build: enable missing OpenSSF-recommended warnings, with fixes

Ref:
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
(2023-11-29)

Enable new warnings:

- replace `-Wno-sign-conversion` with `-Wsign-conversion`.

  Fix them in example, tests and wincng. There remain about 360 of these
  warnings in `src`. Add a TODO item for those and disable `-Werror` for
  this particular warning.

- enable `-Wformat=2` for clang (in both cmake and autotools).

- enable `__attribute__((format))` for `_libssh2_debug()`,
  `_libssh2_snprintf()` and in tests for `run_command()`.

  `LIBSSH2_PRINTF()` copied from `CURL_TEMP_PRINTF()` in curl.

- enable `-Wimplicit-fallthrough`.

- enable `-Wtrampolines`.

Fix them:

- src: replace obsolete fall-through-comments with
  `__attribute__((fallthrough))`.

- wincng: fix `-Wsign-conversion` warnings.

- tests: fix `-Wsign-conversion` warnings.

- example: fix `-Wsign-conversion` warnings.

- src: fix `-Wformat` issues in trace calls.

  Also, where necessary fix `int` and `unsigned char` casts to
  `unsigned int` and adjust printf format strings. These were not
  causing compiler warnings.

  Cast large types to `long` to avoid dealing with printf masks for
  `size_t` and other C99 types. Existing code often used `int` for this.
  I'll update them to `long` in an upcoming commit.

- tests: fix `-Wformat` warning.

- silence `-Wformat-nonliteral` warnings.

- mbedtls: silence `-Wsign-conversion`/`-Warith-conversion`
  in external header.

Closes #1257

tests/test_auth_keyboard_info_request.c

@@ -52,7 +52,7 @@ struct expected {
 };
 struct test_case {
     const char *data;
-    int data_len;
+    unsigned int data_len;
     struct expected expected;
 };
 
@@ -248,7 +248,7 @@ LIBSSH2_FREE_FUNC(test_free)
 
 static
 int test_case(int num,
-              const char *data, int data_len, void *abstract,
+              const char *data, unsigned int data_len, void *abstract,
               struct expected expected)
 {
     int rc;