TLS/SSL fixes:

- don't run fingerprint and passphrase protected tests if the corresponding
  files (sha1 and encrypted client key) are not found in CERT_PATH
- don't overwrite SSL errors if handshake failed
- Use gnutls read/write instead of pvio

libmariadb/secure/gnutls.c

@@ -1229,6 +1229,7 @@ error:
   return NULL;
 }
 
+#ifdef GNUTLS_EXTERNAL_TRANSPORT
 ssize_t ma_tls_push(gnutls_transport_ptr_t ptr, const void* data, size_t len)
 {
   MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr;
@@ -1248,6 +1249,7 @@ static int ma_tls_pull_timeout(gnutls_transport_ptr_t ptr, unsigned int ms)
   MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr;
   return pvio->methods->wait_io_or_timeout(pvio, 0, ms);
 }
+#endif
 
 my_bool ma_tls_connect(MARIADB_TLS *ctls)
 {
@@ -1269,12 +1271,16 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
   if (!(blocking= pvio->methods->is_blocking(pvio)))
     pvio->methods->blocking(pvio, TRUE, 0);
 
+#ifdef GNUTLS_EXTERNAL_TRANSPORT
   /* we don't use GnuTLS read/write functions */
   gnutls_transport_set_ptr(ssl, pvio);
   gnutls_transport_set_push_function(ssl, ma_tls_push);
   gnutls_transport_set_pull_function(ssl, ma_tls_pull);
   gnutls_transport_set_pull_timeout_function(ssl, ma_tls_pull_timeout);
   gnutls_handshake_set_timeout(ssl, pvio->timeout[PVIO_CONNECT_TIMEOUT]);
+#else
+  gnutls_transport_set_int(ssl, mysql_get_socket(mysql));
+#endif
 
   do {
     ret = gnutls_handshake(ssl);

plugins/auth/my_auth.c

@@ -408,7 +408,12 @@ static int client_mpvio_write_packet(struct st_plugin_vio *mpv,
       res= 1; /* no chit-chat in embedded */
     else
       res= ma_net_write(net, (unsigned char *)pkt, pkt_len) || ma_net_flush(net);
+  }
+
   if (res)
+  {
+    /* don't overwrite errors */
+    if (!mysql_errno(mpvio->mysql))
       my_set_error(mpvio->mysql, CR_SERVER_LOST, SQLSTATE_UNKNOWN,
                                  ER(CR_SERVER_LOST_EXTENDED),
                                  "sending authentication information",

unittest/libmariadb/CMakeLists.txt

@@ -38,8 +38,14 @@ SET(MANUAL_TESTS "t_aurora" "t_conc173")
 # Get finger print from server certificate
 IF(WITH_SSL)
   IF(CERT_PATH)
+    IF(EXISTS ${CERT_PATH}/server-cert.sha1)
       FILE(READ ${CERT_PATH}/server-cert.sha1 CERT_FINGER_PRINT)
       STRING(REPLACE "\n" "" CERT_FINGER_PRINT "${CERT_FINGER_PRINT}")
+      ADD_DEFINITIONS(-DTEST_SSL_SHA1)
+    ENDIF()
+    IF(EXISTS ${CERT_PATH}/client-key-enc.pem)
+      ADD_DEFINITIONS(-DTEST_SSL_PASSPHRASE)
+    ENDIF()
     SET(API_TESTS ${API_TESTS} "ssl")
     IF(WIN32)
       STRING(REPLACE "\\" "\\\\" CERT_PATH ${CERT_PATH})

unittest/libmariadb/ssl.c.in

@@ -394,6 +394,10 @@ static int test_password_protected(MYSQL *unused __attribute__((unused)))
   if (check_skip_ssl())
     return SKIP;
 
+#ifndef TEST_SSL_PASSPHRASE
+  return SKIP;
+#endif
+
   mysql= mysql_init(NULL);
   FAIL_IF(!mysql, "Can't allocate memory");
 
@@ -789,6 +793,10 @@ static int test_ssl_fp_list(MYSQL *unused __attribute__((unused)))
   if (check_skip_ssl())
     return SKIP;
 
+#ifndef TEST_SSL_SHA1
+  return SKIP;
+#endif
+
   if (!ssl_cert_finger_print[0])
   {
     diag("No fingerprint available");