aes-gcm: Clarify CPU feature detection.

[briansmith]

Although every key has been represented with the same types aes::AES_KEY and gcm::HTable regardless of which implementation is used, in reality those types are polymorphic in ways that aren't captured by the type system currently. Thus, the
set_encrypt_key! function must be matched with the corresponding encrypt_block! and/or ctr32_encrypt_blocks! function. Previously, we did CPU feature detection for each function call and assumed that CPU feature detection is idempotent. Now, we do CPU feature detection during key construction and make the lesser assumption that at least those same CPU features are available as long as the key exists.

This is a step towards making further improvements in CPU-feature-based dispatching.

One side-effect of this change is that GCM keys (and thus AES-GCM keys) are now much smaller on targets that don't support any assembly implementation, as they now just store a single U128 instead of a whole HTable.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.12%. Comparing base (515a04a) to head (9ce7475).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2106      +/-   ##
==========================================
+ Coverage   97.07%   97.12%   +0.05%     
==========================================
  Files         144      151       +7     
  Lines       20124    20101      -23     
  Branches      456      447       -9     
==========================================
- Hits        19536    19524      -12     
+ Misses        492      482      -10     
+ Partials       96       95       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.