Call the certificates .pem and the keys .key; use contrib/gencert
to generate the certificates and provide a GENCERT_FLAGS knob so
that regress can be run with EC keys (GENCERT_FLAGS=-e). Still no
automatic way of testing with both RSA and EC keys.
gmid (like all other daemons that want to do privsep crypto) has a
very close relationship with libtls and need to stay in sync with
it.
OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD
instead of the older ECDSA_METHOD, on the gmid side we have to do
the same otherwise failures happens at runtime. In a similar manner,
privsep crypto is silently broken in the current libretls (next
version should fix it.)
The proper solution would be to complete the signer APIs so that
applications don't need to dive into the library' internals, but
that's a mid-term goal, for the immediate bundling the 'little'
libtls is the lesser evil.
The configure script has gained a new (undocumented for the time
being) flag `--with-libtls=bundled|system' to control which libtls
to use. It defaults to `bundled' except for OpenBSD where it uses
the `system' one. Note that OpenBSD versions before 7.3 (inclusive)
ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
we can use cmp to tell if two files are different, which also has
the benefit of being available everywhere and reporting the byte
offset of the first difference. Reduces the test dependencies on
some systems.
The tests are still there, the suite is equivalent to the old one, but
this one is better structured.
The biggest annoyance I had with the old one was that it wasn't
straightforward to test only a specific set of tests. It's still
impossible, but it's way easier to do it now.
This extract all the tests to their own functions. It's overall
better in all possible regards.