Merge branch 'multi-ke'

This adds support for multiple key exchanges (no KEMs yet as none are
standardized so far).  Work on this started over five years ago and went
through multiple iterations (first our own protocol, then standardized
extensions in different variations).

IKE_INTERMEDIATE exchanges, defined RFC 9242, are used to transport
multiple KE payloads between the IKE_SA_INIT and IKE_AUTH exchanges.
To rekey IKE and CHILD_SAs with multiple key exchanges, IKE_FOLLOWUP_KE
exchanges are used, as defined in RFC 9370.

In proposals, additional key exchange methods are configured via `keX_`
prefix, where X is a number between 1 and 7.  For example, `ke1_ecp256`
adds ECP_256 as additional KE method.  As with regular key exchanges,
peers have to agree on a method for each round unless no algorithms are
defined by both or `keX_none` is configured to make that round explicitly
optional.

Also changed is how rekey collisions are handled, which makes CHILD_SAs
properly trackable via child_rekey() hook.