Simplify DirFilter API

See merge request nickm/arti!1

This means you can write a DirFilter and only write code to mess with
the bits you want to.

Also, it is less code here.

There are two reasons why the DynFilter newtype might be needed:

1. To impl Default.  But we don't need it to impl Default since we can
have an accessor which does the defaulting.

2. To hide the API.  But this is usrely an unstable API.

Just writing Arc<dyn> gets rid of a lot of unnecessary boilerplate and
conversion code.

Abolish the handwritten Debug impl for DynFilter, which is no longer
needed.

This will make it possible to implement a directory-munging
mechanism in arti-testing for #397.

This code sits behind a feature flag, and can be used to modify
directories before storing them.  This is part of the implementation
for #397.

tor-proto: add the ability to learn clock skew from NETINFO cells

See merge request tpo/core/arti!410

We now check the handshake certificates unconditionally, and only
report them as _expired_ as a last resort.

(Rationale: if somebody is presenting the wrong identity from a year
ago, it is more interesting that they are presenting the wrong ID
than it is that they are doing so with an expired cert.

We also now report a different error if the certificate is expired,
but its expiration is within the range of reported clock skew.

(Rationale: it's helpful to distinguish this case, so that we can
blame the failure on possible clock skew rather than definitely
attributing it to a misbehaving relay.)

Part of #405.

NETINFO cells, which are sent in every handshake, may contain
timestamps.  This patch adds an accessor for the timestamp in the
Netinfo messages, and teaches the tor-proto code how to compute the
minimum clock skew in the code.

The computation isn't terribly precise, but it doesn't need to be:
Tor should work fine if your clock is accurate to within a few
hours.

This patch also notes a Y2038 problem in the protocol: see
torspec#80.

Part of #405.

Move SystemConfig to arti::cfg

Closes #418 and #314

See merge request tpo/core/arti!427

Expand documentation for isolation traits

See merge request tpo/core/arti!420

Change rules for retrying guards (and marking them broken)

See merge request tpo/core/arti!426

Adjust a comment

See merge request tpo/core/arti!428

Noticed this while reviewing !426

Pattern bindings after `@` weren't stabilized then :/

Fixes #314, #418.

Move almost all of the rest of options.rs to arti crate

See merge request tpo/core/arti!425

Some error types indicate that the guard has failed as a dircache.
We should treat these errors as signs to close the circuit, and to
mark the guard as having failed.

We'll need this so that we can say "This guard behaved bogusly
as a directory cache; try somebody else."

This commit refactors the dirclient error type into two cases:
errors when constructing a circuit, and errors that occur once we
already have a one-hop circuit.  The latter can usually be
attributed to the specific cache we're talking to.

This commit also adds a function to expose the information about
which directory gave us the info.

We already have the ability to get peer information from ChanMgr
errors, and therefore from any RetryErrors that contain ChanMgr
errors.

This commit adds optional peer information to tor-proto errors, and
a function to expose whatever peer information is available.

It'll soon more convenient to pass in FallbackDirs as a slice of
references, rather than just a slice of FallbackDirs: I'm going to
be changing how we handle these in tor-dirmgr.

If all guards are down and they won't be retriable for a while, try
waiting that long to get whichever guard _is_ retriable.

Additionally, if we are making multiple circuit plans in parallel,
only report our planning as having failed if we failed at making
_all_ the plans.  Previously we treated any failure as fatal for the
other plans, which could lead to trouble in the case when guards
were all down or pending.

Part of #407.

When all guards are down, we would previously mark them all as up,
and retry aggressively.  But that's far too aggressive: if there's
something wrong with our ability to connect to guards, it makes us
hammer the network over and over, ignoring all the guard retry
timeouts in practice.

Instead,
  * We now allow the `pick_guard()` function to fail without
    automatically retrying.
  * We give different errors in the cases when all our guards are
    down, and when all of the guards selected by our active usage
    are down.
  * Our "guards are down" error includes the time at which a guard
    will next be retriable.

This is part of #407.

C tor used one schedule, and guard-spec specified another.  But in
reality we should probably use a randomized schedule to retry
guards, for the reasons explained in the documentation for
RetrySchedule.

I've chosen the minima to be not too far from our previous minima
for primary and non-primary guards.

This is part of #407.

UdpSocket: remove support for connect().

Closes #410

See merge request tpo/core/arti!424

Code motion and import fixups.

Making these fields pub(crate) is quite reasonable and does away with
the need for accessors.

We put this in cfg.rs, rather than (say) socks.rs, because it has
config relating to both socks.rs and dns.rs.

Code motion and import fixups.

Combine logging config and implementation in arti lib crate

See merge request tpo/core/arti!421

This was clumsy.  Now it is brought together it can be simplified.