Second part of WL #519:

Client option secure-auth deployed on all possible layers:
- mysql client command-line and config file option
- mysql_options option MYSQL_SECURE_AUTH
- mysql_real_connect will automatically take into account that option if
  mysql->options.my_cnf_file/my_cnf_group is set


client/client_priv.h:
  added OPT_SECURE_AUTH to enum of all my_read_default_options options.
client/mysql.cc:
  added support for mysql command-line option --secure-auth
include/errmsg.h:
  added return code for option --secure-auth
include/mysql.h:
  added MYSQL_SECURE_AUTH to enum of all mysql_options options.
  added secure_auth flag to MYSQL handle
libmysql/errmsg.c:
  Error messages for option --secure-auth
sql-common/client.c:
  added check for secure-auth in mysql_real_connect:
  if password is provided, and secure-auth is on, then client will
  refuse connecting to pre-4.1.1 server

client/client_priv.h

@@ -40,4 +40,4 @@ enum options_client { OPT_CHARSETS_DIR=256, OPT_DEFAULT_CHARSET,
 	       OPT_DELETE_MASTER_LOGS,
                OPT_PROMPT, OPT_IGN_LINES,OPT_TRANSACTION,OPT_MYSQL_PROTOCOL,
                OPT_SHARED_MEMORY_BASE_NAME, OPT_FRM, OPT_SKIP_OPTIMIZATION,
-               OPT_COMPATIBLE, OPT_RECONNECT, OPT_DELIMITER };
+               OPT_COMPATIBLE, OPT_RECONNECT, OPT_DELIMITER, OPT_SECURE_AUTH };

client/mysql.cc

@@ -134,7 +134,7 @@ static my_bool info_flag=0,ignore_errors=0,wait_flag=0,quick=0,
 	       vertical=0, line_numbers=1, column_names=1,opt_html=0,
                opt_xml=0,opt_nopager=1, opt_outfile=0, named_cmds= 0,
 	       tty_password= 0, opt_nobeep=0, opt_reconnect=1,
-	       default_charset_used= 0;
+	       default_charset_used= 0, opt_secure_auth= 0;
 static uint verbose=0,opt_silent=0,opt_mysql_port=0, opt_local_infile=0;
 static my_string opt_mysql_unix_port=0;
 static int connect_flag=CLIENT_INTERACTIVE;
@@ -623,6 +623,9 @@ static struct my_option my_long_options[] =
   {"max_join_size", OPT_MAX_JOIN_SIZE, "", (gptr*) &max_join_size,
    (gptr*) &max_join_size, 0, GET_ULONG, REQUIRED_ARG, 1000000L, 1, ~0L, 0, 1,
    0},
+  {"secure-auth", OPT_SECURE_AUTH, "Refuse client connecting to server if it"
+    " uses old (pre-4.1.1) protocol", (gptr*) &opt_secure_auth,
+    (gptr*) &opt_secure_auth, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
   { 0, 0, 0, 0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0}
 };
 
@@ -2553,6 +2556,8 @@ sql_real_connect(char *host,char *database,char *user,char *password,
   }
   if (opt_compress)
     mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
+  if (opt_secure_auth)
+    mysql_options(&mysql, MYSQL_SECURE_AUTH, (char *) &opt_secure_auth);
   if (using_opt_local_infile)
     mysql_options(&mysql,MYSQL_OPT_LOCAL_INFILE, (char*) &opt_local_infile);
 #ifdef HAVE_OPENSSL

include/errmsg.h

@@ -87,3 +87,4 @@ extern const char *client_errors[];	/* Error messages */
 #define CR_CONN_UNKNOW_PROTOCOL 		2046
 #define CR_INVALID_CONN_HANDLE			2047
 #define CR_MYSQL_SERVER_INIT_MISSED             2048
+#define CR_SECURE_AUTH                          2049

include/mysql.h

@@ -145,7 +145,7 @@ enum mysql_option
   MYSQL_OPT_PROTOCOL, MYSQL_SHARED_MEMORY_BASE_NAME, MYSQL_OPT_READ_TIMEOUT,
   MYSQL_OPT_WRITE_TIMEOUT, MYSQL_OPT_USE_RESULT,
   MYSQL_OPT_USE_REMOTE_CONNECTION, MYSQL_OPT_USE_EMBEDDED_CONNECTION,
-  MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP
+  MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH
 };
 
 struct st_mysql_options {
@@ -184,6 +184,8 @@ struct st_mysql_options {
 #endif
   enum mysql_option methods_to_use;
   char *client_ip;
+  /* Refuse client connecting to server if it uses old (pre-4.1.1) protocol */
+  my_bool secure_auth;
 };
 
 enum mysql_status 

libmysql/errmsg.c

@@ -72,7 +72,8 @@ const char *client_errors[]=
   "Can't open shared memory. Can't send the request event to server (%lu)",
   "Wrong or unknown protocol",
   "Invalid connection handle",
-  "mysql_server_init wasn't called"
+  "mysql_server_init wasn't called",
+  "Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)"
 };
 
 /* Start of code added by Roberto M. Serqueira - martinsc@uol.com.br - 05.24.2001 */
@@ -128,7 +129,8 @@ const char *client_errors[]=
   "Can't open shared memory. Can't send the request event to server (%lu)",
   "Wrong or unknown protocol",
   "Invalid connection handle",
-  "mysql_server_init wasn't called"
+  "mysql_server_init wasn't called",
+  "Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)"
 };
 
 #else /* ENGLISH */
@@ -182,7 +184,8 @@ const char *client_errors[]=
   "Can't open shared memory. Can't send the request event to server (%lu)",
   "Wrong or unknown protocol",
   "Invalid connection handle",
-  "mysql_server_init wasn't called"
+  "mysql_server_init wasn't called",
+  "Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)"
 };
 #endif
 

sql-common/client.c

@@ -783,7 +783,7 @@ static const char *default_options[]=
   "connect-timeout", "local-infile", "disable-local-infile",
   "replication-probe", "enable-reads-from-master", "repl-parse-query",
   "ssl-cipher", "max-allowed-packet", "protocol", "shared-memory-base-name",
-  "multi-results", "multi-queries",
+  "multi-results", "multi-queries", "secure-auth",
   NullS
 };
 
@@ -991,6 +991,9 @@ void mysql_read_default_options(struct st_mysql_options *options,
 	case 31:
 	  options->client_flag|= CLIENT_MULTI_STATEMENTS | CLIENT_MULTI_RESULTS;
 	  break;
+        case 32: /* secure-auth */
+          options->secure_auth= TRUE;
+          break;
 	default:
 	  DBUG_PRINT("warning",("unknown option: %s",option[0]));
 	}
@@ -1473,7 +1476,11 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
   if (!host || !host[0])
     host=mysql->options.host;
   if (!user || !user[0])
+  {
     user=mysql->options.user;
+    if (!user)
+      user= "";
+  }
   if (!passwd)
   {
     passwd=mysql->options.password;
@@ -1481,6 +1488,8 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
     if (!passwd)
       passwd=getenv("MYSQL_PWD");		/* get it from environment */
 #endif
+    if (!passwd)
+      passwd= "";
   }
   if (!db || !db[0])
     db=mysql->options.db;
@@ -1742,6 +1751,14 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
   else
     mysql->server_capabilities&= ~CLIENT_SECURE_CONNECTION;
 
+  if (mysql->options.secure_auth && passwd[0] &&
+      !(mysql->server_capabilities & CLIENT_SECURE_CONNECTION))
+  {
+    strmov(net->sqlstate, unknown_sqlstate);
+    strmov(net->last_error, ER(net->last_errno=CR_SECURE_AUTH));
+    goto error;
+  }
+
   charset_number= mysql->server_language;
 
   /* Set character set */
@@ -1793,8 +1810,6 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
   }
 
   /* Save connection information */
-  if (!user) user="";
-  if (!passwd) passwd="";
   if (!my_multi_malloc(MYF(0),
 		       &mysql->host_info, (uint) strlen(host_info)+1,
 		       &mysql->host,      (uint) strlen(host)+1,
@@ -2542,6 +2557,9 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const char *arg)
     break;
   case MYSQL_SET_CLIENT_IP:
     mysql->options.client_ip= my_strdup(arg, MYF(MY_WME));
+  case MYSQL_SECURE_AUTH:
+    mysql->options.secure_auth= *(my_bool *) arg;
+    break;
   default:
     DBUG_RETURN(1);
   }