Create a CGO_ENABLED=0 version #245

Open
saracen opened this issue Nov 20, 2024 · 0 comments

saracen commented Nov 20, 2024

It would be very convenient for us if we could compile FIPS-enabled binaries that didn't require CGO.

Rough plan:

  • Create an internal/openssl package, exposing openssl functions in a Go-friendly way that handles all the existing CGO binding concerns:

    For example:

    ```go
    // this:
    name := C.CString("ED25519")
    defer C.free(unsafe.Pointer(name))
    sig := C.go_openssl_EVP_SIGNATURE_fetch(nil, name, nil)

    // becomes this (the properties argument is dropped, since no caller uses it):
    sig := openssl.Go_openssl_EVP_SIGNATURE_fetch(nil, "ED25519")

    // with the openssl package implementing:
    func Go_openssl_EVP_SIGNATURE_fetch(ctx GO_OSSL_LIB_CTX_PTR, algorithm string) GO_EVP_SIGNATURE_PTR {
    	// convert the Go string to a C string and free it when the call returns
    	cAlgorithm := C.CString(algorithm)
    	defer C.free(unsafe.Pointer(cAlgorithm))

    	return C.go_openssl_EVP_SIGNATURE_fetch(ctx, cAlgorithm, nil /* properties not used */)
    }
    ```

    My guess is that this is a very large and tedious refactor, but without too many complications.

    Given this is an internal/openssl library, and not a generic openssl binding, we don't have to implement, for example, the properties parameter as it's not used by any caller.

  • Once all of the CGO functionality is ported to openssl, using a build tag, we create a !cgo version that implements the same functions but leverages https://github.com/ebitengine/purego.

Worth pursuing?
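The layering sketched in the plan, as an added example that is neither code from this project nor from the issue author: a raw binding layer made of function variables (the only part that would differ between the cgo build and a `!cgo` build), and a Go-friendly wrapper on top that takes a Go string, passes NULL for the unused properties argument, and turns OpenSSL's NULL return into an error. The `Binder` interface, the `Bind`/`EVPSignatureFetch` names and the `fakeBinder` that stands in for a loaded libcrypto are hypothetical and constructed for this example; `purego.Dlopen` and `purego.RegisterLibFunc`, mentioned in the comments, are purego's real entry points but are not called here so the block runs offline. The handle value `0x1000` is made up.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Raw binding layer: one function variable per libcrypto symbol the callers use.
// This is the only layer that differs between builds: the cgo build assigns the
// existing C wrappers here, the !cgo build binds the symbol with
// purego.RegisterLibFunc(&evpSignatureFetch, handle, "EVP_SIGNATURE_fetch")
// after purego.Dlopen has loaded libcrypto. Pointers travel as uintptr so that
// no C types leak into the Go-friendly layer below.
var evpSignatureFetch func(libctx uintptr, algorithm string, properties uintptr) uintptr

// Binder resolves a symbol name into one of the raw function variables
// (hypothetical interface; a purego-backed one would call RegisterLibFunc).
type Binder interface {
	Bind(fptr any, symbol string) error
}

// Bind wires every raw function variable and fails closed if any symbol is
// missing, so a libcrypto lacking a needed entry point is never half-usable.
func Bind(b Binder) error {
	for _, s := range []struct {
		fptr   any
		symbol string
	}{{&evpSignatureFetch, "EVP_SIGNATURE_fetch"}} {
		if err := b.Bind(s.fptr, s.symbol); err != nil {
			return fmt.Errorf("openssl: binding %s: %w", s.symbol, err)
		}
	}
	return nil
}

// ErrNotBound is returned when the wrappers are used before Bind succeeded.
var ErrNotBound = errors.New("openssl: libcrypto symbols not bound")

// EVPSignatureFetch is the Go-friendly form of EVP_SIGNATURE_fetch: it takes a
// Go string, passes NULL (0) for properties because no caller uses it, and turns
// OpenSSL's NULL return into a Go error instead of a silent zero handle.
func EVPSignatureFetch(libctx uintptr, algorithm string) (uintptr, error) {
	if evpSignatureFetch == nil {
		return 0, ErrNotBound
	}
	// A NUL inside the Go string would be truncated by C.CString (or mis-sized by
	// purego's conversion), so reject it rather than fetch a different algorithm.
	if strings.ContainsRune(algorithm, 0) {
		return 0, fmt.Errorf("openssl: algorithm %q contains a NUL byte", algorithm)
	}
	sig := evpSignatureFetch(libctx, algorithm, 0)
	if sig == 0 {
		return 0, fmt.Errorf("openssl: EVP_SIGNATURE_fetch(%q) returned NULL", algorithm)
	}
	return sig, nil
}

// fakeBinder is constructed for this example: it stands in for a loaded
// libcrypto so the wrapper layer runs with neither cgo nor a shared library.
type fakeBinder struct{ missing map[string]bool }

func (f fakeBinder) Bind(fptr any, symbol string) error {
	if f.missing[symbol] {
		return errors.New("symbol not found")
	}
	p, ok := fptr.(*func(uintptr, string, uintptr) uintptr)
	if !ok {
		return fmt.Errorf("unsupported function type %T", fptr)
	}
	*p = func(_ uintptr, algorithm string, _ uintptr) uintptr {
		// Pretend the provider only offers ED25519 and RSA; NULL otherwise, which
		// is how OpenSSL reports an unknown algorithm. 0x1000 is a made-up handle.
		if algorithm == "ED25519" || algorithm == "RSA" {
			return 0x1000
		}
		return 0
	}
	return nil
}

func main() {
	if err := Bind(fakeBinder{}); err != nil {
		fmt.Println("bind failed:", err)
		return
	}
	sig, err := EVPSignatureFetch(0, "ED25519")
	fmt.Printf("ED25519: handle %#x, err %v\n", sig, err)
	_, err = EVPSignatureFetch(0, "NOT-AN-ALGORITHM")
	fmt.Println("NOT-AN-ALGORITHM:", err)
}
```

Because the wrapper layer only ever sees `uintptr` handles and Go strings, the same file compiles under both build tags; only the `Bind` implementation (C wrappers versus `RegisterLibFunc`) changes, which is what keeps the refactor large but mechanical.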
