authorunknown <kostja@oak.local>2003-07-08 02:36:14 +0400
committerunknown <kostja@oak.local>2003-07-08 02:36:14 +0400
commitc9d13748d95092781736ca234d58ee7b97a1bc3e (patch)
tree5a836d0a6e734d06562d84c77adfb6a8a3923e7d /sql/sql_acl.cc
parent42c7698c4b71b3c6868a42f97ae3e143b3903ba7 (diff)
downloadmariadb-git-c9d13748d95092781736ca234d58ee7b97a1bc3e.tar.gz
Preliminary support for options --secure-auth,
--old-passwords Support for option --old-protocol was removed. Some test performed. Tests for SSL and replication are pending. More strict following to specification for --old-passwords is in the TODO. include/mysql_com.h: support for 3.20 passwords removed from scramble_323 include/mysqld_error.h: added error code for --secure-auth mode libmysql/libmysql.c: removed support for 3.20 password and protocol version 9 mysql-test/r/connect.result: added check for new syntax of set password mysql-test/r/func_crypt.result: tests for two-argument of password() were removed. Instead added tests for cooperation of password() and old_passwords session/global variable, passwords() and spaces in argument string mysql-test/t/connect.test: added check for new syntax of set password mysql-test/t/func_crypt.test: tests for two-argument of password() were removed. Instead added tests for cooperation of password() and old_passwords session/global variable, passwords() and spaces in argument string sql-common/client.c: removed support for 3.20 servers and protocol version 9 sql/item_strfunc.h: fixed comment sql/mysql_priv.h: added declarartion for option opt_secure_auth sql/mysqld.cc: added option opt_secure_auth option old-password placed according to sort order sql/password.c: removed support for 3.20 clients and old scrambles sql/set_var.cc: added system variable 'secure_auth' added system/thread variable 'old_passwords' sql/set_var.h: sys_old_passwords needs to be exported because sys_old_passwords.after_update is used in sql_acl.cc sql/sql_acl.cc: support for 3.20 passwords removed now acl_init honors options works properly with options/variables --secure-auth and --old-passwords sql/sql_acl.h: support for 3.20 clients removed sql/sql_class.h: added system/thread variable old_passwords sql/sql_parse.cc: support for 3.20 clients removed now check_user takes into account option secure_auth sql/sql_yacc.yy: global variable use_old_passwords replaced with thread-specific variable 
old_passwords sql/share/czech/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/danish/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/dutch/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/english/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/estonian/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/french/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/german/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/greek/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/hungarian/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/italian/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/japanese/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/korean/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/norwegian-ny/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/norwegian/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/polish/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/portuguese/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/romanian/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/russian/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/serbian/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/slovak/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/spanish/errmsg.txt: error message for --secure-auth added (as suggested by Paul) sql/share/swedish/errmsg.txt: error message for --secure-auth added (as 
suggested by Paul) sql/share/ukrainian/errmsg.txt: error message for --secure-auth added (as suggested by Paul)
Diffstat (limited to 'sql/sql_acl.cc')
-rw-r--r--sql/sql_acl.cc82
1 files changed, 54 insertions, 28 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index f88799c2843..ee544335a99 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -87,16 +87,33 @@ set_user_salt(ACL_USER *acl_user, const char *password, uint password_len)
get_salt_from_password(acl_user->salt, password);
acl_user->salt_len= SCRAMBLE_LENGTH;
}
- else if (password_len == SCRAMBLED_PASSWORD_CHAR_LENGTH_323
- || password_len == 8 && protocol_version == 9)
+ else if (password_len == SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
{
get_salt_from_password_323((ulong *) acl_user->salt, password);
- acl_user->salt_len= password_len/2;
+ acl_user->salt_len= SCRAMBLE_LENGTH_323;
}
else
acl_user->salt_len= 0;
}
+/*
+ This after_update function is used when user.password is less than
+ SCRAMBLE_LENGTH bytes.
+*/
+
+static void restrict_update_of_old_passwords_var(THD *thd,
+ enum_var_type var_type)
+{
+ if (var_type == OPT_GLOBAL)
+ {
+ pthread_mutex_lock(&LOCK_global_system_variables);
+ global_system_variables.old_passwords= 1;
+ pthread_mutex_unlock(&LOCK_global_system_variables);
+ }
+ else
+ thd->variables.old_passwords= 1;
+}
+
/*
Read grant privileges from the privilege tables in the 'mysql' database.
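Review bot: The comment above restrict_update_of_old_passwords_var says when the hook is installed but not what it does, which is to force old_passwords back to 1 after every update, so a `SET old_passwords=0` is undone with no warning raised by this function. It also names SCRAMBLE_LENGTH, while the check in acl_init that installs the hook compares the column width against SCRAMBLED_PASSWORD_CHAR_LENGTH. I would reword it along the lines of `/* after_update hook installed by acl_init() when mysql.user.password is narrower than SCRAMBLED_PASSWORD_CHAR_LENGTH: forces old_passwords back to 1 so only pre-4.1 hashes, which fit the column, are generated. */`. Every var_type other than OPT_GLOBAL takes the session branch; if the enum has further values (not visible here), the comment should say that this is intended.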
@@ -139,8 +156,6 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
if (!(thd=new THD))
DBUG_RETURN(1); /* purecov: inspected */
thd->store_globals();
- /* Use passwords according to command line option */
- use_old_passwords= opt_old_passwords;
acl_cache->clear(1); // Clear locked hostname cache
thd->db= my_strdup("mysql",MYF(0));
@@ -197,24 +212,43 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
init_read_record(&read_record_info,thd,table=tables[1].table,NULL,1,0);
VOID(my_init_dynamic_array(&acl_users,sizeof(ACL_USER),50,100));
- if (table->field[2]->field_length == 8 &&
- protocol_version == PROTOCOL_VERSION)
+ if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
{
- sql_print_error("Old 'user' table. "
- "(Check README or the Reference manual). "
- "Continuing --old-protocol"); /* purecov: tested */
- protocol_version=9; /* purecov: tested */
+ sql_print_error("Fatal error: mysql.user table is damaged or in "
+ "unsupported 3.20 format.");
+ goto end;
}
DBUG_PRINT("info",("user table fields: %d, password length: %d",
table->fields, table->field[2]->field_length));
- if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH &&
- !use_old_passwords)
+
+ pthread_mutex_lock(&LOCK_global_system_variables);
+ if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH)
{
- sql_print_error("mysql.user table is not updated to new password format; "
- "Disabling new password usage until "
- "mysql_fix_privilege_tables is run");
- use_old_passwords= 1;
+ if (opt_secure_auth)
+ {
+ pthread_mutex_unlock(&LOCK_global_system_variables);
+ sql_print_error("Fatal error: mysql.user table is in old format, "
+ "but server started with --secure-auth option.");
+ goto end;
+ }
+ sys_old_passwords.after_update= restrict_update_of_old_passwords_var;
+ if (global_system_variables.old_passwords)
+ pthread_mutex_unlock(&LOCK_global_system_variables);
+ else
+ {
+ global_system_variables.old_passwords= 1;
+ pthread_mutex_unlock(&LOCK_global_system_variables);
+ sql_print_error("mysql.user table is not updated to new password format; "
+ "Disabling new password usage until "
+ "mysql_fix_privilege_tables is run");
+ }
+ thd->variables.old_passwords= 1;
+ }
+ else
+ {
+ sys_old_passwords.after_update= 0;
+ pthread_mutex_unlock(&LOCK_global_system_variables);
}
allow_all_hosts=0;
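Review bot: The new block in acl_init releases LOCK_global_system_variables on four separate paths, which makes it easy for a later edit to add a return or `goto end` with the mutex still held. Copying the two globals into locals under the lock and unlocking once keeps the same behaviour, with the logging and the `goto end` done after the unlock. Separately, both new `goto end` exits run after init_read_record() and my_init_dynamic_array(); the `end` label is outside this hunk, so it should be confirmed that it releases them and returns failure. acl_init's body continues outside the hunk.

```cpp
  // … unchanged: 3.20 format check and DBUG_PRINT …
  if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH)
  {
    pthread_mutex_lock(&LOCK_global_system_variables);
    const bool secure_auth= opt_secure_auth;
    const bool already_old= global_system_variables.old_passwords;
    if (!secure_auth)
    {
      sys_old_passwords.after_update= restrict_update_of_old_passwords_var;
      if (!already_old)
        global_system_variables.old_passwords= 1;
    }
    pthread_mutex_unlock(&LOCK_global_system_variables);

    if (secure_auth)
    {
      // … unchanged: "Fatal error: ... --secure-auth option." message …
      goto end;
    }
    if (!already_old)
    {
      // … unchanged: "mysql.user table is not updated ..." message …
    }
    thd->variables.old_passwords= 1;
  }
  else
  {
    pthread_mutex_lock(&LOCK_global_system_variables);
    sys_old_passwords.after_update= 0;
    pthread_mutex_unlock(&LOCK_global_system_variables);
  }
```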
@@ -229,12 +263,6 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
if (user.salt_len == 0 && password_len != 0)
{
switch (password_len) {
- case 8: /* 3.20: to be removed */
- sql_print_error("Found old style password for user '%s'. "
- "Ignoring user. (You may want to restart mysqld "
- "using --old-protocol) ",
- user.user ? user.user : "");
- break;
case 45: /* 4.1: to be removed */
sql_print_error("Found 4.1 style password for user '%s'. "
"Ignoring user. "
@@ -513,7 +541,6 @@ static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b)
original random string,
passwd_len IN length of passwd, must be one of 0, 8,
SCRAMBLE_LENGTH_323, SCRAMBLE_LENGTH
- old_version IN if old (3.20) protocol is used
RETURN VALUE
0 success: thread data and mqh are updated
1 user not found or authentification failure
@@ -521,9 +548,8 @@ static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b)
-1 user found, has short (3.23) salt, but passwd is in new (4.1.1) format.
*/
-int
-acl_getroot(THD *thd, USER_RESOURCES *mqh,
- const char *passwd, uint passwd_len, bool old_version)
+int acl_getroot(THD *thd, USER_RESOURCES *mqh,
+ const char *passwd, uint passwd_len)
{
DBUG_ENTER("acl_getroot");
@@ -557,7 +583,7 @@ acl_getroot(THD *thd, USER_RESOURCES *mqh,
user_i->salt_len == SCRAMBLE_LENGTH &&
check_scramble(passwd, thd->scramble, user_i->salt) == 0 ||
check_scramble_323(passwd, thd->scramble_323,
- (ulong *) user_i->salt, old_version) == 0)
+ (ulong *) user_i->salt) == 0)
{
acl_user= user_i;
res= 0;
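Review bot: In the acl_getroot condition, the `||` in front of check_scramble_323 is not grouped with the `user_i->salt_len == SCRAMBLE_LENGTH &&` term. As far as the visible lines show, an account with a full-length 4.1 salt that fails check_scramble is therefore still tried against the weaker 3.23 check, with its salt reinterpreted through the `(ulong *)` cast. Selecting the check by salt length would make the intent explicit: `(user_i->salt_len == SCRAMBLE_LENGTH ? check_scramble(passwd, thd->scramble, user_i->salt) : check_scramble_323(passwd, thd->scramble_323, (ulong *) user_i->salt)) == 0`. The condition starts above this hunk, so an outer length guard may already limit this and should be checked before changing it.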