QUIC: generate unique server_name for client connections (#7260)

generate unique server_name for QUIC connections

Author: alexpyattaev

core/src/repair/quic_endpoint.rs

@@ -18,7 +18,8 @@ use {
     solana_pubkey::Pubkey,
     solana_runtime::bank_forks::BankForks,
     solana_tls_utils::{
-        new_dummy_x509_certificate, tls_client_config_builder, tls_server_config_builder,
+        new_dummy_x509_certificate, socket_addr_to_quic_server_name, tls_client_config_builder,
+        tls_server_config_builder,
     },
     std::{
         cmp::Reverse,
@@ -73,7 +74,6 @@ const CLIENT_CHANNEL_BUFFER: usize = 1 << 14;
 const ROUTER_CHANNEL_BUFFER: usize = 64;
 const CONNECTION_CACHE_CAPACITY: usize = 3072;
 const ALPN_REPAIR_PROTOCOL_ID: &[u8] = b"solana-repair";
-const CONNECT_SERVER_NAME: &str = "solana-repair";
 
 // Transport config.
 const DATAGRAM_RECEIVE_BUFFER_SIZE: usize = 256 * 1024 * 1024;
@@ -672,9 +672,8 @@ async fn make_connection<T>(
 where
     T: 'static + From<(Pubkey, SocketAddr, Bytes)> + Send,
 {
-    let connection = endpoint
-        .connect(remote_address, CONNECT_SERVER_NAME)?
-        .await?;
+    let server_name = socket_addr_to_quic_server_name(remote_address);
+    let connection = endpoint.connect(remote_address, &server_name)?.await?;
     handle_connection(
         endpoint,
         connection.remote_address(),

quic-client/src/nonblocking/quic_client.rs

@@ -27,7 +27,8 @@ use {
     solana_rpc_client_api::client_error::ErrorKind as ClientErrorKind,
     solana_streamer::nonblocking::quic::ALPN_TPU_PROTOCOL_ID,
     solana_tls_utils::{
-        new_dummy_x509_certificate, tls_client_config_builder, QuicClientCertificate,
+        new_dummy_x509_certificate, socket_addr_to_quic_server_name, tls_client_config_builder,
+        QuicClientCertificate,
     },
     solana_transaction_error::TransportResult,
     std::{
@@ -154,8 +155,8 @@ impl QuicNewConnection {
     ) -> Result<Self, QuicError> {
         let mut make_connection_measure = Measure::start("make_connection_measure");
         let endpoint = endpoint.get_endpoint().await;
-
-        let connecting = endpoint.connect(addr, "connect")?;
+        let server_name = socket_addr_to_quic_server_name(addr);
+        let connecting = endpoint.connect(addr, &server_name)?;
         stats.total_connections.fetch_add(1, Ordering::Relaxed);
         if let Ok(connecting_result) = timeout(QUIC_CONNECTION_HANDSHAKE_TIMEOUT, connecting).await
         {
@@ -190,7 +191,8 @@ impl QuicNewConnection {
         addr: SocketAddr,
         stats: &ClientStats,
     ) -> Result<Arc<Connection>, QuicError> {
-        let connecting = self.endpoint.connect(addr, "connect")?;
+        let server_name = socket_addr_to_quic_server_name(addr);
+        let connecting = self.endpoint.connect(addr, &server_name)?;
         stats.total_connections.fetch_add(1, Ordering::Relaxed);
         let connection = match connecting.into_0rtt() {
             Ok((connection, zero_rtt)) => {

tls-utils/src/tls_certificates.rs

@@ -2,6 +2,7 @@ use {
     solana_keypair::Keypair,
     solana_pubkey::Pubkey,
     solana_signer::Signer,
+    std::net::SocketAddr,
     x509_parser::{prelude::*, public_key::PublicKey},
 };
 
@@ -126,9 +127,28 @@ pub fn get_pubkey_from_tls_certificate(
     }
 }
 
+/// Translate a SocketAddr into a valid SNI for the purposes of QUIC connection
+///
+/// We do not actually check if the server holds a cert for this server_name
+/// since Solana does not rely on DNS names, but we need to provide a unique
+/// one to ensure that we present correct QUIC tokens to the correct server.
+pub fn socket_addr_to_quic_server_name(peer: SocketAddr) -> String {
+    format!("{}.{}.sol", peer.ip(), peer.port())
+}
+
 #[cfg(test)]
 mod tests {
-    use {super::*, solana_signer::Signer};
+    use {
+        super::*,
+        solana_signer::Signer,
+        std::net::{IpAddr, Ipv4Addr},
+    };
+
+    #[test]
+    fn test_socket_addr_to_quic_server_name() {
+        let socket = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(1, 2, 3, 4)), 8004);
+        assert_eq!(socket_addr_to_quic_server_name(socket), "1.2.3.4.8004.sol");
+    }
 
     #[test]
     fn test_generate_tls_certificate() {

tpu-client-next/src/connection_worker.rs

@@ -12,6 +12,7 @@ use {
     solana_clock::{DEFAULT_MS_PER_SLOT, MAX_PROCESSING_AGE, NUM_CONSECUTIVE_LEADER_SLOTS},
     solana_measure::measure::Measure,
     solana_time_utils::timestamp,
+    solana_tls_utils::socket_addr_to_quic_server_name,
     std::{
         net::SocketAddr,
         sync::{atomic::Ordering, Arc},
@@ -209,7 +210,8 @@ impl ConnectionWorker {
     /// If an error occurs, the state may transition to `Retry` or `Closing`,
     /// depending on the nature of the error.
     async fn create_connection(&mut self, retries_attempt: usize) {
-        let connecting = self.endpoint.connect(self.peer, "connect");
+        let server_name = socket_addr_to_quic_server_name(self.peer);
+        let connecting = self.endpoint.connect(self.peer, &server_name);
         match connecting {
             Ok(connecting) => {
                 let mut measure_connection = Measure::start("establish connection");

turbine/src/quic_endpoint.rs

@@ -17,7 +17,8 @@ use {
     solana_pubkey::Pubkey,
     solana_runtime::bank_forks::BankForks,
     solana_tls_utils::{
-        new_dummy_x509_certificate, tls_client_config_builder, tls_server_config_builder,
+        new_dummy_x509_certificate, socket_addr_to_quic_server_name, tls_client_config_builder,
+        tls_server_config_builder,
     },
     std::{
         cmp::Reverse,
@@ -44,7 +45,6 @@ const CLIENT_CHANNEL_BUFFER: usize = 1 << 14;
 const ROUTER_CHANNEL_BUFFER: usize = 64;
 const CONNECTION_CACHE_CAPACITY: usize = 3072;
 const ALPN_TURBINE_PROTOCOL_ID: &[u8] = b"solana-turbine";
-const CONNECT_SERVER_NAME: &str = "solana-turbine";
 
 // Transport config.
 const DATAGRAM_RECEIVE_BUFFER_SIZE: usize = 256 * 1024 * 1024;
@@ -504,9 +504,8 @@ async fn make_connection(
     cache: Arc<Mutex<HashMap<Pubkey, Connection>>>,
     stats: Arc<TurbineQuicStats>,
 ) -> Result<(), Error> {
-    let connection = endpoint
-        .connect(remote_address, CONNECT_SERVER_NAME)?
-        .await?;
+    let server_name = socket_addr_to_quic_server_name(remote_address);
+    let connection = endpoint.connect(remote_address, &server_name)?.await?;
     handle_connection(
         endpoint,
         connection.remote_address(),