build: enable missing OpenSSF-recommended warnings, with fixes

Ref:
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
(2023-11-29)

Enable new warnings:

- replace `-Wno-sign-conversion` with `-Wsign-conversion`.

  Fix them in example, tests and wincng. There remain about 360 of these
  warnings in `src`. Add a TODO item for those and disable `-Werror` for
  this particular warning.

- enable `-Wformat=2` for clang (in both cmake and autotools).

- enable `__attribute__((format))` for `_libssh2_debug()`,
  `_libssh2_snprintf()` and in tests for `run_command()`.

  `LIBSSH2_PRINTF()` copied from `CURL_TEMP_PRINTF()` in curl.

- enable `-Wimplicit-fallthrough`.

- enable `-Wtrampolines`.

Fix them:

- src: replace obsolete fall-through-comments with
  `__attribute__((fallthrough))`.

- wincng: fix `-Wsign-conversion` warnings.

- tests: fix `-Wsign-conversion` warnings.

- example: fix `-Wsign-conversion` warnings.

- src: fix `-Wformat` issues in trace calls.

  Also, where necessary fix `int` and `unsigned char` casts to
  `unsigned int` and adjust printf format strings. These were not
  causing compiler warnings.

  Cast large types to `long` to avoid dealing with printf masks for
  `size_t` and other C99 types. Existing code often used `int` for this.
  I'll update them to `long` in an upcoming commit.

- tests: fix `-Wformat` warning.

- silence `-Wformat-nonliteral` warnings.

- mbedtls: silence `-Wsign-conversion`/`-Warith-conversion`
  in external header.

Closes #1257

example/direct_tcpip.c

@@ -41,10 +41,10 @@ static const char *password = "";
 static const char *server_ip = "127.0.0.1";
 
 static const char *local_listenip = "127.0.0.1";
-static unsigned int local_listenport = 2222;
+static int local_listenport = 2222;
 
 static const char *remote_desthost = "localhost"; /* resolved by the server */
-static unsigned int remote_destport = 22;
+static int remote_destport = 22;
 
 enum {
     AUTH_NONE = 0,
@@ -63,7 +63,7 @@ int main(int argc, char *argv[])
     LIBSSH2_SESSION *session = NULL;
     LIBSSH2_CHANNEL *channel = NULL;
     const char *shost;
-    unsigned int sport;
+    int sport;
     fd_set fds;
     struct timeval tv;
     ssize_t len, wr;
@@ -270,7 +270,8 @@ int main(int argc, char *argv[])
             wr = 0;
             while(wr < len) {
                 ssize_t nwritten = libssh2_channel_write(channel,
-                                                         buf + wr, len - wr);
+                                                         buf + wr,
+                                                         (size_t)(len - wr));
                 if(nwritten == LIBSSH2_ERROR_EAGAIN) {
                     continue;
                 }
@@ -292,7 +293,8 @@ int main(int argc, char *argv[])
             }
             wr = 0;
             while(wr < len) {
-                ssize_t nsent = send(forwardsock, buf + wr, len - wr, 0);
+                ssize_t nsent = send(forwardsock, buf + wr,
+                                     (size_t)(len - wr), 0);
                 if(nsent <= 0) {
                     fprintf(stderr, "failed to send().\n");
                     goto shutdown;