sendme: Failure to validate authenticated SENDMEs client side
Turns out that we have two issues with
sendme_is_valid() (new authenticated SENDMEs).
- We can not fallback onto version 0 if the version of the cell is unrecognized. Right now, if let say we have a minimum version (from consensus) of 1 and then we support version 3 but we get version 4, then ultimately we will end up in defaulting to version 0. Not good.
There needs to be a strong check on what we can minimally support (from consensus) and the upper bound of what we support. Anything outside of that range, the circuit has to be closed.
- This one is a bit more bad. Basically,
sendme_process_circuit_level()needs to validate the SENDME for both client and service. SENDMEs authenticate both ways and thus can not only be on service side like it is right now.
In other words, we need to call
sendme_is_valid() in both cases that is if we are origin circuit or not.
Now that we have the unit test predictable fast prng feature, we should really add a tests that makes sure this entire logic works by sending 100 cells and expecting a SENDME validation.
Thanks to armadev's review for spotting those big issues!