Ensure node is a guard candidate when picking a directory guard
authorArlo Breault <arlolra@gmail.com>
Tue, 8 Dec 2015 04:28:26 +0000 (20:28 -0800)
committerNick Mathewson <nickm@torproject.org>
Tue, 8 Dec 2015 14:49:01 +0000 (09:49 -0500)
changes/bug17772 [new file with mode: 0644]
src/or/routerlist.c

diff --git a/changes/bug17772 b/changes/bug17772
new file mode 100644 (file)
index 0000000..54d457c
--- /dev/null
@@ -0,0 +1,7 @@
+  o Major bugfixes (guard selection):
+    - Actually look at the Guard flag when selecting a new directory
+      guard. When we implemented the directory guard design, we
+      accidentally started treating all relays as if they have the Guard
+      flag during guard selection, leading to weaker anonymity and worse
+      performance. Fixes bug 17222; bugfix on 0.2.4.8-alpha. Discovered
+      by Mohsen Imani.
index 8fe496b51eee2dda24a64c811a09ea43f546398f..9ad763c4d18f99074322994879851b0448062038 100644 (file)
@@ -1537,8 +1537,14 @@ router_pick_directory_server_impl(dirinfo_type_t type, int flags)
     if ((type & MICRODESC_DIRINFO) && !is_trusted &&
         !node->rs->version_supports_microdesc_cache)
       continue;
-    if (for_guard && node->using_as_guard)
-      continue; /* Don't make the same node a guard twice. */
+    /* Don't make the same node a guard twice */
+    if (for_guard && node->using_as_guard) {
+      continue;
+    }
+    /* Ensure that a directory guard is actually a guard node. */
+    if (for_guard && !node->is_possible_guard) {
+      continue;
+    }
     if (try_excluding &&
         routerset_contains_routerstatus(options->ExcludeNodes, status,
                                         country)) {
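Review bot: The new `if (for_guard && !node->is_possible_guard)` filter lands without a regression test in this commit, and the changes entry says the missing check went unnoticed since 0.2.4.8-alpha. A unit test that offers a mix of Guard-flagged and unflagged directory caches, and asserts that a for-guard pick never returns an unflagged node, would keep it from silently regressing again. The comment above the check could also record why it matters, e.g. `/* Directory guards must have the Guard flag; otherwise every directory cache is a guard candidate, which weakens anonymity. */`. The loop and the rest of router_pick_directory_server_impl lie outside the hunk, so it is worth confirming what the caller gets when this filter rejects every candidate (presumably a NULL result or a retry), and that no fallback path re-admits unflagged nodes for guard use.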