Enable MBEDTLS_FS_IO when running ssl-opt in reference configurations #9595

Open
gilles-peskine-arm opened this issue Sep 18, 2024 · 0 comments
Labels
component-tls enhancement size-m Estimated task size: medium (~1w)

We run ssl-opt.sh on some of the configurations in the configs directory. This is traditionally done by test-ref-configs.pl, although at the time of writing we are planning to move to separate all.sh components.

When we run ssl-opt.sh, we modify the configuration to enable MBEDTLS_DEBUG_C and MBEDTLS_ERROR_C, because a lot of test cases depend on having debug logs and error messages. We consider it an acceptable deviation from the reference configuration because those options shouldn't affect the behavior of the library much. We have unit tests and compat.sh to validate that debug calls don't accidentally change the behavior.

We should probably enable MBEDTLS_FS_IO as well. This option also largely enables extra features without modifying the behavior of other features. The reason to enable it is that we end up skipping a very large number of test cases, because ssl_client2 and ssl_server2 can't read the certificate files.

At the time of writing (Mbed TLS 3.6.1), we automatically skip all test cases that look like they use a file when MBEDTLS_FS_IO is disabled. We even skip test cases where only a GnuTLS or OpenSSL peer is reading files, not the Mbed TLS programs.

The goal of this task is to enable MBEDTLS_FS_IO when running ssl-opt.sh from all.sh. At the time of writing, this is the case for everything that isn't test-ref-configs.pl.

I started doing this in #9541, then backed off when I realized this caused many problems. The latest version with part of this change is https://github.com/gilles-peskine-arm/mbedtls/tree/ssl-opt-sample-programs-3.6-5, where the commit c481548 "Test ssl_client1" changes ssl-opt.sh to skip test cases only if an Mbed TLS program uses a file, not if a GnuTLS or OpenSSL peer uses a file. Even that caused many problems, not all of which I fixed in that branch:

(Note that some comments and commit messages might be wrong, because I initially thought the problems I had were caused by changes in protocol version detection and DTLS adaptation, rather than the relaxed dependencies on MBEDTLS_FS_IO.)

I expect more problems when we also run test cases that run ssl_client2 against ssl_server2 in the reference configurations.

Because of the amount of work required to complete this task, it should be done by incremental improvements. I think a good approach would be to focus locally on a set of related test cases, have them pass locally with one or more configurations that are a reference configuration plus MBEDTLS_FS_IO, go through code review without changing the CI. Then enable MBEDTLS_FS_IO for a configuration once it's fully working. Having the gnutls/openssl interoperability tests run but not the client2-server2 tests might be a good intermediate milestone.
