But introduces dependency on variadic macros

Assume we have two trusted CAs with the same name, the first uses ECDSA 256
bits, the second RSA 2048; cert is signed by the second. If we do the keysize
check before we checked the key types match, we'll raise the badkey flags when
checking the EC-256 CA and it will remain up even when we finally find the
correct CA. So, move the check for the key size after signature verification,
which implicitly checks the key type.

When we build with Visual Studio in debug mode, the invalid parameter handler
aborts the application (and offers to debug it) when n is 0. We want to
just return -1 instead (as calls with n == 0 are expected and happen in our
tests).

For the sake of systems where we want gmake.

Used to fail on our FreeBSD and Windows buildbots. Seems to be working at
least on my Darwin physical machine and on my Windows VM with MSYS2 now.

Some versions of "which" print on stderr.

x509_get_name() does not make defensive copies of strings in its input (which
is OK as usually the caller will have made a copy already), so we shouldn't
reuse its input buffer as an output while "parsed" is still alive.

Our Windows implementation based on vsnprintf_s( ..., _TRUNCATE ) sometimes
writes *two* terminating NULLs. Allow for that, but obviously bytes past the
end of the buffer mustn't be touched.

Name chosen to match the existing make target.

I was a bit too trigger-happy with copy-pasting in a previous commit...

In my tests on Linux, LD_PRELOAD does not seem to work, but LD_LIBRARY_PATH
does.

- all spaces no tabs
- indent with 4 spaces everywhere

Timing belongs in libcrypto (due to havege depending on it)
while net.c was put in libtls (only test ssl servers use it)

certs.c belongs to the X.509 library, while DHM belongs to the crypto lib.

GNU ld cares about the order in which static libs are mentioned on the command
line: if A depends on B then A must com first.

We document that either of recv or recv_timeout may be NULL, but for TLS we
always used recv... Thanks Coverity for catching that.
(Not remotely trigerrable: local configuration.)

Also made me notice net_recv_timeout didn't do its job properly.

With the default config, it noticed the accept_comp was always 0, so the rest
of the test was dead code.

- fix old build commands still using OFLAGS
- make everything work with --warn-undefined-variables, which can be useful
  for debugging typos