briansmith / ring

Safe, fast, small crypto using Rust

aes-gcm: Clarify CPU feature detection. #2106

Closed briansmith closed 5 months ago

briansmith commented 5 months ago

Although every key has been represented with the same types aes::AES_KEY and gcm::HTable regardless of which implementation is used, in reality those types are polymorphic in ways that aren't captured by the type system currently. Thus, the set_encrypt_key! function must be matched with the corresponding encrypt_block! and/or ctr32_encrypt_blocks! function. Previously, we did CPU feature detection for each function call and assumed that CPU feature detection is idempotent. Now, we do CPU feature detection during key construction and make the lesser assumption that at least those same CPU features are available as long as the key exists.

This is a step towards making further improvements in CPU-feature-based dispatching.

One side-effect of this change is that GCM keys (and thus AES-GCM keys) are now much smaller on targets that don't support any assembly implementation, as they now just store a single U128 instead of a whole HTable.
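The pattern the description above argues for, as an added illustration that is not ring's code: feature detection runs once when the key is built, and the key's own variant then selects the matching `encrypt_block` routine, so a key schedule laid out for one implementation can never be fed to another. The cipher bodies are toy XOR stand-ins with deliberately different key layouts, and `detect_cpu_features` is a hypothetical probe, not ring's detection code.

```rust
// Added illustration of construction-time CPU feature capture; NOT ring's code.
// The "implementations" are toy XOR stand-ins whose key schedules use different
// layouts, which is exactly why set_encrypt_key and encrypt_block must be paired.

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct CpuFeatures {
    pub aes_ni: bool,
}

// Hypothetical probe standing in for real detection (cpuid etc.). Called once.
pub fn detect_cpu_features() -> CpuFeatures {
    CpuFeatures { aes_ni: cfg!(target_feature = "aes") }
}

// Each variant carries the key material in the layout its implementation expects,
// so the choice made at construction is recorded in the type itself.
pub enum Key {
    HwAccel { round_keys: [u8; 16] },
    Fallback { round_keys: [u8; 16] },
}

impl Key {
    // Feature detection happens here and nowhere else; the variant remembers it.
    pub fn new(raw: [u8; 16], features: CpuFeatures) -> Key {
        if features.aes_ni {
            Key::HwAccel { round_keys: expand_hw(&raw) }
        } else {
            Key::Fallback { round_keys: expand_fallback(&raw) }
        }
    }

    // Dispatch follows the variant, not a fresh per-call feature probe.
    pub fn encrypt_block(&self, block: [u8; 16]) -> [u8; 16] {
        match self {
            Key::HwAccel { round_keys } => encrypt_hw(round_keys, block),
            Key::Fallback { round_keys } => encrypt_fallback(round_keys, block),
        }
    }
}

// Toy schedules: the "hardware" layout stores the key reversed, the fallback as-is.
pub fn expand_hw(raw: &[u8; 16]) -> [u8; 16] { let mut k = *raw; k.reverse(); k }
pub fn expand_fallback(raw: &[u8; 16]) -> [u8; 16] { *raw }

// Toy block functions; each only produces the right answer with its own layout.
pub fn encrypt_hw(rk: &[u8; 16], b: [u8; 16]) -> [u8; 16] {
    let mut o = b; for i in 0..16 { o[i] ^= rk[15 - i]; } o
}
pub fn encrypt_fallback(rk: &[u8; 16], b: [u8; 16]) -> [u8; 16] {
    let mut o = b; for i in 0..16 { o[i] ^= rk[i]; } o
}
```

Both paths agree on the output for the same raw key, while pairing the hardware-layout schedule with the fallback routine silently produces a different block, which is the mismatch the construction-time binding rules out.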

codecov[bot] commented 5 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 97.12%. Comparing base (515a04a) to head (9ce7475). Report is 1 commit behind head on main.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #2106      +/-   ##
==========================================
+ Coverage   97.07%   97.12%   +0.05%
==========================================
  Files         144      151       +7
  Lines       20124    20101      -23
  Branches      456      447       -9
==========================================
- Hits        19536    19524      -12
+ Misses        492      482      -10
+ Partials       96       95       -1
```
