History log of /openbsd-current/sbin/iked/dh.h
Revision Date Author Comments
# 1.15 28-May-2021 tobhe

Add experimental post-quantum hybrid key exchange method
based on Streamlined NTRU Prime (coupled with X25519).

The sntrup761 implementation is imported from OpenSSH.
It is public domain code originally distributed as part
of the SUPERCOP cryptography benchmark suite
(https://bench.cr.yp.to/supercop.html).

The method is not part of the default proposal, but can
be enabled with 'ikesa group sntrup761x25519'.

ok markus@ patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.14 04-Feb-2021 tobhe

Rename 'struct group' to 'struct dh_group' for more clarity and
to avoid name clashes.

ok patrick@


# 1.13 28-Oct-2020 tobhe

Refactor parts of the dh_* API.

ok patrick@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.12 28-Apr-2020 tobhe

Remove support for insecure EC2N groups. Clarify which Diffie-Hellman
groups are not recommended to use and are only supported for backwards
compatibility.

Feedback from sthen@
ok kn@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.11 27-Oct-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be compatible
with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.

ok markus@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.10 27-Mar-2017 mikeb

Don't cache the DH group in the policy

When tearing IKE SA down, the DH group referred to by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.

With and OK reyk


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.9 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.8 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.7 11-Jun-2015 reyk

Use "compliant" header guards by avoiding the reserved '_' namespace.

Pointed out by Markus Elfring

OK mikeb@ millert@


Revision tags: OPENBSD_5_7_BASE
# 1.6 27-Aug-2014 reyk

Add support for Curve25519 using the public domain code that is found
in OpenSSH. The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.5 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.4 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.3 23-Jun-2010 reyk

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521). this matches the common naming for ec groups better.


# 1.2 23-Jun-2010 reyk

further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

