3 files changed, 63 insertions, 11 deletions
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index 8fe7c54549..578f6a731a 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -365,7 +365,7 @@ req_cnf(Root, C) ->
      "default_bits	= ", integer_to_list(C#config.default_bits), "\n"
      "RANDFILE		= $ROOTDIR/RAND\n"
      "encrypt_key	= no\n"
-     "default_md	= md5\n"
+     "default_md	= sha1\n"
      "#string_mask	= pkix\n"
      "x509_extensions	= ca_ext\n"
      "prompt		= no\n"
@@ -415,7 +415,7 @@ ca_cnf(
      ["crl_extensions = crl_ext\n" || C#config.v2_crls],
      "unique_subject  = no\n"
      "default_days	= 3600\n"
-     "default_md	= md5\n"
+     "default_md	= sha1\n"
      "preserve	        = no\n"
      "policy		= policy_match\n"
      "\n"
@@ -499,7 +499,7 @@ ca_cnf(
      ["crl_extensions = crl_ext\n" || C#config.v2_crls],
      "unique_subject  = no\n"
      "default_days	= 3600\n"
-     "default_md	= md5\n"
+     "default_md	= sha1\n"
      "preserve	        = no\n"
      "policy		= policy_match\n"
      "\n"
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index a0cc9f5c08..97b794c3e2 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -3570,14 +3570,14 @@ conf_signature_algs(Config) when is_list(Config) ->
 	ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
 				   {from, self()}, 
 				   {mfa, {ssl_test_lib, send_recv_result, []}},
-				   {options,  [{active, false}, {signature_algs, [{sha256, rsa}]} | ServerOpts]}]),
+				   {options,  [{active, false}, {signature_algs, [{sha, rsa}]} | ServerOpts]}]),
     Port = ssl_test_lib:inet_port(Server),
     Client = 
 	ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
 				   {host, Hostname},
 				   {from, self()}, 
 				   {mfa, {ssl_test_lib, send_recv_result, []}},
-				   {options, [{active, false}, {signature_algs, [{sha256, rsa}]} | ClientOpts]}]),
+				   {options, [{active, false}, {signature_algs, [{sha, rsa}]} | ClientOpts]}]),
     
     ct:log("Testcase ~p, Client ~p  Server ~p ~n",
 			 [self(), Client, Server]),
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index ef1f6be286..861fecc554 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -25,6 +25,7 @@
 -compile(export_all).
 
 -include_lib("common_test/include/ct.hrl").
+-include("ssl_alert.hrl").
 -include("ssl_internal.hrl").
 -include("tls_handshake.hrl").
 -include_lib("public_key/include/public_key.hrl").
@@ -41,7 +42,7 @@ all() -> [decode_hello_handshake,
 	  decode_empty_server_sni_correctly,
 	  select_proper_tls_1_2_rsa_default_hashsign,
 	  ignore_hassign_extension_pre_tls_1_2,
-          unorded_chain].
+	  unorded_chain, signature_algorithms].
 
 %%--------------------------------------------------------------------
 init_per_suite(Config) ->
@@ -55,7 +56,9 @@ init_per_group(_GroupName, Config) ->
 end_per_group(_,Config) ->
     Config.
 
-init_per_testcase(ignore_hassign_extension_pre_tls_1_2, Config0) ->
+init_per_testcase(TC, Config0) when
+      TC =:= ignore_hassign_extension_pre_tls_1_2 orelse
+      TC =:= signature_algorithms ->
     catch crypto:stop(),
     try crypto:start() of
 	ok ->
@@ -163,11 +166,11 @@ ignore_hassign_extension_pre_tls_1_2(Config) ->
     Opts = proplists:get_value(server_opts, Config),
     CertFile = proplists:get_value(certfile, Opts),
     [{_, Cert, _}] = ssl_test_lib:pem_to_der(CertFile),
-    HashSigns = #hash_sign_algos{hash_sign_algos = [{sha512, rsa}, {sha, dsa}]},
-    {sha512, rsa} = ssl_handshake:select_hashsign(HashSigns, Cert, ecdhe_rsa, tls_v1:default_signature_algs({3,3}), {3,3}),
+    HashSigns = #hash_sign_algos{hash_sign_algos = [{sha512, rsa}, {sha, dsa}, {sha, rsa}]},
+    {sha512, rsa} = ssl_handshake:select_hashsign({HashSigns, undefined}, Cert, ecdhe_rsa, tls_v1:default_signature_algs({3,3}), {3,3}),
     %%% Ignore
-    {md5sha, rsa} = ssl_handshake:select_hashsign(HashSigns, Cert, ecdhe_rsa, tls_v1:default_signature_algs({3,2}), {3,2}),
-    {md5sha, rsa} = ssl_handshake:select_hashsign(HashSigns, Cert, ecdhe_rsa, tls_v1:default_signature_algs({3,0}), {3,0}).
+    {md5sha, rsa} = ssl_handshake:select_hashsign({HashSigns, undefined}, Cert, ecdhe_rsa, tls_v1:default_signature_algs({3,2}), {3,2}),
+    {md5sha, rsa} = ssl_handshake:select_hashsign({HashSigns, undefined}, Cert, ecdhe_rsa, tls_v1:default_signature_algs({3,0}), {3,0}).
 
 unorded_chain(Config) when is_list(Config) ->
     DefConf = ssl_test_lib:default_cert_chain_conf(),
@@ -188,6 +191,55 @@ unorded_chain(Config) when is_list(Config) ->
         ssl_certificate:certificate_chain(PeerCert, ets:new(foo, []), ExtractedCerts, UnordedChain).
 
 
+signature_algorithms(Config) ->
+    Opts = proplists:get_value(server_opts, Config),
+    CertFile = proplists:get_value(certfile, Opts),
+    io:format("Cert = ~p~n", [CertFile]),
+    [{_, Cert, _}] = ssl_test_lib:pem_to_der(CertFile),
+    HashSigns0 = #hash_sign_algos{
+                   hash_sign_algos = [{sha512, rsa},
+                                      {sha, dsa},
+                                      {sha, rsa}]},
+    Schemes0 = #signature_scheme_list{
+                 signature_scheme_list = [rsa_pkcs1_sha1,
+                                          ecdsa_sha1]},
+    {sha512, rsa} = ssl_handshake:select_hashsign(
+                      {HashSigns0, Schemes0},
+                      Cert, ecdhe_rsa,
+                      tls_v1:default_signature_algs({3,3}),
+                      {3,3}),
+    HashSigns1 = #hash_sign_algos{
+                    hash_sign_algos = [{sha, dsa},
+                                      {sha, rsa}]},
+    {sha, rsa} = ssl_handshake:select_hashsign(
+                      {HashSigns1, Schemes0},
+                      Cert, ecdhe_rsa,
+                      tls_v1:default_signature_algs({3,3}),
+                   {3,3}),
+    Schemes1 = #signature_scheme_list{
+                  signature_scheme_list = [rsa_pkcs1_sha256,
+                                           ecdsa_sha1]},
+    %% Signature not supported
+    #alert{} = ssl_handshake:select_hashsign(
+                 {HashSigns1, Schemes1},
+                 Cert, ecdhe_rsa,
+                 tls_v1:default_signature_algs({3,3}),
+                 {3,3}),
+    %% No scheme, hashsign is used
+    {sha, rsa} = ssl_handshake:select_hashsign(
+                   {HashSigns1, undefined},
+                   Cert, ecdhe_rsa,
+                   tls_v1:default_signature_algs({3,3}),
+                   {3,3}),
+    HashSigns2 = #hash_sign_algos{
+                    hash_sign_algos = [{sha, dsa}]},
+    %% Signature not supported
+    #alert{} = ssl_handshake:select_hashsign(
+                 {HashSigns2, Schemes1},
+                 Cert, ecdhe_rsa,
+                 tls_v1:default_signature_algs({3,3}),
+                 {3,3}).
+
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------
 %%--------------------------------------------------------------------