T2. Add isolated Tor connection API, but don't enable it by default

[teor2345]

Motivation

When Zebra sends user-generated transactions over the internet, the transaction IDs can be linked to the sending and receiving IP addresses. This can link people with specific Zcash transfers. (But the amount of information disclosed is much less for fully shielded transactions.)

But if we send user-generated transactions over Tor, it's much harder to link them to the sender's IP address.

It's ok to merge this PR because:

• the Tor code changes are in a new API, in a newly created separate Rust modules
• the Tor feature is off by default at compile-time, and it uses a function that isn't called by other code at runtime
• the arti dependency is a specific public crate patch release, so it won't change unless we change it
• it will take us less effort to update to each new arti release

Solution

Tor API:

• Add a method for isolated anonymised Tor connections to a specific hostname, closes Merge minimal Tor integration for future zebra-client work #1643
• Use a shared tor client instance for all isolated connections

Dependencies:

• Add arti as a zebra-network dependency
  • This upgrades a bunch of dependencies in the lockfile, but we'll have to do those upgrades eventually anyway
• Make tor support optional, activate it via a new "tor" feature

Tests:

• Add tests for isolated tor connections
• Silence a spurious tor warning in tests

Close #1643

Review

This PR is ready for review, but it's based on PR #3302, so we should keep it in draft until that PR merges.

Let's assign reviewers when people are back from leave.

Reviewer Checklist

• Code compiles and tests pass with cargo test --features tor

[jvff]

Looks good overall, I only added some minor things. It would be nice if the test vectors were refactored a bit to reduce repeated code though.

[codecov]

Codecov Report

Merging #3303 (1495f66) into main (a1f4cec) will decrease coverage by 0.01%.
The diff coverage is 80.00%.

@@            Coverage Diff             @@
##             main    #3303      +/-   ##
==========================================
- Coverage   78.43%   78.42%   -0.02%     
==========================================
  Files         267      267              
  Lines       31530    31526       -4     
==========================================
- Hits        24732    24724       -8     
- Misses       6798     6802       +4     

[teor2345]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[teor2345]

This PR is blocking ticket #3234 due to merge conflicts. @jvff would you mind reviewing it tomorrow, so we can get it merged?

[jvff]

Approved! Yay, progress towards getting Tor support in Zebra :D

[dconnolly]

@teor2345 Looking at the rustdoc for TorClient and its config structs, it doesn't seem obvious how to config/ensure a new circuit is used every time we create a new TorClient here, or perhaps every time we use it. Am I missing context or this work arti needs to do first? @teor2345

[teor2345]

I gave similar feedback to the Tor team, and they have opened a ticket to improve the API:
https://forum.zcashcommunity.com/t/arti-a-pure-rust-tor-implementation-for-zcash-and-beyond/38776/58?u=teor

I expect we will rewrite this code when we upgrade to the next arti version.

[teor2345]

But here's what's going on in detail:

connect_isolated_tor either boostraps a new client, or creates an isolated clone of the shared client instance.

new_tor_client is a once-off method for bootstrapping a new client.

The isolated_client method ensures that the shared client's streams are on different circuits from the returned client's streams. (And if multiple initial connections race, and bootstrap multiple clients, all their streams are independent, because they make independent connections.)

cloned_tor_client is the method for cloning a new isolated client. It calls isolated_client for each clone.

[rex4539]

Is there any upside (from a privacy-only standpoint, I don't care about other aspects) to use arti instead of just running zebra through proxychains-ng?

The latter proxies everything through tor, and its the way I've been using zebra so far.

[teor2345]

Is there any upside (from a privacy-only standpoint, I don't care about other aspects) to use arti instead of just running zebra through proxychains-ng?

Currently, Zebra does not send any data through arti, even when the arti feature is active. This PR is only for a draft isolated Tor connection API.

In the future, Zebra might send user-generated transactions through arti, after we have completed lightwalletd or other client support.

We want to avoid syncing the entire blockchain over Tor. If hundreds of Zebra clients did that, it would put a lot of load on the Tor network. Particularly after a Zebra database upgrade, when nodes sync the full chain again.

The latter proxies everything through tor, and its the way I've been using zebra so far.

I'm glad to know that this configuration works!

I think this configuration is fine in general. But there are some things you should be aware of.

Zebra's initial sync of 20 GB of Zcash blockchain data might make you stand out on the Tor network. This could reduce your anonymity, even when using Tor. (Zebra does an initial sync every time the database format changes.)

Since all the blockchain data is public, and Zebra doesn't generate transactions yet, there isn't much sensitive information that gets hidden using Tor.

Some possibly sensitive data is the block you're currently syncing, the exact content of your node's mempool, and the fact that your home IP address is using Zcash.