Hello again everyone! 

For anyone who doesn't know\remember, my name is Eli, I'm a high school student from Israel and I'm currently trying to implement a TOR Client in Python.

Currently, my project is configured so that my python client (OP) has its guard node set as my local machine (which is running a downloaded version of TOR). I do this for debugging purposes so that if I send a malformed cell as the implemented client, I can read the debug log that the OR generates and see what I did wrong.

Last time I sent a question to the dev-list I was stuck trying to get my CREATE cells to work, and Nick Mathewson immediately answered my question and helped me a lot! Thanks Nick!

I've made pretty good progress since then, and as of writing this, my implemented OP can successfully send a CREATE cell and even an EXTEND cell to my guard node. 

However, I am running into a problem while trying to extend my circuit to the third node (my exit node in this case).
 
After sending a RELAY_EXTEND cell to my middle node (which is encrypted twice with my middle node and then guard node forward key using AES128 in CTR mode), the Response I get back is a relay cell with the correct Circuit Id and command (the command I get is the RELAY command which is represented as 3), BUT the payload of the response cell is very weird. I am unable to 'recognize' it (as specified in section 6.1 of the tor-spec). and furthermore, it does not seem to be any type of cell, it just seems like a bunch of nonsense.

Seeing this I initially thought that the response cell I kept getting was a RELAY_EXTENDED cell that I couldn't 'recognize' due to an error while decrypting the cell payload.

But then I looked at the debug log of my guard node (remember that my guard node is on my local machine) and it said that it had received a DESTROY Cell back from the middle node and was passing on a RELAY_TRUNCATED cell to me:

Apr 26 16:11:03.014 [debug] command_process_destroy_cell: Received for circID 2297363203. <------this is the circuit ID between my gaurd node and the middle node
Apr 26 16:11:03.014 [debug] command_process_destroy_cell: Delivering 'truncated' back.
Apr 26 16:11:03.014 [debug] relay_send_command_from_edge_: delivering 9 cell backward.


To my understanding what this log means is that some part of the EXTEND cell I sent to the middle node was wrong or malformed and because of this when the middle node tried to extend the circuit, an error occurred, and the circuit needed to be torn down.

This is very weird because when I send an EXTEND cell that is meant for my guard node (meaning I want to extend the circuit from one hop to two hops) everything works fine, and I can even successfully derive the shared key material for the middle node.


So I have several questions regarding this:

1. First of all, I didn't quite understand the exact format of a RELAY_TRUNCATED cell. Does it contain a relay cell command + recognized+field +digest and so on? or is it just a single octet that immediately follows the cell command field? If some could show me an example of the cell, it would be much appreciated... 

2. What are some common errors that would make an OR drop a RELAY EXTEND cell? I thought maybe it was a problem with my TAP handshake data, but after extensive checking that doesn't seem to be the case.

3. If someone could describe the exact steps of extending a circuit to a third node, it would greatly help me to make sure that I didn't miss a step or do something wrong.

Thanks in advance for any answers, examples, or comments! I am having a lot of fun doing this project so far and I hope to hear back from anyone who has an answer :)

Regards,
Eli