Double-check ed25519 identity and is_canonical in `circuit_n_chan_done()`
Right now, `circuit_n_chan_done()` checks RSA identity digest, but not ed25519 identity or `is_canonical`.
This is probably not a high-security issue, so I'm going to use it to experiment with confidential issues. Here's why I think this is not high-security: If we're a client, we already filled in the intended ed25519 identity and address for the channel when we launched it, and rejected the channel if it was wrong.
If we're a relay, then exploiting this issue would at worst require an attacker to jump through a lot of hoops (impersonating RSA identity, sending a bogus EXTEND cell at exactly the right time to derail other pending circuits), and also either require the attacker to steal onion keys, or limit the attacker's capability to encrypted traffic sniffing.
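
A simplified model of the check described in this issue, added here as an illustration; it is not Tor's code. All type and function names are hypothetical, and treating a non-canonical channel as a mismatch is an assumption about what "double-check" should mean.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model; not Tor's real structures or functions. */
typedef struct {
    uint8_t rsa_digest[20];  /* RSA identity digest the peer authenticated as */
    uint8_t ed_id[32];       /* ed25519 identity the peer authenticated as */
    bool is_canonical;       /* channel reached the relay at a listed address */
} model_chan_t;

typedef struct {
    uint8_t want_rsa[20];    /* RSA digest named when the circuit was queued */
    uint8_t want_ed[32];     /* ed25519 identity named, if any */
    bool want_ed_set;        /* false: no ed25519 identity was requested */
} model_circ_t;

/* Compare without an early exit on the first differing byte. */
static bool bytes_eq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* The check as the issue describes it today: RSA identity digest only. */
bool match_rsa_only(const model_chan_t *ch, const model_circ_t *c) {
    return bytes_eq(ch->rsa_digest, c->want_rsa, sizeof ch->rsa_digest);
}

/* Assumed double-checked form: RSA digest, ed25519 identity, is_canonical. */
bool match_strict(const model_chan_t *ch, const model_circ_t *c) {
    if (!bytes_eq(ch->rsa_digest, c->want_rsa, sizeof ch->rsa_digest))
        return false;
    if (c->want_ed_set && !bytes_eq(ch->ed_id, c->want_ed, sizeof ch->ed_id))
        return false;
    return ch->is_canonical;
}

/* Constructed case: RSA digests always agree; ed25519 and canonical vary. */
bool run_case(bool same_ed, bool canonical, bool strict) {
    model_chan_t ch; model_circ_t c;
    memset(&ch, 0, sizeof ch); memset(&c, 0, sizeof c);
    memset(ch.rsa_digest, 0xAA, 20); memset(c.want_rsa, 0xAA, 20);
    memset(ch.ed_id, 0x11, 32); memset(c.want_ed, same_ed ? 0x11 : 0x22, 32);
    c.want_ed_set = true; ch.is_canonical = canonical;
    return strict ? match_strict(&ch, &c) : match_rsa_only(&ch, &c);
}
```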