History log of /openbsd-current/sbin/iked/Makefile
Revision Date Author Comments
# 1.22 28-May-2021 tobhe

Add experimental post-quantum hybrid key exchange method
based on Streamlined NTRU Prime (coupled with X25519).

The sntrup761 implementation is imported from OpenSSH.
It is public domain code originally distributed as part
of the SUPERCOP cryptography benchmark suite
(https://bench.cr.yp.to/supercop.html).

The method is not part of the default proposal, but can
be enabled with 'ikesa group sntrup761x25519'.

ok markus@ patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.21 05-Mar-2021 tobhe

Move policy printing code from parse.y to new print.c

ok patrick@


# 1.20 04-Mar-2021 tobhe

Remove -g from CFLAGS. This was accidentally added with the last commit.


# 1.19 04-Mar-2021 tobhe

Derive config netmask from address pool if not explicitly configured.

ok markus@


# 1.18 13-Feb-2021 tobhe

Add dynamic address configuration for roadwarrior clients.
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.

Input from sthen@ and claudio@
ok patrick@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.17 19-Jul-2017 espie

more depends gc / yacc rules overhaul

okay millert@


# 1.16 03-Jul-2017 espie

no need to generate y.tab.h if nothing uses it, set YFLAGS to nothing
instead of CLEANFILES += y.tab.h

okay millert@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
# 1.15 23-Oct-2015 tedu

push LDSTATIC line down so it's not overridden by makefile.inc. ok reyk


# 1.14 22-Oct-2015 reyk

Stop linking iked -static: It was inherited from isakmpd that is
-static for NFS-over-IPsec that might mount the libraries after /usr.
The benefit of linking iked dynamic outweighs the historic reason, eg.
to get full address space randomization and to benefit from libcrypto
updates, so we turn it into a dynamic binary.

OK deraadt@ naddy@


# 1.13 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.12 27-Aug-2014 reyk

Add support for Curve25519 using the public domain code that is found
in OpenSSH. The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.11 17-Feb-2014 markus

basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'
ok mikeb@


# 1.10 18-Jan-2014 martynas

Remove -Wbounded: it is now the compiler default.


# 1.9 14-Nov-2013 markus

no need to specify OBJDIR; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.8 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.7 25-Sep-2012 brad

Correct DPADD to not list libssl which is not used by iked.

ok sthen@ mikeb@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 22-Dec-2010 reyk

split util.c into two files: imsg_util.c for ibuf/imsg stuff and util for
everything else. we might need to include util.c in ikectl later.

sure mikeb@


Revision tags: OPENBSD_4_8_BASE
# 1.5 11-Jun-2010 reyk

add some infrastructure to support timers and initiator mode later.


# 1.4 11-Jun-2010 jsg

tweak the code slightly so we can remove -lssl

ok reyk@


# 1.3 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.2 03-Jun-2010 reyk

remove my BINDIR override, pointed out by deraadt@


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

