tor/changes/ntor

  o Major features:

    - Tor now supports a new circuit extension handshake designed by Ian
      Goldberg, Douglas Stebila, and Berkant Ustaoglu. Our original
      circuit extension handshake, later called "TAP", was a bit slow
      (especially on the server side), had a fragile security proof, and
      used weaker keys than we'd now prefer. The new circuit handshake
      uses Dan Bernstein's "curve25519" elliptic-curve Diffie-Hellman
      function, making it significantly more secure than the older
      handshake, and significantly faster. Tor can either use one of two
      built-in pure-C curve25519-donna implementations by Adam Langley,
      or link against the "nacl" library for a tuned version if present.

      The built-in version is very fast for 64-bit systems building with
      GCC. (About 10-14x faster on the server side, and about 7x faster
      on the client side.) The built-in 32-bit version is still faster
      than the old TAP protocol (about 3x), but using libnacl would be
      better on most 32-bit x86 hosts.

      Clients don't currently use this protocol by default, since
      comparatively few clients support it so far. To try it, set
      UseNTorHandshake to 1.

      Implements proposal 216; closes ticket #7202.

    - Tor servers and clients now support a better CREATE/EXTEND cell
      format, allowing the sender to specify multiple address, identity,
      and handshake types.  Implements Robert Ransom's proposal 200;
      closes ticket #7199.

  o Code simplification and refactoring:
    - Split the onion.c file into separate modules for the onion queue
      and the different handshakes it supports.
    - Remove the marshalling/unmarshalling code for sending requests to
      cpuworkers over a socket, and instead just send structs.  The
      recipient will always be the same Tor binary as the sender, so
      any encoding is overkill.

  o Testing:
    - Add benchmark functions to test onion handshake performance.