crypto/tls: FIPS 140-3 mode

Consolidates handling of FIPS 140-3 considerations for the tls package.
Considerations specific to certificates are now handled in tls instead
of x509 to limit the area-of-effect of FIPS as much as possible.
Boringcrypto specific prefixes are renamed as appropriate.

For #69536

Co-authored-by: Filippo Valsorda <filippo@golang.org>
Change-Id: I1b1fef83c3599e4c9b98ad81db582ac93253030b
Reviewed-on: https://go-review.googlesource.com/c/go/+/629675
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

internal/fips140tls/fipstls.go

@@ -0,0 +1,37 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package fips140tls controls whether crypto/tls requires FIPS-approved settings.
+package fips140tls
+
+import (
+	"crypto/internal/fips140"
+	"sync/atomic"
+)
+
+var required atomic.Bool
+
+func init() {
+	if fips140.Enabled {
+		Force()
+	}
+}
+
+// Force forces crypto/tls to restrict TLS configurations to FIPS-approved settings.
+// By design, this call is impossible to undo (except in tests).
+func Force() {
+	required.Store(true)
+}
+
+// Required reports whether FIPS-approved settings are required.
+//
+// Required is true if FIPS 140-3 mode is enabled with GODEBUG=fips140=on, or if
+// the crypto/tls/fipsonly package is imported by a Go+BoringCrypto build.
+func Required() bool {
+	return required.Load()
+}
+
+func TestingOnlyAbandon() {
+	required.Store(false)
+}