anlicheng 2026-03-31 14:46:03 +08:00
parent 92f224e721
commit 2f354c94fb
2 changed files with 26 additions and 16 deletions


@ -755,11 +755,11 @@ actor SDLContextActor {
// //
private func setNetworkSettings(networkAddress: SDLConfiguration.NetworkAddress, dnsServer: String) async throws { private func setNetworkSettings(networkAddress: SDLConfiguration.NetworkAddress, dnsServer: String) async throws {
//
let routes: [NEIPv4Route] = [ let routes: [NEIPv4Route] = [
NEIPv4Route(destinationAddress: networkAddress.netAddress, subnetMask: networkAddress.maskAddress), NEIPv4Route(destinationAddress: networkAddress.netAddress, subnetMask: networkAddress.maskAddress),
NEIPv4Route(destinationAddress: dnsServer, subnetMask: "255.255.255.255"), NEIPv4Route(destinationAddress: dnsServer, subnetMask: "255.255.255.255"),
// TODO
NEIPv4Route(destinationAddress: "172.16.1.0", subnetMask: "255.255.255.0"), NEIPv4Route(destinationAddress: "172.16.1.0", subnetMask: "255.255.255.0"),
] ]


@ -50,7 +50,7 @@ final class SDLQUICClient {
options.securityProtocolOptions, options.securityProtocolOptions,
{ metadata, trust, complete in { metadata, trust, complete in
// //
complete(QUICVerifier.verify(trust: trust)) complete(QUICVerifier.verify(trust: trust, host: host))
}, },
self.queue self.queue
) )
@ -285,33 +285,43 @@ extension SDLQUICClient {
enum QUICVerifier { enum QUICVerifier {
// Base64 // Base64
static let pinnedPublicKeyHashes = [ static let pinnedPublicKeyHashes = [
"Z2S0VNhlCqelkqTXxZNY39icMu622SfKhxXi3qi5fFA=" "Q41r6hbMWEVyxo6heNAH4Wx/TH5NNOWlNif9bewcJ3E="
] ]
static func verify(trust: sec_trust_t) -> Bool { static func verify(trust: sec_trust_t, host: String) -> Bool {
let secTrust = sec_trust_copy_ref(trust).takeRetainedValue() let secTrust = sec_trust_copy_ref(trust).takeRetainedValue()
// --- 使 macOS 12+ API --- // --- Step 1: ---
// SecTrustCopyCertificateChain CFArray var error: CFError?
guard SecTrustEvaluateWithError(secTrust, &error) else {
SDLLogger.shared.log("❌ 系统证书验证失败: \(error?.localizedDescription ?? "未知错误")")
return false
}
// --- Step 2: ---
let policy = SecPolicyCreateSSL(true, host as CFString)
SecTrustSetPolicies(secTrust, policy)
guard SecTrustEvaluateWithError(secTrust, &error) else {
SDLLogger.shared.log("❌ 主机名校验失败: \(error?.localizedDescription ?? "未知错误")")
return false
}
// --- Step 3: ---
guard let chain = SecTrustCopyCertificateChain(secTrust) as? [SecCertificate], guard let chain = SecTrustCopyCertificateChain(secTrust) as? [SecCertificate],
let leafCertificate = chain.first else { let leafCertificate = chain.first else {
SDLLogger.shared.log("❌ 无法获取证书链或叶子证书") SDLLogger.shared.log("❌ 无法获取证书链或叶子证书")
return false return false
} }
// // --- Step 4: ---
guard let publicKey = SecCertificateCopyKey(leafCertificate) else { guard let publicKey = SecCertificateCopyKey(leafCertificate),
SDLLogger.shared.log("❌ 无法从证书中提取公钥") let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else {
SDLLogger.shared.log("❌ 无法提取公钥")
return false return false
} }
// (SubjectPublicKeyInfo) // --- Step 5: SHA256 ---
guard let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else {
SDLLogger.shared.log("❌ 无法导出公钥数据")
return false
}
//
let hash = SHA256.hash(data: publicKeyData) let hash = SHA256.hash(data: publicKeyData)
let hashBase64 = Data(hash).base64EncodedString() let hashBase64 = Data(hash).base64EncodedString()