fix

2026-03-31 14:46:03 +08:00 · 2026-03-31 14:46:03 +08:00 · 2f354c94fb
commit 2f354c94fb
parent 92f224e721
2 changed files with 26 additions and 16 deletions
--- a/Tun/Punchnet/Actors/SDLContextActor.swift
+++ b/Tun/Punchnet/Actors/SDLContextActor.swift
@ -755,11 +755,11 @@ actor SDLContextActor {
    
    // 网络改变时需要重新配置网络信息
    private func setNetworkSettings(networkAddress: SDLConfiguration.NetworkAddress, dnsServer: String) async throws {
+        // 配置路由规则
        let routes: [NEIPv4Route] = [
            NEIPv4Route(destinationAddress: networkAddress.netAddress, subnetMask: networkAddress.maskAddress),
            NEIPv4Route(destinationAddress: dnsServer, subnetMask: "255.255.255.255"),
            
-            // TODO测试代码
            NEIPv4Route(destinationAddress: "172.16.1.0", subnetMask: "255.255.255.0"),
        ]
        
--- a/Tun/Punchnet/Actors/SDLQuicClient.swift
+++ b/Tun/Punchnet/Actors/SDLQuicClient.swift
@ -50,7 +50,7 @@ final class SDLQUICClient {
            options.securityProtocolOptions,
            { metadata, trust, complete in
                // 执行公钥校验
-                complete(QUICVerifier.verify(trust: trust))
+                complete(QUICVerifier.verify(trust: trust, host: host))
            },
            self.queue
        )
@ -285,33 +285,43 @@ extension SDLQUICClient {
    enum QUICVerifier {
        // 你的 Base64 公钥指纹
        static let pinnedPublicKeyHashes = [
-            "Z2S0VNhlCqelkqTXxZNY39icMu622SfKhxXi3qi5fFA="
+            "Q41r6hbMWEVyxo6heNAH4Wx/TH5NNOWlNif9bewcJ3E="
        ]
        
-        static func verify(trust: sec_trust_t) -> Bool {
+        static func verify(trust: sec_trust_t, host: String) -> Bool {
            let secTrust = sec_trust_copy_ref(trust).takeRetainedValue()
            
-            // --- 修复部分：使用 macOS 12+ 的新 API ---
-            // SecTrustCopyCertificateChain 会返回一个 CFArray，包含整个证书链
+            // --- Step 1: 系统验证 ---
+            var error: CFError?
+            guard SecTrustEvaluateWithError(secTrust, &error) else {
+                SDLLogger.shared.log("❌ 系统证书验证失败: \(error?.localizedDescription ?? "未知错误")")
+                return false
+            }
+            
+            // --- Step 2: 主机名验证 ---
+            let policy = SecPolicyCreateSSL(true, host as CFString)
+            SecTrustSetPolicies(secTrust, policy)
+            
+            guard SecTrustEvaluateWithError(secTrust, &error) else {
+                SDLLogger.shared.log("❌ 主机名校验失败: \(error?.localizedDescription ?? "未知错误")")
+                return false
+            }
+            
+            // --- Step 3: 获取叶子证书 ---
            guard let chain = SecTrustCopyCertificateChain(secTrust) as? [SecCertificate],
                  let leafCertificate = chain.first else {
                SDLLogger.shared.log("❌ 无法获取证书链或叶子证书")
                return false
            }
            
-            // 提取公钥
-            guard let publicKey = SecCertificateCopyKey(leafCertificate) else {
-                SDLLogger.shared.log("❌ 无法从证书中提取公钥")
+            // --- Step 4: 提取公钥 ---
+            guard let publicKey = SecCertificateCopyKey(leafCertificate),
+                  let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else {
+                SDLLogger.shared.log("❌ 无法提取公钥")
                return false
            }
            
-            // 导出公钥原始数据 (SubjectPublicKeyInfo)
-            guard let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else {
-                SDLLogger.shared.log("❌ 无法导出公钥数据")
-                return false
-            }
-
-            // 计算哈希并比对
+            // --- Step 5: SHA256 校验 ---
            let hash = SHA256.hash(data: publicKeyData)
            let hashBase64 = Data(hash).base64EncodedString()