remove configure.local{,.example} unused, un-updated and ignored for quite some time now.

resurrect landlock support this time targetting ABI level 3; partially based on how claudio@ handled it in rpki-client. Fun how this bit of code has come full circle (gmid inspired what I wrote for got, which inspired what was written for rpki-client, which has come back.)

bundle libtls gmid (like all other daemons that want to do privsep crypto) has a very close relationship with libtls and need to stay in sync with it. OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD instead of the older ECDSA_METHOD, on the gmid side we have to do the same otherwise failures happens at runtime. In a similar manner, privsep crypto is silently broken in the current libretls (next version should fix it.) The proper solution would be to complete the signer APIs so that applications don't need to dive into the library' internals, but that's a mid-term goal, for the immediate bundling the 'little' libtls is the lesser evil. The configure script has gained a new (undocumented for the time being) flag `--with-libtls=bundled|system' to control which libtls to use. It defaults to `bundled' except for OpenBSD where it uses the `system' one. Note that OpenBSD versions before 7.3 (inclusive) ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.

sync DISTFILES

two more missing ge -> gemexp

rename ge -> gemexp gemserv is already taken...

add missing -include titan.d

add titan(1) -- a draft titan client

there's no more any `static' target

add a `lint' maintainer target to check the manpages

use REGRESS_HOST to specify the host to listen to; use in CI some CI envs don't like `listen on localhost' but tolerate INADDR_ANY or IN6ADDR_ANY_INIT.

add missing -include of *.d files

add `release' target

rework the configure script now it resembles less oconfigure and more the configure scripts I'm using in my recent projects. I'd argue it's more easy to use it.

add a privsep crypto engine Incorporate the OpenSMTPD' privsep crypto engine. The idea behind it is to never load the certificate' private keys in a networked process, instead they are loaded in a separate process (the `crypto' one) which signs payloads on the behalf of the server processes. This way, we greatly reduce the risk of leaking the certificate' private key should the server process be compromised. This currently compiles only on LibreSSL (portable fix is in the way).