From d976d159d0a4e5f41c898f3da87d99c97e87f11f Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Fri, 11 Oct 2019 21:52:55 +0200
Subject: [PATCH] Keychain: make verification errors only happen when we're
 sure it's due to not found

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 WireGuard/Shared/Keychain.swift                 | 2 +-
 WireGuard/WireGuard/Tunnel/TunnelsManager.swift | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/WireGuard/Shared/Keychain.swift b/WireGuard/Shared/Keychain.swift
index edc546d..3059c57 100644
--- a/WireGuard/Shared/Keychain.swift
+++ b/WireGuard/Shared/Keychain.swift
@@ -112,6 +112,6 @@ class Keychain {
     static func verifyReference(called ref: Data) -> Bool {
         return SecItemCopyMatching([kSecClass as String: kSecClassGenericPassword,
                                     kSecValuePersistentRef as String: ref] as CFDictionary,
-                                   nil) == errSecSuccess
+                                   nil) != errSecItemNotFound
     }
 }
diff --git a/WireGuard/WireGuard/Tunnel/TunnelsManager.swift b/WireGuard/WireGuard/Tunnel/TunnelsManager.swift
index ec1ea74..efee1e4 100644
--- a/WireGuard/WireGuard/Tunnel/TunnelsManager.swift
+++ b/WireGuard/WireGuard/Tunnel/TunnelsManager.swift
@@ -70,6 +70,7 @@ class TunnelsManager {
                 if let ref = passwordRef {
                     refs.insert(ref)
                 } else {
+                    wg_log(.info, message: "Removing orphaned tunnel with non-verifying keychain entry: \(tunnelManager.localizedDescription ?? "<unknown>")")
                     tunnelManager.removeFromPreferences { _ in }
                     tunnelManagers.remove(at: index)
                 }