From 828a8c08b60a25a6e7b997dfcd215de0693a0f73 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 26 Feb 2019 16:48:55 +0000
Subject: [PATCH] Add compile-guard for < TLS1.2 path in server-side ssl_pick_cert() Minor code-size optimization along the way.
---
 library/ssl_srv.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index f661d11e6..f00e44ba6 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -862,6 +862,8 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
 continue;
 }
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+ defined(MBEDTLS_SSL_PROTO_TLS1_1)
 /*
 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
 * present them a SHA-higher cert rather than failing if it's the only
@@ -890,6 +892,9 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
 continue;
 }
 }
+#endif /* MBEDTLS_SSL_PROTO_TLS1 ||
+ MBEDTLS_SSL_PROTO_TLS1_1 ||
+ MBEDTLS_SSL_PROTO_SSL3 */
 /* If we get there, we got a winner */
 break;
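Review bot: The `#if` added ahead of the SHA-1 preference comment does not say why the block may be compiled out, and the guard only holds if the run-time test inside the block can never be true when no pre-TLS-1.2 version is built in; that test is not visible in the hunk. I would put `/* Only reachable if a pre-TLS-1.2 version is compiled in; a TLS-1.2-only build cannot negotiate one. */` directly above the `#if`. Going by the existing comment, the block remembers a second-choice certificate for later use, so in a build where the guard is false the code that consumes that second choice is presumably dead as well and could sit under the same condition. ssl_pick_cert() starts and ends outside the hunk, so this needs checking against the rest of the function.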
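Review bot: The trailing comment on the added `#endif` lists the three macros in a different order from the `#if` it closes (TLS1, TLS1_1, SSL3 against SSL3, TLS1, TLS1_1), which makes the pair harder to match when reading or searching the file. Mirroring the condition keeps the two in step: `#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */`. The loop that this `#endif` sits in closes outside the hunk.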