Preliminary support for options --secure-auth,

--old-passwords
Support for option --old-protocol was removed.
Some test performed.
Tests for SSL and replication are pending.
More strict following to specification for --old-passwords
is in the TODO.

include/mysql_com.h

@@ -319,10 +319,9 @@ void create_random_string(char *to, uint length, struct rand_struct *rand_st);
 
 void hash_password(ulong *to, const char *password);
 void make_scrambled_password_323(char *to, const char *password);
-char *scramble_323(char *to, const char *message, const char *password,
+char *scramble_323(char *to, const char *message, const char *password);
-                   my_bool old_ver);
 my_bool check_scramble_323(const char *, const char *message,
-                           unsigned long *salt, my_bool old_ver);
+                           unsigned long *salt);
 void get_salt_from_password_323(unsigned long *res, const char *password);
 void make_password_from_salt_323(char *to, const unsigned long *salt);
 

include/mysqld_error.h

@@ -286,4 +286,5 @@
 #define ER_REVOKE_GRANTS 1267
 #define ER_CANT_AGGREGATE_3COLLATIONS 1268
 #define ER_CANT_AGGREGATE_NCOLLATIONS 1269
-#define ER_ERROR_MESSAGES 270
+#define ER_SERVER_IS_IN_SECURE_AUTH_MODE 1270
+#define ER_ERROR_MESSAGES 271

libmysql/libmysql.c

@@ -626,8 +626,7 @@ my_bool	STDCALL mysql_change_user(MYSQL *mysql, const char *user,
       end+= SCRAMBLE_LENGTH;
     }
     else
-      end= scramble_323(end, mysql->scramble_323, passwd,
+      end= scramble_323(end, mysql->scramble_323, passwd);
-                   (my_bool) (mysql->protocol_version == 9)) + 1;
   }
   else
     *end++= '\0';                               // empty password
@@ -651,8 +650,7 @@ my_bool	STDCALL mysql_change_user(MYSQL *mysql, const char *user,
       By sending this very specific reply server asks us to send scrambled
       password in old format. The reply contains scramble_323.
     */
-    scramble_323(buff, mysql->scramble_323, passwd,
+    scramble_323(buff, mysql->scramble_323, passwd);
-                 (my_bool) (mysql->protocol_version == 9));
     if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net))
     {
       net->last_errno= CR_SERVER_LOST;

mysql-test/r/connect.result

@@ -30,6 +30,7 @@ show tables;
 Tables_in_test
 update mysql.user set password=old_password("gambling2") where user="test";
 flush privileges;
+set password=old_password('gambling3');
 show tables;
 Tables_in_mysql
 columns_priv

mysql-test/r/func_crypt.result

@@ -1,15 +1,79 @@
 select length(encrypt('foo', 'ff')) <> 0;
 length(encrypt('foo', 'ff')) <> 0
 1
-select password("a",""), password("a",NULL), password("","a"), password(NULL,"a");
+select password('abc');
-password("a","")	password("a",NULL)	password("","a")	password(NULL,"a")
+password('abc')
-*2517f7235d68d4ba2e5019c93420523101157a792c01	NULL		NULL
+*0d3ced9bec10a777aec23ccc353a8c08a633045e
-select password("aaaaaaaaaaaaaaaa","a"), password("a","aaaaaaaaaaaaaaaa");
+select password('');
-password("aaaaaaaaaaaaaaaa","a")	password("a","aaaaaaaaaaaaaaaa")
+password('')
-*2cd3b9a44e9a9994789a30f935c92f45a96c5472f381	*37c7c5c794ff144819f2531bf03c57772cd84e40db09
+
-select old_password('test'), length(password("1")), length(encrypt('test')), encrypt('test','aa');
+select old_password('abc');
-old_password('test')	length(password("1"))	length(encrypt('test'))	encrypt('test','aa')
+old_password('abc')
-378b243e220ca493	45	13	aaqPiZY5xR5l.
+7cd2b5942be28759
-select old_password(""), old_password(NULL), password(""), password(NULL);
+select old_password('');
-old_password("")	old_password(NULL)	password("")	password(NULL)
+old_password('')
-	NULL		NULL
+
+select password('gabbagabbahey');
+password('gabbagabbahey')
+*b0f99d2963660dd7e16b751ec9ee2f17b6a68fa6
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+select length(password('1'));
+length(password('1'))
+41
+select length(encrypt('test'));
+length(encrypt('test'))
+13
+select encrypt('test','aa');
+encrypt('test','aa')
+aaqPiZY5xR5l.
+select old_password(NULL);
+old_password(NULL)
+NULL
+select password(NULL);
+password(NULL)
+NULL
+set global old_passwords=on;
+select password('');
+password('')
+
+select old_password('');
+old_password('')
+
+select password('idkfa');
+password('idkfa')
+*b669c9dac3aa6f2254b03cdef8dfdd6b2d1054ba
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+set old_passwords=on;
+select password('idkfa');
+password('idkfa')
+5c078dc54ca0fcca
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+set global old_passwords=off;
+select password('idkfa');
+password('idkfa')
+5c078dc54ca0fcca
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+set old_passwords=off;
+select password('idkfa ');
+password('idkfa ')
+*2dc31d90647b4c1abc9231563d2236e96c9a2db2
+select password('idkfa');
+password('idkfa')
+*b669c9dac3aa6f2254b03cdef8dfdd6b2d1054ba
+select password(' idkfa');
+password(' idkfa')
+*12b099e56bb7fe8d43c78fd834a9d1d11178d045
+select old_password('idkfa');
+old_password('idkfa')
+5c078dc54ca0fcca
+select old_password(' i 	 d k f a ');
+old_password(' i 	 d k f a ')
+5c078dc54ca0fcca

mysql-test/t/connect.test

@@ -48,8 +48,9 @@ flush privileges;
 #connect (con1,localhost,test,gambling2,"");
 #show tables;
 connect (con1,localhost,test,gambling2,mysql);
+set password=old_password('gambling3');
 show tables;
-connect (con1,localhost,test,gambling2,test);
+connect (con1,localhost,test,gambling3,test);
 show tables;
 
 # Re enable this one day if error handling on connect will take place
@@ -63,7 +64,9 @@ show tables;
 #connect (con1,localhost,test,zorro,);
 #--error 1045
 
+
 # remove user 'test' so that other tests which may use 'test'
 # do not depend on this test.
+
 delete from mysql.user where user="test";
 flush privileges;

mysql-test/t/func_crypt.test

@@ -4,7 +4,33 @@ select length(encrypt('foo', 'ff')) <> 0;
 --replace_result $1$aa$4OSUA5cjdx0RUQ08opV27/ aaqPiZY5xR5l.
 
 # Test new and old password handling functions 
-select password("a",""), password("a",NULL), password("","a"), password(NULL,"a");
+select password('abc');
-select password("aaaaaaaaaaaaaaaa","a"), password("a","aaaaaaaaaaaaaaaa");
+select password('');
-select old_password('test'), length(password("1")), length(encrypt('test')), encrypt('test','aa');
+select old_password('abc');
-select old_password(""), old_password(NULL), password(""), password(NULL);
+select old_password('');
+select password('gabbagabbahey');
+select old_password('idkfa');
+select length(password('1'));
+select length(encrypt('test'));
+select encrypt('test','aa');
+select old_password(NULL);
+select password(NULL);
+set global old_passwords=on;
+select password('');
+select old_password('');
+select password('idkfa');
+select old_password('idkfa');
+set old_passwords=on;
+select password('idkfa');
+select old_password('idkfa');
+set global old_passwords=off;
+select password('idkfa');
+select old_password('idkfa');
+
+# this test shows that new scrambles honor spaces in passwords:
+set old_passwords=off;
+select password('idkfa ');
+select password('idkfa');
+select password(' idkfa');
+select old_password('idkfa');
+select old_password(' i 	 d k f a ');

sql-common/client.c

@@ -1842,8 +1842,7 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user,
       end+= SCRAMBLE_LENGTH;
     }
     else
-      end= scramble_323(end, mysql->scramble_323, passwd,
+      end= scramble_323(end, mysql->scramble_323, passwd) + 1;
-                   (my_bool) (mysql->protocol_version == 9)) + 1;
   }
   else
     *end++= '\0';                               /* empty password */
@@ -1880,8 +1879,7 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user,
       By sending this very specific reply server asks us to send scrambled
       password in old format. The reply contains scramble_323.
     */
-    scramble_323(buff, mysql->scramble_323, passwd,
+    scramble_323(buff, mysql->scramble_323, passwd);
-                 (my_bool) (mysql->protocol_version == 9));
     if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net))
     {
       net->last_errno= CR_SERVER_LOST;

sql/item_strfunc.h

@@ -277,7 +277,7 @@ public:
 /*
   Item_func_old_password -- PASSWORD() implementation used in MySQL 3.21 - 4.0
   compatibility mode. This item is created in sql_yacc.yy when
-  'use_old_passwords' session variable is set, and to handle OLD_PASSWORD()
+  'old_passwords' session variable is set, and to handle OLD_PASSWORD()
   function.
 */
 

sql/mysql_priv.h

@@ -748,7 +748,7 @@ extern my_bool opt_safe_show_db, opt_local_infile, lower_case_table_names;
 extern my_bool opt_slave_compressed_protocol, use_temp_pool;
 extern my_bool opt_readonly;
 extern my_bool opt_enable_named_pipe;
-extern my_bool opt_old_passwords, use_old_passwords;
+extern my_bool opt_secure_auth;
 extern char *shared_memory_base_name, *mysqld_unix_port;
 extern bool opt_enable_shared_memory;
 

sql/mysqld.cc

@@ -250,9 +250,10 @@ my_bool opt_local_infile, opt_external_locking, opt_slave_compressed_protocol;
 my_bool opt_safe_user_create = 0, opt_no_mix_types = 0;
 my_bool lower_case_table_names, opt_old_rpl_compat;
 my_bool opt_show_slave_auth_info, opt_sql_bin_update = 0;
-my_bool opt_log_slave_updates= 0, opt_old_passwords=0, use_old_passwords=0;
+my_bool opt_log_slave_updates= 0;
 my_bool	opt_console= 0, opt_bdb, opt_innodb, opt_isam;
 my_bool opt_readonly, use_temp_pool, relay_log_purge;
+my_bool opt_secure_auth= 0;
 volatile bool mqh_used = 0;
 
 uint mysqld_port, test_flags, select_errors, dropping_tables, ha_open_options;
@@ -3452,7 +3453,8 @@ enum options
   OPT_EXPIRE_LOGS_DAYS,
   OPT_DEFAULT_WEEK_FORMAT,
   OPT_GROUP_CONCAT_MAX_LEN,
-  OPT_DEFAULT_COLLATION
+  OPT_DEFAULT_COLLATION,
+  OPT_SECURE_AUTH
 };
 
 
@@ -3753,9 +3755,10 @@ Does nothing yet.",
    (gptr*) &opt_no_mix_types, (gptr*) &opt_no_mix_types, 0, GET_BOOL, NO_ARG,
    0, 0, 0, 0, 0, 0},
 #endif
-  {"old-protocol", 'o', "Use the old (3.20) protocol client/server protocol.",
+  {"old-passwords", OPT_OLD_PASSWORDS, "Use old password encryption method (needed for 4.0 and older clients).",
-   (gptr*) &protocol_version, (gptr*) &protocol_version, 0, GET_UINT, NO_ARG,
+   (gptr*) &global_system_variables.old_passwords,
-   PROTOCOL_VERSION, 0, 0, 0, 0, 0},
+   (gptr*) &max_system_variables.old_passwords, 0, GET_BOOL, NO_ARG,
+   0, 0, 0, 0, 0, 0},
   {"old-rpl-compat", OPT_OLD_RPL_COMPAT,
    "Use old LOAD DATA format in the binary log (don't save data in file).",
    (gptr*) &opt_old_rpl_compat, (gptr*) &opt_old_rpl_compat, 0, GET_BOOL,
@@ -3824,8 +3827,6 @@ relay logs.",
    GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
   {"safe-mode", OPT_SAFE, "Skip some optimize stages (for testing).",
    0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0},
-  {"old-passwords", OPT_OLD_PASSWORDS, "Use old password encryption method (needed for 4.0 and older clients).",
-   (gptr*) &opt_old_passwords, (gptr*) &opt_old_passwords, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
 #ifndef TO_BE_DELETED
   {"safe-show-database", OPT_SAFE_SHOW_DB,
    "Deprecated option; One should use GRANT SHOW DATABASES instead...",
@@ -3835,6 +3836,9 @@ relay logs.",
    "Don't allow new user creation by the user who has no write privileges to the mysql.user table.",
    (gptr*) &opt_safe_user_create, (gptr*) &opt_safe_user_create, 0, GET_BOOL,
    NO_ARG, 0, 0, 0, 0, 0, 0},
+  {"secure-auth", OPT_SECURE_AUTH, "Disallow authentication for accounts that have old (pre-4.1) passwords.",
+   (gptr*) &opt_secure_auth, (gptr*) &opt_secure_auth, 0, GET_BOOL, NO_ARG,
+   my_bool(0), 0, 0, 0, 0, 0},
   {"server-id",	OPT_SERVER_ID,
    "Uniquely identifies the server instance in the community of replication partners.",
    (gptr*) &server_id, (gptr*) &server_id, 0, GET_ULONG, REQUIRED_ARG, 0, 0, 0,
@@ -4604,7 +4608,8 @@ static void mysql_init_variables(void)
   opt_log= opt_update_log= opt_bin_log= opt_slow_log= 0;
   opt_disable_networking= opt_skip_show_db=0;
   opt_logname= opt_update_logname= opt_binlog_index_name= opt_slow_logname=0;
-  opt_bootstrap= opt_myisam_log= use_old_passwords= 0;
+  opt_secure_auth= 0;
+  opt_bootstrap= opt_myisam_log= 0;
   mqh_used= 0;
   segfaulted= kill_in_progress= 0;
   cleanup_done= 0;
@@ -4704,6 +4709,7 @@ static void mysql_init_variables(void)
   max_system_variables.select_limit=    (ulonglong) HA_POS_ERROR;
   global_system_variables.max_join_size= (ulonglong) HA_POS_ERROR;
   max_system_variables.max_join_size=   (ulonglong) HA_POS_ERROR;
+  global_system_variables.old_passwords= 0;
 
   /* Variables that depends on compile options */
 #ifndef DBUG_OFF
@@ -4825,9 +4831,6 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
   case 'L':
     strmake(language, argument, sizeof(language)-1);
     break;
-  case 'o':
-    protocol_version=PROTOCOL_VERSION-1;
-    break;
 #ifdef HAVE_REPLICATION
   case OPT_SLAVE_SKIP_ERRORS:
     init_slave_skip_errors(argument);

sql/password.c

@@ -88,24 +88,6 @@ void randominit(struct rand_struct *rand_st, ulong seed1, ulong seed2)
 }
 
 
-/*
-  Old (MySQL 3.20) random generation structure initialization
-  XXX: is to be deleted very soon!
-  SYNOPSIS
-    old_randominit()
-    rand_st    OUT  Structure to initialize
-    seed1      IN   First initialization parameter
-*/
-
-static void old_randominit(struct rand_struct *rand_st, ulong seed1)
-{                                               /* For mysql 3.20.# */
-  rand_st->max_value= 0x01FFFFFFL;
-  rand_st->max_value_dbl=(double) rand_st->max_value;
-  seed1%=rand_st->max_value;
-  rand_st->seed1=seed1 ; rand_st->seed2=seed1/2;
-}
-
-
 /*
     Generate random number.
   SYNOPSIS
@@ -178,13 +160,11 @@ void make_scrambled_password_323(char *to, const char *password)
     message  IN  Message to scramble. Message must be exactly 
                  SRAMBLE_LENGTH_323 long and NULL terminated. 
     password IN  Password to use while scrambling
-    old_ver  IN  Force old version random number generator
   RETURN
     End of scrambled string
 */
 
-char *scramble_323(char *to, const char *message, const char *password,
+char *scramble_323(char *to, const char *message, const char *password)
-                   my_bool old_ver)
 {
   struct rand_struct rand_st;
   ulong hash_pass[2], hash_message[2];
@@ -194,21 +174,15 @@ char *scramble_323(char *to, const char *message, const char *password,
     char *to_start=to;
     hash_password(hash_pass,password);
     hash_password(hash_message, message);
-    if (old_ver)
+    randominit(&rand_st,hash_pass[0] ^ hash_message[0],
-      old_randominit(&rand_st,hash_pass[0] ^ hash_message[0]);
+               hash_pass[1] ^ hash_message[1]);
-    else
-      randominit(&rand_st,hash_pass[0] ^ hash_message[0],
-                 hash_pass[1] ^ hash_message[1]);
     while (*message++)
       *to++= (char) (floor(my_rnd(&rand_st)*31)+64);
-    if (!old_ver)
+    char extra=(char) (floor(my_rnd(&rand_st)*31));
-    {                                           /* Make it harder to break */
+    while (to_start != to)
-      char extra=(char) (floor(my_rnd(&rand_st)*31));
+      *(to_start++)^=extra;
-      while (to_start != to)
-        *(to_start++)^=extra;
-    }
   }
-  *to=0;
+  *to= 0;
   return to;
 }
 
@@ -223,7 +197,6 @@ char *scramble_323(char *to, const char *message, const char *password,
                   be exactly SCRAMBLED_LENGTH_323 bytes long and
                   NULL-terminated.
     hash_pass  IN password which should be used for scrambling
-    old_ver    IN force old (3.20) version random number generator
   RETURN VALUE
     0 - password correct
    !0 - password invalid
@@ -231,7 +204,7 @@ char *scramble_323(char *to, const char *message, const char *password,
 
 my_bool
 check_scramble_323(const char *scrambled, const char *message,
-                   ulong *hash_pass, my_bool old_ver)
+                   ulong *hash_pass)
 {
   struct rand_struct rand_st;
   ulong hash_message[2];
@@ -243,18 +216,12 @@ check_scramble_323(const char *scrambled, const char *message,
     return 1;                                   /* Wrong password */
 
   hash_password(hash_message,message);
-  if (old_ver)
+  randominit(&rand_st,hash_pass[0] ^ hash_message[0],
-    old_randominit(&rand_st,hash_pass[0] ^ hash_message[0]);
+             hash_pass[1] ^ hash_message[1]);
-  else
-    randominit(&rand_st,hash_pass[0] ^ hash_message[0],
-               hash_pass[1] ^ hash_message[1]);
   to=buff;
   for (pos=scrambled ; *pos ; pos++)
     *to++=(char) (floor(my_rnd(&rand_st)*31)+64);
-  if (old_ver)
+  extra=(char) (floor(my_rnd(&rand_st)*31));
-    extra=0;
-  else
-    extra=(char) (floor(my_rnd(&rand_st)*31));
   to=buff;
   while (*scrambled)
   {

sql/set_var.cc

@@ -210,6 +210,7 @@ sys_var_thd_ulong	sys_net_retry_count("net_retry_count",
 					    &SV::net_retry_count,
 					    fix_net_retry_count);
 sys_var_thd_bool	sys_new_mode("new", &SV::new_mode);
+sys_var_thd_bool	sys_old_passwords("old_passwords", &SV::old_passwords);
 sys_var_thd_ulong       sys_preload_buff_size("preload_buffer_size",
                                               &SV::preload_buff_size);
 sys_var_thd_ulong	sys_read_buff_size("read_buffer_size",
@@ -236,6 +237,7 @@ sys_var_thd_enum	sys_query_cache_type("query_cache_type",
 					     &SV::query_cache_type,
 					     &query_cache_type_typelib);
 #endif /* HAVE_QUERY_CACHE */
+sys_var_bool_ptr	sys_secure_auth("secure_auth", &opt_secure_auth);
 sys_var_long_ptr	sys_server_id("server_id",&server_id);
 sys_var_bool_ptr	sys_slave_compressed_protocol("slave_compressed_protocol",
 						      &opt_slave_compressed_protocol);
@@ -425,6 +427,7 @@ sys_var *sys_variables[]=
   &sys_net_wait_timeout,
   &sys_net_write_timeout,
   &sys_new_mode,
+  &sys_old_passwords,
   &sys_preload_buff_size,
   &sys_pseudo_thread_id,
   &sys_query_cache_size,
@@ -443,6 +446,7 @@ sys_var *sys_variables[]=
 #endif
   &sys_rpl_recovery_rank,
   &sys_safe_updates,
+  &sys_secure_auth,
   &sys_select_limit,
   &sys_server_id,
 #ifdef HAVE_REPLICATION
@@ -600,6 +604,7 @@ struct show_var_st init_vars[]= {
   {sys_net_retry_count.name,  (char*) &sys_net_retry_count,	    SHOW_SYS},
   {sys_net_write_timeout.name,(char*) &sys_net_write_timeout,       SHOW_SYS},
   {sys_new_mode.name,         (char*) &sys_new_mode,                SHOW_SYS},
+  {sys_old_passwords.name,    (char*) &sys_old_passwords,           SHOW_SYS},
   {"open_files_limit",	      (char*) &open_files_limit,	    SHOW_LONG},
   {"pid_file",                (char*) pidfile_name,                 SHOW_CHAR},
   {"log_error",               (char*) log_error_file,               SHOW_CHAR},
@@ -620,6 +625,7 @@ struct show_var_st init_vars[]= {
    SHOW_SYS},
   {sys_query_cache_size.name, (char*) &sys_query_cache_size,	    SHOW_SYS},
   {sys_query_cache_type.name, (char*) &sys_query_cache_type,        SHOW_SYS},
+  {"secure_auth",             (char*) &sys_secure_auth,             SHOW_SYS},
 #endif /* HAVE_QUERY_CACHE */
 #ifdef HAVE_SMEM
   {"shared_memory",           (char*) &opt_enable_shared_memory,    SHOW_MY_BOOL},

sql/set_var.h

@@ -652,3 +652,5 @@ ulong fix_sql_mode(ulong sql_mode);
 
 extern sys_var_str sys_charset_system;
 CHARSET_INFO *get_old_charset_by_name(const char *old_name);
+
+extern sys_var_thd_bool sys_old_passwords;

sql/share/czech/errmsg.txt

@@ -275,3 +275,4 @@ v/*
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/danish/errmsg.txt

@@ -269,3 +269,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/dutch/errmsg.txt

@@ -277,3 +277,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/english/errmsg.txt

@@ -271,3 +271,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/estonian/errmsg.txt

@@ -271,3 +271,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/french/errmsg.txt

@@ -266,3 +266,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/german/errmsg.txt

@@ -275,3 +275,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/greek/errmsg.txt

@@ -266,3 +266,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/hungarian/errmsg.txt

@@ -268,3 +268,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/italian/errmsg.txt

@@ -266,3 +266,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/japanese/errmsg.txt

@@ -268,3 +268,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/korean/errmsg.txt

@@ -266,3 +266,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/norwegian-ny/errmsg.txt

@@ -268,3 +268,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/norwegian/errmsg.txt

@@ -268,3 +268,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/polish/errmsg.txt

@@ -270,3 +270,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/portuguese/errmsg.txt

@@ -266,3 +266,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/romanian/errmsg.txt

@@ -270,3 +270,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/russian/errmsg.txt

@@ -268,3 +268,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Сервер запущен в режиме --secure-auth (безопасной авторизации), но для пользователя '%s@%s' пароль сохранён в старом формате; необходимо обновить формат пароля"

sql/share/serbian/errmsg.txt

@@ -262,3 +262,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/slovak/errmsg.txt

@@ -274,3 +274,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/spanish/errmsg.txt

@@ -267,3 +267,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/swedish/errmsg.txt

@@ -266,3 +266,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/share/ukrainian/errmsg.txt

@@ -271,3 +271,4 @@
 "Can't revoke all privileges, grant for one or more of the requested users"
 "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
 "Illegal mix of collations for operation '%s'",
+"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"

sql/sql_acl.cc

@@ -87,16 +87,33 @@ set_user_salt(ACL_USER *acl_user, const char *password, uint password_len)
     get_salt_from_password(acl_user->salt, password);
     acl_user->salt_len= SCRAMBLE_LENGTH;
   }
-  else if (password_len == SCRAMBLED_PASSWORD_CHAR_LENGTH_323
+  else if (password_len == SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
-           || password_len == 8 && protocol_version == 9)
   {
     get_salt_from_password_323((ulong *) acl_user->salt, password);
-    acl_user->salt_len= password_len/2;
+    acl_user->salt_len= SCRAMBLE_LENGTH_323;
   }
   else
     acl_user->salt_len= 0;
 }
 
+/*
+  This after_update function is used when user.password is less than
+  SCRAMBLE_LENGTH bytes.
+*/
+
+static void restrict_update_of_old_passwords_var(THD *thd,
+                                                 enum_var_type var_type)
+{
+  if (var_type == OPT_GLOBAL)
+  {
+    pthread_mutex_lock(&LOCK_global_system_variables);
+    global_system_variables.old_passwords= 1;
+    pthread_mutex_unlock(&LOCK_global_system_variables);
+  }
+  else
+    thd->variables.old_passwords= 1;
+}
+
 
 /*
   Read grant privileges from the privilege tables in the 'mysql' database.
@@ -139,8 +156,6 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
   if (!(thd=new THD))
     DBUG_RETURN(1); /* purecov: inspected */
   thd->store_globals();
-  /* Use passwords according to command line option */
-  use_old_passwords= opt_old_passwords;
 
   acl_cache->clear(1);				// Clear locked hostname cache
   thd->db= my_strdup("mysql",MYF(0));
@@ -197,24 +212,43 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
 
   init_read_record(&read_record_info,thd,table=tables[1].table,NULL,1,0);
   VOID(my_init_dynamic_array(&acl_users,sizeof(ACL_USER),50,100));
-  if (table->field[2]->field_length == 8 &&
+  if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
-      protocol_version == PROTOCOL_VERSION)
   {
-    sql_print_error("Old 'user' table. "
+    sql_print_error("Fatal error: mysql.user table is damaged or in "
-                    "(Check README or the Reference manual). "
+                    "unsupported 3.20 format.");
-                    "Continuing --old-protocol"); /* purecov: tested */
+    goto end;
-    protocol_version=9; /* purecov: tested */
   }
 
   DBUG_PRINT("info",("user table fields: %d, password length: %d",
 		     table->fields, table->field[2]->field_length));
-  if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH &&
+  
-      !use_old_passwords)
+  pthread_mutex_lock(&LOCK_global_system_variables);
+  if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH)
   {
-    sql_print_error("mysql.user table is not updated to new password format; "
+    if (opt_secure_auth)
-                    "Disabling new password usage until "
+    {
-                    "mysql_fix_privilege_tables is run");
+      pthread_mutex_unlock(&LOCK_global_system_variables);
-    use_old_passwords= 1;
+      sql_print_error("Fatal error: mysql.user table is in old format, "
+                      "but server started with --secure-auth option.");
+      goto end;
+    }
+    sys_old_passwords.after_update= restrict_update_of_old_passwords_var;
+    if (global_system_variables.old_passwords)
+      pthread_mutex_unlock(&LOCK_global_system_variables);
+    else
+    {
+      global_system_variables.old_passwords= 1;
+      pthread_mutex_unlock(&LOCK_global_system_variables);
+      sql_print_error("mysql.user table is not updated to new password format; "
+                      "Disabling new password usage until "
+                      "mysql_fix_privilege_tables is run");
+    }
+    thd->variables.old_passwords= 1;
+  }
+  else
+  {
+    sys_old_passwords.after_update= 0;
+    pthread_mutex_unlock(&LOCK_global_system_variables);
   }
 
   allow_all_hosts=0;
@@ -229,12 +263,6 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
     if (user.salt_len == 0 && password_len != 0)
     {
       switch (password_len) {
-      case 8: /* 3.20: to be removed */
-        sql_print_error("Found old style password for user '%s'. "
-                        "Ignoring user. (You may want to restart mysqld "
-                        "using --old-protocol) ",
-                        user.user ? user.user : "");
-        break;
       case 45: /* 4.1: to be removed */
         sql_print_error("Found 4.1 style password for user '%s'. "
                         "Ignoring user. "
@@ -513,7 +541,6 @@ static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b)
                        original random string,
     passwd_len   IN    length of passwd, must be one of 0, 8,
                        SCRAMBLE_LENGTH_323, SCRAMBLE_LENGTH
-    old_version  IN    if old (3.20) protocol is used
  RETURN VALUE
     0  success: thread data and mqh are updated
     1  user not found or authentification failure
@@ -521,9 +548,8 @@ static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b)
    -1  user found, has short (3.23) salt, but passwd is in new (4.1.1) format.
 */
 
-int
+int acl_getroot(THD *thd, USER_RESOURCES  *mqh,
-acl_getroot(THD *thd, USER_RESOURCES  *mqh,
+                const char *passwd, uint passwd_len)
-            const char *passwd, uint passwd_len, bool old_version)
 {
   DBUG_ENTER("acl_getroot");
 
@@ -557,7 +583,7 @@ acl_getroot(THD *thd, USER_RESOURCES  *mqh,
               user_i->salt_len == SCRAMBLE_LENGTH &&
               check_scramble(passwd, thd->scramble, user_i->salt) == 0 ||
               check_scramble_323(passwd, thd->scramble_323,
-                (ulong *) user_i->salt, old_version) == 0)
+                                 (ulong *) user_i->salt) == 0)
           {
             acl_user= user_i;
             res= 0;

sql/sql_acl.h

@@ -135,8 +135,8 @@ void acl_reload(THD *thd);
 void acl_free(bool end=0);
 ulong acl_get(const char *host, const char *ip, const char *bin_ip,
 	      const char *user, const char *db);
-int acl_getroot(THD *thd, USER_RESOURCES *mqh,
+int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
-                const char *passwd, uint passwd_len, bool old_ver);
+                uint passwd_len);
 bool acl_check_host(const char *host, const char *ip);
 bool check_change_password(THD *thd, const char *host, const char *user);
 bool change_password(THD *thd, const char *host, const char *user,

sql/sql_class.h

@@ -386,6 +386,7 @@ struct system_variables
   my_bool log_warnings;
   my_bool low_priority_updates;
   my_bool new_mode;
+  my_bool old_passwords;
   
   CHARSET_INFO	*character_set_server;
   CHARSET_INFO	*character_set_database;

sql/sql_parse.cc

@@ -204,7 +204,22 @@ static int check_user(THD *thd, enum enum_server_command command,
                       bool check_count)
 {
   DBUG_ENTER("check_user");
-
+  
+  my_bool opt_secure_auth_local;
+  pthread_mutex_lock(&LOCK_global_system_variables);
+  opt_secure_auth_local= opt_secure_auth;
+  pthread_mutex_unlock(&LOCK_global_system_variables);
+  
+  /*
+    If the server is running in secure auth mode, short scrambles are 
+    forbidden.
+  */
+  if (opt_secure_auth_local && passwd_len == SCRAMBLE_LENGTH_323)
+  {
+    net_printf(thd, ER_NOT_SUPPORTED_AUTH_MODE);
+    mysql_log.write(thd, COM_CONNECT, ER(ER_NOT_SUPPORTED_AUTH_MODE));
+    DBUG_RETURN(-1);
+  }
   if (passwd_len != 0 &&
       passwd_len != SCRAMBLE_LENGTH &&
       passwd_len != SCRAMBLE_LENGTH_323)
@@ -220,9 +235,7 @@ static int check_user(THD *thd, enum enum_server_command command,
   char buff[NAME_LEN + 1]; /* to conditionally save db */
   
   USER_RESOURCES ur;
-  int res= acl_getroot(thd, &ur, passwd, passwd_len,
+  int res= acl_getroot(thd, &ur, passwd, passwd_len);
-                       protocol_version == 9 ||
-                       !(thd->client_capabilities & CLIENT_LONG_PASSWORD));
   if (res == -1)
   {
     /*
@@ -231,6 +244,14 @@ static int check_user(THD *thd, enum enum_server_command command,
       scramble_323()). Here we please client to send scrambled_password
       in old format.
     */
+    if (opt_secure_auth_local)
+    {
+      net_printf(thd, ER_SERVER_IS_IN_SECURE_AUTH_MODE,
+                 thd->user, thd->host_or_ip);
+      mysql_log.write(thd, COM_CONNECT, ER(ER_SERVER_IS_IN_SECURE_AUTH_MODE),
+                      thd->user, thd->host_or_ip);
+      DBUG_RETURN(-1);
+    }
     /* save db because network buffer is to hold new packet */
     if (db)
     {
@@ -247,8 +268,7 @@ static int check_user(THD *thd, enum enum_server_command command,
     }
     /* Final attempt to check the user based on reply */
     /* So as passwd is short, errcode is always >= 0 */
-    res= acl_getroot(thd, &ur, (char *) net->read_pos, SCRAMBLE_LENGTH_323,
+    res= acl_getroot(thd, &ur, (char *) net->read_pos, SCRAMBLE_LENGTH_323);
-                     false);
   }
   /* here res is always >= 0 */
   if (res == 0)

sql/sql_yacc.yy

@@ -2517,7 +2517,8 @@ simple_expr:
 	  { $$= new Item_func_now($3); Lex->safe_to_cache_query=0;}
 	| PASSWORD '(' expr ')'
 	  {
-	    $$= use_old_passwords ?  (Item *) new Item_func_old_password($3) :
+	    $$= YYTHD->variables.old_passwords ?
+              (Item *) new Item_func_old_password($3) :
 	      (Item *) new Item_func_password($3);
 	  }
 	| OLD_PASSWORD '(' expr ')'
@@ -4607,7 +4608,7 @@ text_or_password:
 	TEXT_STRING { $$=$1.str;}
 	| PASSWORD '(' TEXT_STRING ')'
 	  {
-	    $$= $3.length ? use_old_passwords ?
+	    $$= $3.length ? YYTHD->variables.old_passwords ?
 	        Item_func_old_password::alloc(YYTHD, $3.str) :
 	        Item_func_password::alloc(YYTHD, $3.str) :
 	      $3.str;
@@ -4923,7 +4924,7 @@ grant_user:
 	   $$=$1; $1->password=$4;
 	   if ($4.length)
 	   {
-             if (use_old_passwords)
+             if (YYTHD->variables.old_passwords)
              {
                char *buff= 
                  (char *) YYTHD->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1);