Keychain: Use app group when dereferencing a password reference

Co-authored-by: Davide De Rosa <keeshux@gmail.com>

Better to retain the access group every time the keychain is written to or
read from; there is no good reason to omit it. Requires the Keychain
method to be reverted to non-static.

Partially revert 4490f0c116, based
on wrong assumptions about password references.
Roopesh Chander 2021-02-08 00:50:11 +05:30 committed by Davide De Rosa
parent 4114605520
commit 2b3eb5412c
2 changed files with 8 additions and 7 deletions


@ -201,12 +201,10 @@ public class Keychain {
- Returns: The password for the input username and reference.
- Throws: `KeychainError.notFound` if unable to find the password in the keychain.
**/
public static func password(for username: String, reference: Data, context: String? = nil) throws -> String {
public func password(for username: String, reference: Data, context: String? = nil) throws -> String {
var query = [String: Any]()
setScope(query: &query, context: context)
query[kSecClass as String] = kSecClassGenericPassword
if let context = context {
query[kSecAttrService as String] = context
}
query[kSecAttrAccount as String] = username
query[kSecMatchItemList as String] = [reference]
query[kSecReturnData as String] = true
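Review bot: The doc comment tail (`- Returns:`/`- Throws:` lines) does not say that the lookup is now scoped by the instance, even though turning the method into an instance method is the whole point of the change; add a line such as `- Note: The lookup is scoped to this instance's access group (via setScope), so a reference stored under a different group resolves to KeychainError.notFound.` (hedged on what setScope actually writes, which is outside the hunk). Also, `setScope(query: &query, context: context)` is handed the context and then `kSecAttrService` is set from the same context two lines later; if setScope already writes the service attribute the `if let context` block is redundant, and if it does not, moving the assignment into setScope would keep the read and write paths agreeing on how a context is mapped into the query. The body of `password(for:reference:context:)` continues outside the hunk, so the actual SecItemCopyMatching call and error mapping are not visible here.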


@ -212,9 +212,12 @@ open class OpenVPNTunnelProvider: NEPacketTunnelProvider {
// optional credentials
let credentials: OpenVPN.Credentials?
if let username = protocolConfiguration.username, let passwordReference = protocolConfiguration.passwordReference,
let password = try? Keychain.password(for: username, reference: passwordReference) {
if let username = protocolConfiguration.username, let passwordReference = protocolConfiguration.passwordReference {
let keychain = Keychain(group: appGroup)
guard let password = try? keychain.password(for: username, reference: passwordReference) else {
completionHandler(ProviderConfigurationError.credentials(details: "keychain.password(for:, reference:)"))
return
}
credentials = OpenVPN.Credentials(username, password)
} else {
credentials = nil