merge commit, hope that none of bar and dlenev changes were

lost.

.bzrignore

@@ -23,6 +23,7 @@
 .vimrc
 50
 =6
+BUILD/compile-pentium-maintainer
 BitKeeper/etc/config
 BitKeeper/etc/csets
 BitKeeper/etc/csets-in
@@ -30,6 +31,8 @@ BitKeeper/etc/csets-out
 BitKeeper/etc/gone
 BitKeeper/etc/level
 BitKeeper/etc/pushed
+BitKeeper/post-commit
+BitKeeper/post-commit-manual
 BitKeeper/tmp/*
 BitKeeper/tmp/bkr3sAHD
 BitKeeper/tmp/gone
@@ -223,6 +226,7 @@ bkpull.log.5
 bkpull.log.6
 bkpush.log
 build.log
+build_tags.sh
 client/insert_test
 client/log_event.cc
 client/log_event.h
@@ -311,6 +315,8 @@ libmysql_r/conf_to_src
 libmysql_r/my_static.h
 libmysql_r/mysys_priv.h
 libmysqld/backup_dir
+libmysqld/client.c
+libmysqld/client_settings.h
 libmysqld/convert.cc
 libmysqld/derror.cc
 libmysqld/errmsg.c
@@ -355,6 +361,7 @@ libmysqld/item_sum.cc
 libmysqld/item_timefunc.cc
 libmysqld/item_uniq.cc
 libmysqld/key.cc
+libmysqld/libmysql.c
 libmysqld/lock.cc
 libmysqld/log.cc
 libmysqld/log_event.cc
@@ -366,6 +373,7 @@ libmysqld/net_serv.cc
 libmysqld/opt_ft.cc
 libmysqld/opt_range.cc
 libmysqld/opt_sum.cc
+libmysqld/pack.c
 libmysqld/password.c
 libmysqld/procedure.cc
 libmysqld/protocol.cc
@@ -482,6 +490,7 @@ mysys/#mf_iocache.c#
 mysys/charset2html
 mysys/getopt.c
 mysys/getopt1.c
+mysys/main.cc
 mysys/ste5KbMa
 mysys/test_charset
 mysys/test_dir
@@ -585,6 +594,7 @@ stamp-h1
 stamp-h2
 stamp-h3
 stamp-h4
+start_mysqld.sh
 strings/conf_to_src
 strings/ctype_autoconf.c
 strings/ctype_extra_sources.c
@@ -611,6 +621,7 @@ support-files/mysql.spec
 tags
 test_xml
 tests/client_test
+tests/connect_test
 thread_test
 tmp/*
 tools/my_vsnprintf.c
@@ -622,7 +633,3 @@ vio/test-ssl
 vio/test-sslclient
 vio/test-sslserver
 vio/viotest-ssl
-libmysqld/client.c
-libmysqld/client_settings.h
-libmysqld/libmysql.c
-libmysqld/pack.c

client/mysqladmin.c

@@ -769,9 +769,12 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
 	return 1;
       }
       if (argv[1][0])
-	make_scrambled_password(crypted_pw,argv[1],
-                                (find_type(argv[0], &command_typelib, 2) ==
-                                 ADMIN_OLD_PASSWORD), &rand_st);
+      {
+        if (find_type(argv[0], &command_typelib, 2) == ADMIN_OLD_PASSWORD)
+          make_scrambled_password_323(crypted_pw, argv[1]);
+        else
+          make_scrambled_password(crypted_pw, argv[1]);
+      }
       else
 	crypted_pw[0]=0;			/* No password */
       sprintf(buff,"set password='%s',sql_log_off=0",crypted_pw);

include/mysql.h

@@ -229,7 +229,9 @@ typedef struct st_mysql
   enum mysql_status status;
   my_bool	free_me;		/* If free in mysql_close */
   my_bool	reconnect;		/* set to 1 if automatic reconnect */
-  char	        scramble_buff[21];      /* New protocol requires longer scramble*/
+
+  /* session-wide random string */
+  char	        scramble[SCRAMBLE_LENGTH+1];
 
  /*
    Set if this is the original connection, not a master or a slave we have

include/mysql_com.h

@@ -49,8 +49,15 @@ enum enum_server_command
 };
 
 
-#define SCRAMBLE_LENGTH   8
-#define SCRAMBLE41_LENGTH 20
+/*
+  Length of random string sent by server on handshake; this is also length of
+  obfuscated password, recieved from client 
+*/
+#define SCRAMBLE_LENGTH 20
+#define SCRAMBLE_LENGTH_323 8
+/* length of password stored in the db: new passwords are preceeded with '*' */
+#define SCRAMBLED_PASSWORD_CHAR_LENGTH (SCRAMBLE_LENGTH*2+1)
+#define SCRAMBLED_PASSWORD_CHAR_LENGTH_323 (SCRAMBLE_LENGTH_323*2)
 
 
 #define NOT_NULL_FLAG	1		/* Field can't be NULL */
@@ -302,31 +309,34 @@ extern "C" {
 extern unsigned long max_allowed_packet;
 extern unsigned long net_buffer_length;
 
-void randominit(struct rand_struct *,unsigned long seed1,
-		unsigned long seed2);
+/*
+  These functions are used for authentication by client and server and
+  implemented in sql/password.c
+*/
+
+void randominit(struct rand_struct *, unsigned long seed1,
+                unsigned long seed2);
 double my_rnd(struct rand_struct *);
-void make_scrambled_password(char *to,const char *password,
-     my_bool force_old_scramble,struct rand_struct *rand_st);
-int get_password_length(my_bool force_old_scramble);
-char get_password_version(const char* password);
-void create_random_string(int length,struct rand_struct *rand_st,char* target);
-my_bool validate_password(const char* password, const char* message,
-        unsigned long* salt);
-void password_hash_stage1(char *to, const char *password);
-void password_hash_stage2(char *to,const char *salt);
-void password_crypt(const char* from,char* to, const char* password,int length);
-void get_hash_and_password(unsigned long* salt, unsigned char  pversion,char* hash,
-     unsigned char* bin_password);
-void get_salt_from_password(unsigned long *res,const char *password);
-void create_key_from_old_password(const char* password,char* key);
-void make_password_from_salt(char *to, unsigned long *hash_res,
-     unsigned char  password_version);
-char *scramble(char *to,const char *message,const char *password,
-	       my_bool old_ver);
-my_bool check_scramble(const char *, const char *message,
-		       unsigned long *salt,my_bool old_ver);
+void create_random_string(char *to, uint length, struct rand_struct *rand_st);
+
+void hash_password(ulong *to, const char *password, uint password_len);
+void make_scrambled_password_323(char *to, const char *password);
+void scramble_323(char *to, const char *message, const char *password);
+my_bool check_scramble_323(const char *, const char *message,
+                           unsigned long *salt);
+void get_salt_from_password_323(unsigned long *res, const char *password);
+void make_password_from_salt_323(char *to, const unsigned long *salt);
+
+void make_scrambled_password(char *to, const char *password);
+void scramble(char *to, const char *message, const char *password);
+my_bool check_scramble(const char *reply, const char *message,
+                       const unsigned char *hash_stage2);
+void get_salt_from_password(unsigned char *res, const char *password);
+void make_password_from_salt(char *to, const unsigned char *hash_stage2);
+
+/* end of password.c */
+
 char *get_tty_password(char *opt_message);
-void hash_password(unsigned long *result, const char *password);
 const char *mysql_errno_to_sqlstate(unsigned int mysql_errno);
 
 /* Some other useful functions */

include/mysqld_error.h

@@ -290,4 +290,5 @@
 #define ER_VARIABLE_IS_NOT_STRUCT 1271
 #define ER_UNKNOWN_COLLATION 1272
 #define ER_SLAVE_IGNORED_SSL_PARAMS 1273
-#define ER_ERROR_MESSAGES 274
+#define ER_SERVER_IS_IN_SECURE_AUTH_MODE 1274
+#define ER_ERROR_MESSAGES 275

libmysql/libmysql.c

@@ -604,41 +604,55 @@ my_bool	STDCALL mysql_change_user(MYSQL *mysql, const char *user,
   /* Store user into the buffer */
   end=strmov(end,user)+1;
 
-  /*
-    We always start with old type handshake the only difference is message sent
-    If server handles secure connection type we'll not send the real scramble
-  */
-  if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
+  /* write scrambled password according to server capabilities */
+  if (passwd[0])
   {
-    if (passwd[0])
+    if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
     {
-      /* Prepare false scramble  */
-      bfill(end, SCRAMBLE_LENGTH, 'x');
-      end+=SCRAMBLE_LENGTH;
-      *end=0;
-
+      *end++= SCRAMBLE_LENGTH;
+      scramble(end, mysql->scramble, passwd);
+      end+= SCRAMBLE_LENGTH;
+    }
+    else
+    {
+      scramble_323(end, mysql->scramble, passwd);
+      end+= SCRAMBLE_LENGTH_323 + 1;
     }
-    else					/* For empty password */
-      *end=0;					/* zero length scramble */
   }
   else
-  {
-    /*
-      Real scramble is only sent to old servers. This can be blocked 
-      by calling mysql_options(MYSQL *, MYSQL_SECURE_CONNECT, (char*) &1);
-    */
-    end=scramble(end, mysql->scramble_buff, passwd,
-                 (my_bool) (mysql->protocol_version == 9));
-  }
+    *end++= '\0';                               // empty password
   /* Add database if needed */
-  end=strmov(end+1,db ? db : "");
+  end= strmov(end, db ? db : "") + 1;
 
   /* Write authentication package */
   simple_command(mysql,COM_CHANGE_USER, buff,(ulong) (end-buff),1);
 
-  if (mysql_autenticate(mysql, passwd))
+  NET *net= &mysql->net;
+  ulong pkt_length= net_safe_read(mysql);
+
+  if (pkt_length == packet_error)
     goto error;
 
+  if (pkt_length == 1 && net->read_pos[0] == 254 &&
+      mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
+  {
+    /*
+      By sending this very specific reply server asks us to send scrambled
+      password in old format. The reply contains scramble_323.
+    */
+    scramble_323(buff, mysql->scramble, passwd);
+    if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net))
+    {
+      net->last_errno= CR_SERVER_LOST;
+      strmov(net->sqlstate, unknown_sqlstate);
+      strmov(net->last_error,ER(net->last_errno));
+      goto error;
+    }
+    /* Read what server thinks about out new auth message report */
+    if (net_safe_read(mysql) == packet_error)
+      goto error;
+  }
+
   /* Free old connect information */
   my_free(mysql->user,MYF(MY_ALLOW_ZERO_PTR));
   my_free(mysql->passwd,MYF(MY_ALLOW_ZERO_PTR));

mysql-test/r/connect.result

@@ -30,6 +30,7 @@ show tables;
 Tables_in_test
 update mysql.user set password=old_password("gambling2") where user="test";
 flush privileges;
+set password=old_password('gambling3');
 show tables;
 Tables_in_mysql
 columns_priv

mysql-test/r/func_crypt.result

 select length(encrypt('foo', 'ff')) <> 0;
 length(encrypt('foo', 'ff')) <> 0
 1
-select password("a",""), password("a",NULL), password("","a"), password(NULL,"a");
-password("a","")	password("a",NULL)	password("","a")	password(NULL,"a")
-*2517f7235d68d4ba2e5019c93420523101157a792c01	NULL		NULL
-select password("aaaaaaaaaaaaaaaa","a"), password("a","aaaaaaaaaaaaaaaa");
-password("aaaaaaaaaaaaaaaa","a")	password("a","aaaaaaaaaaaaaaaa")
-*2cd3b9a44e9a9994789a30f935c92f45a96c5472f381	*37c7c5c794ff144819f2531bf03c57772cd84e40db09
-select old_password('test'), length(password("1")), length(encrypt('test')), encrypt('test','aa');
-old_password('test')	length(password("1"))	length(encrypt('test'))	encrypt('test','aa')
-378b243e220ca493	45	13	aaqPiZY5xR5l.
-select old_password(""), old_password(NULL), password(""), password(NULL);
-old_password("")	old_password(NULL)	password("")	password(NULL)
-	NULL		NULL
+select password('abc');
+password('abc')
+*0d3ced9bec10a777aec23ccc353a8c08a633045e
+select password('');
+password('')
+
+select old_password('abc');
+old_password('abc')
+7cd2b5942be28759
+select old_password('');
+old_password('')
+
+select password('gabbagabbahey');
+password('gabbagabbahey')
+*b0f99d2963660dd7e16b751ec9ee2f17b6a68fa6
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+select length(password('1'));
+length(password('1'))
+41
+select length(encrypt('test'));
+length(encrypt('test'))
+13
+select encrypt('test','aa');
+encrypt('test','aa')
+aaqPiZY5xR5l.
+select old_password(NULL);
+old_password(NULL)
+NULL
+select password(NULL);
+password(NULL)
+NULL
+set global old_passwords=on;
+select password('');
+password('')
+
+select old_password('');
+old_password('')
+
+select password('idkfa');
+password('idkfa')
+*b669c9dac3aa6f2254b03cdef8dfdd6b2d1054ba
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+set old_passwords=on;
+select password('idkfa');
+password('idkfa')
+5c078dc54ca0fcca
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+set global old_passwords=off;
+select password('idkfa');
+password('idkfa')
+5c078dc54ca0fcca
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+set old_passwords=off;
+select password('idkfa ');
+password('idkfa ')
+*2dc31d90647b4c1abc9231563d2236e96c9a2db2
+select password('idkfa');
+password('idkfa')
+*b669c9dac3aa6f2254b03cdef8dfdd6b2d1054ba
+select password(' idkfa');
+password(' idkfa')
+*12b099e56bb7fe8d43c78fd834a9d1d11178d045
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+select old_password(' i 	 d k f a ');
+old_password(' i 	 d k f a ')
+5c078dc54ca0fcca

mysql-test/t/connect.test

@@ -48,8 +48,9 @@ flush privileges;
 #connect (con1,localhost,test,gambling2,"");
 #show tables;
 connect (con1,localhost,test,gambling2,mysql);
+set password=old_password('gambling3');
 show tables;
-connect (con1,localhost,test,gambling2,test);
+connect (con1,localhost,test,gambling3,test);
 show tables;
 
 # Re enable this one day if error handling on connect will take place
@@ -63,7 +64,9 @@ show tables;
 #connect (con1,localhost,test,zorro,);
 #--error 1045
 
+
 # remove user 'test' so that other tests which may use 'test'
 # do not depend on this test.
+
 delete from mysql.user where user="test";
 flush privileges;

mysql-test/t/func_crypt.test

@@ -4,7 +4,33 @@ select length(encrypt('foo', 'ff')) <> 0;
 --replace_result $1$aa$4OSUA5cjdx0RUQ08opV27/ aaqPiZY5xR5l.
 
 # Test new and old password handling functions 
-select password("a",""), password("a",NULL), password("","a"), password(NULL,"a");
-select password("aaaaaaaaaaaaaaaa","a"), password("a","aaaaaaaaaaaaaaaa");
-select old_password('test'), length(password("1")), length(encrypt('test')), encrypt('test','aa');
-select old_password(""), old_password(NULL), password(""), password(NULL);
+select password('abc');
+select password('');
+select old_password('abc');
+select old_password('');
+select password('gabbagabbahey');
+select old_password('idkfa');
+select length(password('1'));
+select length(encrypt('test'));
+select encrypt('test','aa');
+select old_password(NULL);
+select password(NULL);
+set global old_passwords=on;
+select password('');
+select old_password('');
+select password('idkfa');
+select old_password('idkfa');
+set old_passwords=on;
+select password('idkfa');
+select old_password('idkfa');
+set global old_passwords=off;
+select password('idkfa');
+select old_password('idkfa');
+
+# this test shows that new scrambles honor spaces in passwords:
+set old_passwords=off;
+select password('idkfa ');
+select password('idkfa');
+select password(' idkfa');
+select old_password('idkfa');
+select old_password(' i 	 d k f a ');

scripts/mysql_create_system_tables.sh

@@ -108,7 +108,7 @@ then
   c_u="$c_u CREATE TABLE user ("
   c_u="$c_u   Host char(60) binary DEFAULT '' NOT NULL,"
   c_u="$c_u   User char(16) binary DEFAULT '' NOT NULL,"
-  c_u="$c_u   Password char(45) binary DEFAULT '' NOT NULL,"
+  c_u="$c_u   Password char(41) binary DEFAULT '' NOT NULL,"
   c_u="$c_u   Select_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
   c_u="$c_u   Insert_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
   c_u="$c_u   Update_priv enum('N','Y') DEFAULT 'N' NOT NULL,"

scripts/mysql_fix_privilege_tables.sql

@@ -16,7 +16,7 @@ ALTER TABLE host type=MyISAM;
 ALTER TABLE func type=MyISAM;
 ALTER TABLE columns_priv type=MyISAM;
 ALTER TABLE tables_priv type=MyISAM;
-ALTER TABLE user change Password Password char(45) not null;
+ALTER TABLE user change Password Password char(41) not null;
 ALTER TABLE user add File_priv enum('N','Y') NOT NULL;
 CREATE TABLE IF NOT EXISTS func (
   name char(64) DEFAULT '' NOT NULL,

sql-common/client.c

@@ -1391,76 +1391,6 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused)))
 #endif /* HAVE_OPENSSL */
 
 
-/*
-  Handle password authentication
-*/
-
-my_bool mysql_autenticate(MYSQL *mysql, const char *passwd)
-{
-  ulong pkt_length;
-  NET *net= &mysql->net;
-  char buff[SCRAMBLE41_LENGTH];
-  char password_hash[SCRAMBLE41_LENGTH]; /* Used for storage of stage1 hash */
-
-  /* We shall only query server if it expect us to do so */
-  if ((pkt_length=net_safe_read(mysql)) == packet_error)
-    goto error;
-
-  if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
-  {
-    /*
-      This should always happen with new server unless empty password
-      OK/Error packets have zero as the first char
-    */
-    if (pkt_length == 24 && net->read_pos[0])
-    {
-      /* Old passwords will have '*' at the first byte of hash */
-      if (net->read_pos[0] != '*')
-      {
-        /* Build full password hash as it is required to decode scramble */
-        password_hash_stage1(buff, passwd);
-        /* Store copy as we'll need it later */
-        memcpy(password_hash,buff,SCRAMBLE41_LENGTH);
-        /* Finally hash complete password using hash we got from server */
-        password_hash_stage2(password_hash,(const char*) net->read_pos);
-        /* Decypt and store scramble 4 = hash for stage2 */
-        password_crypt((const char*) net->read_pos+4,mysql->scramble_buff,
-		       password_hash, SCRAMBLE41_LENGTH);
-        mysql->scramble_buff[SCRAMBLE41_LENGTH]=0;
-        /* Encode scramble with password. Recycle buffer */
-        password_crypt(mysql->scramble_buff,buff,buff,SCRAMBLE41_LENGTH);
-      }
-      else
-      {
-	/* Create password to decode scramble */
-	create_key_from_old_password(passwd,password_hash);
-	/* Decypt and store scramble 4 = hash for stage2 */
-	password_crypt((const char*) net->read_pos+4,mysql->scramble_buff,
-		       password_hash, SCRAMBLE41_LENGTH);
-	mysql->scramble_buff[SCRAMBLE41_LENGTH]=0;
-	/* Finally scramble decoded scramble with password */
-	scramble(buff, mysql->scramble_buff, passwd,0);
-      }
-      /* Write second package of authentication */
-      if (my_net_write(net,buff,SCRAMBLE41_LENGTH) || net_flush(net))
-      {
-        net->last_errno= CR_SERVER_LOST;
-	strmov(net->sqlstate, unknown_sqlstate);
-        strmov(net->last_error,ER(net->last_errno));
-        goto error;
-      }
-      /* Read what server thinks about out new auth message report */
-      if (net_safe_read(mysql) == packet_error)
-	goto error;
-    }
-  }
-  return 0;
-
-error:
-  return 1;
-}
-
-
 /*
   Note that the mysql argument must be initialized with mysql_init()
   before calling mysql_real_connect !
@@ -1553,7 +1483,7 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
   mysql->server_status=SERVER_STATUS_AUTOCOMMIT;
 
   /*
-    Grab a socket and connect it to the server
+    Part 0: Grab a socket and connect it to the server
   */
 #if defined(HAVE_SMEM)
   if ((!mysql->options.protocol ||
@@ -1754,6 +1684,11 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
     strmov(net->last_error,ER(net->last_errno));
     goto error;
   }
+
+  /*
+    Part 1: Connection established, read and parse first packet
+  */
+
   if ((pkt_length=net_safe_read(mysql)) == packet_error)
     goto error;
 
@@ -1774,8 +1709,13 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
   end=strend((char*) net->read_pos+1);
   mysql->thread_id=uint4korr(end+1);
   end+=5;
-  strmake(mysql->scramble_buff,end,8);
-  end+=9;
+  /* 
+    Scramble is split into two parts because old clients does not understand
+    long scrambles; here goes the first part.
+  */
+  strmake(mysql->scramble, end, SCRAMBLE_LENGTH_323);
+  end+= SCRAMBLE_LENGTH_323+1;
+
   if (pkt_length >= (uint) (end+1 - (char*) net->read_pos))
     mysql->server_capabilities=uint2korr(end);
   if (pkt_length >= (uint) (end+18 - (char*) net->read_pos))
@@ -1784,6 +1724,14 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
     mysql->server_language=end[2];
     mysql->server_status=uint2korr(end+3);
   }
+  end+= 18;
+  if (pkt_length >= (uint) (end + SCRAMBLE_LENGTH - SCRAMBLE_LENGTH_323 + 1 - 
+                           (char *) net->read_pos))
+    strmake(mysql->scramble+SCRAMBLE_LENGTH_323, end,
+            SCRAMBLE_LENGTH-SCRAMBLE_LENGTH_323);
+  else
+    mysql->server_capabilities&= ~CLIENT_SECURE_CONNECTION;
+
   charset_number= mysql->server_language;
 
   /* Set character set */
@@ -1860,9 +1808,12 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
     mysql->unix_socket=0;
   strmov(mysql->server_version,(char*) net->read_pos+1);
   mysql->port=port;
-  client_flag|=mysql->options.client_flag;
 
-  /* Send client information for access check */
+  /*
+    Part 2: format and send client info to the server for access check
+  */
+  
+  client_flag|=mysql->options.client_flag;
   client_flag|=CLIENT_CAPABILITIES;
   if (client_flag & CLIENT_MULTI_QUERIES)
     client_flag|= CLIENT_MULTI_RESULTS;
@@ -1949,7 +1900,7 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
 		     mysql->server_status, client_flag));
   /* This needs to be changed as it's not useful with big packets */
   if (user && user[0])
-    strmake(end,user,32);			/* Max user name */
+    strmake(end,user,USERNAME_LENGTH);          /* Max user name */
   else
     read_user_name((char*) end);
 
@@ -1958,41 +1909,30 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
 #include "_cust_libmysql.h"
 #endif
   DBUG_PRINT("info",("user: %s",end));
-  /*
-    We always start with old type handshake the only difference is message sent
-    If server handles secure connection type we'll not send the real scramble
-  */
-  if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
+  end= strend(end) + 1;
+  if (passwd[0])
   {
-    if (passwd[0])
+    if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
     {
-      /* Prepare false scramble  */
-      end=strend(end)+1;
-      bfill(end, SCRAMBLE_LENGTH, 'x');
-      end+=SCRAMBLE_LENGTH;
-      *end=0;
+      *end++= SCRAMBLE_LENGTH;
+      scramble(end, mysql->scramble, passwd);
+      end+= SCRAMBLE_LENGTH;
     }
-    else				/* For empty password*/
+    else
     {
-      end=strend(end)+1;
-      *end=0;				/* Store zero length scramble */
+      scramble_323(end, mysql->scramble, passwd);
+      end+= SCRAMBLE_LENGTH_323 + 1;
     }
   }
   else
-  {
-    /*
-      Real scramble is only sent to old servers. This can be blocked 
-      by calling mysql_options(MYSQL *, MYSQL_SECURE_CONNECT, (char*) &1);
-    */
-    end=scramble(strend(end)+1, mysql->scramble_buff, passwd,
-                 (my_bool) (mysql->protocol_version == 9));
-  }
+    *end++= '\0';                               /* empty password */
+
   /* Add database if needed */
   if (db && (mysql->server_capabilities & CLIENT_CONNECT_WITH_DB))
   {
-    end=strmake(end+1,db,NAME_LEN);
-    mysql->db=my_strdup(db,MYF(MY_WME));
-    db=0;
+    end= strmake(end, db, NAME_LEN) + 1;
+    mysql->db= my_strdup(db,MYF(MY_WME));
+    db= 0;
   }
   /* Write authentication package */
   if (my_net_write(net,buff,(ulong) (end-buff)) || net_flush(net))
@@ -2002,10 +1942,36 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
     strmov(net->last_error,ER(net->last_errno));
     goto error;
   }
+  
+  /*
+    Part 3: Authorization data's been sent. Now server can reply with
+    OK-packet, or re-request scrambled password.
+  */
 
-  if (mysql_autenticate(mysql, passwd))
+  if ((pkt_length=net_safe_read(mysql)) == packet_error)
     goto error;
 
+  if (pkt_length == 1 && net->read_pos[0] == 254 && 
+      mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
+  {
+    /*
+      By sending this very specific reply server asks us to send scrambled
+      password in old format.
+    */
+    scramble_323(buff, mysql->scramble, passwd);
+    if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net))
+    {
+      net->last_errno= CR_SERVER_LOST;
+      strmov(net->sqlstate, unknown_sqlstate);
+      strmov(net->last_error,ER(net->last_errno));
+      goto error;
+    }
+    /* Read what server thinks about out new auth message report */
+    if (net_safe_read(mysql) == packet_error)
+      goto error;
+  }
+
+
   if (client_flag & CLIENT_COMPRESS)		/* We will use compression */
     net->compress=1;
 

sql/item_create.cc

@@ -52,13 +52,6 @@ Item *create_func_ord(Item* a)
   return new Item_func_ord(a);
 }
 
-Item *create_func_old_password(Item* a)
-{
-  return new Item_func_old_password(a);
-}
-
-
-
 Item *create_func_asin(Item* a)
 {
   return new Item_func_asin(a);
@@ -332,11 +325,6 @@ Item *create_func_quarter(Item* a)
   return new Item_func_quarter(a);
 }
 
-Item *create_func_password(Item* a)
-{
-  return new Item_func_password(a);
-}
-
 Item *create_func_radians(Item *a)
 {
   return new Item_func_units((char*) "radians",a,M_PI/180,0.0);

sql/item_create.h

@@ -69,14 +69,12 @@ Item *create_func_monthname(Item* a);
 Item *create_func_nullif(Item* a, Item *b);
 Item *create_func_oct(Item *);
 Item *create_func_ord(Item* a);
-Item *create_func_old_password(Item* a);
 Item *create_func_period_add(Item* a, Item *b);
 Item *create_func_period_diff(Item* a, Item *b);
 Item *create_func_pi(void);
 Item *create_func_pow(Item* a, Item *b);
 Item *create_func_current_user(void);
 Item *create_func_quarter(Item* a);
-Item *create_func_password(Item* a);
 Item *create_func_radians(Item *a);
 Item *create_func_release_lock(Item* a);
 Item *create_func_repeat(Item* a, Item *b);

sql/item_strfunc.cc

@@ -1327,95 +1327,49 @@ void Item_func_trim::fix_length_and_dec()
 }
 
 
-
-
-void Item_func_password::fix_length_and_dec()
-{
-  /*
-    If PASSWORD() was called with only one argument, it depends on a random
-    number so we need to save this random number into the binary log.
-    If called with two arguments, it is repeatable.
-  */
-  if (arg_count == 1)
-  {
-    THD *thd= current_thd;
-    thd->rand_used= 1;
-    thd->rand_saved_seed1= thd->rand.seed1;
-    thd->rand_saved_seed2= thd->rand.seed2;
-  } 
-  max_length= get_password_length(use_old_passwords);
-}
-
-/*
- Password() function has 2 arguments. Second argument can be used
- to make results repeatable
-*/ 
+/* Item_func_password */
 
 String *Item_func_password::val_str(String *str)
 {
-  struct rand_struct rand_st; // local structure for 2 param version
-  ulong  seed=0;              // seed to initialise random generator to
-  
-  String *res  =args[0]->val_str(str);          
+  String *res= args[0]->val_str(str); 
   if ((null_value=args[0]->null_value))
     return 0;
-  
-  if (arg_count == 1)
-  {    
-    if (res->length() == 0)
-      return &empty_string;
-    make_scrambled_password(tmp_value,res->c_ptr(),use_old_passwords,
-                            &current_thd->rand);
-    str->set(tmp_value,get_password_length(use_old_passwords),res->charset());
-    return str;
-  }
-  else
-  {
-   /* We'll need the buffer to get second parameter */
-    char key_buff[80];
-    String tmp_key_value(key_buff, sizeof(key_buff), system_charset_info);
-    String *key  =args[1]->val_str(&tmp_key_value);          
-    
-    /* Check second argument for NULL value. First one is already checked */
-    if ((null_value=args[1]->null_value))
-      return 0;
-      
-    /* This shall be done after checking for null for proper results */       
-    if (res->length() == 0)
-      return &empty_string;  
-      
-    /* Generate the seed first this allows to avoid double allocation */  
-    char* seed_ptr=key->c_ptr();
-    while (*seed_ptr)
-    {
-      seed=(seed*211+*seed_ptr) & 0xffffffffL; /* Use simple hashing */
-      seed_ptr++;
-    }
-    
-    /* Use constants which allow nice random values even with small seed */
-    randominit(&rand_st,
-	       (ulong) ((ulonglong) seed*111111+33333333L) & (ulong) 0xffffffff,
-	       (ulong) ((ulonglong) seed*1111+55555555L) & (ulong) 0xffffffff);
-    
-    make_scrambled_password(tmp_value,res->c_ptr(),use_old_passwords,
-                            &rand_st);
-    str->set(tmp_value,get_password_length(use_old_passwords),res->charset());
-    return str;
-  }       
+  if (res->length() == 0)
+    return &empty_string;
+  make_scrambled_password(tmp_value, res->c_ptr());
+  str->set(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH, res->charset());
+  return str;
 }
 
+char *Item_func_password::alloc(THD *thd, const char *password)
+{
+  char *buff= (char *) thd->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH+1);
+  if (buff)
+    make_scrambled_password(buff, password);
+  return buff;
+}
+
+/* Item_func_old_password */
+
 String *Item_func_old_password::val_str(String *str)
 {
-  String *res  =args[0]->val_str(str);
+  String *res= args[0]->val_str(str);
   if ((null_value=args[0]->null_value))
     return 0;
   if (res->length() == 0)
     return &empty_string;
-  make_scrambled_password(tmp_value,res->c_ptr(),1,&current_thd->rand);
-  str->set(tmp_value,16,res->charset());
+  make_scrambled_password_323(tmp_value, res->c_ptr());
+  str->set(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH_323, res->charset());
   return str;
 }
 
+char *Item_func_old_password::alloc(THD *thd, const char *password)
+{
+  char *buff= (char *) thd->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1);
+  if (buff)
+    make_scrambled_password_323(buff, password);
+  return buff;
+}
 
 
 #define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.')

sql/item_strfunc.h

@@ -254,30 +254,45 @@ public:
 };
 
 
+/*
+  Item_func_password -- new (4.1.1) PASSWORD() function implementation.
+  Returns strcat('*', octet2hex(sha1(sha1(password)))). '*' stands for new
+  password format, sha1(sha1(password) is so-called hash_stage2 value.
+  Length of returned string is always 41 byte. To find out how entire
+  authentification procedure works, see comments in password.c.
+*/
+
 class Item_func_password :public Item_str_func
 {
-  char tmp_value[64]; /* This should be enough for new password format */
+  char tmp_value[SCRAMBLED_PASSWORD_CHAR_LENGTH+1]; 
 public:
   Item_func_password(Item *a) :Item_str_func(a) {}
-  Item_func_password(Item *a, Item *b) :Item_str_func(a,b) {}
-  String *val_str(String *);
-  void fix_length_and_dec();
+  String *val_str(String *str);
+  void fix_length_and_dec() { max_length= SCRAMBLED_PASSWORD_CHAR_LENGTH; }
   const char *func_name() const { return "password"; }
+  static char *alloc(THD *thd, const char *password);
 };
 
 
+/*
+  Item_func_old_password -- PASSWORD() implementation used in MySQL 3.21 - 4.0
+  compatibility mode. This item is created in sql_yacc.yy when
+  'old_passwords' session variable is set, and to handle OLD_PASSWORD()
+  function.
+*/
+
 class Item_func_old_password :public Item_str_func
 {
-  char tmp_value[17]; /* old password length +1 */
+  char tmp_value[SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1];
 public:
   Item_func_old_password(Item *a) :Item_str_func(a) {}
-  String *val_str(String *);
-  void fix_length_and_dec() { max_length = get_password_length(1); }
+  String *val_str(String *str);
+  void fix_length_and_dec() { max_length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323; } 
   const char *func_name() const { return "old_password"; }
+  static char *alloc(THD *thd, const char *password);
 };
 
 
-
 class Item_func_des_encrypt :public Item_str_func
 {
   String tmp_value;

sql/lex.h

@@ -294,6 +294,7 @@ static SYMBOL symbols[] = {
   { "NULL",		SYM(NULL_SYM),0,0},
   { "NUMERIC",		SYM(NUMERIC_SYM),0,0},
   { "OFFSET",		SYM(OFFSET_SYM),0,0},
+  { "OLD_PASSWORD",	SYM(OLD_PASSWORD),0,0},
   { "ON",		SYM(ON),0,0},
   { "OPEN",		SYM(OPEN_SYM),0,0},
   { "OPTIMIZE",		SYM(OPTIMIZE),0,0},
@@ -596,7 +597,6 @@ static SYMBOL sql_functions[] = {
   { "NUMPOINTS",	SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_numpoints)},
   { "OCTET_LENGTH",	SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_length)},
   { "OCT",		SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_oct)},
-  { "OLD_PASSWORD",     SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_old_password)},
   { "ORD",              SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_ord)},
   { "OVERLAPS",		SYM(FUNC_ARG2),0,CREATE_FUNC(create_func_overlaps)},
   { "PERIOD_ADD",	SYM(FUNC_ARG2),0,CREATE_FUNC(create_func_period_add)},

sql/mysql_priv.h

@@ -74,9 +74,6 @@ extern CHARSET_INFO *national_charset_info, *table_alias_charset;
 ****************************************************************************/
 
 #define ACL_CACHE_SIZE		256
-/* Password lengh for 4.1 version previous versions had 16 bytes password hash */
-#define HASH_PASSWORD_LENGTH	45
-#define HASH_OLD_PASSWORD_LENGTH 16
 #define MAX_PASSWORD_LENGTH	32
 #define HOST_CACHE_SIZE		128
 #define MAX_ACCEPT_RETRY	10	// Test accept this many times
@@ -771,7 +768,7 @@ extern my_bool opt_safe_show_db, opt_local_infile, lower_case_table_names;
 extern my_bool opt_slave_compressed_protocol, use_temp_pool;
 extern my_bool opt_readonly;
 extern my_bool opt_enable_named_pipe;
-extern my_bool opt_old_passwords, use_old_passwords;
+extern my_bool opt_secure_auth;
 extern char *shared_memory_base_name, *mysqld_unix_port;
 extern bool opt_enable_shared_memory;
 

sql/mysqld.cc

@@ -257,9 +257,10 @@ my_bool opt_local_infile, opt_external_locking, opt_slave_compressed_protocol;
 my_bool opt_safe_user_create = 0, opt_no_mix_types = 0;
 my_bool lower_case_table_names, opt_old_rpl_compat;
 my_bool opt_show_slave_auth_info, opt_sql_bin_update = 0;
-my_bool opt_log_slave_updates= 0, opt_old_passwords=0, use_old_passwords=0;
+my_bool opt_log_slave_updates= 0;
 my_bool	opt_console= 0, opt_bdb, opt_innodb, opt_isam;
 my_bool opt_readonly, use_temp_pool, relay_log_purge;
+my_bool opt_secure_auth= 0;
 volatile bool mqh_used = 0;
 
 uint mysqld_port, test_flags, select_errors, dropping_tables, ha_open_options;
@@ -2819,12 +2820,6 @@ static void create_new_thread(THD *thd)
   if (thread_count-delayed_insert_threads > max_used_connections)
     max_used_connections=thread_count-delayed_insert_threads;
   thd->thread_id=thread_id++;
-  for (uint i=0; i < 8 ; i++)			// Generate password teststring
-    thd->scramble[i]= (char) (my_rnd(&sql_rand)*94+33);
-  thd->scramble[8]=0;
-  // Back it up as old clients may need it
-  memcpy(thd->old_scramble,thd->scramble,9);
-
 
   thd->real_id=pthread_self();			// Keep purify happy
 
@@ -3535,7 +3530,8 @@ enum options
   OPT_EXPIRE_LOGS_DAYS,
   OPT_DEFAULT_WEEK_FORMAT,
   OPT_GROUP_CONCAT_MAX_LEN,
-  OPT_DEFAULT_COLLATION
+  OPT_DEFAULT_COLLATION,
+  OPT_SECURE_AUTH
 };
 
 
@@ -3845,9 +3841,10 @@ master-ssl",
    (gptr*) &opt_no_mix_types, (gptr*) &opt_no_mix_types, 0, GET_BOOL, NO_ARG,
    0, 0, 0, 0, 0, 0},
 #endif
-  {"old-protocol", 'o', "Use the old (3.20) protocol client/server protocol.",
-   (gptr*) &protocol_version, (gptr*) &protocol_version, 0, GET_UINT, NO_ARG,
-   PROTOCOL_VERSION, 0, 0, 0, 0, 0},
+  {"old-passwords", OPT_OLD_PASSWORDS, "Use old password encryption method (needed for 4.0 and older clients).",
+   (gptr*) &global_system_variables.old_passwords,
+   (gptr*) &max_system_variables.old_passwords, 0, GET_BOOL, NO_ARG,
+   0, 0, 0, 0, 0, 0},
   {"old-rpl-compat", OPT_OLD_RPL_COMPAT,
    "Use old LOAD DATA format in the binary log (don't save data in file).",
    (gptr*) &opt_old_rpl_compat, (gptr*) &opt_old_rpl_compat, 0, GET_BOOL,
@@ -3914,8 +3911,6 @@ relay logs.",
    GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
   {"safe-mode", OPT_SAFE, "Skip some optimize stages (for testing).",
    0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0},
-  {"old-passwords", OPT_OLD_PASSWORDS, "Use old password encryption method (needed for 4.0 and older clients).",
-   (gptr*) &opt_old_passwords, (gptr*) &opt_old_passwords, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
 #ifndef TO_BE_DELETED
   {"safe-show-database", OPT_SAFE_SHOW_DB,
    "Deprecated option; One should use GRANT SHOW DATABASES instead...",
@@ -3925,6 +3920,9 @@ relay logs.",
    "Don't allow new user creation by the user who has no write privileges to the mysql.user table.",
    (gptr*) &opt_safe_user_create, (gptr*) &opt_safe_user_create, 0, GET_BOOL,
    NO_ARG, 0, 0, 0, 0, 0, 0},
+  {"secure-auth", OPT_SECURE_AUTH, "Disallow authentication for accounts that have old (pre-4.1) passwords.",
+   (gptr*) &opt_secure_auth, (gptr*) &opt_secure_auth, 0, GET_BOOL, NO_ARG,
+   my_bool(0), 0, 0, 0, 0, 0},
   {"server-id",	OPT_SERVER_ID,
    "Uniquely identifies the server instance in the community of replication partners.",
    (gptr*) &server_id, (gptr*) &server_id, 0, GET_ULONG, REQUIRED_ARG, 0, 0, 0,
@@ -4709,7 +4707,8 @@ static void mysql_init_variables(void)
   opt_log= opt_update_log= opt_bin_log= opt_slow_log= 0;
   opt_disable_networking= opt_skip_show_db=0;
   opt_logname= opt_update_logname= opt_binlog_index_name= opt_slow_logname=0;
-  opt_bootstrap= opt_myisam_log= use_old_passwords= 0;
+  opt_secure_auth= 0;
+  opt_bootstrap= opt_myisam_log= 0;
   mqh_used= 0;
   segfaulted= kill_in_progress= 0;
   cleanup_done= 0;
@@ -4813,6 +4812,7 @@ static void mysql_init_variables(void)
   max_system_variables.select_limit=    (ulonglong) HA_POS_ERROR;
   global_system_variables.max_join_size= (ulonglong) HA_POS_ERROR;
   max_system_variables.max_join_size=   (ulonglong) HA_POS_ERROR;
+  global_system_variables.old_passwords= 0;
 
   /* Variables that depends on compile options */
 #ifndef DBUG_OFF
@@ -4934,9 +4934,6 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
   case 'L':
     strmake(language, argument, sizeof(language)-1);
     break;
-  case 'o':
-    protocol_version=PROTOCOL_VERSION-1;
-    break;
 #ifdef HAVE_REPLICATION
   case OPT_SLAVE_SKIP_ERRORS:
     init_slave_skip_errors(argument);

sql/protocol.cc

@@ -349,6 +349,25 @@ send_eof(THD *thd, bool no_flush)
   }
   DBUG_VOID_RETURN;
 }
+
+/*
+    Please client to send scrambled_password in old format.
+  SYNOPSYS
+    send_old_password_request()
+    thd thread handle
+     
+  RETURN VALUE
+    0  ok
+   !0  error
+*/
+
+bool send_old_password_request(THD *thd)
+{
+  static char buff[1]= { (char) 254 };
+  NET *net= &thd->net;
+  return my_net_write(net, buff, 1) || net_flush(net);
+}
+
 #endif /* EMBEDDED_LIBRARY */
 
 /*

sql/protocol.h

@@ -164,6 +164,7 @@ void net_printf(THD *thd,uint sql_errno, ...);
 void send_ok(THD *thd, ha_rows affected_rows=0L, ulonglong id=0L,
 	     const char *info=0);
 void send_eof(THD *thd, bool no_flush=0);
+bool send_old_password_request(THD *thd);
 char *net_store_length(char *packet,ulonglong length);
 char *net_store_length(char *packet,uint length);
 char *net_store_data(char *to,const char *from, uint length);

sql/set_var.cc

@@ -216,6 +216,7 @@ sys_var_thd_ulong	sys_net_retry_count("net_retry_count",
 					    &SV::net_retry_count,
 					    fix_net_retry_count);
 sys_var_thd_bool	sys_new_mode("new", &SV::new_mode);
+sys_var_thd_bool	sys_old_passwords("old_passwords", &SV::old_passwords);
 sys_var_thd_ulong       sys_preload_buff_size("preload_buffer_size",
                                               &SV::preload_buff_size);
 sys_var_thd_ulong	sys_read_buff_size("read_buffer_size",
@@ -242,6 +243,7 @@ sys_var_thd_enum	sys_query_cache_type("query_cache_type",
 					     &SV::query_cache_type,
 					     &query_cache_type_typelib);
 #endif /* HAVE_QUERY_CACHE */
+sys_var_bool_ptr	sys_secure_auth("secure_auth", &opt_secure_auth);
 sys_var_long_ptr	sys_server_id("server_id",&server_id);
 sys_var_bool_ptr	sys_slave_compressed_protocol("slave_compressed_protocol",
 						      &opt_slave_compressed_protocol);
@@ -432,6 +434,7 @@ sys_var *sys_variables[]=
   &sys_net_wait_timeout,
   &sys_net_write_timeout,
   &sys_new_mode,
+  &sys_old_passwords,
   &sys_preload_buff_size,
   &sys_pseudo_thread_id,
   &sys_query_cache_size,
@@ -450,6 +453,7 @@ sys_var *sys_variables[]=
 #endif
   &sys_rpl_recovery_rank,
   &sys_safe_updates,
+  &sys_secure_auth,
   &sys_select_limit,
   &sys_server_id,
 #ifdef HAVE_REPLICATION
@@ -608,6 +612,7 @@ struct show_var_st init_vars[]= {
   {sys_net_retry_count.name,  (char*) &sys_net_retry_count,	    SHOW_SYS},
   {sys_net_write_timeout.name,(char*) &sys_net_write_timeout,       SHOW_SYS},
   {sys_new_mode.name,         (char*) &sys_new_mode,                SHOW_SYS},
+  {sys_old_passwords.name,    (char*) &sys_old_passwords,           SHOW_SYS},
   {"open_files_limit",	      (char*) &open_files_limit,	    SHOW_LONG},
   {"pid_file",                (char*) pidfile_name,                 SHOW_CHAR},
   {"log_error",               (char*) log_error_file,               SHOW_CHAR},
@@ -628,6 +633,7 @@ struct show_var_st init_vars[]= {
    SHOW_SYS},
   {sys_query_cache_size.name, (char*) &sys_query_cache_size,	    SHOW_SYS},
   {sys_query_cache_type.name, (char*) &sys_query_cache_type,        SHOW_SYS},
+  {"secure_auth",             (char*) &sys_secure_auth,             SHOW_SYS},
 #endif /* HAVE_QUERY_CACHE */
 #ifdef HAVE_SMEM
   {"shared_memory",           (char*) &opt_enable_shared_memory,    SHOW_MY_BOOL},

sql/set_var.h

@@ -689,6 +689,9 @@ public:
   }
 };
 
+/* updated in sql_acl.cc */
+
+extern sys_var_thd_bool sys_old_passwords;
 
 /* For sql_yacc */
 struct sys_var_with_base

sql/share/czech/errmsg.txt

@@ -279,3 +279,4 @@ v/*
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/danish/errmsg.txt

@@ -273,3 +273,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/dutch/errmsg.txt

@@ -281,3 +281,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/english/errmsg.txt

@@ -275,3 +275,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/estonian/errmsg.txt

@@ -275,3 +275,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/french/errmsg.txt

@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/german/errmsg.txt

@@ -279,3 +279,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/greek/errmsg.txt

@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/hungarian/errmsg.txt

@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/italian/errmsg.txt

@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/japanese/errmsg.txt

@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/korean/errmsg.txt

@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/norwegian-ny/errmsg.txt

@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/norwegian/errmsg.txt

@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/polish/errmsg.txt

@@ -274,3 +274,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/portuguese/errmsg.txt

@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/romanian/errmsg.txt

@@ -274,3 +274,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/russian/errmsg.txt

@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"    --secure-auth ( ),    '%s@%s'  Σ   ;    "

sql/share/serbian/errmsg.txt

@@ -265,3 +265,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/slovak/errmsg.txt

@@ -278,3 +278,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/spanish/errmsg.txt

@@ -271,3 +271,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/swedish/errmsg.txt

@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/ukrainian/errmsg.txt

@@ -275,3 +275,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/slave.cc

@@ -1707,8 +1707,8 @@ file '%s')", fname);
 			      master_host) ||
 	init_strvar_from_file(mi->user, sizeof(mi->user), &mi->file,
 			      master_user) || 
-	init_strvar_from_file(mi->password, HASH_PASSWORD_LENGTH+1, &mi->file,
-			      master_password) ||
+        init_strvar_from_file(mi->password, SCRAMBLED_PASSWORD_CHAR_LENGTH+1,
+                              &mi->file, master_password) ||
 	init_intvar_from_file(&port, &mi->file, master_port) ||
 	init_intvar_from_file(&connect_retry, &mi->file,
 			      master_connect_retry))

sql/sql_acl.h

@@ -111,9 +111,9 @@ public:
   acl_host_and_ip host;
   uint hostname_length;
   USER_RESOURCES user_resource;
-  char *user,*password;
-  ulong salt[6]; // New password has longer length
-  uint8 pversion; // password version
+  char *user;
+  uint8 salt[SCRAMBLE_LENGTH+1];       // scrambled password in binary form
+  uint8 salt_len;        // 0 - no password, 4 - 3.20, 8 - 3.23, 20 - 4.1.1 
   enum SSL_type ssl_type;
   const char *ssl_cipher, *x509_issuer, *x509_subject;
 };
@@ -135,11 +135,8 @@ void acl_reload(THD *thd);
 void acl_free(bool end=0);
 ulong acl_get(const char *host, const char *ip, const char *bin_ip,
 	      const char *user, const char *db, my_bool db_is_pattern);
-ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
-		  const char *password,const char *scramble,
-                  char **priv_user, char *priv_host,
-		  bool old_ver, USER_RESOURCES *max,char* prepared_scramble,
-                  uint *cur_priv_version, ACL_USER **cached_user);
+int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
+                uint passwd_len);
 bool acl_check_host(const char *host, const char *ip);
 bool check_change_password(THD *thd, const char *host, const char *user);
 bool change_password(THD *thd, const char *host, const char *user,

sql/sql_class.cc

@@ -138,6 +138,7 @@ THD::THD():user_time(0), is_fatal_error(0),
   set_query_id=1;
   db_access=NO_ACCESS;
   version=refresh_version;			// For boot
+  *scramble= '\0';
 
   init();
   /* Initialize sub structures */

sql/sql_class.h

@@ -399,6 +399,7 @@ struct system_variables
   my_bool log_warnings;
   my_bool low_priority_updates;
   my_bool new_mode;
+  my_bool old_passwords;
   
   CHARSET_INFO	*character_set_server;
   CHARSET_INFO	*character_set_database;
@@ -556,10 +557,10 @@ public:
   enum_tx_isolation session_tx_isolation;
   /* for user variables replication*/
   DYNAMIC_ARRAY user_var_events;
-             // extend scramble to handle new auth
-  char	     scramble[SCRAMBLE41_LENGTH+1];
-             // old scramble is needed to handle old clients
-  char       old_scramble[SCRAMBLE_LENGTH+1];
+
+  /* scramble - random string sent to client on handshake */
+  char	     scramble[SCRAMBLE_LENGTH+1];
+
   uint8	     query_cache_type;		// type of query cache processing
   bool       slave_thread;
   bool	     set_query_id,locked,count_cuted_fields,some_tables_deleted;

sql/sql_crypt.cc

@@ -32,7 +32,7 @@
 SQL_CRYPT::SQL_CRYPT(const char *password)
 {
   ulong rand_nr[2];
-  hash_password(rand_nr,password);
+  hash_password(rand_nr,password, strlen(password));
   crypt_init(rand_nr);
 }
 

sql/sql_yacc.yy

@@ -506,6 +506,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b,int *yystacksize);
 %token  MULTIPOINT
 %token  MULTIPOLYGON
 %token	NOW_SYM
+%token	OLD_PASSWORD
 %token	PASSWORD
 %token	POINTFROMTEXT
 %token	POINT_SYM
@@ -2607,9 +2608,13 @@ simple_expr:
 	| NOW_SYM '(' expr ')'
 	  { $$= new Item_func_now_local($3); Lex->safe_to_cache_query=0;}
 	| PASSWORD '(' expr ')'
-	  { $$= new Item_func_password($3); }
-        | PASSWORD '(' expr ',' expr ')'
-          { $$= new Item_func_password($3,$5); }
+	  {
+	    $$= YYTHD->variables.old_passwords ?
+              (Item *) new Item_func_old_password($3) :
+	      (Item *) new Item_func_password($3);
+	  }
+	| OLD_PASSWORD '(' expr ')'
+	  { $$=  new Item_func_old_password($3); }
 	| POINT_SYM '(' expr ',' expr ')'
 	  { $$= new Item_func_point($3,$5); }
  	| POINTFROMTEXT '(' expr ')'
@@ -4517,6 +4522,7 @@ keyword:
 	| NO_SYM		{}
 	| NONE_SYM		{}
 	| OFFSET_SYM		{}
+	| OLD_PASSWORD		{}
 	| OPEN_SYM		{}
 	| PACK_KEYS_SYM		{}
 	| PARTIAL		{}
@@ -4741,15 +4747,15 @@ text_or_password:
 	TEXT_STRING { $$=$1.str;}
 	| PASSWORD '(' TEXT_STRING ')'
 	  {
-	    if (!$3.length)
-	      $$=$3.str;
-	    else
-	    {
-	      char *buff=(char*) YYTHD->alloc(HASH_PASSWORD_LENGTH+1);
-	      make_scrambled_password(buff,$3.str,use_old_passwords,
-				      &YYTHD->rand);
-	      $$=buff;
-	    }
+	    $$= $3.length ? YYTHD->variables.old_passwords ?
+	        Item_func_old_password::alloc(YYTHD, $3.str) :
+	        Item_func_password::alloc(YYTHD, $3.str) :
+	      $3.str;
+	  }
+	| OLD_PASSWORD '(' TEXT_STRING ')'
+	  {
+	    $$= $3.length ? Item_func_old_password::alloc(YYTHD, $3.str) :
+	      $3.str;
 	  }
           ;
 
@@ -5057,14 +5063,24 @@ grant_user:
 	   $$=$1; $1->password=$4;
 	   if ($4.length)
 	   {
-	     char *buff=(char*) YYTHD->alloc(HASH_PASSWORD_LENGTH+1);
-	     if (buff)
-	     {
-	       make_scrambled_password(buff,$4.str,use_old_passwords,
-				       &YYTHD->rand);
-	       $1->password.str=buff;
-	       $1->password.length=HASH_PASSWORD_LENGTH;
-	     }
+             if (YYTHD->variables.old_passwords)
+             {
+               char *buff= 
+                 (char *) YYTHD->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1);
+               if (buff)
+                 make_scrambled_password_323(buff, $4.str);
+               $1->password.str= buff;
+               $1->password.length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323;
+             }
+             else
+             {
+               char *buff= 
+                 (char *) YYTHD->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH+1);
+               if (buff)
+                 make_scrambled_password(buff, $4.str);
+               $1->password.str= buff;
+               $1->password.length= SCRAMBLED_PASSWORD_CHAR_LENGTH;
+             }
 	  }
 	}
 	| user IDENTIFIED_SYM BY PASSWORD TEXT_STRING