Remove openssl.SetFIPS(true) call

[qmuntal]

As agreed in https://github.com/microsoft/go-lab/blob/main/docs/adr/0012-remove-gofips.md, we shouldn't try to modify the OpenSSL FIPS mode.

This PR removes the openssl.SetFIPS(true) call and update our build scripts to enable FIPS mode system-wide.

Our CI Mariner 2 image is not FIPS-enabled by default, so we need to force FIPS mode by setting OPENSSL_FORCE_FIPS_MODE. That flag should be passes to the TestScript child processes as they only inherit a filtered set of environment variables, which includes GODEBUG.

Note that since we switched from GOFIPS to GODEBUG=fips140, our test FIPS test coverage has increased, as GOFIPS was not being passed to TestScript child processes, making them not aware of the required FIPS mode.

Also, this is unlikely that users need to update their code to also pass OPENSSL_FORCE_FIPS_MODE to child processes that don't inherit all environment variables. Mainly because they should be running a FIPS-enabled Mariner image on production. If they don't, possible for testing purposes, then child processes won't inherit the GODEBUG env var neither.

For #1445.

[qmuntal]

Looks like Mariner 2 hasn't ported forward-ported the code to enable FIPS mode from the config file. OpenSSL only officially supports FIPS mode in v1.0.2, so the relevant code was removed in OpenSSL 1.1. Will have to find another way.

[dagood]

Also, this is unlikely that users need to update their code to also pass OPENSSL_FORCE_FIPS_MODE to child processes that don't inherit all environment variables. Mainly because they should be running a FIPS-enabled Mariner image on production. If they don't, possible for testing purposes, then child processes won't inherit the GODEBUG env var neither.

To make sure I have this right: for a user to run a test with forced FIPS mode, this will work:

GODEBUG=fips140=on OPENSSL_FORCE_FIPS_MODE=1 go test .

For the user to have an issue with passthrough, they'd have to be using yet another custom test runner that passes through GODEBUG but not OPENSSL_FORCE_FIPS_MODE.

[qmuntal]

Also, this is unlikely that users need to update their code to also pass OPENSSL_FORCE_FIPS_MODE to child processes that don't inherit all environment variables. Mainly because they should be running a FIPS-enabled Mariner image on production. If they don't, possible for testing purposes, then child processes won't inherit the GODEBUG env var neither.

To make sure I have this right: for a user to run a test with forced FIPS mode, this will work:

GODEBUG=fips140=on OPENSSL_FORCE_FIPS_MODE=1 go test .

For the user to have an issue with passthrough, they'd have to be using yet another custom test runner that passes through GODEBUG but not OPENSSL_FORCE_FIPS_MODE.

Yep, that's accurate.