Implement full-duplex secret connection

[thanethomson]

Work towards #814

Something like this is necessary for the MConnection to be able to safely read from and write to the underlying stream from multiple threads (e.g. one thread for reading, one thread for writing).

• Referenced an issue explaining the need for the change
• Updated all relevant documentation in docs
• Updated all code comments where relevant
• Wrote tests
• Added entry in .changelog/

[codecov-commenter]

Codecov Report

Merging #938 (ce9290d) into master (cedf8de) will increase coverage by 0.0%.
The diff coverage is 85.2%.

❗ Current head ce9290d differs from pull request most recent head 2d5ef8b. Consider uploading reports for the commit 2d5ef8b to get more accurate results

@@           Coverage Diff           @@
##           master    #938    +/-   ##
=======================================
  Coverage    70.6%   70.7%            
=======================================
  Files         203     205     +2     
  Lines       16312   16432   +120     
=======================================
+ Hits        11524   11624   +100     
- Misses       4788    4808    +20     

Impacted Files	Coverage Δ
p2p/src/secret_connection.rs	85.0% <78.6%> (+0.2%)	⬆️
std-ext/src/lib.rs	100.0% <100.0%> (ø)
std-ext/src/try_clone.rs	100.0% <100.0%> (ø)
test/src/test/unit/p2p/secret_connection.rs	99.3% <100.0%> (+0.4%)	⬆️
tendermint/src/block/commit_sig.rs	77.2% <0.0%> (-2.3%)	⬇️
tendermint/src/timeout.rs	83.0% <0.0%> (-1.9%)	⬇️
tendermint/src/config.rs	64.2% <0.0%> (-1.7%)	⬇️
light-client/src/types.rs	30.6% <0.0%> (-0.3%)	⬇️
tendermint/src/node.rs	65.7% <0.0%> (-0.3%)	⬇️
tools/proto-compiler/src/constants.rs	6.2% <0.0%> (ø)
... and 2 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cedf8de...2d5ef8b. Read the comment docs.

[soareschen]

Would it be simpler if we just use TcpStream::try_clone(self) here and not having to explain in the comment?

[thanethomson]

It wasn't obvious to me whether the TcpStream's try_clone method was going to be called here or the TryClone trait's try_clone, so I thought I'd leave a comment here for posterity to explain it.

[thanethomson]

Oh, also, I tried explicitly calling TcpStream::try_clone(self) here and clippy complains that the better approach is to use Self::try_clone(self), which, to me, isn't nearly as clear as TcpStream::try_clone(self).

[soareschen]

What is the advantage of using this trait as compared to holding an Arc<IoHandler> and Clone?

[thanethomson]

See #938 (comment)

[soareschen]

Should we have higher level abstraction to guarantee that the nonce is always incremented after being acquired? Or should it never be incremented at all if there is error? Would the state be inconsistent if the line above or below returns error prematurely?

[thanethomson]

@tony-iqlusion, what's your take on this?

[tony-iqlusion]

Preventing nonce reuse is the most important thing as it fails catastrophically with ChaCha20Poly1305, but also if it's ever incremented without being used it will be out-of-sync with the peer and abort the connection that way.

So it's best to have a sort of simple state machine that aborts the whole connection on errors, and if that can wipe the nonce somehow that's best, but so long as you can prevent repeat nonce reuse that's probably the most important thing.

[soareschen]

Should we return error result here instead of panicking? Same for the other uses of .expect().

[thanethomson]

How would we (and should we be able to) recover from such an error?

My understanding is that, when Mutex::lock fails, it's due to a panic while the lock is held by another thread.

[soareschen]

Sounds reasonable. Perhaps we can add a comment here that we are panicking because a poisoned mutex is unrecoverable. This is mainly to distinguish it from the other uses of .expect in the same file, which IMO should be refactored to return Result::Err instead.

[thanethomson]

Fortunately in the new iteration there's no need for mutexes any more 😁

[thanethomson]

I've converted this back to a draft PR while I rework things a bit as per Tony's suggestions.

[tony-iqlusion]

Looks good now!

[xla]

Very sensible, mostly left some clarifying questions. Are the concerns addressed wrt nonce handling in #938 (comment)?

[xla]

Do we only want to guard against these conditions in debug builds?

[thanethomson]

Good question. @tony-iqlusion?

[thanethomson]

Are the concerns addressed wrt nonce handling in #938 (comment)?

I'm not at all familiar with the low-level details of ChaCha20Poly1305.

@tony-iqlusion, does this mean that, if there's any failure to read from/write to a SecretConnection, the whole connection needs to be dropped and re-established to be able to continue communicating? If so that's something I should probably add to the documentation.

[thanethomson]

The latest commits build incrementally on previous ones, so review shouldn't be too complex.

One question though for those who've done/seen this sort of performance benchmarking in Rust before: what's the potential performance hit of loading an AtomicBool's value before each time we read from/write to the underlying TCP stream?

[tony-iqlusion]

what's the potential performance hit of loading an AtomicBool's value before each time we read from/write to the underlying TCP stream?

Vanishingly small compared to the system call overhead of an I/O operation. On x86(-64) in particular, the architecture provides a strongly consistent memory model, which means AtomicBool is effectively zero overhead versus an unsynchronized load/store regardless of what consistency model you choose.

Things are a bit more complicated on e.g. ARM, where it will require flushing (potentially multicore) CPU pipelines, but again, minuscule compare to the overhead of a system call.

[thanethomson]

Sounds good, thanks for the insight @tony-iqlusion! 🙏

[xla]

With #905 (comment) in mind should the internals and the handles acquired from a split be named Reader and Writer respectively? Esp. as they implement Read and Write and receiver and sender can be reserved for abstractions which offer full messages as they input/output.

[thanethomson]

With #905 (comment) in mind should the internals and the handles acquired from a split be named Reader and Writer respectively? Esp. as they implement Read and Write and receiver and sender can be reserved for abstractions which offer full messages as they input/output.

I've been trying to figure out which set of idioms (either "send/receive" or "read/write") should apply where, and it seems to me like "read/write" seems more general than "send/receive" (e.g. the latter doesn't make too much sense when interacting with the filesystem).

Networked entities seem to send/receive more than read/write. This is probably due to the fact that low-level socket functions like send employ "send/receive" semantics on networking connections. As such, it probably makes more sense to keep the SecretConnection's "send/receive" semantics. It's already pretty pervasive throughout the SecretConnection-related code.

But either way, as long as it's consistent, I'd be fine with it. My issue in #905 (comment) was that it was inconsistent.

[xla]

🏌 😜 🏷 🏉