Teach circuit_extend() more about Ed25519 identities.

- forbid extending to the previous hop by Ed25519 ID.
- If we know the Ed25519 ID for the next hop and the client doesn't,
  insist on the one from the consensus.

src/or/circuitbuild.c

@@ -1175,6 +1175,16 @@ circuit_extend(cell_t *cell, circuit_t *circ)
     return -1;
   }
 
+  /* Fill in ed_pubkey if it was not provided and we can infer it from
+   * our networkstatus */
+  if (ed25519_public_key_is_zero(&ec.ed_pubkey)) {
+    const node_t *node = node_get_by_id((const char*)ec.node_id);
+    const ed25519_public_key_t *node_ed_id = NULL;
+    if (node && (node_ed_id = node_get_ed25519_id(node))) {
+      memcpy(ec.ed_pubkey.pubkey, node_ed_id->pubkey, ED25519_PUBKEY_LEN);
+    }
+  }
+
   /* Next, check if we're being asked to connect to the hop that the
    * extend cell came from. There isn't any reason for that, and it can
    * assist circular-path attacks. */
@@ -1185,10 +1195,15 @@ circuit_extend(cell_t *cell, circuit_t *circ)
            "Client asked me to extend back to the previous hop.");
     return -1;
   }
-  // XXX 15056 check prev-hop Ed ID too
 
-  // XXX 15056 Fill in ed_pubkey if it was not provided and we can infer
+  /* Check the previous hop Ed25519 ID too */
-  // XXX 15056 it from the networkstatus.
+  if (! ed25519_public_key_is_zero(&ec.ed_pubkey) &&
+      ed25519_pubkey_eq(&ec.ed_pubkey,
+                        &TO_OR_CIRCUIT(circ)->p_chan->ed25519_identity)) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Client asked me to extend back to the previous hop "
+           "(by Ed25519 ID).");
+  }
 
   n_chan = channel_get_for_extend((const char*)ec.node_id,
                                   &ec.ed_pubkey,