build: enable -Wsign-conversion warnings and fix/silence them (OpenSSF)

[vszakats]

• silence all -Wsign-conversion warnings by size_t and curl_off_t casts.
• build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF).
• build: make -Wsign-conversion an error (OpenSSF).

Related fixes, including type changes or casts in interface boundaries:

• disable -Wsign-conversion warning for FD_SET()/FD_ISSET() macros. → build: silence -Wsign-conversion in FD_SET()/FD_ISSET() #13896
  These trigger on some systems due to the macros' implementation.
• fix signedness in some printf masks. → tests: make the unit test result type CURLcode #13600 lib: tidy up types and casts #13862
• tests: switch unit tests to return CURLcode. → tests: make the unit test result type CURLcode #13600
• mingw declares sin_family/sin6_family as short. → lib: tidy up types and casts #13862
• openssl: fix ctx_option_t type for openssl 1.1.x → lib/v*: tidy up types and casts #13622
• sectransp: fix CURLcode/OSStatus mix-up. → lib/v*: tidy up types and casts #13622
• tool_parsecfg: fix ParameterError mix-up. → src: tidy up types, add necessary casts #13614
• fix assert in Curl_hash_add. → hash: change 'slots' to size_t from int #13502 lib: bump hash sizes to size_t #13601

Follow-up to 3829759 #12489
Closes #13489

[vszakats]

PR now passes all CI builds and tests.

It did help finding small issues, but I haven't investigated all possible ones, only the trivial ones.
Some of the fixed ones were type disagreements, error code confusions, wrong types assumed
at API boundaries, and wrong casts.

About half of the patch is addressing CURLcode/int mixups in unit tests. They now all
universally use CURLcode.

To my eyes the resulting code better expresses what's happening and more clearly describes
component boundaries. It also makes it easier to spot (or grep) potential issues arising from
switching between signed/unsigned size variables, IMO.

There is no exact number for the warnings fixed. There were about 450 in the first round and
in the ballpark of 900 total after addressing all, disregarding unit tests. Relative to the size of
the codebase, this number doesn't seem to be high and suggest a clean codebase.

Of these, around 140 were silenced with the (size_t)(ptr1 - ptr2) pattern, which we discussed
earlier.

It's possible that warnings are still present in code not compiled in CI and/or build combinations
triggering more.

Next steps?:

• make a list of fixes
• make a list of unrelated issues found
• split up the patch into smaller PRs, I was keeping tests, examples → examples: fix/silence -Wsign-conversion #13501, lib, lib/*, src separate
  while working on this. I'd probably start with moving unit tests fixes to a separate PR,
  or merge them separately via tests: silence -Wsign-conversion, type tidy-ups #13469.

I'll force push now to cleanup to sub-commits. [DONE]

[vszakats]

Separate PRs for the major curl components:

• examples: examples: fix/silence -Wsign-conversion #13501
• tests: tests: silence -Wsign-conversion, type tidy-ups #13469
• curl tool: src: silence -Wsign-conversion, type tidy-ups #13470
• libcurl: lib: silence -Wsign-conversion, tidy-ups, fixes #13481
• libcurl backends: lib/v*: silence -Wsign-conversion, tidy-ups, fixes #13472

The above are the same sub-commits as here, except two controlling the warning option, which is unique to this one.

[bagder]

I just think that adding typecasts in hundreds of new places is not a big win. They just silence the warnings with code that is a tad bit harder to read, the same logic is still there.

The improvements done by changing variable types and prototypes are the interesting ones I think. A typecast is always a bit of a "I surrender" sign.

[vszakats]

-Wsign-conversion is unwanted in curl.