Ensure WTF-Pad padding comes from the expected hop
When first looking at the WTF-Pad design for integration into Tor, we were concerned that there may be flow control issues with padding causing our SENDME windows to empty prematurely. It turns out that RELAY_DROP does not count towards these windows though, so no updates are needed there.
However, we should add an additional check to ensure that RELAY_DROP cells come from the expected hop (middle). This check is easy to do -- just inspect the layer_hint after the cell is recognized and see where it came from. In this way, we can prevent a malicious Exit node or RP from injecting end-to-end side channel cells, while still allowing padding.
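
The check described above, as an added example that is not taken from Tor's source code. The names hop_t, circ_t, padding_hop, verdict_t, check_relay_cell and demo_verdict are hypothetical, the three-hop circuit is constructed sample data, and what the caller does with an unexpected RELAY_DROP is left open because the ticket does not specify it.

```c
#include <stdint.h>
#include <stdio.h>

#define RELAY_COMMAND_DATA 2   /* relay command numbers from the Tor protocol */
#define RELAY_COMMAND_DROP 10

/* Hypothetical, simplified stand-ins for per-hop and circuit state. */
typedef struct hop { const char *name; struct hop *next; } hop_t;
typedef struct {
  hop_t *first_hop;    /* guard; the list runs guard -> middle -> exit */
  hop_t *padding_hop;  /* the only hop padding is expected from (middle) */
} circ_t;

typedef enum { CELL_PROCESS, CELL_PADDING_OK, CELL_UNEXPECTED_DROP } verdict_t;

/* layer_hint is the hop whose onion layer recognized the cell, i.e. the hop
 * that originated it. No window accounting here: RELAY_DROP is not counted. */
verdict_t check_relay_cell(const circ_t *circ, uint8_t command,
                           const hop_t *layer_hint)
{
  if (command != RELAY_COMMAND_DROP)
    return CELL_PROCESS;               /* not padding: normal handling */
  if (layer_hint == NULL || layer_hint != circ->padding_hop)
    return CELL_UNEXPECTED_DROP;       /* e.g. injected by the exit or RP */
  return CELL_PADDING_OK;
}

/* Builds a constructed 3-hop circuit and returns the verdict for a cell
 * recognized at hop number idx (0 = guard, 1 = middle, 2 = exit). */
verdict_t demo_verdict(int idx, uint8_t command)
{
  hop_t exit_hop = {"exit", NULL};
  hop_t middle = {"middle", &exit_hop};
  hop_t guard = {"guard", &middle};
  circ_t circ = {&guard, &middle};
  const hop_t *hint = circ.first_hop;
  while (idx-- > 0 && hint)
    hint = hint->next;                 /* walks off the end to NULL if idx > 2 */
  return check_relay_cell(&circ, command, hint);
}

int main(void)
{
  static const char *names[] = {"process", "padding ok", "unexpected RELAY_DROP"};
  for (int i = 0; i < 3; i++)
    printf("RELAY_DROP recognized at hop %d: %s\n", i,
           names[demo_verdict(i, RELAY_COMMAND_DROP)]);
  return 0;
}
```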