLUS
     byte   signature[40];
+    int answer;
+#endif
     int key_inited = 0;
 #ifdef WOLFSSL_KEY_GEN
     int    derSz = 0;
@@ -27223,6 +27225,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t dsa_test(void)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
     rng_inited = 1;
 
+#ifndef WC_FIPS_186_5_PLUS
     ret = wc_DsaSign(hash, signature, key, &rng);
     if (ret != 0)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
@@ -27232,6 +27235,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t dsa_test(void)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
     if (answer != 1)
         ERROR_OUT(WC_TEST_RET_ENC_NC, out);
+#endif /* !WC_FIPS_186_5_PLUS */
 
     wc_FreeDsaKey(key);
     key_inited = 0;
@@ -33216,8 +33220,30 @@ static wc_test_ret_t ecc_test_vector(int keySize)
         break;
 #endif /* HAVE_ECC192 */
 
-#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
+#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && \
+    (!defined(NO_SHA) || defined(WOLFSSL_SHA224) || \
+     (defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)))
     case 28:
+#if defined(WC_FIPS_186_5_PLUS) || defined(NO_SHA)
+        /* FIPS 186-5 Example vector -- P-224, SHA-224 */
+        /* Unhashed message: "Example of ECDSA with P-224" */
+
+        vec.msg = "\x1F\x1E\x1C\xF8\x92\x92\x6C\xFC\xCF\xC5\xA2\x8F\xEE\xF3\xD8"
+            "\x07\xD2\x3F\x77\x80\x08\xDB\xA4\xB3\x5F\x04\xB2\xFD";
+        vec.msgLen = 28;
+        vec.Qx  = "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E";
+        vec.Qy  = "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555";
+        vec.d   = "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8";
+        vec.R   = "C3A3F5B82712532004C6F6D1DB672F55D931C3409EA1216D0BE77380";
+        vec.S   = "C5AA1EAE6095DEA34C9BD84DA3852CCA41A8BD9D5548F36DABDF6617";
+        vec.curveName = "SECP224R1";
+        vec.r   = (const byte *)"\xC3\xA3\xF5\xB8\x27\x12\x53\x20\x04\xC6\xF6"
+            "\xD1\xDB\x67\x2F\x55\xD9\x31\xC3\x40\x9E\xA1\x21\x6D\x0B\xE7\x73\x80";
+        vec.rSz = 28;
+        vec.s   = (const byte *)"\xC5\xAA\x1E\xAE\x60\x95\xDE\xA3\x4C\x9B\xD8"
+            "\x4D\xA3\x85\x2C\xCA\x41\xA8\xBD\x9D\x55\x48\xF3\x6D\xAB\xDF\x66\x17";
+        vec.sSz = 28;
+#else /* !WC_FIPS_186_5_PLUS && !NO_SHA */
         /* first [P-224,SHA-1] vector from FIPS 186-3 NIST vectors */
         #if 1
             vec.msg = "\xb9\xa3\xb8\x6d\xb0\xba\x99\xfd\xc6\xd2\x94\x6b\xfe\xbe\x9c\xe8\x3f\x10\x74\xfc";
@@ -33249,8 +33275,9 @@ static wc_test_ret_t ecc_test_vector(int keySize)
                          "\x61\x91\x28\x9e\x2e\x04\xd4\x54\x93\x5d\x50\xfe"
                          "\x6a\xf3\xad\x5b";
         vec.sSz = 28;
+#endif /* !WC_FIPS_186_5_PLUS && !NO_SHA */
         break;
-#endif /* HAVE_ECC224 */
+#endif /* HAVE_ECC224 && (!NO_SHA || SHA224 || SHA3_224 */
 
 #if defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)
     case 30:
@@ -33259,6 +33286,29 @@ static wc_test_ret_t ecc_test_vector(int keySize)
 
 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
     case 32:
+#if defined(WC_FIPS_186_5_PLUS) || defined(NO_SHA)
+        /* FIPS 186-5 Example vector - P-256, SHA-256 */
+        /* Unhashed message: "Example of ECDSA with P-256" */
+
+        vec.msg = "\xA4\x1A\x41\xA1\x2A\x79\x95\x48\x21\x1C\x41\x0C\x65\xD8\x13"
+                "\x3A\xFD\xE3\x4D\x28\xBD\xD5\x42\xE4\xB6\x80\xCF\x28\x99\xC8"
+                "\xA8\xC4";
+        vec.msgLen = 32;
+        vec.Qx  = "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19";
+        vec.Qy  = "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09";
+        vec.d   = "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96";
+        vec.R   = "2B42F576D07F4165FF65D1F3B1500F81E44C316F1F0B3EF57325B69ACA46104F";
+        vec.S   = "DC42C2122D6392CD3E3A993A89502A8198C1886FE69D262C4B329BDB6B63FAF1";
+        vec.curveName = "SECP256R1";
+        vec.r   = (const byte *)"\x2B\x42\xF5\x76\xD0\x7F\x41\x65\xFF\x65\xD1"
+                "\xF3\xB1\x50\x0F\x81\xE4\x4C\x31\x6F\x1F\x0B\x3E\xF5\x73\x25"
+                "\xB6\x9A\xCA\x46\x10\x4F";
+        vec.rSz = 32;
+        vec.s   = (const byte *)"\xDC\x42\xC2\x12\x2D\x63\x92\xCD\x3E\x3A\x99"
+                "\x3A\x89\x50\x2A\x81\x98\xC1\x88\x6F\xE6\x9D\x26\x2C\x4B\x32"
+                "\x9B\xDB\x6B\x63\xFA\xF1";
+        vec.sSz = 32;
+#else /* !WC_FIPS_186_5_PLUS && !NO_SHA */
         /* first [P-256,SHA-1] vector from FIPS 186-3 NIST vectors */
         #if 1
             vec.msg = "\xa3\xf9\x1a\xe2\x1b\xa6\xb3\x03\x98\x64\x47\x2f\x18\x41\x44\xc6\xaf\x62\xcd\x0e";
@@ -33290,6 +33340,7 @@ static wc_test_ret_t ecc_test_vector(int keySize)
                          "\x5a\x21\x48\xae\x32\xe3\xa2\x48";
         vec.sSz = 32;
         vec.curveName = "SECP256R1";
+#endif /* !WC_FIPS_186_5_PLUS && !NO_SHA */
         break;
 #endif /* !NO_ECC256 */
 
@@ -33300,6 +33351,37 @@ static wc_test_ret_t ecc_test_vector(int keySize)
 
 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
     case 48:
+#if defined(WC_FIPS_186_5_PLUS) || defined(NO_SHA)
+        /* FIPS 186-5 Example vector -- P-384, SHA-384 */
+        /* Unhashed message: "Example of ECDSA with P-384" */
+
+        vec.msg = "\x5A\xEA\x18\x7D\x1C\x4F\x6E\x1B\x35\x05\x7D\x20\x12\x6D\x83"
+                  "\x6C\x6A\xDB\xBC\x70\x49\xEE\x02\x99\xC9\x52\x9F\x5E\x0B\x3F"
+                  "\x8B\x5A\x74\x11\x14\x9D\x6C\x30\xD6\xCB\x2B\x8A\xF7\x0E\x0A"
+                  "\x78\x1E\x89";
+        vec.msgLen = 48;
+        vec.Qx  = "3BF701BC9E9D36B4D5F1455343F09126F2564390F2B487365071243C61E6"
+                  "471FB9D2AB74657B82F9086489D9EF0F5CB5";
+        vec.Qy  = "D1A358EAFBF952E68D533855CCBDAA6FF75B137A5101443199325583552A"
+                  "6295FFE5382D00CFCDA30344A9B5B68DB855";
+        vec.d   = "F92C02ED629E4B48C0584B1C6CE3A3E3B4FAAE4AFC6ACB0455E73DFC392E"
+                  "6A0AE393A8565E6B9714D1224B57D83F8A08";
+        vec.R   = "30EA514FC0D38D8208756F068113C7CADA9F66A3B40EA3B313D040D9B57D"
+                  "D41A332795D02CC7D507FCEF9FAF01A27088";
+        vec.S   = "CC808E504BE414F46C9027BCBF78ADF067A43922D6FCAA66C4476875FBB7"
+                  "B94EFD1F7D5DBE620BFB821C46D549683AD8";
+        vec.curveName = "SECP384R1";
+        vec.r   = (const byte *)"\x30\xEA\x51\x4F\xC0\xD3\x8D\x82\x08\x75\x6F"
+                  "\x06\x81\x13\xC7\xCA\xDA\x9F\x66\xA3\xB4\x0E\xA3\xB3\x13\xD0"
+                  "\x40\xD9\xB5\x7D\xD4\x1A\x33\x27\x95\xD0\x2C\xC7\xD5\x07\xFC"
+                  "\xEF\x9F\xAF\x01\xA2\x70\x88";
+        vec.rSz = 48;
+        vec.s   = (const byte *)"\xCC\x80\x8E\x50\x4B\xE4\x14\xF4\x6C\x90\x27"
+                  "\xBC\xBF\x78\xAD\xF0\x67\xA4\x39\x22\xD6\xFC\xAA\x66\xC4\x47"
+                  "\x68\x75\xFB\xB7\xB9\x4E\xFD\x1F\x7D\x5D\xBE\x62\x0B\xFB\x82"
+                  "\x1C\x46\xD5\x49\x68\x3A\xD8";
+        vec.sSz = 48;
+#else /* !WC_FIPS_186_5_PLUS && !NO_SHA */
         /* first [P-384,SHA-1] vector from FIPS 186-3 NIST vectors */
         #if 1
             vec.msg = "\x9b\x9f\x8c\x95\x35\xa5\xca\x26\x60\x5d\xb7\xf2\xfa\x57\x3b\xdf\xc3\x2e\xab\x8b";
@@ -33333,6 +33415,7 @@ static wc_test_ret_t ecc_test_vector(int keySize)
                          "\x8e\x93\x56\x74\x1f\x23\xc9\x6c\x14\x71\x42\x21"
                          "\x07\x8d\xbd\x5c\x17\xf4\xfd\xd8\x9b\x32\xa9\x07";
         vec.sSz = 48;
+#endif /* !WC_FIPS_186_5_PLUS && !NO_SHA */
         break;
 #endif /* HAVE_ECC384 */
 
@@ -33343,6 +33426,45 @@ static wc_test_ret_t ecc_test_vector(int keySize)
 
 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
     case 66:
+#if defined(WC_FIPS_186_5_PLUS) || defined(NO_SHA)
+        /* FIPS 186-5 Example vector -- P-521, SHA-512 */
+        /* Unhashed message: "Example of ECDSA with P-521" */
+
+        vec.msg = "\x9B\xF0\xE1\xDE\xED\xA3\x1E\x00\xF9\x25\xB7\x7F\x7C\xB6\xB1"
+                  "\xCE\xD7\x36\x8D\xE1\xDC\x75\xBB\x9F\x94\x58\x2C\x1C\xA7\x09"
+                  "\x20\x5D\x32\xAF\x90\x02\x5B\x02\xFA\x13\x2F\xBE\xBD\x6C\xDD"
+                  "\xCD\x91\x72\xC0\xD6\x6D\x8E\x58\x17\x67\xA8\xB6\xF7\x1D\xE6"
+                  "\x0B\xE1\xF9\x32";
+        vec.msgLen = 64;
+        vec.Qx  = "98E91EEF9A68452822309C52FAB453F5F117C1DA8ED796B255E9AB8F6410"
+                  "CCA16E59DF403A6BDC6CA467A37056B1E54B3005D8AC030DECFEB68DF18B"
+                  "171885D5C4";
+        vec.Qy  = "164350C321AECFC1CCA1BA4364C9B15656150B4B78D6A48D7D28E7F31985"
+                  "EF17BE8554376B72900712C4B83AD668327231526E313F5F092999A4632F"
+                  "D50D946BC2E";
+        vec.d   = "100085F47B8E1B8B11B7EB33028C0B2888E304BFC98501955B45BBA1478D"
+                  "C184EEEDF09B86A5F7C21994406072787205E69A63709FE35AA93BA33351"
+                  "4B24F961722";
+        vec.R   = "140C8EDCA57108CE3F7E7A240DDD3AD74D81E2DE62451FC1D558FDC79269"
+                  "ADACD1C2526EEEEF32F8C0432A9D56E2B4A8A732891C37C9B96641A9254C"
+                  "CFE5DC3E2BA";
+        vec.S   = "D72F15229D0096376DA6651D9985BFD7C07F8D49583B545DB3EAB20E0A2C"
+                  "1E8615BD9E298455BDEB6B61378E77AF1C54EEE2CE37B2C61F5C9A823295"
+                  "1CB988B5B1";
+        vec.curveName = "SECP521R1";
+        vec.r   = (const byte *)"\x01\x40\xC8\xED\xCA\x57\x10\x8C\xE3\xF7\xE7"
+                  "\xA2\x40\xDD\xD3\xAD\x74\xD8\x1E\x2D\xE6\x24\x51\xFC\x1D\x55"
+                  "\x8F\xDC\x79\x26\x9A\xDA\xCD\x1C\x25\x26\xEE\xEE\xF3\x2F\x8C"
+                  "\x04\x32\xA9\xD5\x6E\x2B\x4A\x8A\x73\x28\x91\xC3\x7C\x9B\x96"
+                  "\x64\x1A\x92\x54\xCC\xFE\x5D\xC3\xE2\xBA";
+        vec.rSz = 66;
+        vec.s   = (const byte *)"\xD7\x2F\x15\x22\x9D\x00\x96\x37\x6D\xA6\x65"
+                  "\x1D\x99\x85\xBF\xD7\xC0\x7F\x8D\x49\x58\x3B\x54\x5D\xB3\xEA"
+                  "\xB2\x0E\x0A\x2C\x1E\x86\x15\xBD\x9E\x29\x84\x55\xBD\xEB\x6B"
+                  "\x61\x37\x8E\x77\xAF\x1C\x54\xEE\xE2\xCE\x37\xB2\xC6\x1F\x5C"
+                  "\x9A\x82\x32\x95\x1C\xB9\x88\xB5\xB1";
+        vec.sSz = 65;
+#else /* !WC_FIPS_186_5_PLUS && !NO_SHA */
         /* first [P-521,SHA-1] vector from FIPS 186-3 NIST vectors */
         #if 1
             vec.msg = "\x1b\xf7\x03\x9c\xca\x23\x94\x27\x3f\x11\xa1\xd4\x8d\xcc\xb4\x46\x6f\x31\x61\xdf";
@@ -33380,6 +33502,7 @@ static wc_test_ret_t ecc_test_vector(int keySize)
                          "\xdf\xf9\x0c\x34\x68\x4c\xdb\xe7\xbb\x66\x9b\x6c"
                          "\x3d\x22\xf2\x48\x0c";
         vec.sSz = 65;
+#endif /* !WC_FIPS_186_5_PLUS && !NO_SHA */
         break;
 #endif /* HAVE_ECC521 */
     default:
@@ -34115,7 +34238,9 @@ static wc_test_ret_t ecc_test_make_pub(WC_RNG* rng)
     byte exportBuf[ECC_BUFSIZE];
     byte tmp[ECC_BUFSIZE];
 #endif
-    const byte* msg = (const byte*)"test wolfSSL ECC public gen";
+    static const byte msg[] =
+        "All we have to decide is what to do with the time that is given ";
+    wc_static_assert(sizeof(msg) >= WC_MAX_DIGEST_SIZE);
     word32 x;
     word32 tmpSz;
     wc_test_ret_t ret = 0;
@@ -34267,7 +34392,7 @@ static wc_test_ret_t ecc_test_make_pub(WC_RNG* rng)
         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
     #endif
         if (ret == 0) {
-            ret = wc_ecc_sign_hash(msg, (word32)XSTRLEN((const char* )msg), tmp,
+            ret = wc_ecc_sign_hash(msg, WC_MAX_DIGEST_SIZE, tmp,
                 &tmpSz, rng, key);
         }
     } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
@@ -34284,7 +34409,7 @@ static wc_test_ret_t ecc_test_make_pub(WC_RNG* rng)
     #endif
         if (ret == 0) {
             ret = wc_ecc_verify_hash(tmp, tmpSz, msg,
-                (word32)XSTRLEN((const char*)msg), &verify, key);
+                WC_MAX_DIGEST_SIZE, &verify, key);
         }
     } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
     if (ret != 0)
diff --git a/wolfssl/wolfcrypt/blake2.h b/wolfssl/wolfcrypt/blake2.h
index 48bdaed5e7..e412e9b4fd 100644
--- a/wolfssl/wolfcrypt/blake2.h
+++ b/wolfssl/wolfcrypt/blake2.h
@@ -51,18 +51,16 @@
 #endif
 
 /* in bytes, variable digest size up to 512 bits (64 bytes) */
-enum {
 #ifdef HAVE_BLAKE2B
-    BLAKE2B_ID  = WC_HASH_TYPE_BLAKE2B,
-    BLAKE2B_256 = 32,  /* 256 bit type, SSL default */
-    WC_BLAKE2B_DIGEST_SIZE = 64,
+    #define BLAKE2B_ID  WC_HASH_TYPE_BLAKE2B
+    #define BLAKE2B_256 32  /* 256 bit type, SSL default */
+    #define WC_BLAKE2B_DIGEST_SIZE 64
 #endif
 #ifdef HAVE_BLAKE2S
-    BLAKE2S_ID  = WC_HASH_TYPE_BLAKE2S,
-    BLAKE2S_256 = 32,  /* 256 bit type */
-    WC_BLAKE2S_DIGEST_SIZE = 32
+    #define BLAKE2S_ID WC_HASH_TYPE_BLAKE2S
+    #define BLAKE2S_256 32  /* 256 bit type */
+    #define WC_BLAKE2S_DIGEST_SIZE 32
 #endif
-};
 
 
 #ifdef HAVE_BLAKE2B
diff --git a/wolfssl/wolfcrypt/hash.h b/wolfssl/wolfcrypt/hash.h
index 5e9a7088fa..e3c630cded 100644
--- a/wolfssl/wolfcrypt/hash.h
+++ b/wolfssl/wolfcrypt/hash.h
@@ -160,6 +160,78 @@ typedef struct {
     #define WC_MAX_BLOCK_SIZE  128
 #endif
 
+#if defined(WC_HASH_CUSTOM_MAX_DIGEST_SIZE) && \
+    defined(WC_HASH_CUSTOM_MIN_DIGEST_SIZE)
+    #if WC_HASH_CUSTOM_MAX_DIGEST_SIZE < \
+        WC_HASH_CUSTOM_MIN_DIGEST_SIZE
+        #error HASH_CUSTOM_MAX_DIGEST_SIZE < WC_HASH_CUSTOM_MIN_DIGEST_SIZE
+    #endif
+#endif
+#ifdef WC_HASH_CUSTOM_MAX_DIGEST_SIZE
+    #undef WC_MAX_DIGEST_SIZE
+    #define WC_MAX_DIGEST_SIZE WC_HASH_CUSTOM_MAX_DIGEST_SIZE
+#endif
+#ifdef WC_HASH_CUSTOM_MAX_BLOCK_SIZE
+    #undef WC_MAX_BLOCK_SIZE
+    #define WC_MAX_BLOCK_SIZE WC_HASH_CUSTOM_MAX_BLOCK_SIZE
+#endif
+
+#if defined(WC_HASH_CUSTOM_MIN_DIGEST_SIZE)
+    #if defined(WC_FIPS_186_5_PLUS) && \
+            (WC_HASH_CUSTOM_MIN_DIGEST_SIZE < 224 / 8)
+        #error FIPS 186-5 requires a minimum hash size >= SHA-224.
+    #elif defined(WC_FIPS_186_4) && \
+            (WC_HASH_CUSTOM_MIN_DIGEST_SIZE < 160 / 8)
+        #error FIPS 186-4 requires a minimum hash size >= SHA-1.
+    #elif (WC_HASH_CUSTOM_MIN_DIGEST_SIZE < 128 / 8)
+        #error WC_HASH_CUSTOM_MIN_DIGEST_SIZE is too small.
+    #endif
+    /* Let the user override the minimum digest size */
+    #define WC_MIN_DIGEST_SIZE WC_HASH_CUSTOM_MIN_DIGEST_SIZE
+#elif defined(WOLFSSL_MD2) && !defined(WC_FIPS_186_4_PLUS)
+    #define WC_MIN_DIGEST_SIZE WC_MD2_DIGEST_SIZE /* 16 */
+#elif !defined(NO_MD4) && !defined(WC_FIPS_186_4_PLUS)
+    #define WC_MIN_DIGEST_SIZE WC_MD4_DIGEST_SIZE /* 16 */
+#elif !defined(NO_MD5) && !defined(WC_FIPS_186_4_PLUS)
+    #define WC_MIN_DIGEST_SIZE WC_MD5_DIGEST_SIZE /* 16 */
+#elif !defined(NO_SHA) && !defined(WC_FIPS_186_5_PLUS)
+    #define WC_MIN_DIGEST_SIZE WC_SHA_DIGEST_SIZE /* 20 */
+#elif defined(WOLFSSL_SHA224)
+    #define WC_MIN_DIGEST_SIZE WC_SHA224_DIGEST_SIZE
+#elif !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
+    defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
+    #define WC_MIN_DIGEST_SIZE WC_SHA512_224_DIGEST_SIZE
+#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
+    #define WC_MIN_DIGEST_SIZE WC_SHA3_224_DIGEST_SIZE
+#elif !defined(NO_SHA256)
+    #define WC_MIN_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
+#elif !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
+    defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
+    #define WC_MIN_DIGEST_SIZE WC_SHA512_256_DIGEST_SIZE
+#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
+    #define WC_MIN_DIGEST_SIZE WC_SHA3_256_DIGEST_SIZE
+#elif defined(HAVE_BLAKE2S)
+    #define WC_MIN_DIGEST_SIZE BLAKE2S_OUTBYTES /* 32 */
+#elif defined(WOLFSSL_SM3)
+    #define WC_MIN_DIGEST_SIZE WC_SM3_DIGEST_SIZE /* 32 */
+#elif defined(WOLFSSL_SHA384)
+    #define WC_MIN_DIGEST_SIZE WC_SHA384_DIGEST_SIZE
+#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
+    #define WC_MIN_DIGEST_SIZE WC_SHA3_384_DIGEST_SIZE
+#elif defined(WOLFSSL_SHA512)
+    #define WC_MIN_DIGEST_SIZE WC_SHA512_DIGEST_SIZE
+#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
+    #define WC_MIN_DIGEST_SIZE WC_SHA3_512_DIGEST_SIZE
+#elif defined(HAVE_BLAKE2B)
+    #define WC_MIN_DIGEST_SIZE BLAKE2B_OUTBYTES /* 64 */
+#elif defined(WOLFSSL_SHAKE128) || defined(WOLFSSL_SHAKE256)
+    #error SHAKE enabled without SHA-3.
+    #define WC_MIN_DIGEST_SIZE 64
+#else
+    #error No builtin hashes enabled and no WC_HASH_CUSTOM_MIN_DIGEST_SIZE.
+    #define WC_MIN_DIGEST_SIZE 64
+#endif
+
 #if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC)
 WOLFSSL_API int wc_HashGetOID(enum wc_HashType hash_type);
 WOLFSSL_API enum wc_HashType wc_OidGetHash(int oid);
diff --git a/wolfssl/wolfcrypt/md2.h b/wolfssl/wolfcrypt/md2.h
index ee6a73150f..3c8826dd67 100644
--- a/wolfssl/wolfcrypt/md2.h
+++ b/wolfssl/wolfcrypt/md2.h
@@ -36,12 +36,10 @@
 #endif
 
 /* in bytes */
-enum {
-    WC_MD2_BLOCK_SIZE  = 16,
-    WC_MD2_DIGEST_SIZE = 16,
-    WC_MD2_PAD_SIZE    = 16,
-    WC_MD2_X_SIZE      = 48
-};
+#define WC_MD2_BLOCK_SIZE  16
+#define WC_MD2_DIGEST_SIZE 16
+#define WC_MD2_PAD_SIZE    16
+#define WC_MD2_X_SIZE      48
 
 
 /* Md2 digest */
@@ -60,13 +58,11 @@ WOLFSSL_API int  wc_Md2Hash(const byte* data, word32 len, byte* hash);
 
 #ifndef OPENSSL_COEXIST
 
-enum {
-    MD2             = WC_HASH_TYPE_MD2,
-    MD2_BLOCK_SIZE  = WC_MD2_BLOCK_SIZE,
-    MD2_DIGEST_SIZE = WC_MD2_DIGEST_SIZE,
-    MD2_PAD_SIZE    = WC_MD2_PAD_SIZE,
-    MD2_X_SIZE      = WC_MD2_X_SIZE
-};
+#define MD2             WC_HASH_TYPE_MD2,
+#define MD2_BLOCK_SIZE  WC_MD2_BLOCK_SIZE,
+#define MD2_DIGEST_SIZE WC_MD2_DIGEST_SIZE,
+#define MD2_PAD_SIZE    WC_MD2_PAD_SIZE,
+#define MD2_X_SIZE      WC_MD2_X_SIZE
 
 
 /* Md2 digest */
diff --git a/wolfssl/wolfcrypt/md4.h b/wolfssl/wolfcrypt/md4.h
index ca66bafeaf..65ed6bd5ff 100644
--- a/wolfssl/wolfcrypt/md4.h
+++ b/wolfssl/wolfcrypt/md4.h
@@ -35,11 +35,9 @@
 #endif
 
 /* in bytes */
-enum {
-    WC_MD4_BLOCK_SIZE  = 64,
-    WC_MD4_DIGEST_SIZE = 16,
-    WC_MD4_PAD_SIZE    = 56
-};
+#define WC_MD4_BLOCK_SIZE  64
+#define WC_MD4_DIGEST_SIZE 16
+#define WC_MD4_PAD_SIZE    56
 
 /* MD4 digest */
 typedef struct wc_Md4 {
@@ -56,12 +54,10 @@ WOLFSSL_API void wc_Md4Final(wc_Md4* md4, byte* hash);
 
 #ifndef OPENSSL_COEXIST
 
-enum {
-    MD4             = WC_HASH_TYPE_MD4,
-    MD4_BLOCK_SIZE  = WC_MD4_BLOCK_SIZE,
-    MD4_DIGEST_SIZE = WC_MD4_DIGEST_SIZE,
-    MD4_PAD_SIZE    = WC_MD4_PAD_SIZE
-};
+#define MD4             WC_HASH_TYPE_MD4,
+#define MD4_BLOCK_SIZE  WC_MD4_BLOCK_SIZE,
+#define MD4_DIGEST_SIZE WC_MD4_DIGEST_SIZE,
+#define MD4_PAD_SIZE    WC_MD4_PAD_SIZE
 
 typedef struct wc_Md4 Md4;
 
diff --git a/wolfssl/wolfcrypt/md5.h b/wolfssl/wolfcrypt/md5.h
index 3ee62544ef..7f13cf55ef 100644
--- a/wolfssl/wolfcrypt/md5.h
+++ b/wolfssl/wolfcrypt/md5.h
@@ -55,16 +55,14 @@
     #define Md5             wc_Md5
     #define MD5_BLOCK_SIZE  WC_MD5_BLOCK_SIZE
     #define MD5_DIGEST_SIZE WC_MD5_DIGEST_SIZE
-    #define WC_MD5_PAD_SIZE WC_MD5_PAD_SIZE
+    #define MD5_PAD_SIZE    WC_MD5_PAD_SIZE
 #endif
 
 /* in bytes */
-enum {
-    WC_MD5             =  WC_HASH_TYPE_MD5,
-    WC_MD5_BLOCK_SIZE  = 64,
-    WC_MD5_DIGEST_SIZE = 16,
-    WC_MD5_PAD_SIZE    = 56
-};
+#define WC_MD5             WC_HASH_TYPE_MD5
+#define WC_MD5_BLOCK_SIZE  64
+#define WC_MD5_DIGEST_SIZE 16
+#define WC_MD5_PAD_SIZE    56
 
 
 #ifdef WOLFSSL_MICROCHIP_PIC32MZ
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index a0c79c5e84..30449301ac 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -459,6 +459,29 @@
     (WOLFSSL_FIPS_VERSION_CODE > WOLFSSL_MAKE_FIPS_VERSION3(major,minor,patch))
 #define FIPS_VERSION3_NE(major,minor,patch) \
     (WOLFSSL_FIPS_VERSION_CODE != WOLFSSL_MAKE_FIPS_VERSION3(major,minor,patch))
+
+#ifdef HAVE_FIPS
+    #if FIPS_VERSION3_GE(7,0,0)
+        #ifndef WC_FIPS_186_5
+            #define WC_FIPS_186_5
+        #endif
+    #else
+        #ifndef WC_FIPS_186_4
+            #define WC_FIPS_186_4
+        #endif
+    #endif
+#endif
+#if defined(WC_FIPS_186_4) && defined(WC_FIPS_186_5)
+    #error Conflicting FIPS 186 settings.
+#endif
+#if (defined(WC_FIPS_186_4) || defined(WC_FIPS_186_5)) && \
+        !defined(WC_FIPS_186_4_PLUS)
+    #define WC_FIPS_186_4_PLUS
+#endif
+#if defined(WC_FIPS_186_5) && !defined(WC_FIPS_186_5_PLUS)
+    #define WC_FIPS_186_5_PLUS
+#endif
+
 /*------------------------------------------------------------*/
 
 
diff --git a/wolfssl/wolfcrypt/sha.h b/wolfssl/wolfcrypt/sha.h
index 195aa574ed..adda36320b 100644
--- a/wolfssl/wolfcrypt/sha.h
+++ b/wolfssl/wolfcrypt/sha.h
@@ -101,12 +101,10 @@
 #endif
 
 /* in bytes */
-enum {
-    WC_SHA              =  WC_HASH_TYPE_SHA,
-    WC_SHA_BLOCK_SIZE   = 64,
-    WC_SHA_DIGEST_SIZE  = 20,
-    WC_SHA_PAD_SIZE     = 56
-};
+#define WC_SHA              WC_HASH_TYPE_SHA
+#define WC_SHA_BLOCK_SIZE   64
+#define WC_SHA_DIGEST_SIZE  20
+#define WC_SHA_PAD_SIZE     56
 
 
 #if defined(WOLFSSL_TI_HASH)
diff --git a/wolfssl/wolfcrypt/sha256.h b/wolfssl/wolfcrypt/sha256.h
index 740c1d6e54..dd69f57603 100644
--- a/wolfssl/wolfcrypt/sha256.h
+++ b/wolfssl/wolfcrypt/sha256.h
@@ -116,12 +116,10 @@
 #endif
 
 /* in bytes */
-enum {
-    WC_SHA256              =  WC_HASH_TYPE_SHA256,
-    WC_SHA256_BLOCK_SIZE   = 64,
-    WC_SHA256_DIGEST_SIZE  = 32,
-    WC_SHA256_PAD_SIZE     = 56
-};
+#define WC_SHA256              WC_HASH_TYPE_SHA256
+#define WC_SHA256_BLOCK_SIZE   64
+#define WC_SHA256_DIGEST_SIZE  32
+#define WC_SHA256_PAD_SIZE     56
 
 
 #ifdef WOLFSSL_TI_HASH
@@ -303,12 +301,10 @@ WOLFSSL_API void wc_Sha256SizeSet(wc_Sha256* sha256, word32 len);
 #endif
 
 /* in bytes */
-enum {
-    WC_SHA224              =   WC_HASH_TYPE_SHA224,
-    WC_SHA224_BLOCK_SIZE   =   WC_SHA256_BLOCK_SIZE,
-    WC_SHA224_DIGEST_SIZE  =   28,
-    WC_SHA224_PAD_SIZE     =   WC_SHA256_PAD_SIZE
-};
+#define WC_SHA224             WC_HASH_TYPE_SHA224
+#define WC_SHA224_BLOCK_SIZE  WC_SHA256_BLOCK_SIZE
+#define WC_SHA224_DIGEST_SIZE 28
+#define WC_SHA224_PAD_SIZE    WC_SHA256_PAD_SIZE
 
 
 #ifndef WC_SHA224_TYPE_DEFINED
diff --git a/wolfssl/wolfcrypt/sha512.h b/wolfssl/wolfcrypt/sha512.h
index 02ca55b9cb..292021c44b 100644
--- a/wolfssl/wolfcrypt/sha512.h
+++ b/wolfssl/wolfcrypt/sha512.h
@@ -98,28 +98,26 @@
 #endif /* WOLFSSL_SHA512 */
 
 /* in bytes */
-enum {
 #ifdef WOLFSSL_SHA512
-    WC_SHA512              =   WC_HASH_TYPE_SHA512,
+    #define WC_SHA512              WC_HASH_TYPE_SHA512
     #ifndef WOLFSSL_NOSHA512_224
-    WC_SHA512_224          =   WC_HASH_TYPE_SHA512_224,
+    #define WC_SHA512_224          WC_HASH_TYPE_SHA512_224
     #endif
     #ifndef WOLFSSL_NOSHA512_256
-    WC_SHA512_256          =   WC_HASH_TYPE_SHA512_256,
+    #define WC_SHA512_256          WC_HASH_TYPE_SHA512_256
     #endif
 #endif
-    WC_SHA512_BLOCK_SIZE   = 128,
-    WC_SHA512_DIGEST_SIZE  =  64,
-    WC_SHA512_PAD_SIZE     = 112,
+    #define WC_SHA512_BLOCK_SIZE   128
+    #define WC_SHA512_DIGEST_SIZE   64
+    #define WC_SHA512_PAD_SIZE     112
 
-    WC_SHA512_224_BLOCK_SIZE  = WC_SHA512_BLOCK_SIZE,
-    WC_SHA512_224_DIGEST_SIZE = 28,
-    WC_SHA512_224_PAD_SIZE    = WC_SHA512_PAD_SIZE,
+    #define WC_SHA512_224_BLOCK_SIZE  WC_SHA512_BLOCK_SIZE
+    #define WC_SHA512_224_DIGEST_SIZE 28
+    #define WC_SHA512_224_PAD_SIZE    WC_SHA512_PAD_SIZE
 
-    WC_SHA512_256_BLOCK_SIZE  = WC_SHA512_BLOCK_SIZE,
-    WC_SHA512_256_DIGEST_SIZE = 32,
-    WC_SHA512_256_PAD_SIZE    = WC_SHA512_PAD_SIZE
-};
+    #define WC_SHA512_256_BLOCK_SIZE  WC_SHA512_BLOCK_SIZE
+    #define WC_SHA512_256_DIGEST_SIZE 32
+    #define WC_SHA512_256_PAD_SIZE    WC_SHA512_PAD_SIZE
 
 
 #if defined(WOLFSSL_IMX6_CAAM) && !defined(WOLFSSL_QNX_CAAM)
@@ -321,12 +319,10 @@ WOLFSSL_API int wc_Sha512_256Transform(wc_Sha512* sha,
 #endif
 
 /* in bytes */
-enum {
-    WC_SHA384              =   WC_HASH_TYPE_SHA384,
-    WC_SHA384_BLOCK_SIZE   =   WC_SHA512_BLOCK_SIZE,
-    WC_SHA384_DIGEST_SIZE  =   48,
-    WC_SHA384_PAD_SIZE     =   WC_SHA512_PAD_SIZE
-};
+    #define WC_SHA384              WC_HASH_TYPE_SHA384
+    #define WC_SHA384_BLOCK_SIZE   WC_SHA512_BLOCK_SIZE
+    #define WC_SHA384_DIGEST_SIZE  48
+    #define WC_SHA384_PAD_SIZE     WC_SHA512_PAD_SIZE
 
 
 #ifndef WC_SHA384_TYPE_DEFINED