karelia · mikeabdullah · Mar 11, 2015 · Mar 11, 2015 · Mar 11, 2015 · Mar 11, 2015
diff --git a/CK2SSHCredential.h b/CK2SSHCredential.h
@@ -75,8 +75,13 @@
 
 // Looks up a keychain entry for the private key's passphrase. Nil if none is stored
 - (NSURLCredential *)ck2_credentialForPrivateKeyAtURL:(NSURL *)privateKey user:(NSString *)user;
+
+// Save the private key passphrase into Keychain
 - (BOOL)ck2_setPrivateKeyCredential:(NSURLCredential *)credential;
 
+// Removed saved private key passphrase from Keychain
+- (BOOL)ck2_removePrivateKeyCredential:(NSURLCredential *)credential;
+
 @end
 
 

diff --git a/CK2SSHCredential.m b/CK2SSHCredential.m
@@ -50,7 +50,7 @@ - (id)initWithUser:(NSString *)user keychainItem:(SecKeychainItemRef)item;
 {
     NSParameterAssert(item);
 
-    if (self = [self initWithUser:user password:nil persistence:NSURLCredentialPersistencePermanent])
+    if (self = [self initWithUser:user password:@"" persistence:NSURLCredentialPersistencePermanent])
     {
         _keychainItem = item;
         CFRetain(_keychainItem);
@@ -61,7 +61,7 @@ - (id)initWithUser:(NSString *)user keychainItem:(SecKeychainItemRef)item;
 
 - (id)initWithUser:(NSString *)user;
 {
-    if (self = [self initWithUser:user password:nil persistence:NSURLCredentialPersistenceNone])
+    if (self = [self initWithUser:user password:@"" persistence:NSURLCredentialPersistenceNone])
     {
         _isPublicKey = YES;
     }
@@ -170,7 +170,7 @@ @implementation CK2GenericPasswordCredential
 
 - (id)initWithUser:(NSString *)user service:(NSString *)service;
 {
-    if (self = [self initWithUser:user password:nil persistence:NSURLCredentialPersistencePermanent])
+    if (self = [self initWithUser:user password:@"" persistence:NSURLCredentialPersistencePermanent])
     {
         _service = [service copy];
     }
@@ -226,7 +226,7 @@ + (NSURLCredential *)ck2_credentialWithUser:(NSString *)user
     NSParameterAssert(privateKey);
 
     CK2SSHCredential *result = [[CK2SSHCredential alloc] initWithUser:user
-                                                             password:nil
+                                                             password:@""
                                                           persistence:NSURLCredentialPersistenceNone];
 
     [result setPublicKeyURL:publicKey privateKeyURL:privateKey];
@@ -311,27 +311,30 @@ + (NSError *)ck2_keychainErrorWithCode:(OSStatus)code localizedOperationDescript
 
 @implementation NSURLCredentialStorage (CK2SSHCredential)
 
-- (SecKeychainItemRef)copyKeychainItemForPrivateKeyPath:(NSString *)privateKey;
+- (SecKeychainItemRef)copyKeychainItemForPrivateKeyURL:(NSURL *)privateKeyURL;
 {
-    NSString *service = @"SSH";
-    
+	NSString *service = [self ck2_SSHServiceNameForKeyAtURL:privateKeyURL];
+	
     SecKeychainItemRef result;
     OSStatus status = SecKeychainFindGenericPassword(NULL,
                                                      (UInt32) [service lengthOfBytesUsingEncoding:NSUTF8StringEncoding], [service UTF8String],
-                                                     (UInt32) [privateKey lengthOfBytesUsingEncoding:NSUTF8StringEncoding], [privateKey UTF8String],
+                                                     (UInt32) [privateKeyURL.path lengthOfBytesUsingEncoding:NSUTF8StringEncoding], [privateKeyURL.path UTF8String],
                                                      NULL, NULL,
                                                      &result);
 
     return (status == errSecSuccess ? result : NULL);
 }
 
+- (NSString *)ck2_SSHServiceNameForKeyAtURL:(NSURL *)privateKey {
+	return [NSString stringWithFormat:@"Sandvox SSH key passphrase: %@", privateKey.lastPathComponent];
+}
+
 - (NSURLCredential *)ck2_credentialForPrivateKeyAtURL:(NSURL *)privateKey user:(NSString *)user;
 {
     // Try fetching passphrase from the keychain
-    // The service & account name is entirely empirical based on what's in my keychain from SSH Agent
-    NSString *privateKeyPath = [privateKey path];
-
-    SecKeychainItemRef item = [self copyKeychainItemForPrivateKeyPath:privateKeyPath];
+    // The service & account name is entirely empirical based on what's in my keychain
+
+    SecKeychainItemRef item = [self copyKeychainItemForPrivateKeyURL:privateKey];
     if (!item) return nil;
 
     CK2SSHCredential *result = [[CK2SSHCredential alloc] initWithUser:user keychainItem:item];
@@ -347,15 +350,15 @@ - (BOOL)ck2_setPrivateKeyCredential:(NSURLCredential *)credential;
     if (persistence == NSURLCredentialPersistenceNone) return YES;
     if ([credential persistence] != NSURLCredentialPersistencePermanent) return YES;
 
-    NSString *privateKey = [[credential ck2_privateKeyURL] path];
+    NSURL *privateKeyURL = [credential ck2_privateKeyURL];
     NSString *password = [credential password];
 
-    if (privateKey && password)
+    if (privateKeyURL && password)
     {
         // Time to store the passphrase
-        NSString *service = @"SSH";
+        NSString *service = [self ck2_SSHServiceNameForKeyAtURL:[credential ck2_privateKeyURL]];
 
-        SecKeychainItemRef item = [self copyKeychainItemForPrivateKeyPath:privateKey];
+        SecKeychainItemRef item = [self copyKeychainItemForPrivateKeyURL:privateKeyURL];
 
         OSStatus status;
         if (item)
@@ -370,7 +373,7 @@ - (BOOL)ck2_setPrivateKeyCredential:(NSURLCredential *)credential;
         {
             status = SecKeychainAddGenericPassword(NULL,
                                                    (UInt32) [service lengthOfBytesUsingEncoding:NSUTF8StringEncoding], [service UTF8String],
-                                                   (UInt32) [privateKey lengthOfBytesUsingEncoding:NSUTF8StringEncoding], [privateKey UTF8String],
+                                                   (UInt32) [privateKeyURL.path lengthOfBytesUsingEncoding:NSUTF8StringEncoding], [privateKeyURL.path UTF8String],
                                                    (UInt32) [password lengthOfBytesUsingEncoding:NSUTF8StringEncoding], [password UTF8String],
                                                    NULL);
         }
@@ -380,7 +383,28 @@ - (BOOL)ck2_setPrivateKeyCredential:(NSURLCredential *)credential;
 
     return NO;
 }
+
+- (BOOL)ck2_removePrivateKeyCredential:(NSURLCredential *)credential
+{
+    BOOL result = NO;
+    NSURL *privateKeyURL = [credential ck2_privateKeyURL];
 
+    if (privateKeyURL)
+    {
+        SecKeychainItemRef item = [self copyKeychainItemForPrivateKeyURL:privateKeyURL];
+
+        if (item) {
+            OSStatus err = SecKeychainItemDelete(item);
+            if (err != noErr) {
+                NSLog(@"Problem deleting ssh key passphrase from keychain: %s", GetMacOSStatusErrorString(err));
+            }
+            result = (err == noErr);
+        }
+    }
+
+    return result;
+}
+
 @end
 
 

diff --git a/libcrypto.dylib b/libcrypto.dylib
diff --git a/libcrypto.dylib.dSYM/Contents/Resources/DWARF/libcrypto.dylib b/libcrypto.dylib.dSYM/Contents/Resources/DWARF/libcrypto.dylib
diff --git a/libssh2 b/libssh2
diff --git a/libssh2.dylib b/libssh2.dylib
diff --git a/libssh2.dylib.dSYM/Contents/Resources/DWARF/libssh2.dylib b/libssh2.dylib.dSYM/Contents/Resources/DWARF/libssh2.dylib
diff --git a/libssl.dylib b/libssl.dylib
diff --git a/libssl.dylib.dSYM/Contents/Resources/DWARF/libssl.dylib b/libssl.dylib.dSYM/Contents/Resources/DWARF/libssl.dylib
diff --git a/openssl b/openssl
diff --git a/openssl-build-include/openssl/aes.h b/openssl-build-include/openssl/aes.h
@@ -7,7 +7,7 @@
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
  *
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
@@ -50,98 +50,100 @@
  */
 
 #ifndef HEADER_AES_H
-#define HEADER_AES_H
+# define HEADER_AES_H
 
-#include <openssl/opensslconf.h>
+# include <openssl/opensslconf.h>
 
-#ifdef OPENSSL_NO_AES
-#error AES is disabled.
-#endif
+# ifdef OPENSSL_NO_AES
+#  error AES is disabled.
+# endif
 
-#include <stddef.h>
+# include <stddef.h>
 
-#define AES_ENCRYPT	1
-#define AES_DECRYPT	0
+# define AES_ENCRYPT     1
+# define AES_DECRYPT     0
 
-/* Because array size can't be a const in C, the following two are macros.
-   Both sizes are in bytes. */
-#define AES_MAXNR 14
-#define AES_BLOCK_SIZE 16
+/*
+ * Because array size can't be a const in C, the following two are macros.
+ * Both sizes are in bytes.
+ */
+# define AES_MAXNR 14
+# define AES_BLOCK_SIZE 16
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
 /* This should be a hidden type, but EVP requires that the size be known */
 struct aes_key_st {
-#ifdef AES_LONG
-    unsigned long rd_key[4 *(AES_MAXNR + 1)];
-#else
-    unsigned int rd_key[4 *(AES_MAXNR + 1)];
-#endif
+# ifdef AES_LONG
+    unsigned long rd_key[4 * (AES_MAXNR + 1)];
+# else
+    unsigned int rd_key[4 * (AES_MAXNR + 1)];
+# endif
     int rounds;
 };
 typedef struct aes_key_st AES_KEY;
 
 const char *AES_options(void);
 
 int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-	AES_KEY *key);
+                        AES_KEY *key);
 int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
-	AES_KEY *key);
+                        AES_KEY *key);
 
 int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-	AES_KEY *key);
+                                AES_KEY *key);
 int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
-	AES_KEY *key);
+                                AES_KEY *key);
 
 void AES_encrypt(const unsigned char *in, unsigned char *out,
-	const AES_KEY *key);
+                 const AES_KEY *key);
 void AES_decrypt(const unsigned char *in, unsigned char *out,
-	const AES_KEY *key);
+                 const AES_KEY *key);
 
 void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
-	const AES_KEY *key, const int enc);
+                     const AES_KEY *key, const int enc);
 void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
-	size_t length, const AES_KEY *key,
-	unsigned char *ivec, const int enc);
+                     size_t length, const AES_KEY *key,
+                     unsigned char *ivec, const int enc);
 void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
-	size_t length, const AES_KEY *key,
-	unsigned char *ivec, int *num, const int enc);
+                        size_t length, const AES_KEY *key,
+                        unsigned char *ivec, int *num, const int enc);
 void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
-	size_t length, const AES_KEY *key,
-	unsigned char *ivec, int *num, const int enc);
+                      size_t length, const AES_KEY *key,
+                      unsigned char *ivec, int *num, const int enc);
 void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
-	size_t length, const AES_KEY *key,
-	unsigned char *ivec, int *num, const int enc);
+                      size_t length, const AES_KEY *key,
+                      unsigned char *ivec, int *num, const int enc);
 void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
-	size_t length, const AES_KEY *key,
-	unsigned char *ivec, int *num);
+                        size_t length, const AES_KEY *key,
+                        unsigned char *ivec, int *num);
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
-	size_t length, const AES_KEY *key,
-	unsigned char ivec[AES_BLOCK_SIZE],
-	unsigned char ecount_buf[AES_BLOCK_SIZE],
-	unsigned int *num);
+                        size_t length, const AES_KEY *key,
+                        unsigned char ivec[AES_BLOCK_SIZE],
+                        unsigned char ecount_buf[AES_BLOCK_SIZE],
+                        unsigned int *num);
 /* NB: the IV is _two_ blocks long */
 void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
-		     size_t length, const AES_KEY *key,
-		     unsigned char *ivec, const int enc);
+                     size_t length, const AES_KEY *key,
+                     unsigned char *ivec, const int enc);
 /* NB: the IV is _four_ blocks long */
 void AES_bi_ige_encrypt(const unsigned char *in, unsigned char *out,
-			size_t length, const AES_KEY *key,
-			const AES_KEY *key2, const unsigned char *ivec,
-			const int enc);
+                        size_t length, const AES_KEY *key,
+                        const AES_KEY *key2, const unsigned char *ivec,
+                        const int enc);
 
 int AES_wrap_key(AES_KEY *key, const unsigned char *iv,
-		unsigned char *out,
-		const unsigned char *in, unsigned int inlen);
+                 unsigned char *out,
+                 const unsigned char *in, unsigned int inlen);
 int AES_unwrap_key(AES_KEY *key, const unsigned char *iv,
-		unsigned char *out,
-		const unsigned char *in, unsigned int inlen);
+                   unsigned char *out,
+                   const unsigned char *in, unsigned int inlen);
 
 
 #ifdef  __cplusplus
 }
 #endif
 
-#endif /* !HEADER_AES_H */
+#endif                          /* !HEADER_AES_H */