bundle libtls gmid (like all other daemons that want to do privsep crypto) has a very close relationship with libtls and need to stay in sync with it. OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD instead of the older ECDSA_METHOD, on the gmid side we have to do the same otherwise failures happens at runtime. In a similar manner, privsep crypto is silently broken in the current libretls (next version should fix it.) The proper solution would be to complete the signer APIs so that applications don't need to dive into the library' internals, but that's a mid-term goal, for the immediate bundling the 'little' libtls is the lesser evil. The configure script has gained a new (undocumented for the time being) flag `--with-libtls=bundled|system' to control which libtls to use. It defaults to `bundled' except for OpenBSD where it uses the `system' one. Note that OpenBSD versions before 7.3 (inclusive) ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.

address the strnvis(3) portability fiasco strnvis originates on OpenBSD. When NetBSD added it to their libc they decided to swap the argument. Without starting a holy war on the "best" argument order, adding an implementation of a function that's widely available and making its signature purposefully incompatible is beyond justification. FreeBSD (and so macos too?) followed NetBSD in this, so we end up with *two* major and incompatible strnvis implementations. libbsd is in a limbo, they started with the OpenBSD version but they'll probably switch to the NetBSD version in the future. That's why we can't have nice things. Do the right thing(tm) and check for the presence of the original strnvis(3), if not available or broken use the bundled one.

rework the configure script now it resembles less oconfigure and more the configure scripts I'm using in my recent projects. I'd argue it's more easy to use it.

add tests and compat for setresuid and setresgid

add memmem compat

rework `make dist'