v0.6.0

@mangetoncompost mangetoncompost released this 30 Jun 22:28

Security

  • SAFECOOKIE on Tor control port: authentication now uses SAFECOOKIE (spec 193, HMAC-SHA256 challenge/response) instead of plain COOKIE. The cookie file is never sent in cleartext over the TCP socket.

  • Config integrity: torshield.json is signed with HMAC-SHA256 using a key stored in the macOS Keychain. Any external alteration is detected at load time, and the config resets to defaults instead of being silently applied.

  • Secure PRNG: rand_bytes() replaced by getrandom::fill(), which calls getentropy(2) directly on macOS. The previous clock fallback produced predictable MAC addresses on /dev/urandom failure.

  • ts_helper SUID - tee removed: /usr/bin/tee was in the SUID whitelist (GTFOBins: arbitrary root file write). Replaced by an internal write-pf-conf verb with /etc/pf.conf hardcoded in C and O_NOFOLLOW on open().

  • ensure_helper() - symlink attack: the helper binary is now compiled in /tmp under an unpredictable random name (O_CREAT|O_EXCL), and a symlink check runs after compilation, before elevation.

  • pf anchor - table placement: table <apple_relay> moved from anchor file into /etc/pf.conf. Tables in anchors cause silent boot failures on macOS.

  • user.js strip(): exact prefix match on user_pref("...") lines only; it no longer removes comments or third-party prefs.

  • CanvasBlocker downloaded via Tor: XPI now fetched through socks5h://127.0.0.1:9050.