Allow bridge descriptors to contain no address if they are not being published

To strengthen an "isolating proxy"-style approach to client security, I'd like to allow a Tor bridge node to not reveal its external address(es) in its bridge descriptor. The following patch leaves the address as 0.0.0.0 when it's not going to be published:

diff --git a/src/or/router.c b/src/or/router.c
index 1063eda..30749b9 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -1772,7 +1772,7 @@ router_rebuild_descriptor(int force)
 {
   routerinfo_t *ri;
   extrainfo_t *ei;
-  uint32_t addr;
+  uint32_t addr = 0;
   char platform[256];
   int hibernating = we_are_hibernating();
   const or_options_t *options = get_options();
@@ -1780,11 +1780,16 @@ router_rebuild_descriptor(int force)
   if (desc_clean_since && !force)
     return 0;
 
-  if (router_pick_published_address(options, &addr) < 0 ||
-      router_get_advertised_or_port(options) == 0) {
+  /* If we're not trying to publish our descriptor, it's OK to use 0.0.0.0
+   * as the address therein.
+   */
+  if ((options->PublishServerDescriptor_ != NO_DIRINFO) &&
+      (router_pick_published_address(options, &addr) < 0 ||
+       router_get_advertised_or_port(options) == 0)) {
     /* Stop trying to rebuild our descriptor every second. We'll
      * learn that it's time to try again when ip_address_changed()
      * marks it dirty. */

Trac:
Username: nwf