Merge commit '36adc36' into dtls

* commit '36adc36':
  Add support for getrandom()
  Use library default for trunc-hmac in ssl_client2
  Make truncated hmac a runtime option server-side
  Fix portability issue in script
  Specific error for suites in common but none good
  Prefer SHA-1 certificates for pre-1.2 clients
  Some more refactoring/tuning.
  Minor refactoring

Conflicts:
	include/polarssl/error.h
	include/polarssl/ssl.h
	library/error.c
diff --git a/ChangeLog b/ChangeLog
index f4551fb..42d1c7c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,10 @@
      length of an X.509 verification chain.
    * Support for renegotiation can now be disabled at compile-time
    * Support for 1/n-1 record splitting, a countermeasure against BEAST.
+   * Certificate selection based on signature hash, prefering SHA-1 over SHA-2
+     for pre-1.2 clients when multiple certificates are available.
+   * Add support for getrandom() syscall on recent Linux kernels with Glibc or
+     a compatible enough libc (eg uClibc).
 
 Bugfix
    * Stack buffer overflow if ctr_drbg_update() is called with too large
@@ -61,6 +65,11 @@
    * debug_print_buf() now prints a text view in addition to hexadecimal.
    * Skip writing and parsing signature_algorithm extension if none of the
      key exchanges enabled needs certificates.
+   * A specific error is now returned when there are ciphersuites in common
+     but none of them is usable due to external factors such as no certificate
+     with a suitable (extended)KeyUsage or curve or no PSK set.
+   * It is now possible to disable neogtiation of truncated HMAC server-side
+     at runtime with ssl_set_truncated_hmac().
 
 = PolarSSL 1.3.9 released 2014-10-20
 Security
diff --git a/include/polarssl/error.h b/include/polarssl/error.h
index 00c794e..1e36a0d 100644
--- a/include/polarssl/error.h
+++ b/include/polarssl/error.h
@@ -91,7 +91,7 @@
  * ECP       4   8 (Started from top)
  * MD        5   4
  * CIPHER    6   6
- * SSL       6   12 (Started from top)
+ * SSL       6   13 (Started from top)
  * SSL       7   31
  *
  * Module dependent error code (5 bits 0x.00.-0x.F8.)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 37d7e13..2af34cb 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -158,6 +158,7 @@
 #define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO       -0x6B00  /**< Unexpected message at ServerHello in renegotiation. */
 #define POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED             -0x6A80  /**< DTLS client must retry for hello verification */
 #define POLARSSL_ERR_SSL_BUFFER_TOO_SMALL                  -0x6A00  /**< A buffer is too small to receive or write a message */
+#define POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE             -0x6980  /**< None of the common ciphersuites is usable (eg, no suitable certificate) */
 
 /*
  * Various constants
@@ -1851,15 +1852,15 @@
 
 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
 /**
- * \brief          Activate negotiation of truncated HMAC (Client only)
- *                 (Default: SSL_TRUNC_HMAC_ENABLED)
+ * \brief          Activate negotiation of truncated HMAC
+ *                 (Default: SSL_TRUNC_HMAC_DISABLED on client,
+ *                           SSL_TRUNC_HMAC_ENABLED on server.)
  *
  * \param ssl      SSL context
  * \param truncate Enable or disable (SSL_TRUNC_HMAC_ENABLED or
  *                                    SSL_TRUNC_HMAC_DISABLED)
  *
- * \return         O if successful,
- *                 POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side
+ * \return         Always 0.
  */
 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index 9ca9e95..33e75bc 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -73,6 +73,43 @@
 }
 #else /* _WIN32 && !EFIX64 && !EFI32 */
 
+/*
+ * Test for Linux getrandom() support.
+ * Since there is no wrapper in the libc yet, use the generic syscall wrapper
+ * available in GNU libc and compatible libc's (eg uClibc).
+ */
+#if defined(__linux__) && defined(__GLIBC__)
+#include <linux/version.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#if defined(SYS_getrandom)
+#define HAVE_GETRANDOM
+static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
+{
+    return( syscall( SYS_getrandom, buf, buflen, flags ) );
+}
+#endif /* SYS_getrandom */
+#endif /* __linux__ */
+
+#if defined(HAVE_GETRANDOM)
+
+#include <errno.h>
+
+int platform_entropy_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen )
+{
+    int ret;
+    ((void) data);
+
+    if( ( ret = getrandom_wrapper( output, len, 0 ) ) < 0 )
+        return( POLARSSL_ERR_ENTROPY_SOURCE_FAILED );
+
+    *olen = ret;
+    return( 0 );
+}
+
+#else /* HAVE_GETRANDOM */
+
 #include <stdio.h>
 
 int platform_entropy_poll( void *data,
@@ -100,6 +137,7 @@
 
     return( 0 );
 }
+#endif /* HAVE_GETRANDOM */
 #endif /* _WIN32 && !EFIX64 && !EFI32 */
 #endif /* !POLARSSL_NO_PLATFORM_ENTROPY */
 
diff --git a/library/error.c b/library/error.c
index f3c18c2..b3c2153 100644
--- a/library/error.c
+++ b/library/error.c
@@ -456,6 +456,8 @@
             snprintf( buf, buflen, "SSL - DTLS client must retry for hello verification" );
         if( use_ret == -(POLARSSL_ERR_SSL_BUFFER_TOO_SMALL) )
             snprintf( buf, buflen, "SSL - A buffer is too small to receive or write a message" );
+        if( use_ret == -(POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE) )
+            snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate)" );
 #endif /* POLARSSL_SSL_TLS_C */
 
 #if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index dc80ed0..d83c560 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -663,7 +663,8 @@
 
     ((void) buf);
 
-    ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
+    if( ssl->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
+        ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
 
     return( 0 );
 }
@@ -831,11 +832,11 @@
 
 #if defined(POLARSSL_X509_CRT_PARSE_C)
 /*
- * Return 1 if the given EC key uses the given curve, 0 otherwise
+ * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
  */
 #if defined(POLARSSL_ECDSA_C)
-static int ssl_key_matches_curves( pk_context *pk,
-                                   const ecp_curve_info **curves )
+static int ssl_check_key_curve( pk_context *pk,
+                                const ecp_curve_info **curves )
 {
     const ecp_curve_info **crv = curves;
     ecp_group_id grp_id = pk_ec( *pk )->grp.id;
@@ -843,11 +844,11 @@
     while( *crv != NULL )
     {
         if( (*crv)->grp_id == grp_id )
-            return( 1 );
+            return( 0 );
         crv++;
     }
 
-    return( 0 );
+    return( -1 );
 }
 #endif /* POLARSSL_ECDSA_C */
 
@@ -858,7 +859,7 @@
 static int ssl_pick_cert( ssl_context *ssl,
                           const ssl_ciphersuite_t * ciphersuite_info )
 {
-    ssl_key_cert *cur, *list;
+    ssl_key_cert *cur, *list, *fallback = NULL;
     pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
 
 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
@@ -891,21 +892,41 @@
         }
 
 #if defined(POLARSSL_ECDSA_C)
-        if( pk_alg == POLARSSL_PK_ECDSA )
-        {
-            if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
-                break;
-        }
-        else
+        if( pk_alg == POLARSSL_PK_ECDSA &&
+            ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
+            continue;
 #endif
-            break;
+
+        /*
+         * Try to select a SHA-1 certificate for pre-1.2 clients, but still
+         * present them a SHA-higher cert rather than failing if it's the only
+         * one we got that satisfies the other conditions.
+         */
+        if( ssl->minor_ver < SSL_MINOR_VERSION_3 &&
+            cur->cert->sig_md != POLARSSL_MD_SHA1 )
+        {
+            if( fallback == NULL )
+                fallback = cur;
+            continue;
+        }
+
+        /* If we get there, we got a winner */
+        break;
     }
 
-    if( cur == NULL )
-        return( -1 );
+    if( cur != NULL )
+    {
+        ssl->handshake->key_cert = cur;
+        return( 0 );
+    }
 
-    ssl->handshake->key_cert = cur;
-    return( 0 );
+    if( fallback != NULL )
+    {
+        ssl->handshake->key_cert = fallback;
+        return( 0 );
+    }
+
+    return( -1 );
 }
 #endif /* POLARSSL_X509_CRT_PARSE_C */
 
@@ -921,8 +942,8 @@
     suite_info = ssl_ciphersuite_from_id( suite_id );
     if( suite_info == NULL )
     {
-        SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", suite_id ) );
-        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+        SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
     }
 
     if( suite_info->min_minor_ver > ssl->minor_ver ||
@@ -971,7 +992,7 @@
 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
 static int ssl_parse_client_hello_v2( ssl_context *ssl )
 {
-    int ret;
+    int ret, got_common_suite;
     unsigned int i, j;
     size_t n;
     unsigned int ciph_len, sess_len, chal_len;
@@ -1169,6 +1190,7 @@
     }
 #endif /* POLARSSL_SSL_FALLBACK_SCSV */
 
+    got_common_suite = 0;
     ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
     ciphersuite_info = NULL;
 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
@@ -1186,6 +1208,8 @@
                 p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
                 continue;
 
+            got_common_suite = 1;
+
             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
                                                &ciphersuite_info ) ) != 0 )
                 return( ret );
@@ -1195,9 +1219,17 @@
         }
     }
 
-    SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
-
-    return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
+    if( got_common_suite )
+    {
+        SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
+                            "but none of them usable" ) );
+        return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE );
+    }
+    else
+    {
+        SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
+        return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
+    }
 
 have_ciphersuite_v2:
     ssl->session_negotiate->ciphersuite = ciphersuites[i];
@@ -1229,7 +1261,7 @@
 
 static int ssl_parse_client_hello( ssl_context *ssl )
 {
-    int ret;
+    int ret, got_common_suite;
     unsigned int i, j;
     unsigned int ciph_offset, comp_offset, ext_offset;
     unsigned int msg_len, ciph_len, sess_len, comp_len, ext_len;
@@ -1923,6 +1955,7 @@
      * (At the end because we need information from the EC-based extensions
      * and certificate from the SNI callback triggered by the SNI extension.)
      */
+    got_common_suite = 0;
     ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
     ciphersuite_info = NULL;
 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
@@ -1939,6 +1972,8 @@
                 p[1] != ( ( ciphersuites[i]      ) & 0xFF ) )
                 continue;
 
+            got_common_suite = 1;
+
             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
                                                &ciphersuite_info ) ) != 0 )
                 return( ret );
@@ -1948,12 +1983,19 @@
         }
     }
 
-    SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
-
-    if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-        return( ret );
-
-    return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
+    if( got_common_suite )
+    {
+        SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
+                            "but none of them usable" ) );
+        ssl_send_fatal_handshake_failure( ssl );
+        return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE );
+    }
+    else
+    {
+        SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
+        ssl_send_fatal_handshake_failure( ssl );
+        return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
+    }
 
 have_ciphersuite:
     ssl->session_negotiate->ciphersuite = ciphersuites[i];
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 413582a..c78b1a7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5149,6 +5149,11 @@
     if( endpoint == SSL_IS_CLIENT )
         ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
 #endif
+
+#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
+    if( endpoint == SSL_IS_SERVER )
+        ssl->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
+#endif
 }
 
 int ssl_set_transport( ssl_context *ssl, int transport )
@@ -5692,9 +5697,6 @@
 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
 {
-    if( ssl->endpoint != SSL_IS_CLIENT )
-        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-
     ssl->trunc_hmac = truncate;
 
     return( 0 );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 0ddd802..9313499 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -92,7 +92,7 @@
 #define DFL_MAX_VERSION         -1
 #define DFL_AUTH_MODE           SSL_VERIFY_REQUIRED
 #define DFL_MFL_CODE            SSL_MAX_FRAG_LEN_NONE
-#define DFL_TRUNC_HMAC          0
+#define DFL_TRUNC_HMAC          -1
 #define DFL_RECSPLIT            -1
 #define DFL_RECONNECT           0
 #define DFL_RECO_DELAY          0
@@ -274,7 +274,7 @@
 
 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
 #define USAGE_TRUNC_HMAC                                    \
-    "    trunc_hmac=%%d       default: 0 (disabled)\n"
+    "    trunc_hmac=%%d       default: library default\n"
 #else
 #define USAGE_TRUNC_HMAC ""
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
@@ -740,9 +740,12 @@
         }
         else if( strcmp( p, "trunc_hmac" ) == 0 )
         {
-            opt.trunc_hmac = atoi( q );
-            if( opt.trunc_hmac < 0 || opt.trunc_hmac > 1 )
-                goto usage;
+            switch( atoi( q ) )
+            {
+                case 0: opt.trunc_hmac = SSL_TRUNC_HMAC_DISABLED; break;
+                case 1: opt.trunc_hmac = SSL_TRUNC_HMAC_ENABLED; break;
+                default: goto usage;
+            }
         }
         else if( strcmp( p, "hs_timeout" ) == 0 )
         {
@@ -1057,12 +1060,8 @@
 #endif
 
 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
-    if( opt.trunc_hmac != 0 )
-        if( ( ret = ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED ) ) != 0 )
-        {
-            printf( " failed\n  ! ssl_set_truncated_hmac returned %d\n\n", ret );
-            goto exit;
-        }
+    if( opt.trunc_hmac != DFL_TRUNC_HMAC )
+        ssl_set_truncated_hmac( &ssl, opt.trunc_hmac );
 #endif
 
 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index fb2327a..85189bd 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -115,6 +115,7 @@
 #define DFL_MAX_VERSION         -1
 #define DFL_AUTH_MODE           SSL_VERIFY_OPTIONAL
 #define DFL_MFL_CODE            SSL_MAX_FRAG_LEN_NONE
+#define DFL_TRUNC_HMAC          -1
 #define DFL_TICKETS             SSL_SESSION_TICKETS_ENABLED
 #define DFL_TICKET_TIMEOUT      -1
 #define DFL_CACHE_MAX           -1
@@ -185,6 +186,7 @@
     int max_version;            /* maximum protocol version accepted        */
     int auth_mode;              /* verify mode for connection               */
     unsigned char mfl_code;     /* code for maximum fragment length         */
+    int trunc_hmac;             /* accept truncated hmac?                   */
     int tickets;                /* enable / disable session tickets         */
     int ticket_timeout;         /* session ticket lifetime                  */
     int cache_max;              /* max number of session cache entries      */
@@ -315,6 +317,13 @@
 #define USAGE_MAX_FRAG_LEN ""
 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
 
+#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
+#define USAGE_TRUNC_HMAC \
+    "    trunc_hmac=%%d       default: library default\n"
+#else
+#define USAGE_TRUNC_HMAC ""
+#endif
+
 #if defined(POLARSSL_SSL_ALPN)
 #define USAGE_ALPN \
     "    alpn=%%s             default: \"\" (disabled)\n"   \
@@ -407,6 +416,7 @@
     USAGE_TICKETS                                           \
     USAGE_CACHE                                             \
     USAGE_MAX_FRAG_LEN                                      \
+    USAGE_TRUNC_HMAC                                        \
     USAGE_ALPN                                              \
     USAGE_EMS                                               \
     USAGE_ETM                                               \
@@ -805,6 +815,7 @@
     opt.max_version         = DFL_MAX_VERSION;
     opt.auth_mode           = DFL_AUTH_MODE;
     opt.mfl_code            = DFL_MFL_CODE;
+    opt.trunc_hmac          = DFL_TRUNC_HMAC;
     opt.tickets             = DFL_TICKETS;
     opt.ticket_timeout      = DFL_TICKET_TIMEOUT;
     opt.cache_max           = DFL_CACHE_MAX;
@@ -1025,6 +1036,15 @@
         {
             opt.alpn_string = q;
         }
+        else if( strcmp( p, "trunc_hmac" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0: opt.trunc_hmac = SSL_TRUNC_HMAC_DISABLED; break;
+                case 1: opt.trunc_hmac = SSL_TRUNC_HMAC_ENABLED; break;
+                default: goto usage;
+            }
+        }
         else if( strcmp( p, "extended_ms" ) == 0 )
         {
             switch( atoi( q ) )
@@ -1475,6 +1495,11 @@
     };
 #endif
 
+#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
+    if( opt.trunc_hmac != DFL_TRUNC_HMAC )
+        ssl_set_truncated_hmac( &ssl, opt.trunc_hmac );
+#endif
+
 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
     if( opt.extended_ms != DFL_EXTENDED_MS )
         ssl_set_extended_master_secret( &ssl, opt.extended_ms );
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index 0ee992d..b9a8e9c 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -46,7 +46,7 @@
 
 $/ = $line_separator;
 
-open(GREP, "/bin/grep \"define POLARSSL_ERR_\" $include_dir/* |") || die("Failure when calling grep: $!");
+open(GREP, "grep \"define POLARSSL_ERR_\" $include_dir/* |") || die("Failure when calling grep: $!");
 
 my $ll_old_define = "";
 my $hl_old_define = "";
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 3aeef96..1bd2a73 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -558,16 +558,43 @@
 
 # Tests for Truncated HMAC extension
 
-run_test    "Truncated HMAC: reference" \
+run_test    "Truncated HMAC: client default, server default" \
             "$P_SRV debug_level=4" \
-            "$P_CLI trunc_hmac=0 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
             0 \
-            -s "dumping 'computed mac' (20 bytes)"
+            -s "dumping 'computed mac' (20 bytes)" \
+            -S "dumping 'computed mac' (10 bytes)"
 
-run_test    "Truncated HMAC: actual test" \
+run_test    "Truncated HMAC: client disabled, server default" \
             "$P_SRV debug_level=4" \
-            "$P_CLI trunc_hmac=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
+             trunc_hmac=0" \
             0 \
+            -s "dumping 'computed mac' (20 bytes)" \
+            -S "dumping 'computed mac' (10 bytes)"
+
+run_test    "Truncated HMAC: client enabled, server default" \
+            "$P_SRV debug_level=4" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
+             trunc_hmac=1" \
+            0 \
+            -S "dumping 'computed mac' (20 bytes)" \
+            -s "dumping 'computed mac' (10 bytes)"
+
+run_test    "Truncated HMAC: client enabled, server disabled" \
+            "$P_SRV debug_level=4 trunc_hmac=0" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
+             trunc_hmac=1" \
+            0 \
+            -s "dumping 'computed mac' (20 bytes)" \
+            -S "dumping 'computed mac' (10 bytes)"
+
+run_test    "Truncated HMAC: client enabled, server enabled" \
+            "$P_SRV debug_level=4 trunc_hmac=1" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
+             trunc_hmac=1" \
+            0 \
+            -S "dumping 'computed mac' (20 bytes)" \
             -s "dumping 'computed mac' (10 bytes)"
 
 # Tests for Encrypt-then-MAC extension
@@ -1604,6 +1631,60 @@
             -C "! ssl_handshake returned" \
             -S "X509 - Certificate verification failed"
 
+# Tests for certificate selection based on SHA verson
+
+run_test    "Certificate hash: client TLS 1.2 -> SHA-2" \
+            "$P_SRV crt_file=data_files/server5.crt \
+                    key_file=data_files/server5.key \
+                    crt_file2=data_files/server5-sha1.crt \
+                    key_file2=data_files/server5.key" \
+            "$P_CLI force_version=tls1_2" \
+            0 \
+            -c "signed using.*ECDSA with SHA256" \
+            -C "signed using.*ECDSA with SHA1"
+
+run_test    "Certificate hash: client TLS 1.1 -> SHA-1" \
+            "$P_SRV crt_file=data_files/server5.crt \
+                    key_file=data_files/server5.key \
+                    crt_file2=data_files/server5-sha1.crt \
+                    key_file2=data_files/server5.key" \
+            "$P_CLI force_version=tls1_1" \
+            0 \
+            -C "signed using.*ECDSA with SHA256" \
+            -c "signed using.*ECDSA with SHA1"
+
+run_test    "Certificate hash: client TLS 1.0 -> SHA-1" \
+            "$P_SRV crt_file=data_files/server5.crt \
+                    key_file=data_files/server5.key \
+                    crt_file2=data_files/server5-sha1.crt \
+                    key_file2=data_files/server5.key" \
+            "$P_CLI force_version=tls1" \
+            0 \
+            -C "signed using.*ECDSA with SHA256" \
+            -c "signed using.*ECDSA with SHA1"
+
+run_test    "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
+            "$P_SRV crt_file=data_files/server5.crt \
+                    key_file=data_files/server5.key \
+                    crt_file2=data_files/server6.crt \
+                    key_file2=data_files/server6.key" \
+            "$P_CLI force_version=tls1_1" \
+            0 \
+            -c "serial number.*09" \
+            -c "signed using.*ECDSA with SHA256" \
+            -C "signed using.*ECDSA with SHA1"
+
+run_test    "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
+            "$P_SRV crt_file=data_files/server6.crt \
+                    key_file=data_files/server6.key \
+                    crt_file2=data_files/server5.crt \
+                    key_file2=data_files/server5.key" \
+            "$P_CLI force_version=tls1_1" \
+            0 \
+            -c "serial number.*0A" \
+            -c "signed using.*ECDSA with SHA256" \
+            -C "signed using.*ECDSA with SHA1"
+
 # tests for SNI
 
 run_test    "SNI: no SNI callback" \
@@ -2152,7 +2233,7 @@
             "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
             psk_identity=foo psk=abc123" \
             0 \
-            -S "SSL - The server has no ciphersuites in common" \
+            -S "SSL - None of the common ciphersuites is usable" \
             -S "SSL - Unknown identity received" \
             -S "SSL - Verification of the message MAC failed"
 
@@ -2161,7 +2242,7 @@
             "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
             psk_identity=foo psk=abc123" \
             1 \
-            -s "SSL - The server has no ciphersuites in common" \
+            -s "SSL - None of the common ciphersuites is usable" \
             -S "SSL - Unknown identity received" \
             -S "SSL - Verification of the message MAC failed"
 
@@ -2170,7 +2251,7 @@
             "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
             psk_identity=foo psk=abc123" \
             1 \
-            -S "SSL - The server has no ciphersuites in common" \
+            -S "SSL - None of the common ciphersuites is usable" \
             -s "SSL - Unknown identity received" \
             -S "SSL - Verification of the message MAC failed"
 
@@ -2179,7 +2260,7 @@
             "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
             psk_identity=abc psk=dead" \
             0 \
-            -S "SSL - The server has no ciphersuites in common" \
+            -S "SSL - None of the common ciphersuites is usable" \
             -S "SSL - Unknown identity received" \
             -S "SSL - Verification of the message MAC failed"
 
@@ -2188,7 +2269,7 @@
             "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
             psk_identity=def psk=beef" \
             0 \
-            -S "SSL - The server has no ciphersuites in common" \
+            -S "SSL - None of the common ciphersuites is usable" \
             -S "SSL - Unknown identity received" \
             -S "SSL - Verification of the message MAC failed"
 
@@ -2197,7 +2278,7 @@
             "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
             psk_identity=ghi psk=beef" \
             1 \
-            -S "SSL - The server has no ciphersuites in common" \
+            -S "SSL - None of the common ciphersuites is usable" \
             -s "SSL - Unknown identity received" \
             -S "SSL - Verification of the message MAC failed"
 
@@ -2206,7 +2287,7 @@
             "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
             psk_identity=abc psk=beef" \
             1 \
-            -S "SSL - The server has no ciphersuites in common" \
+            -S "SSL - None of the common ciphersuites is usable" \
             -S "SSL - Unknown identity received" \
             -s "SSL - Verification of the message MAC failed"