gmni: headers are not displayed for REDIRECT and INPUT responses in SHOW_HEADERS and ONLY_HEADERS modes

I've noticed headers are not displayed in some cases with -i/-I
specified. For example:

echo "printf" | gmni -i gemini://drewdevault.com/cgi-bin/man.sh
Output: empty

echo "printf" | gmni -IL gemini://drewdevault.com/cgi-bin/man.sh -
Output: 10 Search for a POSIX man page
INPUT header is here, but no REDIRECT header appeared.

The reason is that header processing is done after response dispatch. So
some responses (redirect and input) are processed and dropped before.
Patch makes this logic a bit clearer imho: print response header before
any processing if mode is not OMIT_HEADERS and then process response body if mode
is not ONLY_HEADERS. It also deduplicates header printing as a bonus.
gmnlm: host freed too early, causing UAF

The host variable is freed too early. If a client certificate is not
found, the later error message in the
variable to produce an incorrect openssl command. This fix just delays
the free to after the switch statement.

Test case:
gmnlm gemini://feeds.drewdevault.com

The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
 -keyout /home/andrew/.local/share/gmni/certs/€Ú-=öU.key \
 -out /home/andrew/.local/share/gmni/certs/€Ú-=öU.crt \
 -days 36500 -nodes

The following OpenSSL command will generate a certificate for this host:

openssl req -x509 -newkey rsa:4096 \
-keyout /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.key \
-out /home/andrew/.local/share/gmni/certs/feeds.drewdevault.com.crt \
-days 36500 -nodes
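
The free-after-last-use ordering described in this commit message, as an added example (not code from gmni). The function names, the response enum and the `certs` directory are hypothetical:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical response classes standing in for the switch in the commit. */
enum resp_class { RESP_SUCCESS, RESP_CERT_REQUIRED };

/* Formats the certificate-generation hint for `host`; returns the length
 * written, or -1 if `out` is too small. `certdir` is a constructed path. */
static int cert_hint(const char *certdir, const char *host,
		char *out, size_t n)
{
	int len = snprintf(out, n,
		"openssl req -x509 -newkey rsa:4096 -keyout %s/%s.key "
		"-out %s/%s.crt -days 36500 -nodes",
		certdir, host, certdir, host);
	return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Copies the host out of the URL, dispatches on the response class, and
 * releases the copy only after the switch, the last code that reads it. */
int handle_response(const char *url_host, enum resp_class rc,
		char *msg, size_t n)
{
	size_t hlen = strlen(url_host) + 1;
	char *host = malloc(hlen);
	int ret = 0;
	if (host == NULL || n == 0) {
		free(host);
		return -1;
	}
	memcpy(host, url_host, hlen);
	msg[0] = '\0';
	/* Pre-fix ordering: free(host) sat here, so the CERT_REQUIRED branch
	 * formatted freed memory into the path (the garbled file name above). */
	switch (rc) {
	case RESP_CERT_REQUIRED:
		ret = cert_hint("certs", host, msg, n);
		break;
	case RESP_SUCCESS:
		break;
	}
	free(host); /* moved to after the switch, as the commit does */
	return ret;
}
```

Building a variant with the pre-fix ordering under `-fsanitize=address` reports the stale read as a heap-use-after-free instead of silently printing heap garbage.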
gmnlm: Include blank line to frame browser window when reading more
gmnlm: Improve paging behavior on narrow terminals
all: use posix_dirname rather than dirname
gmnlm: create cert dir on 6x response

So that the OpenSSL command doesn't fail when the cert dir hasn't
already been created.
Makefile: install libgmni.a with 644 perms

Static libraries don't need execution perms. I know this is very minor,
but best practice is to give everything the least amount of necessary
privileges. Thus, I propose changing the install command to use 644

Always take the last cert, CA or not
Implement basic client certs for gmnlm
Initial support for client side certificates

This is only supported with gmni for now - gmnlm support will come
later. A limitation with BearSSL prevents us from doing automated
certificate generation for now, unfortunately.
TOFU: more improvements to new cert handling logic
Remove useless variable cast
Discard CA certs unless there's no other
tofu: don't discard CA certs
all: rewrite with BearSSL rather than OpenSSL
fix display of message on TOFU_FINGERPRINT_MISMATCH

Previously the message was never displayed to users,
leaving them with a simple "Error: certificate is untrusted".

This also fixes the display of line numbers in the message.
jump more than one entry back or forth in history

by giving an optional number to b & f commands.
The default behaviour of b & f commands has not
been changed.
Fix incorrectly missing -g flag

On systems using dsymutil the check for the "-g" flag was failing not
because the compiler didn't provide it but because of `/dev/null`
being used as output file.
Fix OpenBSD compilation errors

Those changes fix the following compilation errors on OpenBSD:

src/tofu.c:128:28: error: format specifies type 'long' but the argument has type
      'time_t' (aka 'long long') [-Werror,-Wformat]
                        "SHA-512", fingerprint, expires);

src/gmnlm.c:341:31: error: missing sentinel in function call
                execlp("sh", "sh", "-c", cmd);
                                            , NULL
preserve all bytes except spaces when wrapping

When wrapping, the new line should not start with a space.
All other bytes must be preserved to avoid breaking Unicode chars.

fix for ~sircmpwn/gmni#21