Code to parse and format CREATE{,2,_FAST} cells and their allies

As elsewhere, it makes sense when adding or extending a cell type to actually make the code to parse it into a separate tested function. This commit doesn't actually make anything use these new functions; that's for a later commit.
2024-11-11 05:33:47 +01:00 · 2012-12-05 16:47:22 -05:00 · 2012-12-05 16:47:22 -05:00 · 5d15d597a9
commit 5d15d597a9
parent 18c7d3f157
4 changed files with 1037 additions and 2 deletions
--- a/src/or/onion.c
+++ b/src/or/onion.c
@ -6,8 +6,8 @@

 /**
 * \file onion.c
- * \brief Functions to queue create cells, handle onionskin
- * parsing and creation, and wrap the various onionskin types.
+ * \brief Functions to queue create cells, wrap the various onionskin types,
+ * and parse and create the CREATE cell and its allies.
 **/

 #include "or.h"
@ -17,6 +17,7 @@
 #include "onion_fast.h"
 #include "onion_ntor.h"
 #include "onion_tap.h"
+#include "relay.h"
 #include "rephist.h"
 #include "router.h"

@ -410,3 +411,517 @@ onion_skin_client_handshake(int type,
  }
 }

+/** Helper: return 0 if <b>cell</b> appears valid, -1 otherwise. If
+ * <b>unknown_ok</b> is true, allow cells with handshake types we don't
+ * recognize. */
+static int
+check_create_cell(const create_cell_t *cell, int unknown_ok)
+{
+  switch (cell->cell_type) {
+  case CELL_CREATE:
+    if (cell->handshake_type != ONION_HANDSHAKE_TYPE_TAP)
+      return -1;
+    break;
+  case CELL_CREATE_FAST:
+    if (cell->handshake_type != ONION_HANDSHAKE_TYPE_FAST)
+      return -1;
+    break;
+  case CELL_CREATE2:
+    break;
+  default:
+    return -1;
+  }
+
+  switch (cell->handshake_type) {
+  case ONION_HANDSHAKE_TYPE_TAP:
+    if (cell->handshake_len != TAP_ONIONSKIN_CHALLENGE_LEN)
+      return -1;
+    break;
+  case ONION_HANDSHAKE_TYPE_FAST:
+    if (cell->handshake_len != CREATE_FAST_LEN)
+      return -1;
+    break;
+#ifdef CURVE25519_ENABLED
+  case ONION_HANDSHAKE_TYPE_NTOR:
+    if (cell->handshake_len != NTOR_ONIONSKIN_LEN)
+      return -1;
+    break;
+#endif
+  default:
+    if (! unknown_ok)
+      return -1;
+  }
+
+  return 0;
+}
+
+/** Helper: parse the CREATE2 payload at <b>p</b>, which could be up to
+ * <b>p_len</b> bytes long, and use it to fill the fields of
+ * <b>cell_out</b>. Return 0 on success and -1 on failure.
+ *
+ * Note that part of the body of an EXTEND2 cell is a CREATE2 payload, so
+ * this function is also used for parsing those.
+ */
+static int
+parse_create2_payload(create_cell_t *cell_out, const uint8_t *p, size_t p_len)
+{
+  if (p_len < 4)
+    return -1;
+  cell_out->cell_type = CELL_CREATE2;
+  cell_out->handshake_type = ntohs(get_uint16(p));
+  cell_out->handshake_len = ntohs(get_uint16(p+2));
+  if (cell_out->handshake_len > CELL_PAYLOAD_SIZE - 4 ||
+      cell_out->handshake_len > p_len - 4)
+    return -1;
+  memcpy(cell_out->onionskin, p+4, cell_out->handshake_len);
+  return 0;
+}
+
+/** Parse a CREATE, CREATE_FAST, or CREATE2 cell from <b>cell_in</b> into
+ * <b>cell_out</b>. Return 0 on success, -1 on failure. (We reject some
+ * syntactically valid CREATE2 cells that we can't generate or react to.) */
+int
+create_cell_parse(create_cell_t *cell_out, const cell_t *cell_in)
+{
+  memset(cell_out, 0, sizeof(*cell_out));
+
+  switch (cell_in->command) {
+  case CELL_CREATE:
+    cell_out->cell_type = CELL_CREATE;
+    cell_out->handshake_type = ONION_HANDSHAKE_TYPE_TAP;
+    cell_out->handshake_len = TAP_ONIONSKIN_CHALLENGE_LEN;
+    memcpy(cell_out->onionskin, cell_in->payload, TAP_ONIONSKIN_CHALLENGE_LEN);
+    break;
+  case CELL_CREATE_FAST:
+    cell_out->cell_type = CELL_CREATE_FAST;
+    cell_out->handshake_type = ONION_HANDSHAKE_TYPE_FAST;
+    cell_out->handshake_len = CREATE_FAST_LEN;
+    memcpy(cell_out->onionskin, cell_in->payload, CREATE_FAST_LEN);
+    break;
+  case CELL_CREATE2:
+    if (parse_create2_payload(cell_out, cell_in->payload,
+                              CELL_PAYLOAD_SIZE) < 0)
+      return -1;
+    break;
+  default:
+    return -1;
+  }
+
+  return check_create_cell(cell_out, 0);
+}
+
+/** Helper: return 0 if <b>cell</b> appears valid, -1 otherwise. */
+static int
+check_created_cell(const created_cell_t *cell)
+{
+  switch (cell->cell_type) {
+  case CELL_CREATED:
+    if (cell->handshake_len != TAP_ONIONSKIN_REPLY_LEN)
+      return -1;
+    break;
+  case CELL_CREATED_FAST:
+    if (cell->handshake_len != CREATED_FAST_LEN)
+      return -1;
+    break;
+  case CELL_CREATED2:
+    if (cell->handshake_len > RELAY_PAYLOAD_SIZE-2)
+      return -1;
+    break;
+  }
+
+  return 0;
+}
+
+/** Parse a CREATED, CREATED_FAST, or CREATED2 cell from <b>cell_in</b> into
+ * <b>cell_out</b>. Return 0 on success, -1 on failure. */
+int
+created_cell_parse(created_cell_t *cell_out, const cell_t *cell_in)
+{
+  memset(cell_out, 0, sizeof(*cell_out));
+
+  switch (cell_in->command) {
+  case CELL_CREATED:
+    cell_out->cell_type = CELL_CREATED;
+    cell_out->handshake_len = TAP_ONIONSKIN_REPLY_LEN;
+    memcpy(cell_out->reply, cell_in->payload, TAP_ONIONSKIN_REPLY_LEN);
+    break;
+  case CELL_CREATED_FAST:
+    cell_out->cell_type = CELL_CREATED_FAST;
+    cell_out->handshake_len = CREATED_FAST_LEN;
+    memcpy(cell_out->reply, cell_in->payload, CREATED_FAST_LEN);
+    break;
+  case CELL_CREATED2:
+    {
+      const uint8_t *p = cell_in->payload;
+      cell_out->cell_type = CELL_CREATED2;
+      cell_out->handshake_len = ntohs(get_uint16(p));
+      if (cell_out->handshake_len > CELL_PAYLOAD_SIZE - 2)
+        return -1;
+      memcpy(cell_out->reply, p+2, cell_out->handshake_len);
+      break;
+    }
+  }
+
+  return check_created_cell(cell_out);
+}
+
+/** Helper: return 0 if <b>cell</b> appears valid, -1 otherwise. */
+static int
+check_extend_cell(const extend_cell_t *cell)
+{
+  if (tor_digest_is_zero((const char*)cell->node_id))
+    return -1;
+  /* We don't currently allow EXTEND2 cells without an IPv4 address */
+  if (tor_addr_family(&cell->orport_ipv4.addr) == AF_UNSPEC)
+    return -1;
+  if (cell->create_cell.cell_type == CELL_CREATE) {
+    if (cell->cell_type != RELAY_COMMAND_EXTEND)
+      return -1;
+  } else if (cell->create_cell.cell_type == CELL_CREATE2) {
+    if (cell->cell_type != RELAY_COMMAND_EXTEND2)
+      return -1;
+  } else {
+    /* In particular, no CREATE_FAST cells are allowed */
+    return -1;
+  }
+  if (cell->create_cell.handshake_type == ONION_HANDSHAKE_TYPE_FAST)
+    return -1;
+
+  return check_create_cell(&cell->create_cell, 1);
+}
+
+/** Protocol constants for specifier types in EXTEND2
+ * @{
+ */
+#define SPECTYPE_IPV4 0
+#define SPECTYPE_IPV6 1
+#define SPECTYPE_LEGACY_ID 2
+/** @} */
+
+/** Parse an EXTEND or EXTEND2 cell (according to <b>command</b>) from the
+ * <b>payload_length</b> bytes of <b>payload</b> into <b>cell_out</b>. Return
+ * 0 on success, -1 on failure. */
+int
+extend_cell_parse(extend_cell_t *cell_out, const uint8_t command,
+                  const uint8_t *payload, size_t payload_length)
+{
+  const uint8_t *eop;
+
+  memset(cell_out, 0, sizeof(*cell_out));
+  if (payload_length > RELAY_PAYLOAD_SIZE)
+    return -1;
+  eop = payload + payload_length;
+
+  switch (command) {
+  case RELAY_COMMAND_EXTEND:
+    {
+      if (payload_length != 6 + TAP_ONIONSKIN_CHALLENGE_LEN + DIGEST_LEN)
+        return -1;
+
+      cell_out->cell_type = RELAY_COMMAND_EXTEND;
+      tor_addr_from_ipv4n(&cell_out->orport_ipv4.addr, get_uint32(payload));
+      cell_out->orport_ipv4.port = ntohs(get_uint16(payload+4));
+      tor_addr_make_unspec(&cell_out->orport_ipv6.addr);
+      cell_out->create_cell.cell_type = CELL_CREATE;
+      cell_out->create_cell.handshake_type = ONION_HANDSHAKE_TYPE_TAP;
+      cell_out->create_cell.handshake_len = TAP_ONIONSKIN_CHALLENGE_LEN;
+      memcpy(cell_out->create_cell.onionskin, payload + 6,
+             TAP_ONIONSKIN_CHALLENGE_LEN);
+      memcpy(cell_out->node_id, payload + 6 + TAP_ONIONSKIN_CHALLENGE_LEN,
+             DIGEST_LEN);
+      break;
+    }
+  case RELAY_COMMAND_EXTEND2:
+    {
+      uint8_t n_specs = *payload, spectype, speclen;
+      int i;
+      int found_ipv4 = 0, found_ipv6 = 0, found_id = 0;
+      tor_addr_make_unspec(&cell_out->orport_ipv4.addr);
+      tor_addr_make_unspec(&cell_out->orport_ipv6.addr);
+
+      cell_out->cell_type = RELAY_COMMAND_EXTEND2;
+      ++payload;
+      /* Parse the specifiers. We'll only take the first IPv4 and first IPv6
+       * addres, and the node ID, and ignore everything else */
+      for (i = 0; i < n_specs; ++i) {
+        if (eop - payload < 2)
+          return -1;
+        spectype = payload[0];
+        speclen = payload[1];
+        payload += 2;
+        if (eop - payload < speclen)
+          return -1;
+        switch (spectype) {
+        case SPECTYPE_IPV4:
+          if (speclen != 6)
+            return -1;
+          if (!found_ipv4) {
+            tor_addr_from_ipv4n(&cell_out->orport_ipv4.addr,
+                                get_uint32(payload));
+            cell_out->orport_ipv4.port = ntohs(get_uint16(payload+4));
+            found_ipv4 = 1;
+          }
+          break;
+        case SPECTYPE_IPV6:
+          if (speclen != 18)
+            return -1;
+          if (!found_ipv6) {
+            tor_addr_from_ipv6_bytes(&cell_out->orport_ipv6.addr,
+                                     (const char*)payload);
+            cell_out->orport_ipv6.port = ntohs(get_uint16(payload+16));
+            found_ipv6 = 1;
+          }
+          break;
+        case SPECTYPE_LEGACY_ID:
+          if (speclen != 20)
+            return -1;
+          if (found_id)
+            return -1;
+          memcpy(cell_out->node_id, payload, 20);
+          found_id = 1;
+          break;
+        }
+        payload += speclen;
+      }
+      if (!found_id || !found_ipv4)
+        return -1;
+      if (parse_create2_payload(&cell_out->create_cell,payload,eop-payload)<0)
+        return -1;
+
+      break;
+    }
+  default:
+    return -1;
+  }
+
+  return check_extend_cell(cell_out);
+}
+
+/** Helper: return 0 if <b>cell</b> appears valid, -1 otherwise. */
+static int
+check_extended_cell(const extended_cell_t *cell)
+{
+  if (cell->created_cell.cell_type == CELL_CREATED) {
+    if (cell->cell_type != RELAY_COMMAND_EXTENDED)
+      return -1;
+  } else if (cell->created_cell.cell_type == CELL_CREATED2) {
+    if (cell->cell_type != RELAY_COMMAND_EXTENDED2)
+      return -1;
+  } else {
+    return -1;
+  }
+
+  return check_created_cell(&cell->created_cell);
+}
+
+/** Parse an EXTENDED or EXTENDED2 cell (according to <b>command</b>) from the
+ * <b>payload_length</b> bytes of <b>payload</b> into <b>cell_out</b>. Return
+ * 0 on success, -1 on failure. */
+int
+extended_cell_parse(extended_cell_t *cell_out,
+                    const uint8_t command, const uint8_t *payload,
+                    size_t payload_len)
+{
+  const uint8_t *eop;
+
+  memset(cell_out, 0, sizeof(*cell_out));
+  if (payload_len > RELAY_PAYLOAD_SIZE)
+    return -1;
+  eop = payload + payload_len;
+
+  switch (command) {
+  case RELAY_COMMAND_EXTENDED:
+    if (payload_len != TAP_ONIONSKIN_REPLY_LEN)
+      return -1;
+    cell_out->cell_type = RELAY_COMMAND_EXTENDED;
+    cell_out->created_cell.cell_type = CELL_CREATED;
+    cell_out->created_cell.handshake_len = TAP_ONIONSKIN_REPLY_LEN;
+    memcpy(cell_out->created_cell.reply, payload, TAP_ONIONSKIN_REPLY_LEN);
+    break;
+  case RELAY_COMMAND_EXTENDED2:
+    {
+      cell_out->cell_type = RELAY_COMMAND_EXTENDED2;
+      cell_out->created_cell.cell_type = CELL_CREATED2;
+      cell_out->created_cell.handshake_len = ntohs(get_uint16(payload));
+      if (cell_out->created_cell.handshake_len > RELAY_PAYLOAD_SIZE - 2 ||
+          cell_out->created_cell.handshake_len > payload_len - 2)
+        return -1;
+      memcpy(cell_out->created_cell.reply, payload+2,
+             cell_out->created_cell.handshake_len);
+    }
+    break;
+  default:
+    return -1;
+  }
+
+  return check_extended_cell(cell_out);
+}
+
+/** Fill <b>cell_out</b> with a correctly formatted version of the
+ * CREATE{,_FAST,2} cell in <b>cell_in</b>. Return 0 on success, -1 on
+ * failure. */
+int
+create_cell_format(cell_t *cell_out, const create_cell_t *cell_in)
+{
+  if (check_create_cell(cell_in, 0) < 0)
+    return -1;
+
+  memset(cell_out->payload, 0, sizeof(cell_out->payload));
+  cell_out->command = cell_in->cell_type;
+
+  switch (cell_in->cell_type) {
+  case CELL_CREATE:
+  case CELL_CREATE_FAST:
+    tor_assert(cell_in->handshake_len <= sizeof(cell_out->payload));
+    memcpy(cell_out->payload, cell_in->onionskin, cell_in->handshake_len);
+    break;
+  case CELL_CREATE2:
+    tor_assert(cell_in->handshake_len <= sizeof(cell_out->payload)-4);
+    set_uint16(cell_out->payload, htons(cell_in->handshake_type));
+    set_uint16(cell_out->payload+2, htons(cell_in->handshake_len));
+    memcpy(cell_out->payload + 4, cell_in->onionskin, cell_in->handshake_len);
+    break;
+  default:
+    return -1;
+  }
+
+  return 0;
+}
+
+/** Fill <b>cell_out</b> with a correctly formatted version of the
+ * CREATED{,_FAST,2} cell in <b>cell_in</b>. Return 0 on success, -1 on
+ * failure. */
+int
+created_cell_format(cell_t *cell_out, const created_cell_t *cell_in)
+{
+  if (check_created_cell(cell_in) < 0)
+    return -1;
+
+  memset(cell_out->payload, 0, sizeof(cell_out->payload));
+  cell_out->command = cell_in->cell_type;
+
+  switch (cell_in->cell_type) {
+  case CELL_CREATED:
+  case CELL_CREATED_FAST:
+    tor_assert(cell_in->handshake_len <= sizeof(cell_out->payload));
+    memcpy(cell_out->payload, cell_in->reply, cell_in->handshake_len);
+    break;
+  case CELL_CREATED2:
+    tor_assert(cell_in->handshake_len <= sizeof(cell_out->payload)-2);
+    set_uint16(cell_out->payload, htons(cell_in->handshake_len));
+    memcpy(cell_out->payload + 2, cell_in->reply, cell_in->handshake_len);
+    break;
+  default:
+    return -1;
+  }
+  return 0;
+}
+
+/** Format the EXTEND{,2} cell in <b>cell_in</b>, storing its relay payload in
+ * <b>payload_out</b>, the number of bytes used in *<b>len_out</b>, and the
+ * relay command in *<b>command_out</b>. The <b>payload_out</b> must have
+ * RELAY_PAYLOAD_SIZE bytes available.  Return 0 on success, -1 on failure. */
+int
+extend_cell_format(uint8_t *command_out, uint16_t *len_out,
+                   uint8_t *payload_out, const extend_cell_t *cell_in)
+{
+  uint8_t *p, *eop;
+  if (check_extend_cell(cell_in) < 0)
+    return -1;
+
+  p = payload_out;
+  eop = payload_out + RELAY_PAYLOAD_SIZE;
+
+  memset(p, 0, RELAY_PAYLOAD_SIZE);
+
+  switch (cell_in->cell_type) {
+  case RELAY_COMMAND_EXTEND:
+    {
+      *command_out = RELAY_COMMAND_EXTEND;
+      *len_out = 6 + TAP_ONIONSKIN_CHALLENGE_LEN + DIGEST_LEN;
+      set_uint32(p, tor_addr_to_ipv4n(&cell_in->orport_ipv4.addr));
+      set_uint16(p+4, ntohs(cell_in->orport_ipv4.port));
+      memcpy(p+6, cell_in->create_cell.onionskin,
+             TAP_ONIONSKIN_CHALLENGE_LEN);
+      memcpy(p+6+TAP_ONIONSKIN_CHALLENGE_LEN, cell_in->node_id, DIGEST_LEN);
+    }
+    break;
+  case RELAY_COMMAND_EXTEND2:
+    {
+      uint8_t n = 2;
+      *command_out = RELAY_COMMAND_EXTEND2;
+
+      *p++ = n; /* 2 identifiers */
+      *p++ = SPECTYPE_IPV4; /* First is IPV4. */
+      *p++ = 6; /* It's 6 bytes long. */
+      set_uint32(p, tor_addr_to_ipv4n(&cell_in->orport_ipv4.addr));
+      set_uint16(p+4, htons(cell_in->orport_ipv4.port));
+      p += 6;
+      *p++ = SPECTYPE_LEGACY_ID; /* Next is an identity digest. */
+      *p++ = 20; /* It's 20 bytes long */
+      memcpy(p, cell_in->node_id, DIGEST_LEN);
+      p += 20;
+
+      /* Now we can send the handshake */
+      set_uint16(p, htons(cell_in->create_cell.handshake_type));
+      set_uint16(p+2, htons(cell_in->create_cell.handshake_len));
+      p += 4;
+
+      if (cell_in->create_cell.handshake_len > eop - p)
+        return -1;
+
+      memcpy(p, cell_in->create_cell.onionskin,
+             cell_in->create_cell.handshake_len);
+
+      p += cell_in->create_cell.handshake_len;
+      *len_out = p - payload_out;
+    }
+    break;
+  default:
+    return -1;
+  }
+
+  return 0;
+}
+
+/** Format the EXTENDED{,2} cell in <b>cell_in</b>, storing its relay payload
+ * in <b>payload_out</b>, the number of bytes used in *<b>len_out</b>, and the
+ * relay command in *<b>command_out</b>. The <b>payload_out</b> must have
+ * RELAY_PAYLOAD_SIZE bytes available.  Return 0 on success, -1 on failure. */
+int
+extended_cell_format(uint8_t *command_out, uint16_t *len_out,
+                     uint8_t *payload_out, const extended_cell_t *cell_in)
+{
+  uint8_t *p, *eop;
+  if (check_extended_cell(cell_in) < 0)
+    return -1;
+
+  p = payload_out;
+  eop = payload_out + RELAY_PAYLOAD_SIZE;
+  memset(p, 0, RELAY_PAYLOAD_SIZE);
+
+  switch (cell_in->cell_type) {
+  case RELAY_COMMAND_EXTENDED:
+    {
+      *command_out = RELAY_COMMAND_EXTENDED;
+      *len_out = TAP_ONIONSKIN_REPLY_LEN;
+      memcpy(payload_out, cell_in->created_cell.reply,
+             TAP_ONIONSKIN_REPLY_LEN);
+    }
+    break;
+  case RELAY_COMMAND_EXTENDED2:
+    {
+      *command_out = RELAY_COMMAND_EXTENDED2;
+      *len_out = 2 + cell_in->created_cell.handshake_len;
+      set_uint16(payload_out, htons(cell_in->created_cell.handshake_len));
+      memcpy(payload_out+2, cell_in->created_cell.reply,
+             cell_in->created_cell.handshake_len);
+    }
+    break;
+  default:
+    return -1;
+  }
+
+  return 0;
+}
+
--- a/src/or/onion.h
+++ b/src/or/onion.h
@ -50,5 +50,66 @@ int onion_skin_client_handshake(int type,
                      uint8_t *keys_out, size_t key_out_len,
                      uint8_t *rend_authenticator_out);

+/** A parsed CREATE, CREATE_FAST, or CREATE2 cell. */
+typedef struct create_cell_t {
+  /** The cell command. One of CREATE{,_FAST,2} */
+  uint8_t cell_type;
+  /** One of the ONION_HANDSHAKE_TYPE_* values */
+  uint16_t handshake_type;
+  /** The number of bytes used in <b>onionskin</b>. */
+  uint16_t handshake_len;
+  /** The client-side message for the circuit creation handshake. */
+  uint8_t onionskin[CELL_PAYLOAD_SIZE - 4];
+} create_cell_t;
+
+/** A parsed CREATED, CREATED_FAST, or CREATED2 cell. */
+typedef struct created_cell_t {
+  /** The cell command. One of CREATED{,_FAST,2} */
+  uint8_t cell_type;
+  /** The number of bytes used in <b>reply</b>. */
+  uint16_t handshake_len;
+  /** The server-side message for the circuit creation handshake. */
+  uint8_t reply[CELL_PAYLOAD_SIZE - 2];
+} created_cell_t;
+
+/** A parsed RELAY_EXTEND or RELAY_EXTEND2 cell */
+typedef struct extend_cell_t {
+  /** One of RELAY_EXTEND or RELAY_EXTEND2 */
+  uint8_t cell_type;
+  /** An IPv4 address and port for the node we're connecting to. */
+  tor_addr_port_t orport_ipv4;
+  /** An IPv6 address and port for the node we're connecting to. Not currently
+   * used. */
+  tor_addr_port_t orport_ipv6;
+  /** Identity fingerprint of the node we're conecting to.*/
+  uint8_t node_id[DIGEST_LEN];
+  /** The "create cell" embedded in this extend cell. Note that unlike the
+   * create cells we generate ourself, this once can have a handshake type we
+   * don't recognize. */
+  create_cell_t create_cell;
+} extend_cell_t;
+
+/** A parsed RELAY_EXTEND or RELAY_EXTEND2 cell */
+typedef struct extended_cell_t {
+  /** One of RELAY_EXTENDED or RELAY_EXTENDED2. */
+  uint8_t cell_type;
+  /** The "created cell" embedded in this extended cell. */
+  created_cell_t created_cell;
+} extended_cell_t;
+
+int create_cell_parse(create_cell_t *cell_out, const cell_t *cell_in);
+int created_cell_parse(created_cell_t *cell_out, const cell_t *cell_in);
+int extend_cell_parse(extend_cell_t *cell_out, uint8_t command,
+                      const uint8_t *payload_in, size_t payload_len);
+int extended_cell_parse(extended_cell_t *cell_out, uint8_t command,
+                        const uint8_t *payload_in, size_t payload_len);
+
+int create_cell_format(cell_t *cell_out, const create_cell_t *cell_in);
+int created_cell_format(cell_t *cell_out, const created_cell_t *cell_in);
+int extend_cell_format(uint8_t *command_out, uint16_t *len_out,
+                       uint8_t *payload_out, const extend_cell_t *cell_in);
+int extended_cell_format(uint8_t *command_out, uint16_t *len_out,
+                         uint8_t *payload_out, const extended_cell_t *cell_in);
+
 #endif

--- a/src/or/or.h
+++ b/src/or/or.h
@ -561,6 +561,8 @@ typedef enum {
 #define RELAY_COMMAND_RESOLVE 11
 #define RELAY_COMMAND_RESOLVED 12
 #define RELAY_COMMAND_BEGIN_DIR 13
+#define RELAY_COMMAND_EXTEND2 14
+#define RELAY_COMMAND_EXTENDED2 15

 #define RELAY_COMMAND_ESTABLISH_INTRO 32
 #define RELAY_COMMAND_ESTABLISH_RENDEZVOUS 33
@ -827,6 +829,8 @@ typedef enum {
 #define CELL_VERSIONS 7
 #define CELL_NETINFO 8
 #define CELL_RELAY_EARLY 9
+#define CELL_CREATE2 10
+#define CELL_CREATED2 11

 #define CELL_VPADDING 128
 #define CELL_CERTS 129
--- a/src/test/test_cell_formats.c
+++ b/src/test/test_cell_formats.c
@ -9,6 +9,10 @@
 #define RELAY_PRIVATE
 #include "or.h"
 #include "connection_edge.h"
+#include "onion.h"
+#include "onion_tap.h"
+#include "onion_fast.h"
+#include "onion_ntor.h"
 #include "relay.h"
 #include "test.h"

@ -374,6 +378,453 @@ test_cfmt_connected_cells(void *arg)
  tor_free(mem_op_hex_tmp);
 }

+static void
+test_cfmt_create_cells(void *arg)
+{
+  uint8_t b[MAX_ONIONSKIN_CHALLENGE_LEN];
+  create_cell_t cc;
+  cell_t cell;
+  cell_t cell2;
+
+  (void)arg;
+
+  /* === Let's try parsing some good cells! */
+
+  /* A valid create cell. */
+  memset(&cell, 0, sizeof(cell));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, TAP_ONIONSKIN_CHALLENGE_LEN);
+  cell.command = CELL_CREATE;
+  memcpy(cell.payload, b, TAP_ONIONSKIN_CHALLENGE_LEN);
+  tt_int_op(0, ==, create_cell_parse(&cc, &cell));
+  tt_int_op(CELL_CREATE, ==, cc.cell_type);
+  tt_int_op(ONION_HANDSHAKE_TYPE_TAP, ==, cc.handshake_type);
+  tt_int_op(TAP_ONIONSKIN_CHALLENGE_LEN, ==, cc.handshake_len);
+  test_memeq(cc.onionskin, b, TAP_ONIONSKIN_CHALLENGE_LEN + 10);
+  tt_int_op(0, ==, create_cell_format(&cell2, &cc));
+  tt_int_op(cell.command, ==, cell2.command);
+  test_memeq(cell.payload, cell2.payload, CELL_PAYLOAD_SIZE);
+
+  /* A valid create_fast cell. */
+  memset(&cell, 0, sizeof(cell));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, CREATE_FAST_LEN);
+  cell.command = CELL_CREATE_FAST;
+  memcpy(cell.payload, b, CREATE_FAST_LEN);
+  tt_int_op(0, ==, create_cell_parse(&cc, &cell));
+  tt_int_op(CELL_CREATE_FAST, ==, cc.cell_type);
+  tt_int_op(ONION_HANDSHAKE_TYPE_FAST, ==, cc.handshake_type);
+  tt_int_op(CREATE_FAST_LEN, ==, cc.handshake_len);
+  test_memeq(cc.onionskin, b, CREATE_FAST_LEN + 10);
+  tt_int_op(0, ==, create_cell_format(&cell2, &cc));
+  tt_int_op(cell.command, ==, cell2.command);
+  test_memeq(cell.payload, cell2.payload, CELL_PAYLOAD_SIZE);
+
+  /* A valid create2 cell with a TAP payload */
+  memset(&cell, 0, sizeof(cell));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, TAP_ONIONSKIN_CHALLENGE_LEN);
+  cell.command = CELL_CREATE2;
+  memcpy(cell.payload, "\x00\x00\x00\xBA", 4); /* TAP, 186 bytes long */
+  memcpy(cell.payload+4, b, TAP_ONIONSKIN_CHALLENGE_LEN);
+  tt_int_op(0, ==, create_cell_parse(&cc, &cell));
+  tt_int_op(CELL_CREATE2, ==, cc.cell_type);
+  tt_int_op(ONION_HANDSHAKE_TYPE_TAP, ==, cc.handshake_type);
+  tt_int_op(TAP_ONIONSKIN_CHALLENGE_LEN, ==, cc.handshake_len);
+  test_memeq(cc.onionskin, b, TAP_ONIONSKIN_CHALLENGE_LEN + 10);
+  tt_int_op(0, ==, create_cell_format(&cell2, &cc));
+  tt_int_op(cell.command, ==, cell2.command);
+  test_memeq(cell.payload, cell2.payload, CELL_PAYLOAD_SIZE);
+
+  /* A valid create2 cell with an ntor payload */
+  memset(&cell, 0, sizeof(cell));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, NTOR_ONIONSKIN_LEN);
+  cell.command = CELL_CREATE2;
+  memcpy(cell.payload, "\x00\x02\x00\x54", 4); /* ntor, 84 bytes long */
+  memcpy(cell.payload+4, b, NTOR_ONIONSKIN_LEN);
+#ifdef CURVE25519_ENABLED
+  tt_int_op(0, ==, create_cell_parse(&cc, &cell));
+  tt_int_op(CELL_CREATE2, ==, cc.cell_type);
+  tt_int_op(ONION_HANDSHAKE_TYPE_NTOR, ==, cc.handshake_type);
+  tt_int_op(NTOR_ONIONSKIN_LEN, ==, cc.handshake_len);
+  test_memeq(cc.onionskin, b, NTOR_ONIONSKIN_LEN + 10);
+  tt_int_op(0, ==, create_cell_format(&cell2, &cc));
+  tt_int_op(cell.command, ==, cell2.command);
+  test_memeq(cell.payload, cell2.payload, CELL_PAYLOAD_SIZE);
+#else
+  tt_int_op(-1, ==, create_cell_parse(&cc, &cell));
+#endif
+
+  /* == Okay, now let's try to parse some impossible stuff. */
+
+  /* It has to be some kind of a create cell! */
+  cell.command = CELL_CREATED;
+  tt_int_op(-1, ==, create_cell_parse(&cc, &cell));
+
+  /* You can't acutally make an unparseable CREATE or CREATE_FAST cell. */
+
+  /* Try some CREATE2 cells.  First with a bad type. */
+  cell.command = CELL_CREATE2;
+  memcpy(cell.payload, "\x00\x50\x00\x99", 4); /* Type 0x50???? */
+  tt_int_op(-1, ==, create_cell_parse(&cc, &cell));
+  /* Now a good type with an incorrect length. */
+  memcpy(cell.payload, "\x00\x00\x00\xBC", 4); /* TAP, 187 bytes.*/
+  tt_int_op(-1, ==, create_cell_parse(&cc, &cell));
+  /* Now a good type with a ridiculous length. */
+  memcpy(cell.payload, "\x00\x00\x02\x00", 4); /* TAP, 512 bytes.*/
+  tt_int_op(-1, ==, create_cell_parse(&cc, &cell));
+
+  /* == Time to try formatting bad cells.  The important thing is that
+     we reject big lengths, so just check that for now. */
+  cc.handshake_len = 512;
+  tt_int_op(-1, ==, create_cell_format(&cell2, &cc));
+
+  /* == Try formatting a create2 cell we don't understand. XXXX */
+
+ done:
+  ;
+}
+
+static void
+test_cfmt_created_cells(void *arg)
+{
+  uint8_t b[512];
+  created_cell_t cc;
+  cell_t cell;
+  cell_t cell2;
+
+  (void)arg;
+
+  /* A good CREATED cell */
+  memset(&cell, 0, sizeof(cell));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, TAP_ONIONSKIN_REPLY_LEN);
+  cell.command = CELL_CREATED;
+  memcpy(cell.payload, b, TAP_ONIONSKIN_REPLY_LEN);
+  tt_int_op(0, ==, created_cell_parse(&cc, &cell));
+  tt_int_op(CELL_CREATED, ==, cc.cell_type);
+  tt_int_op(TAP_ONIONSKIN_REPLY_LEN, ==, cc.handshake_len);
+  test_memeq(cc.reply, b, TAP_ONIONSKIN_REPLY_LEN + 10);
+  tt_int_op(0, ==, created_cell_format(&cell2, &cc));
+  tt_int_op(cell.command, ==, cell2.command);
+  test_memeq(cell.payload, cell2.payload, CELL_PAYLOAD_SIZE);
+
+  /* A good CREATED_FAST cell */
+  memset(&cell, 0, sizeof(cell));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, CREATED_FAST_LEN);
+  cell.command = CELL_CREATED_FAST;
+  memcpy(cell.payload, b, CREATED_FAST_LEN);
+  tt_int_op(0, ==, created_cell_parse(&cc, &cell));
+  tt_int_op(CELL_CREATED_FAST, ==, cc.cell_type);
+  tt_int_op(CREATED_FAST_LEN, ==, cc.handshake_len);
+  test_memeq(cc.reply, b, CREATED_FAST_LEN + 10);
+  tt_int_op(0, ==, created_cell_format(&cell2, &cc));
+  tt_int_op(cell.command, ==, cell2.command);
+  test_memeq(cell.payload, cell2.payload, CELL_PAYLOAD_SIZE);
+
+  /* A good CREATED2 cell with short reply */
+  memset(&cell, 0, sizeof(cell));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, 64);
+  cell.command = CELL_CREATED2;
+  memcpy(cell.payload, "\x00\x40", 2);
+  memcpy(cell.payload+2, b, 64);
+  tt_int_op(0, ==, created_cell_parse(&cc, &cell));
+  tt_int_op(CELL_CREATED2, ==, cc.cell_type);
+  tt_int_op(64, ==, cc.handshake_len);
+  test_memeq(cc.reply, b, 80);
+  tt_int_op(0, ==, created_cell_format(&cell2, &cc));
+  tt_int_op(cell.command, ==, cell2.command);
+  test_memeq(cell.payload, cell2.payload, CELL_PAYLOAD_SIZE);
+
+  /* A good CREATED2 cell with maximal reply */
+  memset(&cell, 0, sizeof(cell));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, 496);
+  cell.command = CELL_CREATED2;
+  memcpy(cell.payload, "\x01\xF0", 2);
+  memcpy(cell.payload+2, b, 496);
+  tt_int_op(0, ==, created_cell_parse(&cc, &cell));
+  tt_int_op(CELL_CREATED2, ==, cc.cell_type);
+  tt_int_op(496, ==, cc.handshake_len);
+  test_memeq(cc.reply, b, 496);
+  tt_int_op(0, ==, created_cell_format(&cell2, &cc));
+  tt_int_op(cell.command, ==, cell2.command);
+  test_memeq(cell.payload, cell2.payload, CELL_PAYLOAD_SIZE);
+
+  /* Bogus CREATED2 cell: too long! */
+  memset(&cell, 0, sizeof(cell));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, 496);
+  cell.command = CELL_CREATED2;
+  memcpy(cell.payload, "\x01\xF1", 2);
+  tt_int_op(-1, ==, created_cell_parse(&cc, &cell));
+
+  /* Unformattable CREATED2 cell: too long! */
+  cc.handshake_len = 497;
+  tt_int_op(-1, ==, created_cell_format(&cell2, &cc));
+
+ done:
+  ;
+}
+
+static void
+test_cfmt_extend_cells(void *arg)
+{
+  uint8_t b[512];
+  extend_cell_t ec;
+  create_cell_t *cc = &ec.create_cell;
+  uint8_t p[RELAY_PAYLOAD_SIZE];
+  uint8_t p2[RELAY_PAYLOAD_SIZE];
+  uint8_t p2_cmd;
+  uint16_t p2_len;
+  char *mem_op_hex_tmp = NULL;
+
+  (void) arg;
+
+  /* Let's start with a simple EXTEND cell. */
+  memset(p, 0, sizeof(p));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, TAP_ONIONSKIN_CHALLENGE_LEN);
+  memcpy(p, "\x12\xf4\x00\x01\x01\x02", 6); /* 18 244 0 1 : 258 */
+  memcpy(p+6,b,TAP_ONIONSKIN_CHALLENGE_LEN);
+  memcpy(p+6+TAP_ONIONSKIN_CHALLENGE_LEN, "electroencephalogram", 20);
+  tt_int_op(0, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND,
+                                     p, 26+TAP_ONIONSKIN_CHALLENGE_LEN));
+  tt_int_op(RELAY_COMMAND_EXTEND, ==, ec.cell_type);
+  tt_str_op("18.244.0.1", ==, fmt_addr(&ec.orport_ipv4.addr));
+  tt_int_op(258, ==, ec.orport_ipv4.port);
+  tt_int_op(AF_UNSPEC, ==, tor_addr_family(&ec.orport_ipv6.addr));
+  test_memeq(ec.node_id, "electroencephalogram", 20);
+  tt_int_op(cc->cell_type, ==, CELL_CREATE);
+  tt_int_op(cc->handshake_type, ==, ONION_HANDSHAKE_TYPE_TAP);
+  tt_int_op(cc->handshake_len, ==, TAP_ONIONSKIN_CHALLENGE_LEN);
+  test_memeq(cc->onionskin, b, TAP_ONIONSKIN_CHALLENGE_LEN+20);
+  tt_int_op(0, ==, extend_cell_format(&p2_cmd, &p2_len, p2, &ec));
+  tt_int_op(p2_cmd, ==, RELAY_COMMAND_EXTEND);
+  tt_int_op(p2_len, ==, 26+TAP_ONIONSKIN_CHALLENGE_LEN);
+  test_memeq(p2, p, RELAY_PAYLOAD_SIZE);
+
+  /* Now let's do a minimal ntor EXTEND2 cell. */
+  memset(&ec, 0xff, sizeof(ec));
+  memset(p, 0, sizeof(p));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, NTOR_ONIONSKIN_LEN);
+  /* 2 items; one 18.244.0.1:61681 */
+  memcpy(p, "\x02\x00\x06\x12\xf4\x00\x01\xf0\xf1", 9);
+  /* The other is a digest. */
+  memcpy(p+9, "\x02\x14" "anarchoindividualist", 22);
+  /* Prep for the handshake: type and length */
+  memcpy(p+31, "\x00\x02\x00\x54", 4);
+  memcpy(p+35, b, NTOR_ONIONSKIN_LEN);
+  tt_int_op(0, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                     p, 35+NTOR_ONIONSKIN_LEN));
+  tt_int_op(RELAY_COMMAND_EXTEND2, ==, ec.cell_type);
+  tt_str_op("18.244.0.1", ==, fmt_addr(&ec.orport_ipv4.addr));
+  tt_int_op(61681, ==, ec.orport_ipv4.port);
+  tt_int_op(AF_UNSPEC, ==, tor_addr_family(&ec.orport_ipv6.addr));
+  test_memeq(ec.node_id, "anarchoindividualist", 20);
+  tt_int_op(cc->cell_type, ==, CELL_CREATE2);
+  tt_int_op(cc->handshake_type, ==, ONION_HANDSHAKE_TYPE_NTOR);
+  tt_int_op(cc->handshake_len, ==, NTOR_ONIONSKIN_LEN);
+  test_memeq(cc->onionskin, b, NTOR_ONIONSKIN_LEN+20);
+  tt_int_op(0, ==, extend_cell_format(&p2_cmd, &p2_len, p2, &ec));
+  tt_int_op(p2_cmd, ==, RELAY_COMMAND_EXTEND2);
+  tt_int_op(p2_len, ==, 35+NTOR_ONIONSKIN_LEN);
+  test_memeq(p2, p, RELAY_PAYLOAD_SIZE);
+
+  /* Now let's do a fanciful EXTEND2 cell. */
+  memset(&ec, 0xff, sizeof(ec));
+  memset(p, 0, sizeof(p));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, 99);
+  /* 4 items; one 18 244 0 1 61681 */
+  memcpy(p, "\x04\x00\x06\x12\xf4\x00\x01\xf0\xf1", 9);
+  /* One is a digest. */
+  memcpy(p+9, "\x02\x14" "anthropomorphization", 22);
+  /* One is an ipv6 address */
+  memcpy(p+31, "\x01\x12\x20\x02\x00\x00\x00\x00\x00\x00"
+               "\x00\x00\x00\x00\x00\xf0\xc5\x1e\x11\x12", 20);
+  /* One is the Konami code. */
+  memcpy(p+51, "\xf0\x20upupdowndownleftrightleftrightba", 34);
+  /* Prep for the handshake: weird type and length */
+  memcpy(p+85, "\x01\x05\x00\x63", 4);
+  memcpy(p+89, b, 99);
+  tt_int_op(0, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2, p, 89+99));
+  tt_int_op(RELAY_COMMAND_EXTEND2, ==, ec.cell_type);
+  tt_str_op("18.244.0.1", ==, fmt_addr(&ec.orport_ipv4.addr));
+  tt_int_op(61681, ==, ec.orport_ipv4.port);
+  tt_str_op("2002::f0:c51e", ==, fmt_addr(&ec.orport_ipv6.addr));
+  tt_int_op(4370, ==, ec.orport_ipv6.port);
+  test_memeq(ec.node_id, "anthropomorphization", 20);
+  tt_int_op(cc->cell_type, ==, CELL_CREATE2);
+  tt_int_op(cc->handshake_type, ==, 0x105);
+  tt_int_op(cc->handshake_len, ==, 99);
+  test_memeq(cc->onionskin, b, 99+20);
+  tt_int_op(0, ==, extend_cell_format(&p2_cmd, &p2_len, p2, &ec));
+  tt_int_op(p2_cmd, ==, RELAY_COMMAND_EXTEND2);
+  /* We'll generate it minus the IPv6 address and minus the konami code */
+  tt_int_op(p2_len, ==, 89+99-34-20);
+  test_memeq_hex(p2,
+                 /* Two items: one that same darn IP address. */
+                 "02000612F40001F0F1"
+                 /* The next is a digest : anthropomorphization */
+                 "0214616e7468726f706f6d6f727068697a6174696f6e"
+                 /* Now the handshake prologue */
+                 "01050063");
+  test_memeq(p2+1+8+22+4, b, 99+20);
+
+  /* == Now try parsing some junk */
+
+  /* Try a too-long handshake */
+  memset(p, 0, sizeof(p));
+  memcpy(p, "\x02\x00\x06\x12\xf4\x00\x01\xf0\xf1", 9);
+  memcpy(p+9, "\x02\x14" "anarchoindividualist", 22);
+  memcpy(p+31, "\xff\xff\x01\xd0", 4);
+  tt_int_op(-1, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                      p, sizeof(p)));
+
+  /* Try two identities. */
+  memset(p, 0, sizeof(p));
+  memcpy(p, "\x03\x00\x06\x12\xf4\x00\x01\xf0\xf1", 9);
+  memcpy(p+9, "\x02\x14" "anarchoindividualist", 22);
+  memcpy(p+31, "\x02\x14" "autodepolymerization", 22);
+  memcpy(p+53, "\xff\xff\x00\x10", 4);
+  tt_int_op(-1, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                      p, sizeof(p)));
+
+  /* No identities. */
+  memset(p, 0, sizeof(p));
+  memcpy(p, "\x01\x00\x06\x12\xf4\x00\x01\xf0\xf1", 9);
+  memcpy(p+53, "\xff\xff\x00\x10", 4);
+  tt_int_op(-1, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                      p, sizeof(p)));
+
+  /* Try a bad IPv4 address (too long, too short)*/
+  memset(p, 0, sizeof(p));
+  memcpy(p, "\x02\x00\x07\x12\xf4\x00\x01\xf0\xf1\xff", 10);
+  memcpy(p+10, "\x02\x14" "anarchoindividualist", 22);
+  memcpy(p+32, "\xff\xff\x00\x10", 4);
+  tt_int_op(-1, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                      p, sizeof(p)));
+  memset(p, 0, sizeof(p));
+  memcpy(p, "\x02\x00\x05\x12\xf4\x00\x01\xf0", 8);
+  memcpy(p+8, "\x02\x14" "anarchoindividualist", 22);
+  memcpy(p+30, "\xff\xff\x00\x10", 4);
+  tt_int_op(-1, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                      p, sizeof(p)));
+
+  /* IPv6 address (too long, too short, no IPv4)*/
+  memset(p, 0, sizeof(p));
+  memcpy(p, "\x03\x00\x06\x12\xf4\x00\x01\xf0\xf1", 9);
+  memcpy(p+9, "\x02\x14" "anarchoindividualist", 22);
+  memcpy(p+31, "\x01\x13" "xxxxxxxxxxxxxxxxYYZ", 19);
+  memcpy(p+50, "\xff\xff\x00\x20", 4);
+  tt_int_op(-1, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                      p, sizeof(p)));
+  memset(p, 0, sizeof(p));
+  memcpy(p, "\x03\x00\x06\x12\xf4\x00\x01\xf0\xf1", 9);
+  memcpy(p+9, "\x02\x14" "anarchoindividualist", 22);
+  memcpy(p+31, "\x01\x11" "xxxxxxxxxxxxxxxxY", 17);
+  memcpy(p+48, "\xff\xff\x00\x20", 4);
+  tt_int_op(-1, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                      p, sizeof(p)));
+  memset(p, 0, sizeof(p));
+  memcpy(p, "\x02", 1);
+  memcpy(p+1, "\x02\x14" "anarchoindividualist", 22);
+  memcpy(p+23, "\x01\x12" "xxxxxxxxxxxxxxxxYY", 18);
+  memcpy(p+41, "\xff\xff\x00\x20", 4);
+  tt_int_op(-1, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                      p, sizeof(p)));
+
+  /* Running out of space in specifiers  */
+  memset(p,0,sizeof(p));
+  memcpy(p, "\x05\x0a\xff", 3);
+  memcpy(p+3+255, "\x0a\xff", 2);
+  tt_int_op(-1, ==, extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2,
+                                      p, sizeof(p)));
+
+  /* Fuzz, because why not. */
+  memset(&ec, 0xff, sizeof(ec));
+  {
+    int i;
+    memset(p, 0, sizeof(p));
+    for (i = 0; i < 10000; ++i) {
+      int n = crypto_rand_int(sizeof(p));
+      crypto_rand((char *)p, n);
+      extend_cell_parse(&ec, RELAY_COMMAND_EXTEND2, p, n);
+    }
+  }
+
+ done:
+  tor_free(mem_op_hex_tmp);
+}
+
+static void
+test_cfmt_extended_cells(void *arg)
+{
+  uint8_t b[512];
+  extended_cell_t ec;
+  created_cell_t *cc = &ec.created_cell;
+  uint8_t p[RELAY_PAYLOAD_SIZE];
+  uint8_t p2[RELAY_PAYLOAD_SIZE];
+  uint8_t p2_cmd;
+  uint16_t p2_len;
+  char *mem_op_hex_tmp = NULL;
+
+  (void) arg;
+
+  /* Try a regular EXTENDED cell. */
+  memset(&ec, 0xff, sizeof(ec));
+  memset(p, 0, sizeof(p));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, TAP_ONIONSKIN_REPLY_LEN);
+  memcpy(p,b,TAP_ONIONSKIN_REPLY_LEN);
+  tt_int_op(0, ==, extended_cell_parse(&ec, RELAY_COMMAND_EXTENDED, p,
+                                       TAP_ONIONSKIN_REPLY_LEN));
+  tt_int_op(RELAY_COMMAND_EXTENDED, ==, ec.cell_type);
+  tt_int_op(cc->cell_type, ==, CELL_CREATED);
+  tt_int_op(cc->handshake_len, ==, TAP_ONIONSKIN_REPLY_LEN);
+  test_memeq(cc->reply, b, TAP_ONIONSKIN_REPLY_LEN);
+  tt_int_op(0, ==, extended_cell_format(&p2_cmd, &p2_len, p2, &ec));
+  tt_int_op(RELAY_COMMAND_EXTENDED, ==, p2_cmd);
+  tt_int_op(TAP_ONIONSKIN_REPLY_LEN, ==, p2_len);
+  test_memeq(p2, p, sizeof(p2));
+
+  /* Try an EXTENDED2 cell */
+  memset(&ec, 0xff, sizeof(ec));
+  memset(p, 0, sizeof(p));
+  memset(b, 0, sizeof(b));
+  crypto_rand((char*)b, 42);
+  memcpy(p,"\x00\x2a",2);
+  memcpy(p+2,b,42);
+  tt_int_op(0, ==, extended_cell_parse(&ec, RELAY_COMMAND_EXTENDED2, p, 2+42));
+  tt_int_op(RELAY_COMMAND_EXTENDED2, ==, ec.cell_type);
+  tt_int_op(cc->cell_type, ==, CELL_CREATED2);
+  tt_int_op(cc->handshake_len, ==, 42);
+  test_memeq(cc->reply, b, 42+10);
+  tt_int_op(0, ==, extended_cell_format(&p2_cmd, &p2_len, p2, &ec));
+  tt_int_op(RELAY_COMMAND_EXTENDED2, ==, p2_cmd);
+  tt_int_op(2+42, ==, p2_len);
+  test_memeq(p2, p, sizeof(p2));
+
+  /* Try an almost-too-long EXTENDED2 cell */
+  memcpy(p, "\x01\xf0", 2);
+  tt_int_op(0, ==,
+            extended_cell_parse(&ec, RELAY_COMMAND_EXTENDED2, p, sizeof(p)));
+
+  /* Now try a too-long extended2 cell. That's the only misparse I can think
+   * of. */
+  memcpy(p, "\x01\xf1", 2);
+  tt_int_op(-1, ==,
+            extended_cell_parse(&ec, RELAY_COMMAND_EXTENDED2, p, sizeof(p)));
+
+ done:
+  tor_free(mem_op_hex_tmp);
+}
+
 #define TEST(name, flags)                                               \
  { #name, test_cfmt_ ## name, flags, 0, NULL }

@ -381,6 +832,10 @@ struct testcase_t cell_format_tests[] = {
  TEST(relay_header, 0),
  TEST(begin_cells, 0),
  TEST(connected_cells, 0),
+  TEST(create_cells, 0),
+  TEST(created_cells, 0),
+  TEST(extend_cells, 0),
+  TEST(extended_cells, 0),
  END_OF_TESTCASES
 };