Open
Description
During connection establishment, before the first Handshake completes and installs a session key, a peer can send multiple Handshake messages with distinct public keys. Each one triggers a synchronous SQLite write to the PeerDB on the main P2P event loop thread.
Once authentication completes, the session key is locked in and subsequent Handshakes with different keys are rejected, so the window is limited to the pre-auth phase.
Relevant code:
- PeerDB write path:

stacks-core/stackslib/src/net/chat.rs
Lines 1260 to 1280 in 1208ed3

```rust
if updated {
    // save the new key
    let tx = network.peerdb_tx_begin().map_err(net_error::DBError)?;
    let (mut neighbor, _) = Neighbor::load_and_update(
        &tx,
        message.preamble.peer_version,
        message.preamble.network_id,
        &handshake_data,
    )?;
    neighbor.save_update(&tx, None)?;
    tx.commit()
        .map_err(|e| net_error::DBError(db_error::SqliteError(e)))?;

    debug!(
        "{:?}: Re-key {:?} to {:?} expires {}",
        network.get_local_peer(),
        &neighbor.addr,
        &to_hex(&neighbor.public_key.to_bytes_compressed()),
        neighbor.expire_block
    );
}
```

- Pre-auth message dispatch:

stacks-core/stackslib/src/net/chat.rs
Lines 2602 to 2608 in 1208ed3

```rust
StacksMessageType::Handshake(_) => {
    monitoring::increment_msg_counter("p2p_unauthenticated_handshake".to_string());
    debug!("{:?}: Got unauthenticated Handshake", &self);
    let (reply_opt, handled) = self.handle_handshake(network, msg, false, ibd)?;
    consume = handled;
    Ok(reply_opt)
}
```
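One way to bound the pre-auth window described in this issue, as an added example that is not stacks-core code: a per-connection guard that decides whether a Handshake's public key may reach the PeerDB write path. `RekeyGuard`, `RekeyDecision`, `tally` and the write budget are hypothetical names and policy chosen for illustration.

```rust
// Added illustration; none of these names exist in stacks-core.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum RekeyDecision {
    Persist,   // new key within budget: caller performs the peer DB write
    Unchanged, // same key as the last accepted one: nothing to write
    Reject,    // distinct key after auth, or pre-auth budget exhausted
}

pub struct RekeyGuard {
    max_preauth_writes: u32, // assumed policy knob, e.g. 1
    writes: u32,
    last_key: Option<Vec<u8>>,
    authenticated: bool,
}
impl RekeyGuard {
    pub fn new(max_preauth_writes: u32) -> Self {
        RekeyGuard { max_preauth_writes, writes: 0, last_key: None, authenticated: false }
    }
    /// Call once the first Handshake is verified and the session key installed.
    pub fn mark_authenticated(&mut self) { self.authenticated = true; }
    /// Decide whether a Handshake carrying `pubkey` may trigger a DB write.
    pub fn on_handshake(&mut self, pubkey: &[u8]) -> RekeyDecision {
        if self.last_key.as_deref() == Some(pubkey) {
            return RekeyDecision::Unchanged;
        }
        if self.authenticated || self.writes >= self.max_preauth_writes {
            return RekeyDecision::Reject;
        }
        self.writes += 1;
        self.last_key = Some(pubkey.to_vec());
        RekeyDecision::Persist
    }
}

/// Feed constructed keys through a fresh guard; returns (persisted, rejected).
pub fn tally(keys: &[&[u8]], budget: u32) -> (u32, u32) {
    let mut guard = RekeyGuard::new(budget);
    keys.iter().fold((0, 0), |(p, r), k| match guard.on_handshake(k) {
        RekeyDecision::Persist => (p + 1, r),
        RekeyDecision::Reject => (p, r + 1),
        RekeyDecision::Unchanged => (p, r),
    })
}

fn main() {
    // Constructed sample: four Handshakes, three distinct keys, budget of 1.
    let keys: [&[u8]; 4] = [b"key-A", b"key-A", b"key-B", b"key-C"];
    println!("{:?}", tally(&keys, 1));
}
```

The `Reject` count is the value worth exporting as a metric alongside a counter such as `p2p_unauthenticated_handshake`, since a connection that exhausts its budget before authenticating is the pattern the issue describes.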