hs: Do not allow more than one control cell on a circuit

This is the list of HS control cell that is they are all for establishing a circuit or/and "connection" between HS entities (IP, RP, Service, client):

RELAY_COMMAND_ESTABLISH_INTRO:
RELAY_COMMAND_ESTABLISH_RENDEZVOUS:
RELAY_COMMAND_INTRODUCE1:
RELAY_COMMAND_INTRODUCE2:
RELAY_COMMAND_INTRODUCE_ACK:
RELAY_COMMAND_INTRO_ESTABLISHED:
RELAY_COMMAND_RENDEZVOUS1:
RELAY_COMMAND_RENDEZVOUS2:
RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:

It appears that anyone can send an arbitrary amount of those cells on the same circuit. Even to the point that tor allows a rendezvous circuit to become an intro circuit.

The only special one is INTRODUCE2 which is by-design are sent a lot on the same circuit.

The only cell currently limited to 1 cell is INTRODUCE1 since we do not allow multiple introductions on the same client circuit for DoS reasons.

But the rest should only be seen once on a circuit. Lets restrict them and if we see more, then we close the circuit due to a protocol error. This would limit side-channels.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information