Manually roll back all changes for #2979

Those will be moved to a different branch for the time being since other stuff needs to be changed first

6 files changed, 87 insertions, 217 deletions

diff --git a/Source/SPConnectionController.h b/Source/SPConnectionController.h
index 44b0a89f..2da8f58a 100644
--- a/Source/SPConnectionController.h
+++ b/Source/SPConnectionController.h
@@ -69,8 +69,6 @@
 	BOOL isConnecting;
 	BOOL isEditingConnection;
 	BOOL isTestingConnection;
-	NSString *agreedInsecurePlugin;
-	NSString *insecureOverridePassword;
 	
 	// Standard details
 	NSInteger previousType;
@@ -166,10 +164,6 @@
     IBOutlet NSMenuItem *favoritesSortByMenuItem;
 	IBOutlet NSView *exportPanelAccessoryView;
 	IBOutlet NSView *editButtonsView;
-
-	IBOutlet NSView *requestPasswordAccessoryView;
-	IBOutlet NSTextField *requestPasswordPluginNameField;
-	IBOutlet NSSecureTextField *requestPasswordPasswordField;
 	
 	BOOL isEditingItemName;
     BOOL reverseFavoritesSort;
@@ -214,24 +208,11 @@
 @property (readwrite, assign) NSInteger sshKeyLocationEnabled;
 @property (readwrite, retain) NSString *sshKeyLocation;
 @property (readwrite, retain) NSString *sshPort;
-@property (readwrite, copy, nonatomic) NSString *connectionKeychainID;
 @property (readwrite, retain) NSString *connectionKeychainItemName;
 @property (readwrite, retain) NSString *connectionKeychainItemAccount;
 @property (readwrite, retain) NSString *connectionSSHKeychainItemName;
 @property (readwrite, retain) NSString *connectionSSHKeychainItemAccount;
 @property (readwrite, assign) BOOL useCompression;
-/**
- * If the user was prompted to allow a connection with an insecure auth plugin,
- * the name of that plugin will be stored here (not persisted) so that we
- * don't have to ask again when duplicating a connection/reconnecting.
- */
-@property (readwrite, copy, nonatomic) NSString *agreedInsecurePlugin;
-/**
- * If the user has given a password that is not the keychain password in
- * the insecure auth plugin request, we will store it in memory and keep the
- * other properties unchanged, since they are connected to GUI and/or backing stores
- */
-@property (readwrite, copy, nonatomic) NSString *insecureOverridePassword;
 
 #ifdef SP_CODA
 @property (readwrite, assign) SPDatabaseDocument *dbDocument;
@@ -240,10 +221,6 @@
 @property (readonly, assign) BOOL isConnecting;
 @property (readonly, assign) BOOL isEditingConnection;
 
-- (NSString *)keychainPassword;
-- (NSString *)keychainPasswordForSSH;
-- (NSString *)actualPasswordForAuthPlugin:(NSString *)pluginName;
-
 // Connection processes
 - (IBAction)initiateConnection:(id)sender;
 - (IBAction)cancelConnection:(id)sender;
diff --git a/Source/SPConnectionController.m b/Source/SPConnectionController.m
index 8df37973..018ecf93 100644
--- a/Source/SPConnectionController.m
+++ b/Source/SPConnectionController.m
@@ -114,9 +114,6 @@ static BOOL FindLinesInFile(NSData *fileData,const void *first,size_t first_len,
 
 - (void)_documentWillClose:(NSNotification *)notification;
 
-- (void)_beginRequestPasswordForInsecurePlugin:(NSString *)pluginName;
-- (void)_insecurePasswordAlertDidEnd:(NSAlert *)alert returnCode:(NSInteger)returnCode contextInfo:(void *)contextInfo;
-
 static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2, void *key);
 #endif
 
@@ -166,14 +163,11 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 @synthesize sshKeyLocation;
 @synthesize sshPort;
 @synthesize useCompression;
-@synthesize agreedInsecurePlugin = agreedInsecurePlugin;
-@synthesize insecureOverridePassword = insecureOverridePassword;
 
 #ifdef SP_CODA
 @synthesize dbDocument;
 #endif
 
-@synthesize connectionKeychainID = connectionKeychainID;
 @synthesize connectionKeychainItemName;
 @synthesize connectionKeychainItemAccount;
 @synthesize connectionSSHKeychainItemName;
@@ -182,155 +176,6 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 @synthesize isConnecting;
 @synthesize isEditingConnection;
 
-- (NSString *)keychainPassword
-{
-	NSString *kcItemName = [self connectionKeychainItemName];
-	// If no keychain item is available, return an empty password
-	if (!kcItemName) return nil;
-
-	// Otherwise, pull the password from the keychain using the details from this connection
-	NSString *kcPassword = [keychain getPasswordForName:kcItemName account:[self connectionKeychainItemAccount]];
-
-	return kcPassword;
-}
-
-- (NSString *)keychainPasswordForSSH
-{
-	if (![self connectionKeychainItemName]) return nil;
-
-	// Otherwise, pull the password from the keychain using the details from this connection
-	NSString *kcSSHPassword = [keychain getPasswordForName:connectionSSHKeychainItemName account:connectionSSHKeychainItemAccount];
-
-	return kcSSHPassword;
-}
-
-/**
- * This method is responsible for handing the user password to SPMySQL when it needs it.
- * It will receive the name of the auth plugin mysql plans to use and with
- * that it has to decide whether to fetch the password from keychain, or present
- * additional prompts to the user (e.g. in case the auth plugin is insecure).
- *
- * Note: The 5.5 libmysqlclient on the first attempt ignores the requested plugin
- *       and tries to guess one instead. Only if that fails it will try to use
- *       the server's suggested one. Thus this method may be invoked multiple times
- *       during a single connection attempt.
- *
- * @return The actual user password to give to the mysql auth plugin.
- *         This may be empty (no password).
- *         This may be nil, which will be interpreted as "cancelled by user"
- *
- * This MUST be called on the UI thread!
- */
-- (NSString *)actualPasswordForAuthPlugin:(NSString *)pluginName
-{
-	NSArray *securePluginNames = @[
-		@"mysql_native_password", //default on 4.1+
-		//@"sha256_password", // not supported by the 5.5 client, only secure when used with TLS server cert checks!
-		                      //   over SSL: password is transmitted in plaintext
-		                      //   over plaintext: the mysql client uses assymetric crypto to encrypt the password and
-		                      //                   send the encrypted plaintext to the server (this requires the OpenSSL
-		                      //                   libs, so doesn't work with our client builds)
-	];
-	//INSECURE:
-	//  mysql_clear_password; Plaintext password
-	//  mysql_old_password;   Deprecated, used with pre-4.1 servers. No longer supported in 5.7.5+ clients
-	//UNSUPPORTED:
-	//  authentication_windows_client;   Kerberos/NTLM auth. Not supported on UNIX by libmysqlclient
-	//  authentication_ldap_sasl_client; MySQL Enterprise
-	//  auth_test_plugin;                Developer example only
-
-	// TODO incorporate SSL/TLS state in decision (cleartext over trusted SSL should be fine)
-	// This is not possible right now, because someone with access to the Mac could just swap the SSL CA cert
-	// and server ip to something he controls. So if Sequel Pro would just check that SSL was in use, it could
-	// still be attacked to easily give the password away.
-	// Instead we have to link all critical connection parameters (host+port+ssh-tunnel+ssl server or ca cert hash)
-	// to the password in keychain and make sure none of them changed before giving the password to libmysqlclient.
-
-	if(![securePluginNames containsObject:pluginName]) {
-		if(![pluginName isEqualToString:agreedInsecurePlugin]) {
-			// since the user will probably take longer to answer the dialog than the connection timeout is
-			// (and because the UI sheet is async anyway),
-			// we will do a little trick and disconnect mysql right now and retry, once we actually have the password
-			[self performSelector:@selector(_beginRequestPasswordForInsecurePlugin:) withObject:pluginName afterDelay:0.0];
-			cancellingConnection = YES;
-			return nil;
-		}
-	}
-
-	NSString *pass;
-	// override password always wins
-	if ((pass = [self insecureOverridePassword])) {
-		;
-	}
-	// Only set the password if there is no Keychain item set and the connection is not being tested.
-	// The connection will otherwise ask the delegate for passwords in the Keychain.
-	else if ((!connectionKeychainItemName || isTestingConnection) && (pass = [self password])) {
-		;
-	}
-	else {
-		pass = [self keychainPassword];
-	}
-
-	return (pass ? pass : @""); //returning nil would mean cancelled
-}
-
-- (void)_beginRequestPasswordForInsecurePlugin:(NSString *)pluginName
-{
-	// if the user presses "Disconnect" in the dialog OR
-	// if this was only a test connection OR
-	// if the connection failed anyway
-	// -> agreedInsecurePlugin will be cleared again via -_restoreConnectionInterface
-	[self setAgreedInsecurePlugin:pluginName];
-
-	//show modal warning dialog
-	NSAlert *alert = [[NSAlert alloc] init]; //released in alert callback
-	[alert setAlertStyle:NSAlertStyleCritical];
-	[alert setMessageText:NSLocalizedString(@"Transmit password insecurely?",@"Connection dialog : password security error alert : title")];
-	[alert setInformativeText:NSLocalizedString(@"The MySQL server has requested the password to be transmitted in an insecure manner. This could be indicative of an attack on the server or your network connection!\n\nIf you still want to continue anyway, manually reenter your connection password.",@"Connection dialog : password security error alert : detail message")];
-	[alert setAccessoryView:requestPasswordAccessoryView];
-
-	[requestPasswordPluginNameField setStringValue:pluginName];
-
-	NSButton *connectAnywayButton = [alert addButtonWithTitle:NSLocalizedString(@"Connect Anyway",@"Connection dialog : password security error alert : confirm button")];
-	[connectAnywayButton setTag:NSAlertDefaultReturn];
-
-	NSButton *disconnectButton = [alert addButtonWithTitle:NSLocalizedString(@"Disconnect",@"Connection dialog : password security error alert : cancel button")];
-	[disconnectButton setTag:NSAlertAlternateReturn];
-
-	[alert beginSheetModalForWindow:[dbDocument parentWindow]
-	                  modalDelegate:self
-	                 didEndSelector:@selector(_insecurePasswordAlertDidEnd:returnCode:contextInfo:)
-	                    contextInfo:NULL];
-}
-
-- (void)_insecurePasswordAlertDidEnd:(NSAlert *)alert returnCode:(NSInteger)returnCode contextInfo:(void *)contextInfo
-{
-	NSString *pass = nil;
-	if(returnCode == NSAlertDefaultReturn) {
-		pass = [NSString stringWithString:[requestPasswordPasswordField stringValue]];
-	}
-	[requestPasswordPasswordField setStringValue:@""];
-
-	[alert autorelease];
-
-	cancellingConnection = NO;
-
-	//cancelled by user?
-	if(!pass) {
-		[self _restoreConnectionInterface];
-		return;
-	}
-
-	// if the manually given password matches the keychain password there is no need to keep it in memory,
-	// otherwise we use the override password ivar in order to not affect the normal logic
-	if (!connectionKeychainItemName || ![pass isEqualToString:[self keychainPassword]]) {
-		[self setInsecureOverridePassword:pass];
-	}
-
-	[[pass retain] release]; //free it asap
-	[self initiateMySQLConnection]; //reconnect
-}
-
 #pragma mark -
 #pragma mark Connection processes
 
@@ -892,13 +737,11 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 #ifndef SP_CODA
 
 	// Clear the keychain referral items as appropriate
-	[self setConnectionKeychainID:nil];
+	if (connectionKeychainID) SPClear(connectionKeychainID);
 	if (connectionKeychainItemName) SPClear(connectionKeychainItemName);
 	if (connectionKeychainItemAccount) SPClear(connectionKeychainItemAccount);
 	if (connectionSSHKeychainItemName) SPClear(connectionSSHKeychainItemName);
 	if (connectionSSHKeychainItemAccount) SPClear(connectionSSHKeychainItemAccount);
-	[self setAgreedInsecurePlugin:nil];
-	[self setInsecureOverridePassword:nil];
 
 	SPTreeNode *node = [self selectedFavoriteNode];
 	if ([node isGroup]) node = nil;
@@ -961,7 +804,7 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 	}
 
 	// Store the selected favorite ID for use with the document on connection
-	if ([fav objectForKey:SPFavoriteIDKey]) [self setConnectionKeychainID:[[fav objectForKey:SPFavoriteIDKey] stringValue]];
+	if ([fav objectForKey:SPFavoriteIDKey]) connectionKeychainID = [[[fav objectForKey:SPFavoriteIDKey] stringValue] retain];
 
 	// And the same for the SSH password
 	connectionSSHKeychainItemName = [[keychain nameForSSHForFavoriteName:[fav objectForKey:SPFavoriteNameKey] id:[fav objectForKey:SPFavoriteIDKey]] retain];
@@ -1898,11 +1741,7 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 	// Reset the window title
 	[dbDocument updateWindowTitle:self];
 	[[dbDocument parentTabViewItem] setLabel:[dbDocument displayName]];
-
-	//only store that if the connection attempt was successful
-	[self setAgreedInsecurePlugin:nil];
-	[self setInsecureOverridePassword:nil];
-
+	
 	// Stop the current tab's progress indicator
 	[dbDocument setIsProcessing:NO];
 
@@ -2221,6 +2060,12 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 		}
 	}
 
+	// Only set the password if there is no Keychain item set and the connection is not being tested.
+	// The connection will otherwise ask the delegate for passwords in the Keychain.
+	if ((!connectionKeychainItemName || isTestingConnection) && [self password]) {
+		[mySQLConnection setPassword:[self password]];
+	}
+
 	// Enable SSL if set
 	if ([self useSSL]) {
 		[mySQLConnection setUseSSL:YES];
@@ -2262,11 +2107,6 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 	[mySQLConnection setUseKeepAlive:[[prefs objectForKey:SPUseKeepAlive] boolValue]];
 	[mySQLConnection setKeepAliveInterval:[[prefs objectForKey:SPKeepAliveInterval] floatValue]];
 
-	// We can always enable the cleartext plugin (this does not yet mean it will actually be used),
-	// since mysql will ask us for the password in -actualPasswordForAuthPlugin: at which point
-	// we get to decide what to do with the actual plugin.
-	[mySQLConnection setAllowCleartextPlugin:YES];
-
 	// Connect
 	[mySQLConnection connect];
 
@@ -2532,6 +2372,8 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 	for (NSUInteger i = 0; i < [toolbarItems count]; i++) [[toolbarItems objectAtIndex:i] setEnabled:YES];
 #endif
 
+	if (connectionKeychainID) [dbDocument setKeychainID:connectionKeychainID];
+
 	// Pass the connection to the table document, allowing it to set
 	// up the other classes and the rest of the interface.
 	[dbDocument setConnection:mySQLConnection];
@@ -3325,6 +3167,7 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 #endif
 
 		// Keychain references
+		connectionKeychainID = nil;
 		connectionKeychainItemName = nil;
 		connectionKeychainItemAccount = nil;
 		connectionSSHKeychainItemName = nil;
@@ -3778,13 +3621,11 @@ static NSComparisonResult _compareFavoritesUsingKey(id favorite1, id favorite2,
 
 	SPClear(nibObjectsToRelease);
 
-	[self setConnectionKeychainID:nil];
+	if (connectionKeychainID)             SPClear(connectionKeychainID);
 	if (connectionKeychainItemName)       SPClear(connectionKeychainItemName);
 	if (connectionKeychainItemAccount)    SPClear(connectionKeychainItemAccount);
 	if (connectionSSHKeychainItemName)    SPClear(connectionSSHKeychainItemName);
 	if (connectionSSHKeychainItemAccount) SPClear(connectionSSHKeychainItemAccount);
-	[self setAgreedInsecurePlugin:nil];
-	[self setInsecureOverridePassword:nil];
 
 #ifndef SP_CODA
 	if (currentFavorite) SPClear(currentFavorite);
diff --git a/Source/SPDatabaseDocument.h b/Source/SPDatabaseDocument.h
index c89f7847..de7dd55e 100644
--- a/Source/SPDatabaseDocument.h
+++ b/Source/SPDatabaseDocument.h
@@ -262,6 +262,8 @@
 	NSMutableArray *runningActivitiesArray;
 #endif
 
+	NSString *keyChainID;
+	
 #ifndef SP_CODA /* ivars */
 	NSThread *printThread;
 	
@@ -340,6 +342,7 @@
 #endif
 - (void)setConnection:(SPMySQLConnection *)theConnection;
 - (SPMySQLConnection *)getConnection;
+- (void)setKeychainID:(NSString *)theID;
 
 // Database methods
 - (IBAction)setDatabases:(id)sender;
@@ -448,6 +451,7 @@
 - (NSString *)port;
 - (NSString *)mySQLVersion;
 - (NSString *)user;
+- (NSString *)keyChainID;
 - (NSString *)connectionID;
 #ifndef SP_CODA /* method decls */
 - (NSString *)tabTitleForTooltip;
diff --git a/Source/SPDatabaseDocument.m b/Source/SPDatabaseDocument.m
index fe555241..2340b97e 100644
--- a/Source/SPDatabaseDocument.m
+++ b/Source/SPDatabaseDocument.m
@@ -119,6 +119,7 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 
 - (void) closeAndDisconnect;
 
+- (NSString *)keychainPasswordForConnection:(SPMySQLConnection *)connection;
 - (NSString *)keychainPasswordForSSHConnection:(SPMySQLConnection *)connection;
 
 @end
@@ -217,6 +218,8 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 		alterDatabaseCharsetHelper = nil; //init in awakeFromNib
 		addDatabaseCharsetHelper = nil;
 		
+		keyChainID = nil;
+
 #ifndef SP_CODA /* init ivars */
 		statusValues = nil;
 		printThread = nil;
@@ -610,6 +613,14 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 	return mySQLConnection;
 }
 
+/**
+ * Sets this connection's Keychain ID.
+ */ 
+- (void)setKeychainID:(NSString *)theId
+{
+	keyChainID = [[NSString stringWithString:theId] retain];
+}
+
 #pragma mark -
 #pragma mark Database methods
 
@@ -2852,6 +2863,11 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 	return thePort;
 }
 
+- (NSString *)keyChainID
+{
+	return keyChainID;
+}
+
 - (BOOL)isSaveInBundle
 {
 	return _isSavedInBundle;
@@ -4658,8 +4674,7 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 		}
 		[connection setObject:connectionType forKey:@"type"];
 
-		NSString *kcid = [connectionController connectionKeychainID];
-		if ([kcid length]) [connection setObject:kcid forKey:@"kcid"];
+		if ([[self keyChainID] length]) [connection setObject:[self keyChainID] forKey:@"kcid"];
 		[connection setObject:[self name] forKey:@"name"];
 		[connection setObject:[self host] forKey:@"host"];
 		[connection setObject:[self user] forKey:@"user"];
@@ -4671,7 +4686,7 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 			[connection setObject:[self database] forKey:@"database"];
 
 		if (includePasswords) {
-			NSString *pw = [connectionController keychainPassword];
+			NSString *pw = [self keychainPasswordForConnection:nil];
 			if (!pw) pw = [connectionController password];
 			if (pw) [connection setObject:pw forKey:@"password"];
 
@@ -4860,10 +4875,9 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 		[connectionController setSslCACertFileLocation:[connection objectForKey:@"sslCACertFileLocation"]];
 
 	// Set the keychain details if available
-	NSString *kcid = (NSString *)[connection objectForKey:@"kcid"];
-	if ([kcid length]) {
-		[connectionController setConnectionKeychainID:kcid];
-		[connectionController setConnectionKeychainItemName:[keychain nameForFavoriteName:[connectionController name] id:kcid]];
+	if ([connection objectForKey:@"kcid"] && [(NSString *)[connection objectForKey:@"kcid"] length]) {
+		[self setKeychainID:[connection objectForKey:@"kcid"]];
+		[connectionController setConnectionKeychainItemName:[keychain nameForFavoriteName:[connectionController name] id:[self keyChainID]]];
 		[connectionController setConnectionKeychainItemAccount:[keychain accountForUser:[connectionController user] host:[connectionController host] database:[connection objectForKey:@"database"]]];
 	}
 
@@ -4871,8 +4885,9 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 	if ([connection objectForKey:@"password"])
 		[connectionController setPassword:[connection objectForKey:@"password"]];
 	else {
-		NSString *pw = [connectionController keychainPassword];
-		if (pw) [connectionController setPassword:pw];
+		NSString *pw = [self keychainPasswordForConnection:nil];
+		if (pw)
+			[connectionController setPassword:pw];
 	}
 
 	// Set the socket details, whether or not the type is a socket
@@ -4895,8 +4910,8 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 	if ([connection objectForKey:@"ssh_password"])
 		[connectionController setSshPassword:[connection objectForKey:@"ssh_password"]];
 	else {
-		if ([kcid length]) {
-			[connectionController setConnectionSSHKeychainItemName:[keychain nameForSSHForFavoriteName:[connectionController name] id:kcid]];
+		if ([connection objectForKey:@"kcid"] && [(NSString *)[connection objectForKey:@"kcid"] length]) {
+			[connectionController setConnectionSSHKeychainItemName:[keychain nameForSSHForFavoriteName:[connectionController name] id:[self keyChainID]]];
 			[connectionController setConnectionSSHKeychainItemAccount:[keychain accountForSSHUser:[connectionController sshUser] sshHost:[connectionController sshHost]]];
 		}
 		NSString *sshpw = [self keychainPasswordForSSHConnection:nil];
@@ -7133,11 +7148,21 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 }
 
 /**
- * Invoked when the current connection needs a password.
+ * Invoked when the current connection needs a password from the Keychain.
  */
-- (NSString *)passwordForConnection:(SPMySQLConnection *)connection authPlugin:(NSString *)pluginName
+- (NSString *)keychainPasswordForConnection:(SPMySQLConnection *)connection
 {
-	return [[connectionController onMainThread] actualPasswordForAuthPlugin:pluginName];
+	// If no keychain item is available, return an empty password
+	if (![connectionController connectionKeychainItemName]) return nil;
+
+	// Otherwise, pull the password from the keychain using the details from this connection
+	SPKeychain *keychain = [[SPKeychain alloc] init];
+
+	NSString *password = [keychain getPasswordForName:[connectionController connectionKeychainItemName] account:[connectionController connectionKeychainItemAccount]];
+
+	[keychain release];
+
+	return password;
 }
 
 /**
@@ -7148,10 +7173,25 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 - (NSString *)keychainPasswordForSSHConnection:(SPMySQLConnection *)connection
 {
 	// If no keychain item is available, return an empty password
-	NSString *password = [connectionController keychainPasswordForSSH];
-	if (!password) return @"";
+	if (![connectionController connectionKeychainItemName]) return @"";
 
-	return password;
+	// Otherwise, pull the password from the keychain using the details from this connection
+	SPKeychain *keychain = [[SPKeychain alloc] init];
+
+	NSString *connectionSSHKeychainItemName = [[keychain nameForSSHForFavoriteName:[connectionController name] id:[self keyChainID]] retain];
+	NSString *connectionSSHKeychainItemAccount = [[keychain accountForSSHUser:[connectionController sshUser] sshHost:[connectionController sshHost]] retain];
+	NSString *sshPassword = [keychain getPasswordForName:connectionSSHKeychainItemName account:connectionSSHKeychainItemAccount];
+
+	if (!sshPassword || ![sshPassword length]) {
+		sshPassword = @"";
+	}
+
+	if (connectionSSHKeychainItemName) [connectionSSHKeychainItemName release];
+	if (connectionSSHKeychainItemAccount) [connectionSSHKeychainItemAccount release];
+
+	[keychain release];
+
+	return sshPassword;
 }
 
 /**
@@ -7714,6 +7754,7 @@ static int64_t SPDatabaseDocumentInstanceCounter = 0;
 	if (spfPreferences) SPClear(spfPreferences);
 	if (spfSession) SPClear(spfSession);
 	if (spfDocData) SPClear(spfDocData);
+	if (keyChainID) SPClear(keyChainID);
 	if (mainToolbar) SPClear(mainToolbar);
 	if (titleAccessoryView) SPClear(titleAccessoryView);
 	if (taskProgressWindow) SPClear(taskProgressWindow);
diff --git a/Source/SPDatabaseStructure.m b/Source/SPDatabaseStructure.m
index 99a274b0..9289b13b 100644
--- a/Source/SPDatabaseStructure.m
+++ b/Source/SPDatabaseStructure.m
@@ -258,7 +258,6 @@
 		goto cleanup_thread_and_pool;
 	}
 
-#if 0
 	// For future usage - currently unused
 	// If the affected item name and type - for example, table type and table name - were supplied, extract it.
 	NSString *affectedItem = nil;
@@ -270,7 +269,6 @@
 		else
 			affectedItem = nil;
 	}
-#endif
 
 	// Delete all stored data for the database to be updated, leaving the structure key
 	[queriedStructure removeObjectForKey:db_id];
@@ -444,11 +442,11 @@ cleanup_thread_and_pool:
 #pragma mark SPMySQLConnection delegate methods
 
 /**
- * Forward password requests to the database object.
+ * Forward keychain password requests to the database object.
  */
-- (NSString *)passwordForConnection:(id)connection authPlugin:(NSString *)pluginName
+- (NSString *)keychainPasswordForConnection:(id)connection
 {
-	return [delegate passwordForConnection:connection authPlugin:pluginName];
+	return [delegate keychainPasswordForConnection:connection];
 }
 
 #pragma mark -
diff --git a/Source/SPKeychain.m b/Source/SPKeychain.m
index 61b1f5a8..94b561c5 100644
--- a/Source/SPKeychain.m
+++ b/Source/SPKeychain.m
@@ -43,6 +43,15 @@
 	if (!(self = [super init])) {
 		return nil;
 	}
+	
+	NSString *cleartext = [NSProcessInfo processInfo].environment[@"LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN"];
+	if (cleartext != nil) {
+		NSLog(@"LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN is set. Disabling keychain access. See Issue #2437");
+		
+		[self release];
+		return nil;
+	}
+	
 	return self;
 }