add fips feature, adjust aws-lc-rs sys dep

Previously we unconditionally used the `aws-lc-sys` and `prebuilt-nasm`
features of the `aws-lc-rs` dep, meaning we always brought along
`aws-lc-sys` (note the `prebuilt-nasm` feature customizes that dep).

However, when a user is looking for a FIPS crypto provider we want to
avoid bringing in `aws-lc-sys` and instead use `aws-lc-rs/fips` to get
`aws-lc-fips-sys`.

This commit makes the `aws-lc-rs` feature of `webpki` activate the
"usual" config: `aws-lc-rs/aws-lc-sys` w/ `aws-lc-rs/prebuilt-nasm` to
have `aws-lc-sys` with prebuilt assmebly to avoid the nasm dep.

A new `fips` feature is added for `webpki` that activates the FIPS
specific config: `aws-lc-rs/fips`. The `aws-lc-sys` and `prebuilt-nasm`
features are **not** activated.

.github/workflows/ci.yml

@@ -357,4 +357,8 @@ jobs:
         uses: taiki-e/install-action@cargo-hack
 
       - name: Check feature powerset
-        run: cargo hack check --feature-powerset --no-dev-deps
+        run: >
+          cargo hack check
+          --feature-powerset
+          --no-dev-deps
+          --mutually-exclusive-features fips,aws-lc-rs

Cargo.toml

@@ -75,12 +75,13 @@ name = "webpki"
 [features]
 default = ["std", "ring"]
 alloc = ["ring?/alloc", "pki-types/alloc"]
-aws_lc_rs = ["dep:aws-lc-rs"]
+aws_lc_rs = ["dep:aws-lc-rs", "aws-lc-rs/aws-lc-sys", "aws-lc-rs/prebuilt-nasm"]
+fips = ["dep:aws-lc-rs", "aws-lc-rs/fips"]
 ring = ["dep:ring"]
 std = ["alloc", "pki-types/std"]
 
 [dependencies]
-aws-lc-rs = { version = "1.9", optional = true, default-features = false, features = ["aws-lc-sys", "prebuilt-nasm"] }
+aws-lc-rs = { version = "1.9", optional = true, default-features = false }
 pki-types = { package = "rustls-pki-types", version = "1.7", default-features = false }
 ring = { version = "0.17", default-features = false, optional = true }
 untrusted = "0.9"