Prevent port scanning of hidden services

If you connect to a hidden service that's listening on virtual port 5222, and send it a begin cell for port 80, it will send you back an end cell but leave the circuit up.

I actually thought the design was more defensive: that if you ever asked for a virtual port that wasn't assigned, then it would close the circuit on you, to prevent scanning to find out what ports are open.

But it turns out I never built it that way. We should fix it.

With thanks to Ivan Pustogarov for noticing.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information