1. 28 Oct, 2021 16 commits
  2. 27 Oct, 2021 8 commits
    • Nick Mathewson's avatar
      tor_circmgr: Refactor and re-enable build_timeout() test · b7c7c8ba
      Nick Mathewson authored
      The previous version of this test used the old, racy version of
      wait_for (see #149).  The new version is refactored so that
      simulated time is only allowed to advance after each step is done,
      so that we can actually be sure that each step in the process will
      happen as it should.
      In order to get the time-advances to proceed properly, and avoid
      polluting state between tests, I've had to introduce some machinery
      to encode the proper amount for time to advance.  It isn't something
      I'd want to use for a whole bunch of tests, but for just one set,
      it's fine.
      These tests now pass reliably for me.
      I wonder if a discrete-event-simulation approach (hello, Shadow)
      would let us write tests like these to our hearts' content?
    • Nick Mathewson's avatar
      Small FAQ update. · 3c82666d
      Nick Mathewson authored
    • Nick Mathewson's avatar
      Add missing entries to Architecture.md · 01894dcd
      Nick Mathewson authored
    • Nick Mathewson's avatar
      Upgrade to fslock version 0.2 · 2fae63b5
      Nick Mathewson authored
      This version makes all locks per-handle rather than per-process, by
      moving from lockf() to flock() on unix.
    • eta's avatar
      Improve and future-proof the `arti` CLI · 4fa0122d
      eta authored
      This switches out `arti`'s argument-parsing library with `clap`, which
      is a lot more featureful (and very widely used within the Rust
      ecosystem). We also now use a lot of `clap`'s features to improve the
      CLI experience:
      - The CLI now expects a subcommand (currently, either "help", or "proxy"
        for the existing SOCKS proxy behaviour). This should let us add
        additional non-SOCKS-proxy features to arti in future.
      - `clap` supports default values determined at runtime, so the way the
        default config file is loaded was changed: now, we determine the
        OS-specific path for said file before invoking `clap`, so the help
        command can show it properly.
        - The behaviour of `tor_config` was also changed; now, one simply
          specifies a list of configuration files to load, together with
          whether they're required.
        - That function also way overused generics; this has been fixed.
      - Instead of using the ARTI_LOG environment variable to configure
        logging, one now uses th...
    • Nick Mathewson's avatar
    • eta's avatar
      Add Futureproof<T> wrapper type, use for GuardDisabled enum · 5a4db67b
      eta authored
      The Futureproof<T> type lets you serialize and deserialize types whose
      representations might change (most useful for enums that might grow
      additional variants). It uses #[serde(untagged)] to accomplish this.
      This gets used in order to make the `disabled` field of `Guard` more
      robust against future guard disablement reasons being added.
      A test was also added to verify correct behaviour of the new type.
    • eta's avatar
      Add #[serde(flatten)] HashMap fields to serializable objects · 7a931b4d
      eta authored
      As per arti#175, we'd like to be able to handle newer Arti versions
      storing additional state in the persisted state files, without dropping
      this data on the floor when we write out changes to these files.
      Use the #[serde(flatten)] mechanism to achieve this, by adding catch-all
      HashMap<String, JsonValue> fields to all structs that are at risk of
      this happening to them.
  3. 26 Oct, 2021 13 commits
    • Nick Mathewson's avatar
      Fix some clippy-nightly warnings. · e64177d9
      Nick Mathewson authored
      These are my fault; I merged the wrong version of !102. :p
    • Nick Mathewson's avatar
    • Nick Mathewson's avatar
      circmgr: Split request_timeout test into two. · c6a1bcaa
      Nick Mathewson authored
      There seems to be some issue here with the new WaitFor code,
      where using the same MockSleepProvider with both of these wait_for()
      calls gives questionable behavior under some circumstances (like
      when running under Tarpaulin with the wrong set of flags).
    • Nick Mathewson's avatar
    • Nick Mathewson's avatar
      Merge branch 'pb_lite_squashed' · da450086
      Nick Mathewson authored
    • Nick Mathewson's avatar
      Avoid a strange borrow syntax in tor_guardmgr::sample · 682f31b1
      Nick Mathewson authored
      I'm not sure what I was thinking here.
    • Nick Mathewson's avatar
      Do not blame a guard for failures on non-random circuits. · 72ebaed1
      Nick Mathewson authored
      We must not apply our new path-bias behavior (where we blame a guard
      if it gives us too many indeterminate circuit failures) if the path
      was not chosen at random.  If too many random paths fail, we know
      that's suspicious, since the other relays are a random sample.  But
      if a bunch of user-provided paths fail, that could simply be because
      the user's chosen exit is down.
    • Nick Mathewson's avatar
      Implement a "lightweight" form of pathbias detection. · 8c69b5d3
      Nick Mathewson authored
      We now track, for every guard: the total number of successful
      circuits we've built through it, along with the total number of
      "indeterminate" circuits.
      Recall that a circuit's status is "indeterminate" if it has failed
      for a reason that _might_ be the guard's fault, or might not be the
      guard's fault.  For example, if extending to the second hop of the
      circuit fails, we have no way to know whether the guard deliberately
      refused to connect there, or whether the second hop is just offline.
      But we don't want to forgive all indeterminate circuit failures: if
      we did, then a malicious guard could simply reject any second hops
      that it didn't like, thereby filtering the client into a chosen
      set of circuits.
      As a stopgap solution, this patch now makes guards become
      permanently disabled if the fraction of their circuit failures
      becomes too high.
      See also general-purpose path bias selection (arti#65), and Mike's
      idea for changing the guard reachability definition (torspec#67).
      This patch doesn't do either of those.
      Closes #185.
    • eta's avatar
      Overhaul the way WaitFor and the MockSleepProvider work · e8419abd
      eta authored
      Instead of racily advancing time forward, this commit attempts to rework
      how WaitFor works, such that it makes advances when all sleeper futures
      that have been created have been polled (by handing the MockSleepRuntime
      a Waker with which to wake up the WaitFor).
      The above described mechanics work well enough for the double timeout
      test, but fail in the presence of code that spawns asynchronous /
      background tasks that must make progress before time is advanced for the
      test to work properly. In order to deal with these cases, a set of APIs
      are introduced in order to block time from being advanced until some
      code has run, and a carveout added in order to permit small advances in
      time where required.
      (In some cases, code needed to be hacked up a bit in order to be made
      properly testable using these APIs; the `MockablePlan` trait included in
      here is somewhat unfortunate.)
      This should fix arti#149.
    • Nick Mathewson's avatar
      Tests and refactoring for IsolationMap. · a3c472c6
      Nick Mathewson authored
    • Nick Mathewson's avatar
    • Nick Mathewson's avatar
      More tests for arti_client::address · 1b6098d0
      Nick Mathewson authored
    • Nick Mathewson's avatar
      Merge branch 'isolate_clients' · fadb6727
      Nick Mathewson authored
  4. 25 Oct, 2021 3 commits