commit 7c8032c22ba6270444d84604f33509a892293fcc Author: Nick Mathewson nickm@torproject.org Date: Fri Apr 27 11:51:48 2012 -0400

Bridges should never set the send_unencrypted flag on any of their descs

Fix for bug 5139. --- changes/bug5139 | 6 ++++++ src/or/router.c | 15 +++++++++------ 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/changes/bug5139 b/changes/bug5139 new file mode 100644 index 0000000..5cebc76 --- /dev/null +++ b/changes/bug5139 @@ -0,0 +1,6 @@ + o Minor features (bridges): + - Tag a bridge's descriptor as "never to be sent + unencrypted". This shouldn't matter, since bridges don't open + non-anonymous connections to the bridge authority and don't + allow unencrypted directory connections from clients, but we + might as well make sure. Closes bug 5139. diff --git a/src/or/router.c b/src/or/router.c index 4cdfd02..cba827d 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -1672,12 +1672,15 @@ router_rebuild_descriptor(int force)

ri->purpose = options->BridgeRelay ? ROUTER_PURPOSE_BRIDGE : ROUTER_PURPOSE_GENERAL; - ri->cache_info.send_unencrypted = 1; - /* Let bridges serve their own descriptors unencrypted, so they can - * pass reachability testing. (If they want to be harder to notice, - * they can always leave the DirPort off). */ - if (ei && !options->BridgeRelay) - ei->cache_info.send_unencrypted = 1; + if (options->BridgeRelay) { + /* Bridges shouldn't be able to send their descriptors unencrypted, + anyway, since they don't have a DirPort, and always connect to the + bridge authority anonymously. But just in case they somehow think of + sending them on an unencrypted connection, don't allow them to try. */ + ri->cache_info.send_unencrypted = ei->cache_info.send_unencrypted = 0; + } else { + ri->cache_info.send_unencrypted = ei->cache_info.send_unencrypted = 1; + }

router_get_router_hash(ri->cache_info.signed_descriptor_body, strlen(ri->cache_info.signed_descriptor_body),