
Allowing third party OpenSSL providers #104

Open
parkerha1 opened this issue Aug 15, 2023 · 3 comments

Comments

@parkerha1

Hello maintainers,

I've noticed that there's currently no direct support to pass in third-party providers (other than FIPS). Given that OpenSSL has the capability to integrate third-party cryptographic modules, having a simple mechanism in the Golang wrapper to do so would be very beneficial. Would this be a feature your team is willing to accept into the project?

@qmuntal
Collaborator

qmuntal commented Aug 16, 2023

Allowing providers other than default and fips would be a nice addition. Which functions would need to be updated? AFAIK the only ones that have a hardcoded provider name are FIPS and SetFIPS. The others, including Init, use whatever provider is defined in the OpenSSL config.

By the way, would you mind sharing how you consume this module? Do you have your own Go fork, or do you import it directly?

@xnox
Contributor

xnox commented Sep 20, 2023

@parkerha1 in Ubuntu we patch our OpenSSL to load the providers we like without any configs. Separately, I believe one can write openssl.cnf to load providers by default, such that it should work with just this stock Golang module too.

Let me know if patching your openssl, or customizing your own openssl.cnf is suitable or not.

This is mostly suitable for country-specific crypto (e.g. GOST, or the Chinese one).

For accelerated providers, or hardware-accelerated ones, ideally one would contribute autodetection and autoloading in OpenSSL itself, in case there is an accelerated crypto card available (not sure, but guessing this is your use case).
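The openssl.cnf approach mentioned above, as an added example that is not part of this thread or of the golang-fips/openssl project. It activates a hypothetical third-party provider alongside the built-in default provider; the provider name `gost` and the module path under `ossl-modules` are assumptions for illustration and must match the shared object actually installed on the host.

```ini
# Added example (not from the issue thread). Point OpenSSL at this file with
# OPENSSL_CONF=/path/to/openssl.cnf, or merge it into the system openssl.cnf.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Once any provider section exists, the default provider is no longer
# activated implicitly: list it here and activate it, or every algorithm
# it supplies (SHA-2, AES, RSA, ...) disappears from the library context.
default = default_sect
# Assumed provider name; it must equal the name the module registers under.
gost = gost_sect

[default_sect]
activate = 1

[gost_sect]
# Assumed path; a bare module name is resolved relative to the MODULESDIR
# the library was built with (see `openssl version -m`).
module = /usr/lib/x86_64-linux-gnu/ossl-modules/gost.so
activate = 1
```

Verify the result with `OPENSSL_CONF=/path/to/openssl.cnf openssl list -providers`, which prints every provider that was actually activated; an unreadable or mismatched `module` path fails at load time rather than silently falling back. A Go wrapper that only calls into the default library context (as `Init` is described doing above) then sees the third-party algorithms without any provider-specific code, which is the situation this comment describes.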

@qmuntal
Collaborator

qmuntal commented Oct 4, 2024

Note that third-party OpenSSL provider support is in the works. We need to support the SymCrypt provider for OpenSSL (effort tracked here #158), so we are generalizing the code to not assume built-in providers are used.
