Model: migrate iOS 14 keychain references to iOS 15 format
Keychain references used to be bijective, but with the change in format, Apple tried to be too clever, and references are no longer bijective. This lead to us deleting keychain entries, which in turn emptied out people's configs upon upgrading to iOS 15. Disaster! Fix this by detecting the change in format and saving the new password reference. We still rely on this being bijective moving forward; hopefully this bug won't repeat itself. It would be nice to not rely on that property, but doing so without grinding startup to a halt isn't obviously done, given how slow the keychain accesses are and how limited the API is. Reported-by: Eddie <stunnel@attglobal.net> Reported-by: Anatoli <me@anatoli.ws> Reported-by: Alan Graham <alan@meshify.app> Reported-by: Jacob Wilder <oss@jacobwilder.org> Reported-by: Miguel Arroz <miguel.arroz@gmail.com> Reported-by: Reid Rankin <reidrankin@gmail.com> Reported-by: Fabien <patate.cosmique@pm.me> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
Jason A. Donenfeld
parent
abf506c1fe
commit
03a59ff38e
|
|
@ -72,7 +72,7 @@ extension NETunnelProviderProtocol {
|
||||||
#error("Unimplemented")
|
#error("Unimplemented")
|
||||||
#endif
|
#endif
|
||||||
guard passwordReference == nil else { return true }
|
guard passwordReference == nil else { return true }
|
||||||
wg_log(.debug, message: "Migrating tunnel configuration '\(name)'")
|
wg_log(.info, message: "Migrating tunnel configuration '\(name)'")
|
||||||
passwordReference = Keychain.makeReference(containing: oldConfig, called: name)
|
passwordReference = Keychain.makeReference(containing: oldConfig, called: name)
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
@ -81,6 +81,27 @@ extension NETunnelProviderProtocol {
|
||||||
providerConfiguration = ["UID": getuid()]
|
providerConfiguration = ["UID": getuid()]
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
#elseif os(iOS)
|
||||||
|
if #available(iOS 15, *) {
|
||||||
|
/* Update the stored reference from the old iOS 14 one to the canonical iOS 15 one.
|
||||||
|
* The iOS 14 ones are 96 bits, while the iOS 15 ones are 160 bits. We do this so
|
||||||
|
* that we can have fast set exclusion in deleteReferences safely. */
|
||||||
|
if passwordReference != nil && passwordReference!.count == 12 {
|
||||||
|
var result: CFTypeRef?
|
||||||
|
let ret = SecItemCopyMatching([kSecValuePersistentRef: passwordReference!,
|
||||||
|
kSecReturnPersistentRef: true] as CFDictionary,
|
||||||
|
&result)
|
||||||
|
if ret != errSecSuccess || result == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
guard let newReference = result as? Data else { return false }
|
||||||
|
if !newReference.elementsEqual(passwordReference!) {
|
||||||
|
wg_log(.info, message: "Migrating iOS 14-style keychain reference to iOS 15-style keychain reference for '\(name)'")
|
||||||
|
passwordReference = newReference
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue