Check Suite-B constraints with EE DANE records

When DANE-EE(3) matches or either of DANE-EE/PKIX-EE fails, we don't
build a chain at all, but rather succeed or fail with just the leaf
certificate.  In either case also check for Suite-B violations.

As unlikely as it may seem that anyone would enable both DANE and
Suite-B, we should do what the application asks.

Took the opportunity to eliminate the "cb" variables in x509_vfy.c,
just call ctx->verify_cb(ok, ctx)

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>