Hello Sergei!

This patch has a server-side only effect.
You see, the old code was sending either the internally-generated scramble, or the plugin-provided payload. But never both. 

The protocol would interpret both as a scramble.

You wrote:
> How can thd->scramble[SCRAMBLE_LENGTH] be not zero at this point?
 
thd->scramble[SCRAMBLE_LENGTH] is set to 1 in acl_authenticate():

  if (command == COM_CHANGE_USER)
  {
  ...
  }
  else
  {
    /* mark the thd as having no scramble yet */
    thd->scramble[SCRAMBLE_LENGTH]= 1;


So when THD is just connecting, it has 1 in the (SCRAMBLE_LENGTH+1)-th byte. 

This is true only for the server: libmariadb makes no such marking, so it's harder (I know no way) to distinguish the initial handshake from an extra roundtrip.

Overall, my solution is to use only the first 20 bytes as a nonce used to generate the SSL secret.
Quick'n'dirty, maybe, but I think that supporting arbitrary length scrambles can be done on top of it, if necessary.

It won't make it into 11.7, though.


Best regards,
Nikita