bug 4115: make bridges use begindir for their dir fetches
authorRoger Dingledine <arma@torproject.org>
Wed, 28 Sep 2011 18:50:43 +0000 (14:50 -0400)
committerRoger Dingledine <arma@torproject.org>
Wed, 28 Sep 2011 18:50:43 +0000 (14:50 -0400)
removes another avenue for enumerating bridges.

changes/bug4115 [new file with mode: 0644]
src/or/directory.c

diff --git a/changes/bug4115 b/changes/bug4115
new file mode 100644 (file)
index 0000000..626791a
--- /dev/null
@@ -0,0 +1,7 @@
+  o Security fixes:
+    - Bridge relays now do their directory fetches inside Tor TLS
+      connections, like all the other clients do, rather than connecting
+      directly to the DirPort like public relays do. Removes another
+      avenue for enumerating bridges. Fixes part of bug 4115; bugfix
+      on 0.2.0.35.
+
index 52fec6b61ad2184a0367ace347ab97ed400065f2..e3cc70f91fe40c18e124c78f8f319fe85a46570d 100644 (file)
@@ -785,8 +785,7 @@ directory_command_should_use_begindir(or_options_t *options,
     return 0; /* We don't know an ORPort -- no chance. */
   if (!anonymized_connection)
     if (!fascist_firewall_allows_address_or(addr, or_port) ||
-        directory_fetches_from_authorities(options) ||
-        (server_mode(options) && !options->Address))
+        directory_fetches_from_authorities(options))
       return 0; /* We're firewalled or are acting like a relay -- also no. */
   if (!options->TunnelDirConns &&
       router_purpose != ROUTER_PURPOSE_BRIDGE)
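Review bot: At the `if (!anonymized_connection)` test, whether a bridge still connects straight to a DirPort now rests entirely on `directory_fetches_from_authorities(options)` returning 0 for every bridge configuration, and nothing in the hunk states or enforces that. That function's body is outside this diff, so if any option can make it return nonzero on a bridge, the bridge would still reach `return 0` and keep the direct fetch this change is meant to remove; that should be confirmed against the function. I would document the invariant above the test, e.g. `/* Bridges must not take this path: a direct DirPort fetch sets them apart from clients (bug 4115). */`, and reword the trailing comment to `/* We're firewalled or fetch from the authorities like a public relay -- also no. */`. The enclosing function starts and ends outside the hunk.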