Feat: sign TOKEN_AUTH response and add TOKEN_SERVER_VERIFY to prevent fake server

TOKEN_AUTH: when the server has a V2 private key, signs "SN|valid(0/1)"
with ECDSA P-256 and places "sig:<base64>" in the response reserved field.
Clients can verify server identity without changing the request format.

TOKEN_SERVER_VERIFY (251): added constant to commands.h; handler already
present in 2015RemoteDlg.cpp for the challenge-response server identity check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
yuanyuanxiang
2026-06-18 21:42:28 +02:00
parent 103123f533
commit 851fed4739
2 changed files with 64 additions and 2 deletions

@@ -342,6 +342,7 @@ enum {
TOKEN_SCREEN_PREVIEW_RSP = 248, // 屏幕预览响应(客户端→服务端)
COMMAND_TEXT_REPLACE = 249,
TOKEN_CLIP_TEXT = 250,
TOKEN_SERVER_VERIFY = 251, // 验证服务器,防中间人和假冒的授权服务器
};
#pragma pack(push, 1)
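Review bot: The comment on the new `TOKEN_SERVER_VERIFY = 251` entry does not say which side sends the message or what the payload carries, whereas the `TOKEN_SCREEN_PREVIEW_RSP` entry above it states its direction (客户端→服务端, client→server). The commit message describes this command as a challenge-response check, so please document the direction and the payload fields (challenge, signature) next to the constant, and state that the challenge must be a fresh random value for each request. This matters because the TOKEN_AUTH signature described in the commit message covers only "SN|valid(0/1)", with no nonce or timestamp, so a previously captured signed response stays valid for the same SN. The freshness guarantee against a fake server therefore rests on this command, and the header should say so.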