From df9633b21cd4888ab0c0bbeb5ad2386b575c6c92 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Mon, 26 Aug 2019 13:24:31 +0100
Subject: [PATCH 1/6] Add missing dependency of RSA test on CTR DRBG

---
 tests/suites/test_suite_rsa.function | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function
index 89c84e8ca..f2a9b9878 100644
--- a/tests/suites/test_suite_rsa.function
+++ b/tests/suites/test_suite_rsa.function
@@ -1506,7 +1506,7 @@ exit:
 }
 /* END_CASE */
 
-/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_C:ENTROPY_HAVE_STRONG */
+/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C:ENTROPY_HAVE_STRONG */
 void mbedtls_rsa_validate_params( int radix_N, char *input_N,
                                   int radix_P, char *input_P,
                                   int radix_Q, char *input_Q,

From 7f1c805b23c398150bc27b9a08790a82ca5986de Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Mon, 26 Aug 2019 13:30:13 +0100
Subject: [PATCH 2/6] Allow ssl_client2/ssl_server2 to use HMAC DRBG instead of
 CTR DRBG

So far, ssl_client2 and ssl_server2 were relying on MBEDTLS_CTR_DRBG_C
being set. This commit adapts them to use HMAC DRBG in case CTR DRBG
is disabled in the configuration.

Note that disabling CTR DRBG in favor of HMAC DRBG can be useful on
constrained systems because Mbed TLS' HMAC DRBG is slightly smaller,
and moreover needed anyway as part of deterministic ECDSA.
---
 programs/ssl/ssl_client2.c | 64 ++++++++++++++++++++++++++++-----
 programs/ssl/ssl_server2.c | 73 ++++++++++++++++++++++++++++++++------
 2 files changed, 118 insertions(+), 19 deletions(-)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 2aa49503e..cd02fcb50 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -43,13 +43,16 @@
 #endif
 
 #if !defined(MBEDTLS_ENTROPY_C) || \
-    !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
-    !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_CTR_DRBG_C)
+    !defined(MBEDTLS_SSL_TLS_C) || \
+    !defined(MBEDTLS_SSL_CLI_C) || \
+    !defined(MBEDTLS_NET_C)     || \
+    !( defined(MBEDTLS_CTR_DRBG_C) || defined(MBEDTLS_HMAC_DRBG_C) )
 int main( void )
 {
     mbedtls_printf("MBEDTLS_ENTROPY_C and/or "
            "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
-           "MBEDTLS_NET_C and/or MBEDTLS_CTR_DRBG_C and/or not defined.\n");
+           "MBEDTLS_NET_C not defined, or "
+           "neither MBEDTLS_CTR_DRBG_C nor MBEDTLS_HMAC_DRBG_C defined.\n");
     return( 0 );
 }
 #else
@@ -59,6 +62,7 @@ int main( void )
 #include "mbedtls/ssl_ciphersuites.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
+#include "mbedtls/hmac_drbg.h"
 #include "mbedtls/certs.h"
 #include "mbedtls/x509.h"
 #include "mbedtls/error.h"
@@ -701,8 +705,9 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,
     return( 0 );
 }
 
-#if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
-static int ssl_sig_hashes_for_test[] = {
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+static int available_hashes[] = {
 #if defined(MBEDTLS_SHA512_C)
     MBEDTLS_MD_SHA512,
     MBEDTLS_MD_SHA384,
@@ -717,8 +722,6 @@ static int ssl_sig_hashes_for_test[] = {
 #endif
     MBEDTLS_MD_NONE
 };
-#endif /* !MBEDTLS_SSL_CONF_SINGLE_HASH */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 /*
  * Wait for an event from the underlying transport or the timer
@@ -892,14 +895,23 @@ int report_cid_usage( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_CONF_RNG)
 int rng_wrap( void *ctx, unsigned char *dst, size_t len );
 
+#if defined(MBEDTLS_CTR_DRBG_C)
 mbedtls_ctr_drbg_context *rng_ctx_global = NULL;
+#else
+mbedtls_hmac_drbg_context *rng_ctx_global = NULL;
+#endif /* MBEDTLS_CTR_DRBG_C */
+
 int rng_wrap( void *ctx, unsigned char *dst, size_t len )
 {
     /* We expect the NULL parameter here. */
     if( ctx != NULL )
         return( -1 );
 
+#if defined(MBEDTLS_CTR_DRBG_C)
     return( mbedtls_ctr_drbg_random( rng_ctx_global, dst, len ) );
+#else
+    return( mbedtls_hmac_drbg_random( rng_ctx_global, dst, len ) );
+#endif
 }
 #endif /* MBEDTLS_SSL_CONF_RNG */
 
@@ -941,7 +953,11 @@ int main( int argc, char *argv[] )
     mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
 #endif
     mbedtls_entropy_context entropy;
+#if defined(MBEDTLS_CTR_DRBG_C)
     mbedtls_ctr_drbg_context ctr_drbg;
+#else
+    mbedtls_hmac_drbg_context hmac_drbg;
+#endif
     mbedtls_ssl_context ssl;
     mbedtls_ssl_config conf;
     mbedtls_ssl_session saved_session;
@@ -970,7 +986,11 @@ int main( int argc, char *argv[] )
     mbedtls_ssl_init( &ssl );
     mbedtls_ssl_config_init( &conf );
     memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) );
+#if defined(MBEDTLS_CTR_DRBG_C)
     mbedtls_ctr_drbg_init( &ctr_drbg );
+#else
+    mbedtls_hmac_drbg_init( &hmac_drbg );
+#endif /* MBEDTLS_CTR_DRBG_C */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
     mbedtls_x509_crt_init( &cacert );
     mbedtls_x509_crt_init( &clicert );
@@ -1664,6 +1684,7 @@ int main( int argc, char *argv[] )
     fflush( stdout );
 
     mbedtls_entropy_init( &entropy );
+#if defined(MBEDTLS_CTR_DRBG_C)
     if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
                                        &entropy, (const unsigned char *) pers,
                                        strlen( pers ) ) ) != 0 )
@@ -1672,6 +1693,19 @@ int main( int argc, char *argv[] )
                         -ret );
         goto exit;
     }
+#else /* MBEDTLS_CTR_DRBG_C */
+    if( ( ret = mbedtls_hmac_drbg_seed( &hmac_drbg,
+                                        mbedtls_md_info_from_type(
+                                            available_hashes[0] ),
+                                        mbedtls_entropy_func,
+                                        &entropy, (const unsigned char *) pers,
+                                        strlen( pers ) ) ) != 0 )
+    {
+        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n",
+                        -ret );
+        goto exit;
+    }
+#endif /* MBEDTLS_CTR_DRBG */
 
     mbedtls_printf( " ok\n" );
 
@@ -1851,7 +1885,7 @@ int main( int argc, char *argv[] )
         crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
         mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
 #if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
-        mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
+        mbedtls_ssl_conf_sig_hashes( &conf, available_hashes );
 #endif
     }
 
@@ -1953,11 +1987,19 @@ int main( int argc, char *argv[] )
         }
 #endif
 
+#if defined(MBEDTLS_CTR_DRBG_C)
 #if !defined(MBEDTLS_SSL_CONF_RNG)
     mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
 #else
     rng_ctx_global = &ctr_drbg;
 #endif
+#else /* MBEDTLS_CTR_DRBG_C */
+#if !defined(MBEDTLS_SSL_CONF_RNG)
+    mbedtls_ssl_conf_rng( &conf, mbedtls_hmac_drbg_random, &hmac_drbg );
+#else
+    rng_ctx_global = &hmac_drbg;
+#endif
+#endif /* MBEDTLS_CTR_DRBG_C */
 
 #if defined(MBEDTLS_DEBUG_C)
     mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
@@ -2871,7 +2913,11 @@ exit:
     mbedtls_ssl_session_free( &saved_session );
     mbedtls_ssl_free( &ssl );
     mbedtls_ssl_config_free( &conf );
+#if defined(MBEDTLS_CTR_DRBG_C)
     mbedtls_ctr_drbg_free( &ctr_drbg );
+#else
+    mbedtls_hmac_drbg_free( &hmac_drbg );
+#endif
     mbedtls_entropy_free( &entropy );
     if( session_data != NULL )
         mbedtls_platform_zeroize( session_data, session_data_len );
@@ -2895,4 +2941,4 @@ exit:
 }
 #endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
           MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
-          MBEDTLS_CTR_DRBG_C MBEDTLS_TIMING_C */
+          ( MBEDTLS_CTR_DRBG_C || MBEDTLS_HMAC_DRBG_C ) && MBEDTLS_TIMING_C */
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index e0e433714..d32d3aaa6 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -42,13 +42,16 @@
 #endif
 
 #if !defined(MBEDTLS_ENTROPY_C) || \
-    !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \
-    !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_CTR_DRBG_C)
+    !defined(MBEDTLS_SSL_TLS_C) || \
+    !defined(MBEDTLS_SSL_SRV_C) || \
+    !defined(MBEDTLS_NET_C)     || \
+    !( defined(MBEDTLS_CTR_DRBG_C) || defined(MBEDTLS_HMAC_DRBG_C) )
 int main( void )
 {
     mbedtls_printf("MBEDTLS_ENTROPY_C and/or "
            "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
-           "MBEDTLS_NET_C and/or MBEDTLS_CTR_DRBG_C and/or not defined.\n");
+           "MBEDTLS_NET_C not defined, or "
+           "neither MBEDTLS_CTR_DRBG_C nor MBEDTLS_HMAC_DRBG_C defined.\n");
     return( 0 );
 }
 #else
@@ -58,6 +61,7 @@ int main( void )
 #include "mbedtls/ssl_ciphersuites.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
+#include "mbedtls/hmac_drbg.h"
 #include "mbedtls/certs.h"
 #include "mbedtls/x509.h"
 #include "mbedtls/error.h"
@@ -1133,9 +1137,7 @@ void term_handler( int sig )
 }
 #endif
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
-    !defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
-static int ssl_sig_hashes_for_test[] = {
+static int available_hashes[] = {
 #if defined(MBEDTLS_SHA512_C)
     MBEDTLS_MD_SHA512,
     MBEDTLS_MD_SHA384,
@@ -1150,7 +1152,6 @@ static int ssl_sig_hashes_for_test[] = {
 #endif
     MBEDTLS_MD_NONE
 };
-#endif /* MBEDTLS_X509_CRT_PARSE_C && !defined(MBEDTLS_SSL_CONF_SINGLE_HASH) */
 
 /** Return true if \p ret is a status code indicating that there is an
  * operation in progress on an SSL connection, and false if it indicates
@@ -1508,14 +1509,23 @@ int report_cid_usage( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_CONF_RNG)
 int rng_wrap( void *ctx, unsigned char *dst, size_t len );
 
+#if defined(MBEDTLS_CTR_DRBG_C)
 mbedtls_ctr_drbg_context *rng_ctx_global = NULL;
+#else
+mbedtls_hmac_drbg_context *rng_ctx_global = NULL;
+#endif /* MBEDTLS_CTR_DRBG_C */
+
 int rng_wrap( void *ctx, unsigned char *dst, size_t len )
 {
     /* We expect the NULL parameter here. */
     if( ctx != NULL )
         return( -1 );
 
+#if defined(MBEDTLS_CTR_DRBG_C)
     return( mbedtls_ctr_drbg_random( rng_ctx_global, dst, len ) );
+#else
+    return( mbedtls_hmac_drbg_random( rng_ctx_global, dst, len ) );
+#endif
 }
 #endif /* MBEDTLS_SSL_CONF_RNG */
 
@@ -1545,7 +1555,11 @@ int main( int argc, char *argv[] )
     mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
 #endif
     mbedtls_entropy_context entropy;
+#if defined(MBEDTLS_CTR_DRBG_C)
     mbedtls_ctr_drbg_context ctr_drbg;
+#else
+    mbedtls_hmac_drbg_context hmac_drbg;
+#endif
     mbedtls_ssl_context ssl;
     mbedtls_ssl_config conf;
 #if defined(MBEDTLS_TIMING_C)
@@ -1615,7 +1629,11 @@ int main( int argc, char *argv[] )
     mbedtls_net_init( &listen_fd );
     mbedtls_ssl_init( &ssl );
     mbedtls_ssl_config_init( &conf );
+#if defined(MBEDTLS_CTR_DRBG_C)
     mbedtls_ctr_drbg_init( &ctr_drbg );
+#else
+    mbedtls_hmac_drbg_init( &hmac_drbg );
+#endif /* MBEDTLS_CTR_DRBG_C */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
     mbedtls_x509_crt_init( &cacert );
     mbedtls_x509_crt_init( &srvcert );
@@ -2418,6 +2436,7 @@ int main( int argc, char *argv[] )
     fflush( stdout );
 
     mbedtls_entropy_init( &entropy );
+#if defined(MBEDTLS_CTR_DRBG_C)
     if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
                                        &entropy, (const unsigned char *) pers,
                                        strlen( pers ) ) ) != 0 )
@@ -2426,6 +2445,19 @@ int main( int argc, char *argv[] )
                         -ret );
         goto exit;
     }
+#else /* MBEDTLS_CTR_DRBG_C */
+    if( ( ret = mbedtls_hmac_drbg_seed( &hmac_drbg,
+                                        mbedtls_md_info_from_type(
+                                            available_hashes[0] ),
+                                        mbedtls_entropy_func,
+                                        &entropy, (const unsigned char *) pers,
+                                        strlen( pers ) ) ) != 0 )
+    {
+        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n",
+                        -ret );
+        goto exit;
+    }
+#endif /* MBEDTLS_CTR_DRBG */
 
     mbedtls_printf( " ok\n" );
 
@@ -2674,7 +2706,7 @@ int main( int argc, char *argv[] )
         crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
         mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
 #if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
-        mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
+        mbedtls_ssl_conf_sig_hashes( &conf, available_hashes );
 #endif
     }
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
@@ -2765,11 +2797,19 @@ int main( int argc, char *argv[] )
         }
 #endif
 
+#if defined(MBEDTLS_CTR_DRBG_C)
 #if !defined(MBEDTLS_SSL_CONF_RNG)
     mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
 #else
     rng_ctx_global = &ctr_drbg;
 #endif
+#else /* MBEDTLS_CTR_DRBG_C */
+#if !defined(MBEDTLS_SSL_CONF_RNG)
+    mbedtls_ssl_conf_rng( &conf, mbedtls_hmac_drbg_random, &hmac_drbg );
+#else
+    rng_ctx_global = &hmac_drbg;
+#endif
+#endif /* MBEDTLS_CTR_DRBG_C */
 
 #if defined(MBEDTLS_DEBUG_C)
     mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
@@ -2793,7 +2833,11 @@ int main( int argc, char *argv[] )
     if( opt.tickets == MBEDTLS_SSL_SESSION_TICKETS_ENABLED )
     {
         if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx,
+#if defined(MBEDTLS_CTR_DRBG_C)
                         mbedtls_ctr_drbg_random, &ctr_drbg,
+#else
+                        mbedtls_hmac_drbg_random, &hmac_drbg,
+#endif
                         MBEDTLS_CIPHER_AES_256_GCM,
                         opt.ticket_timeout ) ) != 0 )
         {
@@ -2815,7 +2859,12 @@ int main( int argc, char *argv[] )
         if( opt.cookies > 0 )
         {
             if( ( ret = mbedtls_ssl_cookie_setup( &cookie_ctx,
-                                          mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
+#if defined(MBEDTLS_CTR_DRBG_C)
+                                          mbedtls_ctr_drbg_random, &ctr_drbg
+#else
+                                          mbedtls_hmac_drbg_random, &hmac_drbg
+#endif /* MBEDTLS_CTR_DRBG_C */
+                      ) ) != 0 )
             {
                 mbedtls_printf( " failed\n  ! mbedtls_ssl_cookie_setup returned %d\n\n", ret );
                 goto exit;
@@ -3852,7 +3901,11 @@ exit:
 
     mbedtls_ssl_free( &ssl );
     mbedtls_ssl_config_free( &conf );
+#if defined(MBEDTLS_CTR_DRBG_C)
     mbedtls_ctr_drbg_free( &ctr_drbg );
+#else
+    mbedtls_hmac_drbg_free( &hmac_drbg );
+#endif
     mbedtls_entropy_free( &entropy );
 
 #if defined(MBEDTLS_SSL_CACHE_C)
@@ -3895,4 +3948,4 @@ exit:
 }
 #endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
           MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
-          MBEDTLS_CTR_DRBG_C */
+          ( MBEDTLS_CTR_DRBG_C || MBEDTLS_HMAC_DRBG_C ) */

From c973fdee72c46909f35e6629547c54897110f548 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Mon, 26 Aug 2019 13:35:56 +0100
Subject: [PATCH 3/6] all.sh: Add test exercising configurations without CTR
 DRBG

---
 tests/scripts/all.sh | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 20552926d..8464dec1b 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -682,6 +682,27 @@ component_test_rsa_no_crt () {
     if_build_succeeded tests/compat.sh -t RSA
 }
 
+component_test_no_ctr_drbg () {
+    msg "build: Default + !MBEDTLS_CTR_DRBG_C"
+    scripts/config.pl unset MBEDTLS_CTR_DRBG_C
+    CC=gcc cmake .
+    make
+
+    msg "test: !MBEDTLS_CTR_DRBG_C - ssl-opt.sh" # ~ 5s
+    if_build_succeeded tests/ssl-opt.sh --filter "Default"
+}
+
+component_test_no_ctr_drbg_no_sha512 () {
+    msg "build: Default + !MBEDTLS_CTR_DRBG_C + !MBEDTLS_SHA512_C"
+    scripts/config.pl unset MBEDTLS_CTR_DRBG_C
+    scripts/config.pl unset MBEDTLS_SHA512_C
+    CC=gcc cmake .
+    make
+
+    msg "test: !MBEDTLS_CTR_DRBG_C + !MBEDTLS_SHA512_C - ssl-opt.sh" # ~ 5s
+    if_build_succeeded tests/ssl-opt.sh --filter "Default"
+}
+
 component_test_no_resumption () {
     msg "build: Default + MBEDTLS_SSL_NO_SESSION_RESUMPTION (ASan build)" # ~ 6 min
     scripts/config.pl unset MBEDTLS_SSL_SESSION_TICKETS

From 801de73ad66b5b9350eb4b186f7feac539981b45 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Mon, 26 Aug 2019 13:41:11 +0100
Subject: [PATCH 4/6] Remove CTR DRBG from baremetal test configuration

---
 configs/baremetal_test.h | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/configs/baremetal_test.h b/configs/baremetal_test.h
index b7e36f0f4..b107bd79a 100644
--- a/configs/baremetal_test.h
+++ b/configs/baremetal_test.h
@@ -37,9 +37,6 @@
 /* Debug output */
 #define MBEDTLS_DEBUG_C
 
-/* ssl_client2 and ssl_server2 use CTR-DRBG so far. */
-#define MBEDTLS_CTR_DRBG_C
-
 /* The ticket implementation hardcodes AES-GCM */
 #define MBEDTLS_GCM_C
 

From 10da2a39bec0cf1534d5ec93e0ed4d99f3722fcf Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Wed, 28 Aug 2019 15:08:27 +0100
Subject: [PATCH 5/6] Fix unused variable warnings in ssl_client2/ssl_server2

---
 programs/ssl/ssl_client2.c | 5 +++++
 programs/ssl/ssl_server2.c | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index cd02fcb50..788793a49 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -707,6 +707,9 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,
 
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+#if ( defined(MBEDTLS_X509_CRT_PARSE_C) &&        \
+      !defined(MBEDTLS_SSL_CONF_SINGLE_HASH) ) || \
+    !defined(MBEDTLS_CTR_DRBG_C)
 static int available_hashes[] = {
 #if defined(MBEDTLS_SHA512_C)
     MBEDTLS_MD_SHA512,
@@ -722,6 +725,8 @@ static int available_hashes[] = {
 #endif
     MBEDTLS_MD_NONE
 };
+#endif /* ( MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_CONF_SINGLE_HASH ) ||
+          !MBEDTLS_CTR_DRBG_C */
 
 /*
  * Wait for an event from the underlying transport or the timer
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d32d3aaa6..778fe941c 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1137,6 +1137,9 @@ void term_handler( int sig )
 }
 #endif
 
+#if ( defined(MBEDTLS_X509_CRT_PARSE_C) &&        \
+      !defined(MBEDTLS_SSL_CONF_SINGLE_HASH) ) || \
+    !defined(MBEDTLS_CTR_DRBG_C)
 static int available_hashes[] = {
 #if defined(MBEDTLS_SHA512_C)
     MBEDTLS_MD_SHA512,
@@ -1152,6 +1155,8 @@ static int available_hashes[] = {
 #endif
     MBEDTLS_MD_NONE
 };
+#endif /* ( MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_CONF_SINGLE_HASH ) ||
+          !MBEDTLS_CTR_DRBG_C */
 
 /** Return true if \p ret is a status code indicating that there is an
  * operation in progress on an SSL connection, and false if it indicates

From 2ccdab8ef3b2e462863c9c2a946dcd6ccceca6bd Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Tue, 3 Sep 2019 09:01:49 +0100
Subject: [PATCH 6/6] Fixup alignment in ssl_server2

---
 programs/ssl/ssl_server2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 778fe941c..890725e75 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2869,7 +2869,7 @@ int main( int argc, char *argv[] )
 #else
                                           mbedtls_hmac_drbg_random, &hmac_drbg
 #endif /* MBEDTLS_CTR_DRBG_C */
-                      ) ) != 0 )
+                                          ) ) != 0 )
             {
                 mbedtls_printf( " failed\n  ! mbedtls_ssl_cookie_setup returned %d\n\n", ret );
                 goto exit;