Merge bk-internal:/home/bk/mysql-4.1/

into serg.mylan:/usr/home/serg/Abk/mysql-4.1

Merge bk-internal:/home/bk/mysql-4.1/
into serg.mylan:/usr/home/serg/Abk/mysql-4.1
7d2b0a0c · serg@serg.mylan · 755455e1 · 2335c7a0 · 7d2b0a0c · 7d2b0a0c
Commit 7d2b0a0c authored Sep 03, 2003 by serg@serg.mylan
56 changed files
--- a/.bzrignore
+++ b/.bzrignore
@@ -23,6 +23,7 @@
 .vimrc
 50
 =6
+BUILD/compile-pentium-maintainer
 BitKeeper/etc/config
 BitKeeper/etc/csets
 BitKeeper/etc/csets-in
@@ -30,6 +31,8 @@ BitKeeper/etc/csets-out
 BitKeeper/etc/gone
 BitKeeper/etc/level
 BitKeeper/etc/pushed
+BitKeeper/post-commit
+BitKeeper/post-commit-manual
 BitKeeper/tmp/*
 BitKeeper/tmp/bkr3sAHD
 BitKeeper/tmp/gone
@@ -223,6 +226,7 @@ bkpull.log.5
 bkpull.log.6
 bkpush.log
 build.log
+build_tags.sh
 client/insert_test
 client/log_event.cc
 client/log_event.h
@@ -311,6 +315,8 @@ libmysql_r/conf_to_src
 libmysql_r/my_static.h
 libmysql_r/mysys_priv.h
 libmysqld/backup_dir
+libmysqld/client.c
+libmysqld/client_settings.h
 libmysqld/convert.cc
 libmysqld/derror.cc
 libmysqld/errmsg.c
@@ -355,6 +361,7 @@ libmysqld/item_sum.cc
 libmysqld/item_timefunc.cc
 libmysqld/item_uniq.cc
 libmysqld/key.cc
+libmysqld/libmysql.c
 libmysqld/lock.cc
 libmysqld/log.cc
 libmysqld/log_event.cc
@@ -366,6 +373,7 @@ libmysqld/net_serv.cc
 libmysqld/opt_ft.cc
 libmysqld/opt_range.cc
 libmysqld/opt_sum.cc
+libmysqld/pack.c
 libmysqld/password.c
 libmysqld/procedure.cc
 libmysqld/protocol.cc
@@ -483,6 +491,7 @@ mysys/#mf_iocache.c#
 mysys/charset2html
 mysys/getopt.c
 mysys/getopt1.c
+mysys/main.cc
 mysys/ste5KbMa
 mysys/test_charset
 mysys/test_dir
@@ -586,6 +595,7 @@ stamp-h1
 stamp-h2
 stamp-h3
 stamp-h4
+start_mysqld.sh
 strings/conf_to_src
 strings/ctype_autoconf.c
 strings/ctype_extra_sources.c
@@ -612,6 +622,7 @@ support-files/mysql.spec
 tags
 test_xml
 tests/client_test
+tests/connect_test
 thread_test
 tmp/*
 tools/my_vsnprintf.c
@@ -623,7 +634,3 @@ vio/test-ssl
 vio/test-sslclient
 vio/test-sslserver
 vio/viotest-ssl
-libmysqld/client.c
-libmysqld/client_settings.h
-libmysqld/libmysql.c
-libmysqld/pack.c
--- a/client/mysqladmin.c
+++ b/client/mysqladmin.c
@@ -769,9 +769,12 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
 	return 1;
      }
      if (argv[1][0])
-	make_scrambled_password(crypted_pw,argv[1],
+      {
-                                (find_type(argv[0], &command_typelib, 2) ==
+        if (find_type(argv[0], &command_typelib, 2) == ADMIN_OLD_PASSWORD)
-                                 ADMIN_OLD_PASSWORD), &rand_st);
+          make_scrambled_password_323(crypted_pw, argv[1]);
+        else
+          make_scrambled_password(crypted_pw, argv[1]);
+      }
      else
 	crypted_pw[0]=0;			/* No password */
      sprintf(buff,"set password='%s',sql_log_off=0",crypted_pw);

--- a/include/mysql.h
+++ b/include/mysql.h
@@ -229,7 +229,9 @@ typedef struct st_mysql
  enum mysql_status status;
  my_bool	free_me;		/* If free in mysql_close */
  my_bool	reconnect;		/* set to 1 if automatic reconnect */
-  char	        scramble_buff[21];      /* New protocol requires longer scramble*/
+  /* session-wide random string */
+  char	        scramble[SCRAMBLE_LENGTH+1];
 /*
   Set if this is the original connection, not a master or a slave we have

--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -49,8 +49,15 @@ enum enum_server_command
 };
-#define SCRAMBLE_LENGTH   8
+/*
-#define SCRAMBLE41_LENGTH 20
+  Length of random string sent by server on handshake; this is also length of
+  obfuscated password, recieved from client 
+*/
+#define SCRAMBLE_LENGTH 20
+#define SCRAMBLE_LENGTH_323 8
+/* length of password stored in the db: new passwords are preceeded with '*' */
+#define SCRAMBLED_PASSWORD_CHAR_LENGTH (SCRAMBLE_LENGTH*2+1)
+#define SCRAMBLED_PASSWORD_CHAR_LENGTH_323 (SCRAMBLE_LENGTH_323*2)
 #define NOT_NULL_FLAG	1		/* Field can't be NULL */
@@ -302,31 +309,34 @@ extern "C" {
 extern unsigned long max_allowed_packet;
 extern unsigned long net_buffer_length;
-void randominit(struct rand_struct *,unsigned long seed1,
+/*
+  These functions are used for authentication by client and server and
+  implemented in sql/password.c
+*/
+void randominit(struct rand_struct *, unsigned long seed1,
                unsigned long seed2);
 double my_rnd(struct rand_struct *);
-void make_scrambled_password(char *to,const char *password,
+void create_random_string(char *to, uint length, struct rand_struct *rand_st);
-     my_bool force_old_scramble,struct rand_struct *rand_st);
-int get_password_length(my_bool force_old_scramble);
+void hash_password(ulong *to, const char *password, uint password_len);
-char get_password_version(const char* password);
+void make_scrambled_password_323(char *to, const char *password);
-void create_random_string(int length,struct rand_struct *rand_st,char* target);
+void scramble_323(char *to, const char *message, const char *password);
-my_bool validate_password(const char* password, const char* message,
+my_bool check_scramble_323(const char *, const char *message,
-        unsigned long* salt);
+                           unsigned long *salt);
-void password_hash_stage1(char *to, const char *password);
+void get_salt_from_password_323(unsigned long *res, const char *password);
-void password_hash_stage2(char *to,const char *salt);
+void make_password_from_salt_323(char *to, const unsigned long *salt);
-void password_crypt(const char* from,char* to, const char* password,int length);
-void get_hash_and_password(unsigned long* salt, unsigned char  pversion,char* hash,
+void make_scrambled_password(char *to, const char *password);
-     unsigned char* bin_password);
+void scramble(char *to, const char *message, const char *password);
-void get_salt_from_password(unsigned long *res,const char *password);
+my_bool check_scramble(const char *reply, const char *message,
-void create_key_from_old_password(const char* password,char* key);
+                       const unsigned char *hash_stage2);
-void make_password_from_salt(char *to, unsigned long *hash_res,
+void get_salt_from_password(unsigned char *res, const char *password);
-     unsigned char  password_version);
+void make_password_from_salt(char *to, const unsigned char *hash_stage2);
-char *scramble(char *to,const char *message,const char *password,
-	       my_bool old_ver);
+/* end of password.c */
-my_bool check_scramble(const char *, const char *message,
-		       unsigned long *salt,my_bool old_ver);
 char *get_tty_password(char *opt_message);
-void hash_password(unsigned long *result, const char *password);
 const char *mysql_errno_to_sqlstate(unsigned int mysql_errno);
 /* Some other useful functions */

--- a/include/mysqld_error.h
+++ b/include/mysqld_error.h
@@ -290,4 +290,5 @@
 #define ER_VARIABLE_IS_NOT_STRUCT 1271
 #define ER_UNKNOWN_COLLATION 1272
 #define ER_SLAVE_IGNORED_SSL_PARAMS 1273
-#define ER_ERROR_MESSAGES 274
+#define ER_SERVER_IS_IN_SECURE_AUTH_MODE 1274
+#define ER_ERROR_MESSAGES 275
--- a/libmysql/libmysql.c
+++ b/libmysql/libmysql.c
@@ -604,40 +604,54 @@ my_bool	STDCALL mysql_change_user(MYSQL *mysql, const char *user,
  /* Store user into the buffer */
  end=strmov(end,user)+1;
-  /*
+  /* write scrambled password according to server capabilities */
-    We always start with old type handshake the only difference is message sent
-    If server handles secure connection type we'll not send the real scramble
-  */
-  if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
-  {
  if (passwd[0])
  {
-      /* Prepare false scramble  */
+    if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
-      bfill(end, SCRAMBLE_LENGTH, 'x');
+    {
-      end+=SCRAMBLE_LENGTH;
+      *end++= SCRAMBLE_LENGTH;
-      *end=0;
+      scramble(end, mysql->scramble, passwd);
+      end+= SCRAMBLE_LENGTH;
-    }
-    else					/* For empty password */
-      *end=0;					/* zero length scramble */
    }
    else
    {
-    /*
+      scramble_323(end, mysql->scramble, passwd);
-      Real scramble is only sent to old servers. This can be blocked 
+      end+= SCRAMBLE_LENGTH_323 + 1;
-      by calling mysql_options(MYSQL *, MYSQL_SECURE_CONNECT, (char*) &1);
-    */
-    end=scramble(end, mysql->scramble_buff, passwd,
-                 (my_bool) (mysql->protocol_version == 9));
    }
+  }
+  else
+    *end++= '\0';                               // empty password
  /* Add database if needed */
-  end=strmov(end+1,db ? db : "");
+  end= strmov(end, db ? db : "") + 1;
  /* Write authentication package */
  simple_command(mysql,COM_CHANGE_USER, buff,(ulong) (end-buff),1);
-  if (mysql_autenticate(mysql, passwd))
+  NET *net= &mysql->net;
+  ulong pkt_length= net_safe_read(mysql);
+  if (pkt_length == packet_error)
+    goto error;
+  if (pkt_length == 1 && net->read_pos[0] == 254 &&
+      mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
+  {
+    /*
+      By sending this very specific reply server asks us to send scrambled
+      password in old format. The reply contains scramble_323.
+    */
+    scramble_323(buff, mysql->scramble, passwd);
+    if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net))
+    {
+      net->last_errno= CR_SERVER_LOST;
+      strmov(net->sqlstate, unknown_sqlstate);
+      strmov(net->last_error,ER(net->last_errno));
      goto error;
+    }
+    /* Read what server thinks about out new auth message report */
+    if (net_safe_read(mysql) == packet_error)
+      goto error;
+  }
  /* Free old connect information */
  my_free(mysql->user,MYF(MY_ALLOW_ZERO_PTR));

--- a/mysql-test/r/connect.result
+++ b/mysql-test/r/connect.result
@@ -30,6 +30,7 @@ show tables;
 Tables_in_test
 update mysql.user set password=old_password("gambling2") where user="test";
 flush privileges;
+set password=old_password('gambling3');
 show tables;
 Tables_in_mysql
 columns_priv

--- a/mysql-test/r/func_crypt.result
+++ b/mysql-test/r/func_crypt.result
 select length(encrypt('foo', 'ff')) <> 0;
 length(encrypt('foo', 'ff')) <> 0
 1
-select password("a",""), password("a",NULL), password("","a"), password(NULL,"a");
+select password('abc');
-password("a","")	password("a",NULL)	password("","a")	password(NULL,"a")
+password('abc')
-*2517f7235d68d4ba2e5019c93420523101157a792c01	NULL		NULL
+*0D3CED9BEC10A777AEC23CCC353A8C08A633045E
-select password("aaaaaaaaaaaaaaaa","a"), password("a","aaaaaaaaaaaaaaaa");
+select password('');
-password("aaaaaaaaaaaaaaaa","a")	password("a","aaaaaaaaaaaaaaaa")
+password('')
-*2cd3b9a44e9a9994789a30f935c92f45a96c5472f381	*37c7c5c794ff144819f2531bf03c57772cd84e40db09
-select old_password('test'), length(password("1")), length(encrypt('test')), encrypt('test','aa');
+select old_password('abc');
-old_password('test')	length(password("1"))	length(encrypt('test'))	encrypt('test','aa')
+old_password('abc')
-378b243e220ca493	45	13	aaqPiZY5xR5l.
+7cd2b5942be28759
-select old_password(""), old_password(NULL), password(""), password(NULL);
+select old_password('');
-old_password("")	old_password(NULL)	password("")	password(NULL)
+old_password('')
-	NULL		NULL
+select password('gabbagabbahey');
+password('gabbagabbahey')
+*B0F99D2963660DD7E16B751EC9EE2F17B6A68FA6
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+select length(password('1'));
+length(password('1'))
+41
+select length(encrypt('test'));
+length(encrypt('test'))
+13
+select encrypt('test','aa');
+encrypt('test','aa')
+aaqPiZY5xR5l.
+select old_password(NULL);
+old_password(NULL)
+NULL
+select password(NULL);
+password(NULL)
+NULL
+set global old_passwords=on;
+select password('');
+password('')
+select old_password('');
+old_password('')
+select password('idkfa');
+password('idkfa')
+*B669C9DAC3AA6F2254B03CDEF8DFDD6B2D1054BA
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+set old_passwords=on;
+select password('idkfa');
+password('idkfa')
+5c078dc54ca0fcca
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+set global old_passwords=off;
+select password('idkfa');
+password('idkfa')
+5c078dc54ca0fcca
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+set old_passwords=off;
+select password('idkfa ');
+password('idkfa ')
+*2DC31D90647B4C1ABC9231563D2236E96C9A2DB2
+select password('idkfa');
+password('idkfa')
+*B669C9DAC3AA6F2254B03CDEF8DFDD6B2D1054BA
+select password(' idkfa');
+password(' idkfa')
+*12B099E56BB7FE8D43C78FD834A9D1D11178D045
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+select old_password(' i 	 d k f a ');
+old_password(' i 	 d k f a ')
+5c078dc54ca0fcca
--- a/mysql-test/t/connect.test
+++ b/mysql-test/t/connect.test
@@ -48,8 +48,9 @@ flush privileges;
 #connect (con1,localhost,test,gambling2,"");
 #show tables;
 connect (con1,localhost,test,gambling2,mysql);
+set password=old_password('gambling3');
 show tables;
-connect (con1,localhost,test,gambling2,test);
+connect (con1,localhost,test,gambling3,test);
 show tables;
 # Re enable this one day if error handling on connect will take place
@@ -63,7 +64,9 @@ show tables;
 #connect (con1,localhost,test,zorro,);
 #--error 1045
 # remove user 'test' so that other tests which may use 'test'
 # do not depend on this test.
 delete from mysql.user where user="test";
 flush privileges;
--- a/mysql-test/t/func_crypt.test
+++ b/mysql-test/t/func_crypt.test
@@ -4,7 +4,33 @@ select length(encrypt('foo', 'ff')) <> 0;
 --replace_result $1$aa$4OSUA5cjdx0RUQ08opV27/ aaqPiZY5xR5l.
 # Test new and old password handling functions 
-select password("a",""), password("a",NULL), password("","a"), password(NULL,"a");
+select password('abc');
-select password("aaaaaaaaaaaaaaaa","a"), password("a","aaaaaaaaaaaaaaaa");
+select password('');
-select old_password('test'), length(password("1")), length(encrypt('test')), encrypt('test','aa');
+select old_password('abc');
-select old_password(""), old_password(NULL), password(""), password(NULL);
+select old_password('');
+select password('gabbagabbahey');
+select old_password('idkfa');
+select length(password('1'));
+select length(encrypt('test'));
+select encrypt('test','aa');
+select old_password(NULL);
+select password(NULL);
+set global old_passwords=on;
+select password('');
+select old_password('');
+select password('idkfa');
+select old_password('idkfa');
+set old_passwords=on;
+select password('idkfa');
+select old_password('idkfa');
+set global old_passwords=off;
+select password('idkfa');
+select old_password('idkfa');
+# this test shows that new scrambles honor spaces in passwords:
+set old_passwords=off;
+select password('idkfa ');
+select password('idkfa');
+select password(' idkfa');
+select old_password('idkfa');
+select old_password(' i 	 d k f a ');
--- a/scripts/mysql_create_system_tables.sh
+++ b/scripts/mysql_create_system_tables.sh
@@ -108,7 +108,7 @@ then
  c_u="$c_u CREATE TABLE user ("
  c_u="$c_u   Host char(60) binary DEFAULT '' NOT NULL,"
  c_u="$c_u   User char(16) binary DEFAULT '' NOT NULL,"
-  c_u="$c_u   Password char(45) binary DEFAULT '' NOT NULL,"
+  c_u="$c_u   Password char(41) binary DEFAULT '' NOT NULL,"
  c_u="$c_u   Select_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
  c_u="$c_u   Insert_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
  c_u="$c_u   Update_priv enum('N','Y') DEFAULT 'N' NOT NULL,"

--- a/scripts/mysql_fix_privilege_tables.sql
+++ b/scripts/mysql_fix_privilege_tables.sql
@@ -16,7 +16,7 @@ ALTER TABLE host type=MyISAM;
 ALTER TABLE func type=MyISAM;
 ALTER TABLE columns_priv type=MyISAM;
 ALTER TABLE tables_priv type=MyISAM;
-ALTER TABLE user change Password Password char(45) not null;
+ALTER TABLE user change Password Password char(41) not null;
 ALTER TABLE user add File_priv enum('N','Y') NOT NULL;
 CREATE TABLE IF NOT EXISTS func (
  name char(64) DEFAULT '' NOT NULL,

--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1391,76 +1391,6 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused)))
 #endif /* HAVE_OPENSSL */
-/*
-  Handle password authentication
-*/
-my_bool mysql_autenticate(MYSQL *mysql, const char *passwd)
-{
-  ulong pkt_length;
-  NET *net= &mysql->net;
-  char buff[SCRAMBLE41_LENGTH];
-  char password_hash[SCRAMBLE41_LENGTH]; /* Used for storage of stage1 hash */
-  /* We shall only query server if it expect us to do so */
-  if ((pkt_length=net_safe_read(mysql)) == packet_error)
-    goto error;
-  if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
-  {
-    /*
-      This should always happen with new server unless empty password
-      OK/Error packets have zero as the first char
-    */
-    if (pkt_length == 24 && net->read_pos[0])
-    {
-      /* Old passwords will have '*' at the first byte of hash */
-      if (net->read_pos[0] != '*')
-      {
-        /* Build full password hash as it is required to decode scramble */
-        password_hash_stage1(buff, passwd);
-        /* Store copy as we'll need it later */
-        memcpy(password_hash,buff,SCRAMBLE41_LENGTH);
-        /* Finally hash complete password using hash we got from server */
-        password_hash_stage2(password_hash,(const char*) net->read_pos);
-        /* Decypt and store scramble 4 = hash for stage2 */
-        password_crypt((const char*) net->read_pos+4,mysql->scramble_buff,
-		       password_hash, SCRAMBLE41_LENGTH);
-        mysql->scramble_buff[SCRAMBLE41_LENGTH]=0;
-        /* Encode scramble with password. Recycle buffer */
-        password_crypt(mysql->scramble_buff,buff,buff,SCRAMBLE41_LENGTH);
-      }
-      else
-      {
-	/* Create password to decode scramble */
-	create_key_from_old_password(passwd,password_hash);
-	/* Decypt and store scramble 4 = hash for stage2 */
-	password_crypt((const char*) net->read_pos+4,mysql->scramble_buff,
-		       password_hash, SCRAMBLE41_LENGTH);
-	mysql->scramble_buff[SCRAMBLE41_LENGTH]=0;
-	/* Finally scramble decoded scramble with password */
-	scramble(buff, mysql->scramble_buff, passwd,0);
-      }
-      /* Write second package of authentication */
-      if (my_net_write(net,buff,SCRAMBLE41_LENGTH) || net_flush(net))
-      {
-        net->last_errno= CR_SERVER_LOST;
-	strmov(net->sqlstate, unknown_sqlstate);
-        strmov(net->last_error,ER(net->last_errno));
-        goto error;
-      }
-      /* Read what server thinks about out new auth message report */
-      if (net_safe_read(mysql) == packet_error)
-	goto error;
-    }
-  }
-  return 0;
-error:
-  return 1;
-}
 /*
  Note that the mysql argument must be initialized with mysql_init()
  before calling mysql_real_connect !
@@ -1553,7 +1483,7 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
  mysql->server_status=SERVER_STATUS_AUTOCOMMIT;
  /*
-    Grab a socket and connect it to the server
+    Part 0: Grab a socket and connect it to the server
  */
 #if defined(HAVE_SMEM)
  if ((!mysql->options.protocol ||
@@ -1754,6 +1684,11 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
    strmov(net->last_error,ER(net->last_errno));
    goto error;
  }
+  /*
+    Part 1: Connection established, read and parse first packet
+  */
  if ((pkt_length=net_safe_read(mysql)) == packet_error)
    goto error;
@@ -1774,8 +1709,13 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
  end=strend((char*) net->read_pos+1);
  mysql->thread_id=uint4korr(end+1);
  end+=5;
-  strmake(mysql->scramble_buff,end,8);
+  /* 
-  end+=9;
+    Scramble is split into two parts because old clients does not understand
+    long scrambles; here goes the first part.
+  */
+  strmake(mysql->scramble, end, SCRAMBLE_LENGTH_323);
+  end+= SCRAMBLE_LENGTH_323+1;
  if (pkt_length >= (uint) (end+1 - (char*) net->read_pos))
    mysql->server_capabilities=uint2korr(end);
  if (pkt_length >= (uint) (end+18 - (char*) net->read_pos))
@@ -1784,6 +1724,14 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
    mysql->server_language=end[2];
    mysql->server_status=uint2korr(end+3);
  }
+  end+= 18;
+  if (pkt_length >= (uint) (end + SCRAMBLE_LENGTH - SCRAMBLE_LENGTH_323 + 1 - 
+                           (char *) net->read_pos))
+    strmake(mysql->scramble+SCRAMBLE_LENGTH_323, end,
+            SCRAMBLE_LENGTH-SCRAMBLE_LENGTH_323);
+  else
+    mysql->server_capabilities&= ~CLIENT_SECURE_CONNECTION;
  charset_number= mysql->server_language;
  /* Set character set */
@@ -1860,9 +1808,12 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
    mysql->unix_socket=0;
  strmov(mysql->server_version,(char*) net->read_pos+1);
  mysql->port=port;
-  client_flag|=mysql->options.client_flag;
-  /* Send client information for access check */
+  /*
+    Part 2: format and send client info to the server for access check
+  */
+  client_flag|=mysql->options.client_flag;
  client_flag|=CLIENT_CAPABILITIES;
  if (client_flag & CLIENT_MULTI_QUERIES)
    client_flag|= CLIENT_MULTI_RESULTS;
@@ -1949,7 +1900,7 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
 		     mysql->server_status, client_flag));
  /* This needs to be changed as it's not useful with big packets */
  if (user && user[0])
-    strmake(end,user,32);			/* Max user name */
+    strmake(end,user,USERNAME_LENGTH);          /* Max user name */
  else
    read_user_name((char*) end);
@@ -1958,41 +1909,30 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
 #include "_cust_libmysql.h"
 #endif
  DBUG_PRINT("info",("user: %s",end));
-  /*
+  end= strend(end) + 1;
-    We always start with old type handshake the only difference is message sent
-    If server handles secure connection type we'll not send the real scramble
-  */
-  if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
-  {
  if (passwd[0])
  {
-      /* Prepare false scramble  */
+    if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
-      end=strend(end)+1;
-      bfill(end, SCRAMBLE_LENGTH, 'x');
-      end+=SCRAMBLE_LENGTH;
-      *end=0;
-    }
-    else				/* For empty password*/
    {
-      end=strend(end)+1;
+      *end++= SCRAMBLE_LENGTH;
-      *end=0;				/* Store zero length scramble */
+      scramble(end, mysql->scramble, passwd);
-    }
+      end+= SCRAMBLE_LENGTH;
    }
    else
    {
-    /*
+      scramble_323(end, mysql->scramble, passwd);
-      Real scramble is only sent to old servers. This can be blocked 
+      end+= SCRAMBLE_LENGTH_323 + 1;
-      by calling mysql_options(MYSQL *, MYSQL_SECURE_CONNECT, (char*) &1);
+    }
-    */
-    end=scramble(strend(end)+1, mysql->scramble_buff, passwd,
-                 (my_bool) (mysql->protocol_version == 9));
  }
+  else
+    *end++= '\0';                               /* empty password */
  /* Add database if needed */
  if (db && (mysql->server_capabilities & CLIENT_CONNECT_WITH_DB))
  {
-    end=strmake(end+1,db,NAME_LEN);
+    end= strmake(end, db, NAME_LEN) + 1;
-    mysql->db=my_strdup(db,MYF(MY_WME));
+    mysql->db= my_strdup(db,MYF(MY_WME));
-    db=0;
+    db= 0;
  }
  /* Write authentication package */
  if (my_net_write(net,buff,(ulong) (end-buff)) || net_flush(net))
@@ -2003,8 +1943,34 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
    goto error;
  }
-  if (mysql_autenticate(mysql, passwd))
+  /*
+    Part 3: Authorization data's been sent. Now server can reply with
+    OK-packet, or re-request scrambled password.
+  */
+  if ((pkt_length=net_safe_read(mysql)) == packet_error)
+    goto error;
+  if (pkt_length == 1 && net->read_pos[0] == 254 && 
+      mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
+  {
+    /*
+      By sending this very specific reply server asks us to send scrambled
+      password in old format.
+    */
+    scramble_323(buff, mysql->scramble, passwd);
+    if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net))
+    {
+      net->last_errno= CR_SERVER_LOST;
+      strmov(net->sqlstate, unknown_sqlstate);
+      strmov(net->last_error,ER(net->last_errno));
+      goto error;
+    }
+    /* Read what server thinks about out new auth message report */
+    if (net_safe_read(mysql) == packet_error)
      goto error;
+  }
  if (client_flag & CLIENT_COMPRESS)		/* We will use compression */
    net->compress=1;

--- a/sql/item_create.cc
+++ b/sql/item_create.cc
@@ -52,13 +52,6 @@ Item *create_func_ord(Item* a)
  return new Item_func_ord(a);
 }
-Item *create_func_old_password(Item* a)
-{
-  return new Item_func_old_password(a);
-}
 Item *create_func_asin(Item* a)
 {
  return new Item_func_asin(a);
@@ -324,11 +317,6 @@ Item *create_func_quarter(Item* a)
  return new Item_func_quarter(a);
 }
-Item *create_func_password(Item* a)
-{
-  return new Item_func_password(a);
-}
 Item *create_func_radians(Item *a)
 {
  return new Item_func_units((char*) "radians",a,M_PI/180,0.0);

--- a/sql/item_create.h
+++ b/sql/item_create.h
@@ -67,14 +67,12 @@ Item *create_func_monthname(Item* a);
 Item *create_func_nullif(Item* a, Item *b);
 Item *create_func_oct(Item *);
 Item *create_func_ord(Item* a);
-Item *create_func_old_password(Item* a);
 Item *create_func_period_add(Item* a, Item *b);
 Item *create_func_period_diff(Item* a, Item *b);
 Item *create_func_pi(void);
 Item *create_func_pow(Item* a, Item *b);
 Item *create_func_current_user(void);
 Item *create_func_quarter(Item* a);
-Item *create_func_password(Item* a);
 Item *create_func_radians(Item *a);
 Item *create_func_release_lock(Item* a);
 Item *create_func_repeat(Item* a, Item *b);

--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -1327,95 +1327,49 @@ void Item_func_trim::fix_length_and_dec()
 }
+/* Item_func_password */
-void Item_func_password::fix_length_and_dec()
-{
-  /*
-    If PASSWORD() was called with only one argument, it depends on a random
-    number so we need to save this random number into the binary log.
-    If called with two arguments, it is repeatable.
-  */
-  if (arg_count == 1)
-  {
-    THD *thd= current_thd;
-    thd->rand_used= 1;
-    thd->rand_saved_seed1= thd->rand.seed1;
-    thd->rand_saved_seed2= thd->rand.seed2;
-  } 
-  max_length= get_password_length(use_old_passwords);
-}
-/*
- Password() function has 2 arguments. Second argument can be used
- to make results repeatable
-*/ 
 String *Item_func_password::val_str(String *str)
 {
-  struct rand_struct rand_st; // local structure for 2 param version
+  String *res= args[0]->val_str(str); 
-  ulong  seed=0;              // seed to initialise random generator to
-  String *res  =args[0]->val_str(str);          
  if ((null_value=args[0]->null_value))
    return 0;
-  if (arg_count == 1)
-  {    
  if (res->length() == 0)
    return &empty_string;
-    make_scrambled_password(tmp_value,res->c_ptr(),use_old_passwords,
+  make_scrambled_password(tmp_value, res->c_ptr());
-                            &current_thd->rand);
+  str->set(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH, res->charset());
-    str->set(tmp_value,get_password_length(use_old_passwords),res->charset());
  return str;
-  }
+}
-  else
-  {
-   /* We'll need the buffer to get second parameter */
-    char key_buff[80];
-    String tmp_key_value(key_buff, sizeof(key_buff), system_charset_info);
-    String *key  =args[1]->val_str(&tmp_key_value);          
-    /* Check second argument for NULL value. First one is already checked */
-    if ((null_value=args[1]->null_value))
-      return 0;
-    /* This shall be done after checking for null for proper results */       
-    if (res->length() == 0)
-      return &empty_string;  
-    /* Generate the seed first this allows to avoid double allocation */  
-    char* seed_ptr=key->c_ptr();
-    while (*seed_ptr)
-    {
-      seed=(seed*211+*seed_ptr) & 0xffffffffL; /* Use simple hashing */
-      seed_ptr++;
-    }
-    /* Use constants which allow nice random values even with small seed */
-    randominit(&rand_st,
-	       (ulong) ((ulonglong) seed*111111+33333333L) & (ulong) 0xffffffff,
-	       (ulong) ((ulonglong) seed*1111+55555555L) & (ulong) 0xffffffff);
-    make_scrambled_password(tmp_value,res->c_ptr(),use_old_passwords,
+char *Item_func_password::alloc(THD *thd, const char *password)
-                            &rand_st);
+{
-    str->set(tmp_value,get_password_length(use_old_passwords),res->charset());
+  char *buff= (char *) thd->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH+1);
-    return str;
+  if (buff)
-  }       
+    make_scrambled_password(buff, password);
+  return buff;
 }
+/* Item_func_old_password */
 String *Item_func_old_password::val_str(String *str)
 {
-  String *res  =args[0]->val_str(str);
+  String *res= args[0]->val_str(str);
  if ((null_value=args[0]->null_value))
    return 0;
  if (res->length() == 0)
    return &empty_string;
-  make_scrambled_password(tmp_value,res->c_ptr(),1,&current_thd->rand);
+  make_scrambled_password_323(tmp_value, res->c_ptr());
-  str->set(tmp_value,16,res->charset());
+  str->set(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH_323, res->charset());
  return str;
 }
+char *Item_func_old_password::alloc(THD *thd, const char *password)
+{
+  char *buff= (char *) thd->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1);
+  if (buff)
+    make_scrambled_password_323(buff, password);
+  return buff;
+}
 #define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.')

--- a/sql/item_strfunc.h
+++ b/sql/item_strfunc.h
@@ -254,30 +254,45 @@ class Item_func_rtrim :public Item_func_trim
 };
+/*
+  Item_func_password -- new (4.1.1) PASSWORD() function implementation.
+  Returns strcat('*', octet2hex(sha1(sha1(password)))). '*' stands for new
+  password format, sha1(sha1(password) is so-called hash_stage2 value.
+  Length of returned string is always 41 byte. To find out how entire
+  authentification procedure works, see comments in password.c.
+*/
 class Item_func_password :public Item_str_func
 {
-  char tmp_value[64]; /* This should be enough for new password format */
+  char tmp_value[SCRAMBLED_PASSWORD_CHAR_LENGTH+1]; 
 public:
  Item_func_password(Item *a) :Item_str_func(a) {}
-  Item_func_password(Item *a, Item *b) :Item_str_func(a,b) {}
+  String *val_str(String *str);
-  String *val_str(String *);
+  void fix_length_and_dec() { max_length= SCRAMBLED_PASSWORD_CHAR_LENGTH; }
-  void fix_length_and_dec();
  const char *func_name() const { return "password"; }
+  static char *alloc(THD *thd, const char *password);
 };
+/*
+  Item_func_old_password -- PASSWORD() implementation used in MySQL 3.21 - 4.0
+  compatibility mode. This item is created in sql_yacc.yy when
+  'old_passwords' session variable is set, and to handle OLD_PASSWORD()
+  function.
+*/
 class Item_func_old_password :public Item_str_func
 {
-  char tmp_value[17]; /* old password length +1 */
+  char tmp_value[SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1];
 public:
  Item_func_old_password(Item *a) :Item_str_func(a) {}
-  String *val_str(String *);
+  String *val_str(String *str);
-  void fix_length_and_dec() { max_length = get_password_length(1); }
+  void fix_length_and_dec() { max_length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323; } 
  const char *func_name() const { return "old_password"; }
+  static char *alloc(THD *thd, const char *password);
 };
 class Item_func_des_encrypt :public Item_str_func
 {
  String tmp_value;

--- a/sql/lex.h
+++ b/sql/lex.h
@@ -294,6 +294,7 @@ static SYMBOL symbols[] = {
  { "NULL",		SYM(NULL_SYM),0,0},
  { "NUMERIC",		SYM(NUMERIC_SYM),0,0},
  { "OFFSET",		SYM(OFFSET_SYM),0,0},
+  { "OLD_PASSWORD",	SYM(OLD_PASSWORD),0,0},
  { "ON",		SYM(ON),0,0},
  { "OPEN",		SYM(OPEN_SYM),0,0},
  { "OPTIMIZE",		SYM(OPTIMIZE),0,0},
@@ -594,7 +595,6 @@ static SYMBOL sql_functions[] = {
  { "NUMPOINTS",	SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_numpoints)},
  { "OCTET_LENGTH",	SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_length)},
  { "OCT",		SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_oct)},
-  { "OLD_PASSWORD",     SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_old_password)},
  { "ORD",              SYM(FUNC_ARG1),0,CREATE_FUNC(create_func_ord)},
  { "OVERLAPS",		SYM(FUNC_ARG2),0,CREATE_FUNC(create_func_overlaps)},
  { "PERIOD_ADD",	SYM(FUNC_ARG2),0,CREATE_FUNC(create_func_period_add)},

--- a/sql/mysql_priv.h
+++ b/sql/mysql_priv.h
@@ -74,9 +74,6 @@ extern CHARSET_INFO *national_charset_info, *table_alias_charset;
 ****************************************************************************/
 #define ACL_CACHE_SIZE		256
-/* Password lengh for 4.1 version previous versions had 16 bytes password hash */
-#define HASH_PASSWORD_LENGTH	45
-#define HASH_OLD_PASSWORD_LENGTH 16
 #define MAX_PASSWORD_LENGTH	32
 #define HOST_CACHE_SIZE		128
 #define MAX_ACCEPT_RETRY	10	// Test accept this many times
@@ -773,7 +770,7 @@ extern my_bool opt_safe_show_db, opt_local_infile, lower_case_table_names;
 extern my_bool opt_slave_compressed_protocol, use_temp_pool;
 extern my_bool opt_readonly;
 extern my_bool opt_enable_named_pipe;
-extern my_bool opt_old_passwords, use_old_passwords;
+extern my_bool opt_secure_auth;
 extern char *shared_memory_base_name, *mysqld_unix_port;
 extern bool opt_enable_shared_memory;

--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -257,9 +257,10 @@ my_bool opt_local_infile, opt_external_locking, opt_slave_compressed_protocol;
 my_bool opt_safe_user_create = 0, opt_no_mix_types = 0;
 my_bool lower_case_table_names, opt_old_rpl_compat;
 my_bool opt_show_slave_auth_info, opt_sql_bin_update = 0;
-my_bool opt_log_slave_updates= 0, opt_old_passwords=0, use_old_passwords=0;
+my_bool opt_log_slave_updates= 0;
 my_bool	opt_console= 0, opt_bdb, opt_innodb, opt_isam;
 my_bool opt_readonly, use_temp_pool, relay_log_purge;
+my_bool opt_secure_auth= 0;
 volatile bool mqh_used = 0;
 uint mysqld_port, test_flags, select_errors, dropping_tables, ha_open_options;
@@ -2819,12 +2820,6 @@ static void create_new_thread(THD *thd)
  if (thread_count-delayed_insert_threads > max_used_connections)
    max_used_connections=thread_count-delayed_insert_threads;
  thd->thread_id=thread_id++;
-  for (uint i=0; i < 8 ; i++)			// Generate password teststring
-    thd->scramble[i]= (char) (my_rnd(&sql_rand)*94+33);
-  thd->scramble[8]=0;
-  // Back it up as old clients may need it
-  memcpy(thd->old_scramble,thd->scramble,9);
  thd->real_id=pthread_self();			// Keep purify happy
@@ -3535,7 +3530,8 @@ enum options
  OPT_EXPIRE_LOGS_DAYS,
  OPT_DEFAULT_WEEK_FORMAT,
  OPT_GROUP_CONCAT_MAX_LEN,
-  OPT_DEFAULT_COLLATION
+  OPT_DEFAULT_COLLATION,
+  OPT_SECURE_AUTH
 };
@@ -3845,9 +3841,10 @@ master-ssl",
   (gptr*) &opt_no_mix_types, (gptr*) &opt_no_mix_types, 0, GET_BOOL, NO_ARG,
   0, 0, 0, 0, 0, 0},
 #endif
-  {"old-protocol", 'o', "Use the old (3.20) protocol client/server protocol.",
+  {"old-passwords", OPT_OLD_PASSWORDS, "Use old password encryption method (needed for 4.0 and older clients).",
-   (gptr*) &protocol_version, (gptr*) &protocol_version, 0, GET_UINT, NO_ARG,
+   (gptr*) &global_system_variables.old_passwords,
-   PROTOCOL_VERSION, 0, 0, 0, 0, 0},
+   (gptr*) &max_system_variables.old_passwords, 0, GET_BOOL, NO_ARG,
+   0, 0, 0, 0, 0, 0},
  {"old-rpl-compat", OPT_OLD_RPL_COMPAT,
   "Use old LOAD DATA format in the binary log (don't save data in file).",
   (gptr*) &opt_old_rpl_compat, (gptr*) &opt_old_rpl_compat, 0, GET_BOOL,
@@ -3914,8 +3911,6 @@ relay logs.",
   GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
  {"safe-mode", OPT_SAFE, "Skip some optimize stages (for testing).",
   0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0},
-  {"old-passwords", OPT_OLD_PASSWORDS, "Use old password encryption method (needed for 4.0 and older clients).",
-   (gptr*) &opt_old_passwords, (gptr*) &opt_old_passwords, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
 #ifndef TO_BE_DELETED
  {"safe-show-database", OPT_SAFE_SHOW_DB,
   "Deprecated option; One should use GRANT SHOW DATABASES instead...",
@@ -3925,6 +3920,9 @@ relay logs.",
   "Don't allow new user creation by the user who has no write privileges to the mysql.user table.",
   (gptr*) &opt_safe_user_create, (gptr*) &opt_safe_user_create, 0, GET_BOOL,
   NO_ARG, 0, 0, 0, 0, 0, 0},
+  {"secure-auth", OPT_SECURE_AUTH, "Disallow authentication for accounts that have old (pre-4.1) passwords.",
+   (gptr*) &opt_secure_auth, (gptr*) &opt_secure_auth, 0, GET_BOOL, NO_ARG,
+   my_bool(0), 0, 0, 0, 0, 0},
  {"server-id",	OPT_SERVER_ID,
   "Uniquely identifies the server instance in the community of replication partners.",
   (gptr*) &server_id, (gptr*) &server_id, 0, GET_ULONG, REQUIRED_ARG, 0, 0, 0,
@@ -4714,7 +4712,8 @@ static void mysql_init_variables(void)
  opt_log= opt_update_log= opt_bin_log= opt_slow_log= 0;
  opt_disable_networking= opt_skip_show_db=0;
  opt_logname= opt_update_logname= opt_binlog_index_name= opt_slow_logname=0;
-  opt_bootstrap= opt_myisam_log= use_old_passwords= 0;
+  opt_secure_auth= 0;
+  opt_bootstrap= opt_myisam_log= 0;
  mqh_used= 0;
  segfaulted= kill_in_progress= 0;
  cleanup_done= 0;
@@ -4818,6 +4817,7 @@ static void mysql_init_variables(void)
  max_system_variables.select_limit=    (ulonglong) HA_POS_ERROR;
  global_system_variables.max_join_size= (ulonglong) HA_POS_ERROR;
  max_system_variables.max_join_size=   (ulonglong) HA_POS_ERROR;
+  global_system_variables.old_passwords= 0;
  /* Variables that depends on compile options */
 #ifndef DBUG_OFF
@@ -4939,9 +4939,6 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
  case 'L':
    strmake(language, argument, sizeof(language)-1);
    break;
-  case 'o':
-    protocol_version=PROTOCOL_VERSION-1;
-    break;
 #ifdef HAVE_REPLICATION
  case OPT_SLAVE_SKIP_ERRORS:
    init_slave_skip_errors(argument);

--- a/sql/password.c
+++ b/sql/password.c
--- a/sql/protocol.cc
+++ b/sql/protocol.cc
@@ -349,6 +349,25 @@ send_eof(THD *thd, bool no_flush)
  }
  DBUG_VOID_RETURN;
 }
+/*
+    Please client to send scrambled_password in old format.
+  SYNOPSYS
+    send_old_password_request()
+    thd thread handle
+  RETURN VALUE
+    0  ok
+   !0  error
+*/
+bool send_old_password_request(THD *thd)
+{
+  static char buff[1]= { (char) 254 };
+  NET *net= &thd->net;
+  return my_net_write(net, buff, 1) || net_flush(net);
+}
 #endif /* EMBEDDED_LIBRARY */
 /*

--- a/sql/protocol.h
+++ b/sql/protocol.h
@@ -164,6 +164,7 @@ void net_printf(THD *thd,uint sql_errno, ...);
 void send_ok(THD *thd, ha_rows affected_rows=0L, ulonglong id=0L,
 	     const char *info=0);
 void send_eof(THD *thd, bool no_flush=0);
+bool send_old_password_request(THD *thd);
 char *net_store_length(char *packet,ulonglong length);
 char *net_store_length(char *packet,uint length);
 char *net_store_data(char *to,const char *from, uint length);

--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -216,6 +216,7 @@ sys_var_thd_ulong	sys_net_retry_count("net_retry_count",
 					    &SV::net_retry_count,
 					    fix_net_retry_count);
 sys_var_thd_bool	sys_new_mode("new", &SV::new_mode);
+sys_var_thd_bool	sys_old_passwords("old_passwords", &SV::old_passwords);
 sys_var_thd_ulong       sys_preload_buff_size("preload_buffer_size",
                                              &SV::preload_buff_size);
 sys_var_thd_ulong	sys_read_buff_size("read_buffer_size",
@@ -242,6 +243,7 @@ sys_var_thd_enum	sys_query_cache_type("query_cache_type",
 					     &SV::query_cache_type,
 					     &query_cache_type_typelib);
 #endif /* HAVE_QUERY_CACHE */
+sys_var_bool_ptr	sys_secure_auth("secure_auth", &opt_secure_auth);
 sys_var_long_ptr	sys_server_id("server_id",&server_id);
 sys_var_bool_ptr	sys_slave_compressed_protocol("slave_compressed_protocol",
 						      &opt_slave_compressed_protocol);
@@ -432,6 +434,7 @@ sys_var *sys_variables[]=
  &sys_net_wait_timeout,
  &sys_net_write_timeout,
  &sys_new_mode,
+  &sys_old_passwords,
  &sys_preload_buff_size,
  &sys_pseudo_thread_id,
  &sys_query_cache_size,
@@ -450,6 +453,7 @@ sys_var *sys_variables[]=
 #endif
  &sys_rpl_recovery_rank,
  &sys_safe_updates,
+  &sys_secure_auth,
  &sys_select_limit,
  &sys_server_id,
 #ifdef HAVE_REPLICATION
@@ -608,6 +612,7 @@ struct show_var_st init_vars[]= {
  {sys_net_retry_count.name,  (char*) &sys_net_retry_count,	    SHOW_SYS},
  {sys_net_write_timeout.name,(char*) &sys_net_write_timeout,       SHOW_SYS},
  {sys_new_mode.name,         (char*) &sys_new_mode,                SHOW_SYS},
+  {sys_old_passwords.name,    (char*) &sys_old_passwords,           SHOW_SYS},
  {"open_files_limit",	      (char*) &open_files_limit,	    SHOW_LONG},
  {"pid_file",                (char*) pidfile_name,                 SHOW_CHAR},
  {"log_error",               (char*) log_error_file,               SHOW_CHAR},
@@ -628,6 +633,7 @@ struct show_var_st init_vars[]= {
   SHOW_SYS},
  {sys_query_cache_size.name, (char*) &sys_query_cache_size,	    SHOW_SYS},
  {sys_query_cache_type.name, (char*) &sys_query_cache_type,        SHOW_SYS},
+  {"secure_auth",             (char*) &sys_secure_auth,             SHOW_SYS},
 #endif /* HAVE_QUERY_CACHE */
 #ifdef HAVE_SMEM
  {"shared_memory",           (char*) &opt_enable_shared_memory,    SHOW_MY_BOOL},

--- a/sql/set_var.h
+++ b/sql/set_var.h
@@ -689,6 +689,9 @@ class NAMED_LIST :public ilink
  }
 };
+/* updated in sql_acl.cc */
+extern sys_var_thd_bool sys_old_passwords;
 /* For sql_yacc */
 struct sys_var_with_base

--- a/sql/share/czech/errmsg.txt
+++ b/sql/share/czech/errmsg.txt
@@ -279,3 +279,4 @@ v/*
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/danish/errmsg.txt
+++ b/sql/share/danish/errmsg.txt
@@ -273,3 +273,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/dutch/errmsg.txt
+++ b/sql/share/dutch/errmsg.txt
@@ -281,3 +281,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/english/errmsg.txt
+++ b/sql/share/english/errmsg.txt
@@ -275,3 +275,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/estonian/errmsg.txt
+++ b/sql/share/estonian/errmsg.txt
@@ -275,3 +275,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/french/errmsg.txt
+++ b/sql/share/french/errmsg.txt
@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/german/errmsg.txt
+++ b/sql/share/german/errmsg.txt
@@ -279,3 +279,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/greek/errmsg.txt
+++ b/sql/share/greek/errmsg.txt
@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/hungarian/errmsg.txt
+++ b/sql/share/hungarian/errmsg.txt
@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/italian/errmsg.txt
+++ b/sql/share/italian/errmsg.txt
@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/japanese/errmsg.txt
+++ b/sql/share/japanese/errmsg.txt
@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/korean/errmsg.txt
+++ b/sql/share/korean/errmsg.txt
@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/norwegian-ny/errmsg.txt
+++ b/sql/share/norwegian-ny/errmsg.txt
@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/norwegian/errmsg.txt
+++ b/sql/share/norwegian/errmsg.txt
@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/polish/errmsg.txt
+++ b/sql/share/polish/errmsg.txt
@@ -274,3 +274,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/portuguese/errmsg.txt
+++ b/sql/share/portuguese/errmsg.txt
@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/romanian/errmsg.txt
+++ b/sql/share/romanian/errmsg.txt
@@ -274,3 +274,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/russian/errmsg.txt
+++ b/sql/share/russian/errmsg.txt
@@ -272,3 +272,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"    --secure-auth ( ),    '%s@%s'  Σ   ;    "
--- a/sql/share/serbian/errmsg.txt
+++ b/sql/share/serbian/errmsg.txt
@@ -265,3 +265,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/slovak/errmsg.txt
+++ b/sql/share/slovak/errmsg.txt
@@ -278,3 +278,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/spanish/errmsg.txt
+++ b/sql/share/spanish/errmsg.txt
@@ -271,3 +271,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/swedish/errmsg.txt
+++ b/sql/share/swedish/errmsg.txt
@@ -270,3 +270,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/share/ukrainian/errmsg.txt
+++ b/sql/share/ukrainian/errmsg.txt
@@ -275,3 +275,4 @@
 "Variable '%-.64s' is not a variable component (Can't be used as XXXX.variable_name)",
 "Unknown collation: '%-.64s'",
 "SSL parameters in CHANGE MASTER are ignored because this MySQL slave was compiled without SSL support. They can be used later when MySQL slave with SSL will be started."
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
--- a/sql/slave.cc
+++ b/sql/slave.cc
@@ -1554,7 +1554,7 @@ void init_master_info_with_options(MASTER_INFO* mi)
  if (master_user)
    strmake(mi->user, master_user, sizeof(mi->user) - 1);
  if (master_password)
-    strmake(mi->password, master_password, HASH_PASSWORD_LENGTH);
+    strmake(mi->password, master_password, MAX_PASSWORD_LENGTH);
  mi->port = master_port;
  mi->connect_retry = master_connect_retry;
@@ -1707,8 +1707,8 @@ file '%s')", fname);
 			      master_host) ||
 	init_strvar_from_file(mi->user, sizeof(mi->user), &mi->file,
 			      master_user) || 
-	init_strvar_from_file(mi->password, HASH_PASSWORD_LENGTH+1, &mi->file,
+        init_strvar_from_file(mi->password, SCRAMBLED_PASSWORD_CHAR_LENGTH+1,
-			      master_password) ||
+                              &mi->file, master_password) ||
 	init_intvar_from_file(&port, &mi->file, master_port) ||
 	init_intvar_from_file(&connect_retry, &mi->file,
 			      master_connect_retry))

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -111,9 +111,9 @@ class ACL_USER :public ACL_ACCESS
  acl_host_and_ip host;
  uint hostname_length;
  USER_RESOURCES user_resource;
-  char *user,*password;
+  char *user;
-  ulong salt[6]; // New password has longer length
+  uint8 salt[SCRAMBLE_LENGTH+1];       // scrambled password in binary form
-  uint8 pversion; // password version
+  uint8 salt_len;        // 0 - no password, 4 - 3.20, 8 - 3.23, 20 - 4.1.1 
  enum SSL_type ssl_type;
  const char *ssl_cipher, *x509_issuer, *x509_subject;
 };
@@ -135,11 +135,8 @@ void acl_reload(THD *thd);
 void acl_free(bool end=0);
 ulong acl_get(const char *host, const char *ip, const char *bin_ip,
 	      const char *user, const char *db, my_bool db_is_pattern);
-ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
+int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
-		  const char *password,const char *scramble,
+                uint passwd_len);
-                  char **priv_user, char *priv_host,
-		  bool old_ver, USER_RESOURCES *max,char* prepared_scramble,
-                  uint *cur_priv_version, ACL_USER **cached_user);
 bool acl_check_host(const char *host, const char *ip);
 bool check_change_password(THD *thd, const char *host, const char *user);
 bool change_password(THD *thd, const char *host, const char *user,

--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -138,6 +138,7 @@ THD::THD():user_time(0), is_fatal_error(0),
  set_query_id=1;
  db_access=NO_ACCESS;
  version=refresh_version;			// For boot
+  *scramble= '\0';
  init();
  /* Initialize sub structures */

--- a/sql/sql_class.h
+++ b/sql/sql_class.h
@@ -399,6 +399,7 @@ struct system_variables
  my_bool log_warnings;
  my_bool low_priority_updates;
  my_bool new_mode;
+  my_bool old_passwords;
  CHARSET_INFO	*character_set_server;
  CHARSET_INFO	*character_set_database;
@@ -556,10 +557,10 @@ class THD :public ilink
  enum_tx_isolation session_tx_isolation;
  /* for user variables replication*/
  DYNAMIC_ARRAY user_var_events;
-             // extend scramble to handle new auth
-  char	     scramble[SCRAMBLE41_LENGTH+1];
+  /* scramble - random string sent to client on handshake */
-             // old scramble is needed to handle old clients
+  char	     scramble[SCRAMBLE_LENGTH+1];
-  char       old_scramble[SCRAMBLE_LENGTH+1];
  uint8	     query_cache_type;		// type of query cache processing
  bool       slave_thread;
  bool	     set_query_id,locked,count_cuted_fields,some_tables_deleted;

--- a/sql/sql_crypt.cc
+++ b/sql/sql_crypt.cc
@@ -32,7 +32,7 @@
 SQL_CRYPT::SQL_CRYPT(const char *password)
 {
  ulong rand_nr[2];
-  hash_password(rand_nr,password);
+  hash_password(rand_nr,password, strlen(password));
  crypt_init(rand_nr);
 }

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -506,6 +506,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b,int *yystacksize);
 %token  MULTIPOINT
 %token  MULTIPOLYGON
 %token	NOW_SYM
+%token	OLD_PASSWORD
 %token	PASSWORD
 %token	POINTFROMTEXT
 %token	POINT_SYM
@@ -2625,9 +2626,13 @@ simple_expr:
 	| NOW_SYM '(' expr ')'
 	  { $$= new Item_func_now_local($3); Lex->safe_to_cache_query=0;}
 	| PASSWORD '(' expr ')'
-	  { $$= new Item_func_password($3); }
+	  {
-        | PASSWORD '(' expr ',' expr ')'
+	    $$= YYTHD->variables.old_passwords ?
-          { $$= new Item_func_password($3,$5); }
+              (Item *) new Item_func_old_password($3) :
+	      (Item *) new Item_func_password($3);
+	  }
+	| OLD_PASSWORD '(' expr ')'
+	  { $$=  new Item_func_old_password($3); }
 	| POINT_SYM '(' expr ',' expr ')'
 	  { $$= new Item_func_point($3,$5); }
 	| POINTFROMTEXT '(' expr ')'
@@ -4535,6 +4540,7 @@ keyword:
 	| NO_SYM		{}
 	| NONE_SYM		{}
 	| OFFSET_SYM		{}
+	| OLD_PASSWORD		{}
 	| OPEN_SYM		{}
 	| PACK_KEYS_SYM		{}
 	| PARTIAL		{}
@@ -4759,15 +4765,15 @@ text_or_password:
 	TEXT_STRING { $$=$1.str;}
 	| PASSWORD '(' TEXT_STRING ')'
 	  {
-	    if (!$3.length)
+	    $$= $3.length ? YYTHD->variables.old_passwords ?
-	      $$=$3.str;
+	        Item_func_old_password::alloc(YYTHD, $3.str) :
-	    else
+	        Item_func_password::alloc(YYTHD, $3.str) :
-	    {
+	      $3.str;
-	      char *buff=(char*) YYTHD->alloc(HASH_PASSWORD_LENGTH+1);
-	      make_scrambled_password(buff,$3.str,use_old_passwords,
-				      &YYTHD->rand);
-	      $$=buff;
 	  }
+	| OLD_PASSWORD '(' TEXT_STRING ')'
+	  {
+	    $$= $3.length ? Item_func_old_password::alloc(YYTHD, $3.str) :
+	      $3.str;
 	  }
          ;
@@ -5075,13 +5081,23 @@ grant_user:
 	   $$=$1; $1->password=$4;
 	   if ($4.length)
 	   {
-	     char *buff=(char*) YYTHD->alloc(HASH_PASSWORD_LENGTH+1);
+             if (YYTHD->variables.old_passwords)
+             {
+               char *buff= 
+                 (char *) YYTHD->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1);
               if (buff)
+                 make_scrambled_password_323(buff, $4.str);
+               $1->password.str= buff;
+               $1->password.length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323;
+             }
+             else
             {
-	       make_scrambled_password(buff,$4.str,use_old_passwords,
+               char *buff= 
-				       &YYTHD->rand);
+                 (char *) YYTHD->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH+1);
-	       $1->password.str=buff;
+               if (buff)
-	       $1->password.length=HASH_PASSWORD_LENGTH;
+                 make_scrambled_password(buff, $4.str);
+               $1->password.str= buff;
+               $1->password.length= SCRAMBLED_PASSWORD_CHAR_LENGTH;
             }
 	  }
 	}