mbedtls seemed to realize that they went overboard with the privacy stuff
on v3.0 and removed some of it. Introduce support for those members that
are only private on exactly v3.0 and unprotected before and after.
Coverity doesn't understand that since we already handled
akid.keyIdentifier.MBEDTLS_PRIVATE(len) being zero, we don't need to
check for akid.keyIdentifier.MBEDTLS_PRIVATE(p) being NULL.
So explicitly check it, even though it is a NOP.
Adapt mbedtls support for compatibility with v3, while maintaining
compatibility with v2.
Notice v3 has removed the ability to encrypt with pubkey and
decrypt with privkey. Openssl still has it, atm with v3 these
fall back to encrypt with privkey and decrypt with pubkey.
> The RSA module no longer supports private-key operations with the
> public key or vice versa. As a consequence, RSA operation functions
> no longer have a mode parameter. If you were calling RSA operations
> with the normal mode (public key for verification or encryption,
> private key for signature or decryption), remove the
> MBEDTLS_MODE_PUBLIC or MBEDTLS_MODE_PRIVATE argument. If you were
> calling RSA operations with the wrong mode, which rarely makes sense
>from a security perspective, this is no longer supported.
This is a huge patch that should be a global NOP.
For unix type platforms it enables -Wconversion to issue warnings (-> error)
for all automatic casts that seem less than ideal but are normally concealed
by the toolchain.
This is things like passing an int to a size_t argument. Once enabled, I
went through all args on my default build (which build most things) and
tried to make the removed default cast explicit.
With that approach it neither change nor bloat the code, since it compiles
to whatever it was doing before, just with the casts made explicit... in a
few cases I changed some length args from int to size_t but largely left
the causes alone.
From now on, new code that is relying on less than ideal casting
will complain and nudge me to improve it by warnings.
Mbedtls mbedtls_x509_crt_parse() returns 0 for success which is good.
But it has a complicated idea about what to return on fail... if it
couldn't make even one cert from the data, then it returns a negative
return indicating the parsing problem and there is nothing to free.
If it managed to parse at least one cert, instead it retuns a positive
number indicating the number of certs it didn't parse successfully,
and there is something to free.
Adapt the code to understand this quirk.
