From 0d67d2de601f73cdff67561928f1d311b9303e8b Mon Sep 17 00:00:00 2001
From: "J. Nick Koston" <nick@home-assistant.io>
Date: Sun, 21 Sep 2025 15:36:27 -0600
Subject: [PATCH] preen

---
 esphome/components/esphome/ota/__init__.py     | 9 +++++----
 esphome/components/esphome/ota/ota_esphome.cpp | 6 ++++++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/esphome/components/esphome/ota/__init__.py b/esphome/components/esphome/ota/__init__.py
index 72a690b926..e6f249e021 100644
--- a/esphome/components/esphome/ota/__init__.py
+++ b/esphome/components/esphome/ota/__init__.py
@@ -140,13 +140,14 @@ async def to_code(config):
     var = cg.new_Pvariable(config[CONF_ID])
     cg.add(var.set_port(config[CONF_PORT]))
 
-    # Only include SHA256 support on platforms that have it
-    if supports_sha256():
-        cg.add_define("USE_OTA_SHA256")
-
     if CONF_PASSWORD in config:
         cg.add(var.set_auth_password(config[CONF_PASSWORD]))
         cg.add_define("USE_OTA_PASSWORD")
+        # Only include hash algorithms when password is configured
+        cg.add_define("USE_OTA_MD5")
+        # Only include SHA256 support on platforms that have it
+        if supports_sha256():
+            cg.add_define("USE_OTA_SHA256")
     cg.add_define("USE_OTA_VERSION", config[CONF_VERSION])
 
     await cg.register_component(var, config)
diff --git a/esphome/components/esphome/ota/ota_esphome.cpp b/esphome/components/esphome/ota/ota_esphome.cpp
index a07e94b09b..f503ff795e 100644
--- a/esphome/components/esphome/ota/ota_esphome.cpp
+++ b/esphome/components/esphome/ota/ota_esphome.cpp
@@ -1,6 +1,8 @@
 #include "ota_esphome.h"
 #ifdef USE_OTA
+#ifdef USE_OTA_MD5
 #include "esphome/components/md5/md5.h"
+#endif
 #ifdef USE_OTA_SHA256
 #include "esphome/components/sha256/sha256.h"
 #endif
@@ -269,10 +271,12 @@ void ESPHomeOTAComponent::handle_data_() {
       auth_success = this->perform_hash_auth_(&sha_hasher, this->password_, 16, ota::OTA_RESPONSE_REQUEST_SHA256_AUTH,
                                               LOG_STR("SHA256"), sbuf);
     } else {
+#ifdef USE_OTA_MD5
       ESP_LOGW(TAG, "Using MD5 auth for compatibility (deprecated)");
       md5::MD5Digest md5_hasher;
       auth_success = this->perform_hash_auth_(&md5_hasher, this->password_, 8, ota::OTA_RESPONSE_REQUEST_AUTH,
                                               LOG_STR("MD5"), sbuf);
+#endif  // USE_OTA_MD5
     }
 #else
     // Strict mode: SHA256 required on capable platforms (future default)
@@ -288,9 +292,11 @@ void ESPHomeOTAComponent::handle_data_() {
 #else
     // Platform only supports MD5 - use it as the only available option
     // This is not a security downgrade as the platform cannot support SHA256
+#ifdef USE_OTA_MD5
     md5::MD5Digest md5_hasher;
     auth_success =
         this->perform_hash_auth_(&md5_hasher, this->password_, 8, ota::OTA_RESPONSE_REQUEST_AUTH, LOG_STR("MD5"), sbuf);
+#endif  // USE_OTA_MD5
 #endif  // USE_OTA_SHA256
 
     if (!auth_success) {